The Great UAC Debate!

[Simon Veteran]

Nevermind the fact that most peope "saved" by UAC will never know it. That's like asking if their eating habits have helped them avoid getting sick. They'll never know if drinking less orange juice would have meant they'd have gotten sick sometime when they didn't.

Well... in order for them to be saved, they'd need to refuse permissions to an application. So I think they'd know that they denied an application access, and would likely only do that if they thought there was a risk.

[gigapixels Veteran]

UAC does much more than that in the background. I don't know the specifics, but I know asking for permissions is a very small part of what UAC does.

[jesseinsf]

UAC not only asks for your permission, but if it is a malicious program is also needs to be installed at the administrator level. People would also have to right click the installer and manually choose to run it as an Administrator. The program will install no matter what after clicking yes to the UAC prompt, but it will not run properly unless it is installed and ran as an administrator. That is the benifit of UAC, it prompts for approval and then won't run correctly without being ran as an Administrator. The malicious program may even cause a run prompt every time you turn on your computer.

[mad_onion]

Well... in order for them to be saved, they'd need to refuse permissions to an application. So I think they'd know that they denied an application access, and would likely only do that if they thought there was a risk.

UAC isn't just that dialog. it means all programs have by default lower privelage level until they have been elevated. therefore when an exploit is found in a piece of software and exploited it's ability to affect the system is severly limited, as in it can only access non crucial areas of the system like the Users folder.

[jamesVault]

The program will install no matter what after clicking yes to the UAC prompt, but it will not run properly unless it is installed and ran as an administrator.

clicking on UAC prompt is equal to run as administrator

Edited August 18, 2008 by jamesVault

[jesseinsf]

UAC not only asks for your permission, but if it is a malicious program is also needs to be installed at the administrator level. People would also have to right click the installer and manually choose to run it as an Administrator. The program will install no matter what after clicking yes to the UAC prompt, but it will not run properly unless it is installed and ran as an administrator. That is the benifit of UAC, it prompts for approval and then won't run correctly without being ran as an Administrator. The malicious program may even cause a run prompt every time you turn on your computer.

Update, Windows defender seems to also block unknown programs, and you always have to unblock them on every startup, even though they are running as an Administrator.

FWI....I can't say everything I say here is bullet proof. All I can say is that I'm noticing the functionallity of how programs are delt with that require admin aproval and how Windows Defender helps allong side UAC in terms that protect us.

[Linkinfamous]

Well... in order for them to be saved, they'd need to refuse permissions to an application. So I think they'd know that they denied an application access, and would likely only do that if they thought there was a risk.

Not necessarily. Many exploits will simply flat out fail without showing you a single prompt, because the process they're contained in is being constrained by the integrity level launched at, because of UAC.

[markwolfe Veteran]

Not necessarily. Many exploits will simply flat out fail without showing you a single prompt, because the process they're contained in is being constrained by the integrity level launched at, because of UAC.

Not sure what you mean. As a Linux user, I see a slightly different privilege escalation scheme. In *.nix, privileges are typically elevated ahead of operation (though some apps allow post-execution elevation, let's not get into all the varieties, and stick with the typical). UAC seems designed all around the ability to elevate at any time. If you drag items around your C:/Windows folder in your explorer, you are given a "Cancel or Allow" type prompt, right? This allows you to initiate the event, and click to allow. Convenient.

In Linux, if I tried to drag items around in my /bin, I would not be given the ability to elevate at that time. The action would simply be forbidden. I like it, because a user ought to be thinking about his tasks, using forethought. But truth is, it is just a different philosophy behind the same escalation mechanisms yielding a slightly different implementation.

So, would not an exploit, running as the default user in Windows merely prompt to elevate, as the system isn't able to tell if the user wants the task to run or not? Or am I missing some way that Windows tries to differentiate between whether the user wants a task to run or not?

[ViperAFK]

Not sure what you mean. As a Linux user, I see a slightly different privilege escalation scheme. In *.nix, privileges are typically elevated ahead of operation (though some apps allow post-execution elevation, let's not get into all the varieties, and stick with the typical). UAC seems designed all around the ability to elevate at any time. If you drag items around your C:/Windows folder in your explorer, you are given a "Cancel or Allow" type prompt, right? This allows you to initiate the event, and click to allow. Convenient.

