
UAC's and why you need to learn to use them

  • Wednesday, February 28, 2007 9:46 PM, JAYTF (Security Forum Moderator, MVP)
     

    Anyone can say "I do not care about security" or "I can tell when I have spyware", BUT here is the simple truth. When your computer crashes and you cannot work, you blame Microsoft. UAC is a way to reduce users from working as ADMINs. We all should know that you work with least privilege access, BUT we do not. Companies hate support costs. Companies buy the operating system; they said make it secure, and MS heard the message. I have seen messages posted here saying "I would like to install P2P software on my computer and make it secure!" This is almost impossible, due to the way that most P2P software works. Now, working with Vista for the last 16 months, I have to tell you that 3-5 times a week I get UAC prompts, and that's not bad. Yes, when I install new software I get prompted, but no spyware, and my system is running much better than XP.

     

    Let’s look at the history of PC software  

    The DOS and Windows 95/ 98 were great (no security)

    XP had some security

    XP/sp2 added additional security

    VISTA adds Lots more

    Think about this. IT’S A NEW operating system and you need to learn how to use NEW technology. If you want XP, use XP. But VISTA is not XP; it is a leap ahead in the basic security model. The same happens with all software, but as you upgrade your software you need to upgrade your apps; that's just the way it is.

     

    The UAC Model is as follows –

    A user works in VISTA as a Standard user, if that user does something that requires administrator privileges they get a prompt. If you are not an admin you get a Prompt. Just like XP.

    To continue, type an administrator user name and password

     

    If you are an administrator, you get a prompt to give your process elevated privileges, where you grant security to that process only; the rest of the OS keeps running in standard user mode.

     

    This is a very large difference in that in Vista only that Process is running in elevated mode.

    When you are in XP the full desktop is in elevated mode.

     

    In Windows Vista you will find that once you get beyond the setup phase on most systems, you can work just fine as a standard user.  The problem was what to do when the user needs to complete a task that does require the administrator privilege.  To address this need, we created a new capability in Windows Vista so that when a standard user tries to do something that requires the administrator privilege, the system prompts the user to have an administrator authorize the task by entering their credentials (or confirm the task if you are an administrator).

    Please review these articles to further understand UAC’s

     

    http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx

     

    http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/25/accessible-uac-prompts.aspx
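
An added example, not part of the original post and not Microsoft's own tooling: a read-only PowerShell check of the UAC model described above. It reports whether UAC is on, how administrators and standard users are prompted, and whether the current process is the elevated one. The function name Get-UacAudit and the finding texts are made up for illustration; it assumes the standard UAC policy values under the Policies\System registry key.

```powershell
# Added example: read-only audit of the UAC policy and the current token.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacAudit {   # hypothetical name, not a built-in cmdlet
    param([string]$Path = $UacKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Meaning of the documented prompt-behavior values.
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    function Describe($map, $value) {
        if ($null -eq $value) { return 'not set' }
        if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
        return "unrecognized value $value"
    }

    # Is *this* process running with the full administrator token?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $findings = @()
    if ($p.EnableLUA -ne 1) { $findings += 'UAC is off: administrators run everything elevated' }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Administrators are elevated silently, with no prompt' }
    if ($p.PromptOnSecureDesktop -eq 0) { $findings += 'Prompts are not shown on the secure desktop' }

    New-Object PSObject -Property @{
        UacEnabled      = ($p.EnableLUA -eq 1)
        AdminPrompt     = (Describe $adminPrompt $p.ConsentPromptBehaviorAdmin)
        StandardPrompt  = (Describe $userPrompt $p.ConsentPromptBehaviorUser)
        ProcessElevated = $elevated
        Findings        = $findings
    }
}

Get-UacAudit | Format-List UacEnabled, AdminPrompt, StandardPrompt, ProcessElevated, Findings
```

Run from an ordinary (non-elevated) prompt on a machine with UAC on, ProcessElevated is False even for a member of Administrators; run from an elevated prompt it is True, which is the per-process elevation the post describes.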

     

All Replies

  • Thursday, March 29, 2007 5:48 PM, Al Degutis
     

    I've started a poll to get a feel for how many people have disabled UAC and how many are living with it. Please take a few seconds to cast your vote:

     

    http://professionalinsight.net/vista_uac.aspx

     

    Thanks

    Al Degutis

  • Tuesday, April 10, 2007 11:30 AM, Parijat2
     

    Well, if a click keeps my stuff safe and working then so be it. At least the next time I install a downloaded program I will have to take ownership rather than blame MS for a crash 2 days later.

     

    Sad part: the cute-looking users can't claim 'It happened on its own'. :)

  • Thursday, April 12, 2007 12:48 AM, Les3162187
     

    I have very mixed feelings about UAC. I still can not see any security value when a single click of a mouse is supposed to stand between Nirvana and Hades. If I have repeatedly allowed a program to run, from the same account, so many times, why oh why can't MS allow some way of accepting an option such as:

     

     'YES, I do really, really know this program and I would love you to bits if you accept my decision to run it for ever and ever, and I completely absolve MS from all responsibility - but PLEASE REMEMBER my choice and don't bother me ever again about THIS program in THIS user account. Thank you'

     

    Seriously, why can there not be a way of telling the security system to remember my choice?

     

    I voted in the poll with having disabled UAC. Where is the security there then! It must be a better option to allow a user to acknowledge program(s) and not have the constant pop up and yet still have UAC notify all others.

  • Tuesday, April 17, 2007 3:47 PM, AndyCadley
     
     Les wrote:

     'YES, I do really, really know this program and I would love you to bits if you accept my decision to run it for ever and ever, and I completely absolve MS from all responsibility - but PLEASE REMEMBER my choice and don't bother me ever again about THIS program in THIS user account. Thank you'

     

    Because what happens when a malicious application uses the flagged executable to launch an attack? Consider the (common) scenario in which a user decides to say "It is always ok to launch CMD elevated". From that day forth any application can elevate whenever it likes by running a batch file.

     

    The solution to too many UAC prompts is to fix the applications that unnecessarily require Administrator rights so that they never ever ask to elevate, not to hide the problem by making the OS elevate them silently.

  • Monday, April 23, 2007 5:41 AM, Chris.Scallion
     

    JAYTF:

    Everything you say is true. That does not excuse one serious deficiency in the UAC scheme... people don't want to be constantly harassed by the operating system. There is no combination of spin and fear-mongering that will change that. If my sister tells my mom that "I don't like Vista, it constantly pops these windows up every time I try to open my recipe program" then my mom is not going to shell out $159 for Home Premium, or buy a machine with it installed. It is that simple.

     

    Regardless of whose fault it is that ApplicationA.exe does not play well with the UAC, if I know what ApplicationA does, I want the option to tell Windows to shut its ignorant mouth and never ask me whether I trust it to run again.

     

    And spare me the social-engineering argument, etc. I have heard it. Life is risky. People smoke. Some live in L.A. Some eat at KFC. A computer disaster for them is losing the clips of their cat attacking the vacuum cleaner. It's fixed with a quick re-install.

     

    The bottom line is that system security is, for many home users, useful if it keeps its mouth shut and stays out of the way. When I sit down at my PC, I am not looking for a chance to explain my forthcoming actions to the operating system. It is good that it asks initially, but it quickly begins to wear.

     

    In Vista's current state, it's a choice between: either constant harassment (UAC is on) or constant harassment (UAC is off, and the security center takes over the harassment duties).

    That is garbage. But so is my mom's computer, so I need to go get her a new one. Karen already warned her away from Vista, and mom only uses her machine for things like email, web surfing, etc. So, she gets a Mac for her birthday. Now, I am a .NET developer by trade, and I loathe Apple and their smug "I'm a Mac" TV campaign of half-truths (except the one targeted at UAC, which was right on), but my mom will be on the phone 100 times a day to verify that "it's ok to tell this box thingy that I want to allow that Flash thingy to update?"

    I can't bear that thought. So she gets a Mac. These are the ways people migrate away from a product, and no amount of public education on the dangers of....whatever... is going to change that. Fix the damn UAC, Microsoft. I don't want to hear any more sniveling to the tune of "But..but..but... it's not broke, it's you stupid users trying to use things."

     

     

     

  • Monday, April 23, 2007 6:07 AM, Chris.Scallion
     

    You say it's not broke, and so you are quite obviously in denial. The perception of the paying customers is that UAC is broke, so UAC is broke. What you apparently don't understand, Andy, is that people don't think you know what's best for them. I believe you do, from a security standpoint, but my opinion does not matter either. But this:

     

    Because what happens when a malicious application uses the flagged executable to launch an attack? Consider the (common) scenario in which a user decides to say "It is always ok to launch CMD elevated". From that day forth any application can elevate whenever it likes by running a batch file.

     

    That is such a cop-out. Just quit it. Applications don't get to scour your system, looking for an elevated executable, find CMD.exe is elevated, write a batch file, and then set your monitor on fire. That is a pretty insulting post, to those of us with a high school education.

     

    If it is dangerous to elevate portions of the operating system internals (ex: cmd.exe), then simply disallow the "never ask again" check box for that application. You might even go so far as to take the 10 seconds to add an explanation of why in that aforementioned message box. The point is, we have heard the defense of UAC, and we still don't care. If MS won't fix it, some dev. will, and that is like getting botox in somebody's basement ... My point is that people are going to do it, you may as well make sure they do it with some semblance of safety.

  • Wednesday, July 09, 2008 4:44 PM, FletcherJ
     

     

    Jay,

     

    Ok, I agree with your goals in using UAC.  I like the idea and have no problem dealing with the messages even though I often do things that require elevated rights.

     

    My problems are as follows:

    1) There is no way to resolve conflicts that arise from UAC other than turning it off.  Look at the problems with Adobe Flash and UAC (Flash only works on some Vista systems if UAC is off.)  There are a number of threads on this issue on MS as well as other sites.  Why doesn't MS have a facility for people to report such problems (especially with major vendors such as Adobe) so it can be resolved quickly rather than my just turning off UAC?

     

    2) Most novice users I know simply click through the warning, not even bothering to read it. 

     

    3) There is no way to tell UAC that it doesn't need to bother me about a given situation in the future.  For example, I manually add/change folders in the menus to arrange things the way I like them.  Each step is time consuming - UAC pops up to create a folder (named New Folder), then to rename it, then to copy in a shortcut, etc. 

     

    Again, I like UAC and think it is a good idea.  I just wish that it had been tested with "real" users a little more (especially those with more advanced abilities.)  But, in my case, it appears that I have no choice but to turn it off.

     

    Thanks,

     

    Fletcher

  • Wednesday, January 28, 2009 11:20 PM, Farenheight451
     
    Hi all

     

    I did disable it, but if you read my post here:

    http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/e26d17d9-d4f0-4b02-a63b-60691f8e1365

    you will see that I think that may well have been a mistake!!

    I have it back on now, as Windows Defender & NIS2008 seem to have been unable to protect me fully!