• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

The Great UAC Debate!

UAC  

1,263 members have voted

You do not have permission to vote in this poll, or see the poll results. Please sign in or register to vote in this poll.

Recommended Posts

De.Bug    19

UAC still doesn't remove the need for AV software though.

Very true.

Share this post


Link to post
Share on other sites
Brian    67

You can configure the admin approval mode prompt (the prompt given to administrator users) to always ask for credentials if you really want to, but what's the point.

When you say "Unix," I'm going to assume you only mean OS X and the handful of popular Linux distros that come preconfigured with a sudo setup since it's otherwise a meaningless umbrella term for a whole host of OSes which can't be grouped as one.

Anyway, I would speculate that the reason it's configured to prompt for your password there is for security reasons. I suspect the sudo prompts (and whatever frontends exist for them) are not secure and could easily be bypassed. Windows deals with this by prompting on a separate desktop running in a separate session so it can't be manipulated, while OS X and the Linux distros deal with it by prompting for a password. There is also a subtle technical difference in what sudo and Windows do. Sudo substitutes users, in other words runs a program as a separate user. Windows runs the program as the same user but with a different security token.

Ah okay! I can't admit that I've understood it properly before your explanation.

Share this post


Link to post
Share on other sites
hdood    145

Wrong. If you get a virus and you have UAC on your computer will be safe. The virus won't be able to touch your system files or the other accounts on your system. Your account will be attacked by the virus, but any other accounts on the machine will be safe. If you turn UAC off and you get a virus your f*****.

What other accounts? Like most other people I only have one. All my data is accessible from it, as are my programs and the internet. Malware could steal all my files, spy on me, and make me part of a botnet without ever needing administrator access. It could also ride along with a legitimate elevation request and trick me into elevating it. UAC is in no way a substitute for antimalware and common sense.

Share this post


Link to post
Share on other sites
halcyoncmdr    4

Wrong. If you get a virus and you have UAC on your computer will be safe. The virus won't be able to touch your system files or the other accounts on your system. Your account will be attacked by the virus, but any other accounts on the machine will be safe. If you turn UAC off and you get a virus your f*****.

And what happens if you click allow on that UAC prompt when the malware asks for elevation? It then has access to everything it would have had with UAC turned off. UAC is no security feature. Really it is just a means to inform the user when an application is requesting admin access on the system. IF the user allows it access when prompted then there is no real difference than having UAC turned off.

UAC will limit the damage however if you don't allow access, and that alone is the reason it should stay enabled. Even if you know what you are doing, there are other ways to prevent the many UAC prompts from appearing. For example, if copying a bunch of files in Explorer, simply open your explorer windows as an admin, and voila no UAC prompts because they are already running with Admin rights.

Share this post


Link to post
Share on other sites
BeerFan    288

And what happens if you click allow on that UAC prompt when the malware asks for elevation? It then has access to everything it would have had with UAC turned off. UAC is no security feature. Really it is just a means to inform the user when an application is requesting admin access on the system. IF the user allows it access when prompted then there is no real difference than having UAC turned off.

Exactly. All it does it force users to make one extra click. And anyone in IT knows that the general user never reads the information in the prompt; they just click on "OK" and blame IT for the annoyance.

Share this post


Link to post
Share on other sites
Julius Caro    55

Exactly. All it does it force users to make one extra click. And anyone in IT knows that the general user never reads the information in the prompt; they just click on "OK" and blame IT for the annoyance.

That's why the user wouldn't be an admin in the first place.

And without elevation, only user folders are accessible

Share this post


Link to post
Share on other sites
Seizure1990    252

All you have to do is install to a folder other than Program Files, which is protected. No more prompts.

Wait, so you're saying that to keep my system more secure, I should instead install my programs in locations where they AREN'T protected from tampering? That doesn't make sense/defeats the purpose.

Wrong. If you get a virus and you have UAC on your computer will be safe. The virus won't be able to touch your system files or the other accounts on your system. Your account will be attacked by the virus, but any other accounts on the machine will be safe. If you turn UAC off and you get a virus your f*****.

It's a good thing I only silence it, not turn it off.

Share this post


Link to post
Share on other sites
Guest xiphi   

It's a good thing I only silence it, not turn it off.