In Linux, if I tried to drag items around in my /bin, I would not be given the ability to elevate at that time. The action would simply be forbidden. I like it, because a user ought to be thinking about his tasks, using forethought. But truth is, it is just a different philosophy behind the same escalation mechanisms yielding a slightly different implementation.

So, would not an exploit, running as the default user in Windows merely prompt to elevate, as the system isn't able to tell if the user wants the task to run or not? Or am I missing some way that Windows tries to differentiate between whether the user wants a task to run or not?

If a prompt just comes out of nowhere that should be suspicious enough in itself and you should hit cancel.

[markwolfe Veteran]

If a prompt just comes out of nowhere that should be suspicious enough in itself and you should hit cancel.

Oh, I would. Not sure that everyone would. :p You know, the old social issue with PEBKAC

[Linkinfamous]

Not sure what you mean. As a Linux user, I see a slightly different privilege escalation scheme. In *.nix, privileges are typically elevated ahead of operation (though some apps allow post-execution elevation, let's not get into all the varieties, and stick with the typical). UAC seems designed all around the ability to elevate at any time. If you drag items around your C:/Windows folder in your explorer, you are given a "Cancel or Allow" type prompt, right? This allows you to initiate the event, and click to allow. Convenient.

Explorer is spawning another elevated process to perform that operation. Once a process is spawned, its IL cannot be changed. The only way it can do "Admin" tasks is by spawning another, elevated, process to do them for it.

It's just a convenient feature in explorer, not really UAC itself. VMWare does the same thing: When you want to configure something that requires Admin privileges, it spawns another little helper process to take care of the operation, which gives you a UAC prompt.

If an exploit is something like redirecting the output of a program, and overwriting some data (Like a critical system file), then you're perfectly safe, UAC will contain it.

You'd need arbitrary code execution or the ability to spawn another process to trigger a UAC prompt from a hijacked process.

The action would simply be forbidden.

And if you tried to perform the operation from an un-elevated command prompt, or another filemanager, you'd simply get an "Access Denied" error there.

Edited August 18, 2008 by MioTheGreat

[markwolfe Veteran]

^^^ Thanks, Mio. I wasn't quite understanding the Microsoft implementation, and your explanation of Explorer spawning a separate task with its own level makes a lot of sense. It only appears to allow elevation after-the-fact because it is already pre-leveled to allow, but prompts. Sounds like an app in an email attachment or such would not be subjected to the pre-elevated spawned separate task that an explorer item is, and would similarly just fail on Vista or *nix.

[Linkinfamous]

Sounds like an app in an email attachment or such would not be subjected to the pre-elevated spawned separate task that an explorer item is, and would similarly just fail on Vista or *nix.

Well, binaries can be signed with a manifest that requests that it always be launched with Administrative privileges. If such a binary is sent in an email, you'll get a prompt when you try to run the attachment.

If it's something like screwing with a preview handler in your email application, then it'll be contained by the lower privileges of the email client.

[Brandon Live Veteran]

^^^ Thanks, Mio. I wasn't quite understanding the Microsoft implementation, and your explanation of Explorer spawning a separate task with its own level makes a lot of sense. It only appears to allow elevation after-the-fact because it is already pre-leveled to allow, but prompts. Sounds like an app in an email attachment or such would not be subjected to the pre-elevated spawned separate task that an explorer item is, and would similarly just fail on Vista or *nix.

Nothing is pre-elevated. When you copy a file into a directory that only has a write permission for the Administrator group, Explorer gets an "Access Denied" error. Internally it swallows that error and offers to try again with Admin privileges, which results in Explorer launching a new process with Admin privileges (more specifically, I believe it's an out-of-proc COM activation). It is that new process that requests to be started with Admin privileges and thus UAC prompts you for consent/credentials in order to allow it to run.

The system isn't all that different from what you described on *nix systems. Many apps or system components simply delegate their admin tasks to separate processes, while working to maintain an integrated experience (and not having to relaunch the original app, etc).

[theyarecomingforyou]

I have UAC disabled and haven't experienced any problems. I have it disabled because some of the applications I need demanded it and I never saw the need to turn it back on. I don't dispute its functionality but I simply don't appreciate multiple click-throughs to create folders - trying to sort my start menu in folders was a nightmare. I don't like the way the screen is dimmed in secure mode; it's not that it looks bad but the delay is noticeable. I also find the information provided by the prompts to be quite vague, meaning I'm likely to just click through them anyway. I'm not one of those users that pretend they're superior to others and I run anti-virus to protect against most threats. I like the idea of UAC, I just don't like the implementation.

