UAC, it may be annoying,

[bradavon]

Yes, it does. You now have access to write to anyones User profile

Not in my experience I had to take ownership, even using the so called "real" admin account.

You now have access to write to \windows directory

True that is a pity but evoking UAC is overkill just for this, even then if I so wish I can enable protected mode as I wish per application. Which isn't as good as across the board but it will have to do, and let's face it it's program like your web browser, e-mail, p2p software that are most likely to let malicious code in.

And if you really want a full admin account, reenable the default "Administrator" account that comes in Vista.

From what I can gather it doesn't. I have enabled it and am using the Admin account you mention but it's not a full admin account in fact it has the same file/folder permissions as the Admin account created during setup including the inability by default to gain access to Documents and Settings. From what I can gather it's identical except it fully disables UAC (and cannot be re-enabled while logged into it), which gives you access to put files in the SYSTEM32 folder, but not modify existing files inside it.

It's permissions are the shame, more to the pity as that's what I want. I just can't stand getting access denied going into any folder, it's my PC.

I also need to put it into context and ask myself how many times in reality I have had some kind of attack? 1-4 times maximum in 15+ years. Considering any web enabled program runs as a limited protected mode user (you don't need UAC for this), a hardware firewall and I have up to date security software (software firewall, antivirus, antispyware). I even update the host files from time to time.

I also have to ask myself do I want to get constand popups which are a definite vs. the possible threat of an attack. Most of the time people get caught out using social engineering and no security tool in the world can account for that.

I did test UAC again tonight (by creating a new user) and after changing the registry so it no longer went black (as a compromise) it was more workable but ultimately still OTT. I was willing to leave it for a few days but by then I'd have configured my profile more so it's harder to switch to the Admin account.

It's a pity as I like the idea of a Limited Account and when I wanted to do Admin work I use another account but there is no such account in Vista which gets you access to everything, and the Limited Account needs to have unnecessary popups to facilitate it. Popups aren't specifically connected to denying access to say the Windows folder, they're a side effect of the all-in-one solution Microsoft decided to implement.

I never had a real issues with XP's security.

Edited April 30, 2007 by bradavon

[solardog]

The most coherent view on UAC.

[Mordkanin]

Not in my experience I had to take ownership, even using the so called "real" admin account.

The point is that malicious code now has access to taking ownership without a UAC prompt stopping it.

[bradavon]

He he I was rambling a bit wasn't I :D

[Xilo]

*Nix derivatives have already had a version of UAC for a long time. The *Nix method is how it should be. It's very unobtrusive, and you usually don't encounter it in normal daily use. UAC on the other hand, nags you for every little thing. It's annoying as hell, and is why I immediately disabled it upon first booting into Vista.

[bradavon]

That's all nice but it breaks apps such as Ntune by preventing its service to run at startup which i badly need. There are a lot of applications from known and safe publishers broken by UAC.

Is there a list somewhere please?

[Mordkanin]

*Nix derivatives have already had a version of UAC for a long time. The *Nix method is how it should be. It's very unobtrusive, and you usually don't encounter it in normal daily use. UAC on the other hand, nags you for every little thing. It's annoying as hell, and is why I immediately disabled it upon first booting into Vista.

It only bothers you when you need to do an administrative task that affects system-wide settings. I've started leaving an elevated command prompt open. Installing, uninstalling, system-wide settings. I don't see how it's any different from the *nix variant. The only difference is the lack of a true Admin account you can log in as (Again, fixed by just leaving an elevated command prompt open)

[Victor V.]

In other words,

Microsot: Hey professional guys, go get Ubuntu =D

[1759]

*Nix derivatives have already had a version of UAC for a long time. The *Nix method is how it should be. It's very unobtrusive, and you usually don't encounter it in normal daily use. UAC on the other hand, nags you for every little thing. It's annoying as hell, and is why I immediately disabled it upon first booting into Vista.

But on a day-to-day basis, you should never see a UAC prompt.

If you see one it's either because you're making a system-wide change, trying to access a file with insufficient privileges, installing a program, or running a program that is expecting admin rights. If your getting it for any other reason, I'd gather to say your system is FUBAR'd anyhow.

I only see a UAC prompt 1-3 times a week. It's not that different from Linux, like Ubuntu. Go use Ubuntu for awhile and watch how often you're typing in sudo. But that's operating the way it was designed as well, UAC isn't any different.

The only thing I don't like that is UAC related, is with Windows Defender blocking apps at startup, w/o a way to enable the app to startup always, and how the UAC prompt won't always pop up in the center of the screen, and other times it will take a couple seconds for the prompt to appear, ie you hear the sound, and then the box shows up.

