When it comes to the new security functions in Windows Vista, User Account Control is the one people tend to scratch their heads over, Gartner Analyst Neil MacDonald said during his presentation on implementing Vista security at Gartner's IT Security Summit here on June 4. "It's one that has plenty of people confused regarding what, exactly, it is," MacDonald said.
In fact, UAC isn't one capability; rather, it's a set of Vista capabilities that collectively help to limit the ability of applications and users to make unsanctioned system changes—whether the user is running as an administrator or as a standard user. "The idea is that when a piece of software is asking for user credentials … you shouldn't just hand them over," MacDonald said. UAC's raison d'être is basically to cure the new operating system of a legacy of bad applications that freely granted administrator rights—a tendency that has eased malware writers' jobs. "Malicious code would be far less effective if users ran without administrative privileges," MacDonald said.
View: Full Story
News source: eWeek
In fact, UAC isn't one capability; rather, it's a set of Vista capabilities that collectively help to limit the ability of applications and users to make unsanctioned system changes—whether the user is running as an administrator or as a standard user. "The idea is that when a piece of software is asking for user credentials … you shouldn't just hand them over," MacDonald said. UAC's raison d'être is basically to cure the new operating system of a legacy of bad applications that freely granted administrator rights—a tendency that has eased malware writers' jobs. "Malicious code would be far less effective if users ran without administrative privileges," MacDonald said.
View: Full Story News source: eWeek
It's a bit embarassing to see a Windows edition to encourage working with proper privilegies more appear in Vista only now, but I don't think as embarrasing as seeing supposedly professionals being confused over what it is. It's a system to encourage users and developers alike to work in their user-local directories, and protect users from stuff doing machine-local changes without their permission. People have been used to working in this fashion (and being similarly protected by having to elevate to root privilegies) in Unix since about 30 years. This should really NOT be hard to get for any developer worth his/her salary.
Last edited by Jugalator on 08 Jun 2007 - 14:39
Speaking of virtualization, why would any business run Vista at all, when they can run virtual machines of XP instead? Or even virtual machines of the apps themselves? The only limitation is licensing. Does MS allow Office 2007 to be legally run in a virtual machine on Linux or OS X?
Office is a primary reason businesses install Windows at all, with virtualization they won't have to install Windows to run Office (or their other Windows apps), unless the licensing prevents it.
So how long will that licensing scheme last before businesses decide enough is enough and switch to another Office suite that doesn't have these restrictions? And why should they "upgrade" to Vista?
Vista shipped without a killer app or feature. MS should have at least made it a good OS instead of another bug-ridden, bloated hack job, then maybe it would be worth buying. Right now, it's a hassle for consumers and not very attractive for businesses planning on upgrading their infrastructure in the next few years.
Don't get me wrong. Microsoft is trying. I would dare say that they are starting to build a decent operating system (although I must note that it is so because of certain Unix-like features -- uac indeed reminds me of something, symbolic links scream unix too, and certainly, vista is the first microsoft operating system with a proper firewall).
But please, don't depict Microsoft as the angel and developers as the devil.
You want bandaid situations? That's UAC for you.
You want bandaid situations? That's UAC for you.
you need uac regardless. Everyone needs the ability to perform something and provide credentials. This is not a registry issue (but the registry does need an overhaul)
You want bandaid situations? That's UAC for you.
you need uac regardless. Everyone needs the ability to perform something and provide credentials. This is not a registry issue (but the registry does need an overhaul)
UAC is a bad copy of the Unix security model because Microsoft doesn't really understand what's worth a UAC prompt in the first place. Sigh. Maybe in Vienna. -_-
There's very little that prompts UAC unnesisarily.
Doing stuff in Program Files? UAC Prompt.
Modifying something in HKLM? UAC Prompt.
Need access to files flagged with "Administrator", but not "User"? UAC Prompt.
Changing ANYTHING System wide? UAC Prompt.
It's not like they're prompting you when you go to change your Display settings.
Did you know that U.A.C. was the corporation that opened the gates to hell in Doom 3? Seems to also fit here as well.
I did too. It kinda reminded back in the days of fixing everyone's computers infected with pop-ups.
UAC only does it that way if you're logged in as an administrator, otherwise you get password prompts just as in *nix (or previous windows OS's when trying to access file shares).
UAC only does it that way if you're logged in as an administrator, otherwise you get password prompts just as in *nix (or previous windows OS's when trying to access file shares).
Yes but Vista has the *option* of running with just a prompt, where as unix has to have the user enter a password or run with no protection. Having only a password option would make users more inclined to run without any protection because that is way more of a hassle than hitting 'allow'.
No thanks.
The problems with UAC are compounded by the fact that Vista is a new OS so people are in fact updating system settings and files all the time to get various applications and hardware to work.
For me, UAC shouldn't even be turned on unless the person logged on is using the machine as a 'limited user' or the like. When all is said and done UAC is more of an annoyance than a helpful security tool and ends up getting turned off hence negating any security benefits it ever had to begin with.
The problems with UAC are compounded by the fact that Vista is a new OS so people are in fact updating system settings and files all the time to get various applications and hardware to work.
For me, UAC shouldn't even be turned on unless the person logged on is using the machine as a 'limited user' or the like. When all is said and done UAC is more of an annoyance than a helpful security tool and ends up getting turned off hence negating any security benefits it ever had to begin with.
Actually, the limited user account shouldn't allow the types of changes for which UAC prompts at all. Limited user means that they can't change ANY system level settings or files.
I, for one, like the fact that if a program tries to change a system setting or does something outside of the normal application sandbox, I get notified and can stop it if needed.
Last edited by J_R_G on 09 Jun 2007 - 00:37
Last edited by Optix Illusion on 09 Jun 2007 - 06:03
But... saving a wallpaper image produces no UAC prompt and kills the program with a message like.. "has encountered a problem..."
Or basically saving a file outside of your user folder.
So there are issues that requires elevated rights within programs and currently Vista will give NO UAC prompt.
Still work to be done on this... and a lot of it is miss leading.
Any Visual Studio project that builds files or folders in the program files folder will be denied with no UAC prompt... access denied. This happens even if you run VS with elevated privileges. This is very common place.
Granted people need to use an installer geared for Vista, but when they don't there are issues regarding the UAC that give erroneous msgs.
Last edited by WindSailor on 09 Jun 2007 - 14:28
Maybe after enough prompts, Users will understand that you DON'T click OK to anything that pops up.
OMG OMG !!! The guy is a genius ! Everyone has been saying that since when? oh maybe since Unix was designed?
IMHO only specifics programs must be allowed to do changes in the system but even MS will try to f##ck the system, doing unnecesaries changes (for example installing Office).
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.