Windows 8.1 UAC Learning?

[goretsky Supervisor]

Hello,

 

One concern I have not seen mentioned is how this would open up a new attack vector for Windows.  If Microsoft were to implement a "disable UAC on a per-program basis" type functionality in Microsoft Windows 8, it would mean that somewhere on the computer, the operating system would have to be storing what was allowed to bypass UAC in some kind of trusted application repository database.

 

Assuming such a database existed, it would rapidly become one of the most-studied entry points for malicious software authors, since finding a vulnerability in it would allow them to code exploits to bypassing your security.  Allowing programs to silently run with Administrator or SYSTEM privileges is not a good idea, and would set Windows security back by at least a decade.  The flip side to this is if the trusted application repository database was used to whitelist programs, why not also build in the functionality to blacklist them as well?  A malware author (or even just a disgruntled syadmin) might decide to use the database to block not just anti-malware software, but things like Windows updates, the base filtering engine, Windows firewall, and oter software that might be critical to securing your computer, or just run your business.

 

There are already technologies like AppLocker and Software Restriction Policies to control access to programs, and these work quite well, especially when combined with other tools like anti-malware software, EMET, encryption, software firewalls, and user account restrictions, to name a few.

 

On computers that I administer, I always turn up UAC to its highest level, not because it is a security boundary (it isn't) but because it alerts me when a program needs to perform operations that may affect the computer and its operating system, and I think that's something which is very important to know.  Of course, if you want to have a more insecure system, I don't judge, everyone has to make their own assessments of risk and trade-offs in security, but in this case, the idea of having a trusted application repository database on any system I am responsible for is something I would not want to see.

 

Regards,

 

Aryeh Goretsky

[lmaobox]

Only tasks that require Administrator rights will trigger UAC. If is program triggering UAC prompt even when doing basic tasks there is some issue with the program.

[Rickkins]

What a stupid thing to say. You can't defend your machine yourself!

 

What happens when you visit a website that has some drive-by malware which your anti-virus software doesn't pick up?

Perhaps you can't... but I certainly can, as witnessed by the fact that I have never had a virus... Please, do not assume that your level of competence is all there is.

[Noir Angel]

Only tasks that require Administrator rights will trigger UAC. If is program triggering UAC prompt even when doing basic tasks there is some issue with the program.

 

Some older applications are a bit funny with UAC as well. The Steam edition of Mass Effect for example will crash if you're on a UAC enabled system and don't run Steam as an administrator the first time you launch Mass Effect.

[dangel]

Some older applications are a bit funny with UAC as well. The Steam edition of Mass Effect for example will crash if you're on a UAC enabled system and don't run Steam as an administrator the first time you launch Mass Effect.

 

Depends where Steam is installed, and thus where your games are.  If you're in program files.. then yes UAC comes into play - I have steam on it's own partition which isn't covered by UAC, so no prompts (aside from initial set-up for C drive stuff - e.g. run-times) when playing.  Regardless the fault there is mass effect for not being compliant (but then it's old).

 

Personally I agree with UAC - I'm a developer and I leave it on, all the time, on all my systems work and home.  I don't find it annoying since I understand it's purpose (despite the pain of making sure our own software was compliant with it when Vista arrived).    Nor do I think that just because I haven't been hit by a bus I never will (ze I must have ze control of all my funktions argument).  Weird thinking, but your choice(s).  OTOH I like having a method for elevation - and thus a way of being a 'non root' user when just doing my everyday work/play/surfing.  In truth i'm rarely prompted outside of installation.

 

I'm also really happy that my parents (once trained lol) actually think about that blacked out screen and UAC request rather than installing everything on God's own and killing their machine.  They'll click 'no' if unsure or if they can't ask me - instant 99% reduction in phone support.  Wicked.

[Mayhem]

well you can do something alike, i dont recomend it but you can do it

 

here you go http://winaero.com/comment.php?comment.news.152