[geoken]

I honestly don't understand how you'd see more UAC prompts in Vista than password prompts in Linux (assuming you're doing the same things). I can't think of too many actions that will trigger UAC but wont trigger a sudo prompt (and vice versa).

[bradavon]

Personally I found the way the screen goes black and you cannot access anything added to the frustration. Surely they could've worked out a way to prevent malicious code from faking this without that.

In other words,

Microsot: Hey professional guys, go get Ubuntu =D

Well no Ubuntu and Windows cannot really be compared. One is a Techie OS and another an OS trying it's best to suit everybody's needs. I've used Ubuntu and while it's miles easier to use than other Linux OS's it's nowhere near as user friendly as Windows (not even as usable as Windows 95).

:)

[bradavon]

Check out this interesting article where Microsoft stare all OS's should be taking Microsoft's approach:

Microsoft: UAC approach is so good, other OSes should follow suit:

Microsoft doesn't, however. The company says that UAC and the approach it embodies is really the direction that all operating systems should be headed in, but to understand that argument, one must first understand what Microsoft means.

The most controversial aspect of Watson's comments all center around the idea that Microsoft is a leader with UAC, and that other OSes should follow suit. UAC is a cousin of myriad "superuser" process elevation strategies, which Mac OS X and all flavors of Linux already enjoy. The fact is that Microsoft is late to the party with their Microsoftized version of sudo.

Where UAC is different?and also where I think many power users would completely freak out?is in its mistrust for full Administrators. While your average Linux distro will allow you to run as root and give you complete control without prompts (Ubuntu's default settings excepted, of course), Vista's UAC still prompts Administrator users as though they're not admins. There are some users who feel as though being an Admin should mean no interruptions or calls for authentication from the OS, but Microsoft's message seems to be this: the days of the mighty Administrator should come to an end.

The last sentence is true, even the Full Admin account doesn't have access to many system folders by default.

Read the full article: http://arstechnica.com/news.ars/post/20070...ollow-suit.html

Also worth a reMicrosoft's guru: malware and viruses will evolve on Vista: http://arstechnica.com/news.ars/post/20070...e-on-vista.html

[SionicIon]

Personally, I love UAC, and would never dream of turning it off :)

I agree! And if you don't turn it off, your on a standard user account environment, and when UAC prompts, and you click continue, your default permissions kick in! Its just safer!

Agreed. Once you have your computer set up (drivers and applications installed), you should really not run into any UAC consent prompts during every day usage, and the only time you should see one is if an ActiveX control needs to be installed or if an application update installer requires administrative privileges. It's really not that much of a hassle.

Correct, if you need a folder with permission granted to you, add you as owner and UAC won't bother you for that! Its the only thing you need, plus services to run an application on startup, thats all, its not like you people will be installing applications/active-X all day! You get less and less UAC prompts since you installed Windows Vista!

That's a horrible idea from a computer security standpoint. There's no justification for running with Admin access all the time. It's like running *nix/BSD as root, people just don't do it because it's dumb.

I agree, who needs so much permission and independence, I feel safer having an agent (UAC, funny name thats all) review everything!

You miss my point. If this is such a vital security technology how come it premiers in a desktop OS first? Why was this not a server feature that they trickled down to the desktop?

Turbo, if that were true then why again shouldn't 'power users' not disable this off the bat? Brandon argues that it even protects us admins from doing something critically stupid or preventing things happening that we don't know about. What better place to protect us than on mission critical servers? Who cares about a desktop? If it gets pooched..reimage.

Nix has it because historically it is a server OS so people masochistic enough to run it as a workstation inherited it. Not the other way around. Even though my nix servers are just left on and serve their purpose, I still have to logon as root.

Maybe I'm just confused but it seems to me that apologists want it both ways. Either its a user created issue for 'mommies and daddies' or its a global system security blanket. Which is it? If its the first then if you are competent enough to know how to maintain your box its irrelevent. If its the latter see my point above.

This new technology is scheduled for Windows Vista AND Windows Server Longhorn, both are Windows 6.0! Stop dissing Microsoft's security technoligies and asking for it to be backported!

I don't even understand why your asking this question. It's a scheduled feature of both Longhorn Server and Windows Vista, it was included in both from the start, the only reason you see it in Vista first is that's the way things were scheduled. Both have essentially the same underpinnings, including UAC, LHS just needed a bit more time to bake the server oriented features.

Moreover, UAC is a more client-targetted form of security. Once a server is set up, services manage what's going on, and users aren't typically installing new software with potential malware in them or browsing the internet. So why should it have "trickled down" from a server release in the first place?

Correct, it does not need to be backported. What is it worth installing a new OS if your not going to have anything NOT backported.