It would also be nice if UAC didn't require a restart to enable / disable. I don't care to know the technical reasons for it but there must be a way to shutdown the necessary components without requiring a full restart.

[Brandon Live Veteran]

Well... in order for them to be saved, they'd need to refuse permissions to an application. So I think they'd know that they denied an application access, and would likely only do that if they thought there was a risk.

A common misconception, but entirely false.

If someone attacks an exploit in Outlook by sending you a mail message that attempts a buffer overflow, and then they are able to inject code into Outlook that tries to modify system files, some or all of their code will fail.

That's because Outlook is already running at the "medium" integrity level (ie. non-admin level), and once Outlook has been started this integrity level cannot be changed. Now, if the code tried to launch something else with admin rights, you might see a dialog come out of nowhere and have to click "no" to be saved. But in many cases the exploit won't do that, or won't be able to do that, and will simply fail.

Even more useful is the existance of the "low" integrity level, which is used by Internet Explorer in Protected Mode, along with other processes like prevhost.exe (which Explorer uses to host previewers that may load untrusted content).

In low-integrity mode, there is no elevation path at all, so they CANNOT make an elevation prompt get displayed*. They're also much, much more restricted, and while an attack could still do harm by reading your data, it could not delete or corrupt anything, even things in your Documents folder and what not.

* = An application, like IE, can actually provide its own mechanism to "elevate" something out of Low IL by using a broker process like ieuser.exe.

[Linkinfamous]

I don't care to know the technical reasons for it but there must be a way to shutdown the necessary components without requiring a full restart.

Every process running has to be restarted to truly disable it. Otherwise, they're still running with a Medium IL.

[Brandon Live Veteran]

It depends on what you mean by "disable." You can effectively disable UAC, but in a much more secure way, by enabling the auto-elevation policy. This still provides the exact same experience for Low IL processes like IE in Protected Mode, prevhost, etc. But it makes elevation from medium -> high IL always automatic if it's asked for.

On the other hand, if you use the checkbox "big switch" method to totally turn off UAC, you have to reboot because it completely changes the way everything in the system works, and every process needs to be restarted with the full user token, instead of the "split token" that UAC provides.

[mad_onion]

brandon, please tell me that auto elevation "silent mode" is going to be made avaliable as an option in the user interface in windows 7.

the biggest problem with UAC in vista isn't the implementation itself but the fact that many people are turing it off because they aren't given the option to turn on silent mode at that point.

[ViperAFK]

I agree that silent mode should be visibly available in the options, or perhaps the "Off" option in windows 7 should be silent mode. A much better alternative to people turning it off.

[bradavon]

I agree that silent mode should be visibly available in the options, or perhaps the "Off" option in windows 7 should be silent mode. A much better alternative to people turning it off.

I completely agree.

It's scary the amount of people (even those working in the IT field) who just turn UAC off without any idea of what it actually controls. The reality is the majority of software will work just fine with UAC in Silent Mode (or fully on) and the user will be none the wiser, and not try to disable it.

[GuJu]

I turned it off the day I installed vista

[Linkinfamous]

I turned it off the day I installed vista

It really is no wonder Windows has such a horrible security reputation that persists even to this day: It seems that a large portion of its user base simply doesn't care about security.

[MasterSasuke]

Like I always say, if the UAC elevation prompts p*ss you off, grab TweakUAC and switch UAC to quiet mode.

where do you ppls find these 1-function apps?

MzVistaforce can do that... and almost everything else...

[edit]

and... I do not see that it offers any security.

UAC on or off, I get no viruses :p (avira antivir)

[bob_c_b]

I'm suprised people take such a simple view of UAC, it is far from just a simple bunch of settings to slow down users. Even more suprising is that anyone turns it off, as the prompts go away once you get your machine set up properly and tweak a few things. Outside of RealTemp and eVGA precision (which I only run once in a while to do spot checks) and the Transcender test engine (which is really a result of the copy protection Transcender uses not being fully tweaked for Vista) I rarely see a UAC prompt. And when I do see one I don't mind taking 5 seconds to think about what I'm doing and what the app is asking to do.

One of the reasons we haven't seen a bunch of security issues with Vista is UAC/Secure Desktop/Broker Processes/Secure Mode IE have made it much harder to script exploits and drive-bys.