That's more the fact IE7 is now running as a Limited User than UAC, there is no reason IE7 ever needs access to secure locations so a prompt isn't really necessary, just block it. Especially when if it were to popup in IE7 99% of people will click Continue. You can have this very same functionality without turning UAC on:

http://msdn2.microsoft.com/en-us/library/ms972827.aspx

With a Firewall installed you'd have to grant them access in the first place, this job is better suited by a Firewall which even Vista has already.

You raise some interesting points their original poster but pretty much all of them are better suited by your Firewall which already prompts you when something is trying to do something it shouldn't granted. It won't prompt every action you cite but for me anyway I know full well what the implications are of changing a system file before I do it.

If it popped up only when something serious was about to happen I'd gladly leave it on but it pops up all the time. I like tinkering with Control Panel and the File System (I go into both regularly), you get enough prompts as it is. I had to confirm to 3 times delete a folder a hotfix had left behind, that's overkill. Firstly the normal confirmation fine I like that, then as it's a system folder another one, then finally UAC kicked and another confirmation before it's finally deleted.

UAC wouldn't be so bad if the whole screen didn't go black, that's overkill.

UAC is vital and long overdue for newbies/business but for experienced users it's just a pain in the neck, assuming it doesn't stop malicious code which I'm sure it doesn't, and even then security software is there for that anyway (which you are going to run regardless).

I'm as protected on the web by using that DropMyRights program above (without UAC prompts), any application I choose is forced to run as a limited user (perhaps even lower than Protected Mode) so even if malicious code got in it couldn't do much.

You've written an interesting post though which puts it into context well, something that can be lacking in such discussions.

True but most users aren't going to have a Scooby Doo what Admin mode is let alone does and will just click Continue. The locking down of system folders is a good one, most users will have no idea how to revert this. I would be nicer if they made it a bit easier to reverse though.

That depends what you do with your PC does it not. I regularly go into Control Panel and/or System folders. It's just how I use my PC.

Unless I'm mistaken it won't stop spyware or viruses as it's designed to prompt newbie users "are you sure you want to do this". It won't stop malicious code getting in, that's not what it's for (except for IE7's protected mode). Even if it does popup when a program is run when maybe it shouldn't the Firewall will catch this anyway and it has some intelligence to boot.

You shouldn't use permissions day-to-day basis, Windows Vista is out of beta, no longer does it need tweaked. Use your software in folders you own and you won't be bothered.

I hardly ever see UAC prompts anymore. The times I do see them (once or twice every couple of days) aren't really a big deal. Personally, I think adding a cumulative .8 seconds to my workflow over the course of a week is a more than fair price for the security and peace of mind that comes with knowing nothing can run secretly in the background.

I was reading the other day that the vulnerability found in the 'pwn to own' contest affects every OS and browser which has the quicktime plugin and Java, with the exception of Vista. For those who aren't familiar the exploit automatically runs when a user visits a website with an embeded malicious quicktime file. No user interaction is neccessary (apart from going to the site).

That is exactly what I was saying!!! My first post! You don't even have to click a clickable area, it just automatically installs, its how the internet works now and its not safe or enjoyable to have something auto start.

Check out this interesting article where Microsoft stare all OS's should be taking Microsoft's approach:

The last sentence is true, even the Full Admin account doesn't have access to many system folders by default.

Read the full article: http://arstechnica.com/news.ars/post/20070...ollow-suit.html

Also worth a read, Microsoft's guru: malware and viruses will evolve on Vista: http://arstechnica.com/news.ars/post/20070...e-on-vista.html

So, maybe they want it to be Windows Vista... Maybe they want to protect you. Have you seen the movies? In I-Robot, you don't see people tweaking the PCs, you see them doing there job on the PC. You see the Microsoft Silverstar preview movie? It doesn't show them tweaking there PC, it shows them dragging and dropping, hand motions, not obsessed with there PCs. Soon, maybe Windows Seven, we won't have an issue with malware and can actually use the PC without a threat in sight. Maybe we won't have to touch program files or system32.

When you first install Windows Vista Ultimate. You can adjust your folder permissions, then connect your Windows Vista based PC to your networked WHS based server PC, adjust folder permissions on there. Install your programs and adjust backup to the server. Install Windows Live Onecare and Windows Defender will be shutdown and Onecare takes its place. You don't need to unlock the system32 folder or anything because you shouldn't touch them. Even if you write applications, play video games, burn music, sync media, browse RSS feeds, logon interactively/remotely to a PC/server at work or at a different location, use Microsoft Office 2007 Ultimate to do work, use Microsoft Expression Studio to design silverstar applications, use photoshop, or anything. Now in a business with Windows Server Longhorn, you shouldn't have it plugged into a monitor, or any accessories. All server PCs in offices should be joined by a Windows Server Longhorn domain and UAC should be enabled to make sure nobody does anything administrative and do their work. You people shouldn't do anythhing administrative!