While it's better to have it silenced rather than turned off, if a virus were to request elevation, it would be granted without your knowledge. Thus, infecting your whole system. IMO, it's better that I'm given the option deny an application access to my system. Although, if you're running as a Standard User on a day-to-day basis, none of that really matters.

Share this post


Link to post
Share on other sites
+Thom Vee    89

Uh, it's not that simple. By that logic, if I were to install CCleaner outside of PF, I'd get no prompts. Which I know would not be true since the program itself specifically asks for elevation.

Correct me if I'm wrong, but it does that because it sometimes has to access system protected folders / files. Other older software (some games in my experience) like to write to the install folder, which is why the prompt appears. All I was suggesting is that if it is software you know will be safe, you can install it to another folder.

Share this post


Link to post
Share on other sites
wds7    0

Exactly. All it does it force users to make one extra click. And anyone in IT knows that the general user never reads the information in the prompt; they just click on "OK" and blame IT for the annoyance.

+1 ...It's there to annoy you ..that's all ."...good-job...on that M$ ..

"That was the first thing i shut-off .."

Share this post


Link to post
Share on other sites
HawkMan    5,232

+1 ...It's there to annoy you ..that's all ."...good-job...on that M$ ..

"That was the first thing i shut-off .."

Good job onb replying to a thread and not reading anything in it, and being another one of those who don't know what UAC is and think it's only the prompt which is only a very small part of UAC.

Share this post


Link to post
Share on other sites
Seizure1990    252

While it's better to have it silenced rather than turned off, if a virus were to request elevation, it would be granted without your knowledge. Thus, infecting your whole system. IMO, it's better that I'm given the option deny an application access to my system. Although, if you're running as a Standard User on a day-to-day basis, none of that really matters.

Erm, I could be wrong, but I don't think the UAC activates for background tasks, only user-activated ones. At least, I can only assume so, seeing as I don't get UAC requests every 5 seconds for every system service or process that happens to go off at any time.

Share this post


Link to post
Share on other sites
ozgeek    157

I have came to find another great use for UAC : Cancelling accidently started installers. I'm a clumsy person and tend to accidently double-click on programs stored on the desktop or starting random games on steam (this is not common just occasional).

Share this post


Link to post
Share on other sites
Seizure1990    252

Doesn't it have an entirely separate dialog for that too, anyways?

Share this post


Link to post
Share on other sites
Richard C.    289

I so rarely use new versions of Windows I have little to say on it, however I like the security that the mac auth option provides a UAC similar option like this:

auth.png

After experiencing it I would support UAC staying in Windows, albeit with a few fixes. (I've heard various reports of some applications being able to hide from UAC in Vista at least, this may have been fixed)

Share this post


Link to post
Share on other sites
Wannes    39

What is silencing UAC? I have it set so it won't dimm my desktop but it's still present.

Share this post


Link to post
Share on other sites
xxtechxx    0

i never disable this feature of windows :)

it very useful.. we can know.. what the programs will be run :D

can prevent from running PUP in background processes

Share this post


Link to post
Share on other sites
Richard C.    289

No-one answered my concern about how in tests some applications have managed to bypass UAC and gain elevated status, have some of the holes which allowed this in Vista been fixed?

Share this post


Link to post
Share on other sites
DaveBG    78

UAC can save your ass from some viruses (basic ones) but will cause you much more personal mental problems. So i prefer it off.

Share this post


Link to post
Share on other sites
cork1958    1,867

The SECOND thing I do with ANY computer I touch is disable this PITA POS "feature"

First thing I do is turn the machine on!!

If nothing else, this thing has helped me wreck more machines than saved me. Get so mad seeing it pop up, especially when on a laptop with out a mouse plugged in, that trying to click continue on it, I have screwed stuff up with those equally as irritating touchpads!

Glad to see that most users here run as admin and have never been saved by this POS, irritating technology!!

Share this post


Link to post
Share on other sites
ITFiend    41

Erm, I could be wrong, but I don't think the UAC activates for background tasks, only user-activated ones. At least, I can only assume so, seeing as I don't get UAC requests every 5 seconds for every system service or process that happens to go off at any time.

You are correct if you mean that background tasks will not active a user UAC prompt. UAC flat out kills those. A great proof of this was psexec. If you wanted to install software silently, running that tool when Vista first came out required you used the true "Administrator" account credentials (UAC disabled by default), disable UAC for all administrators via Group Policy, or just disabled it system wide. Otherwise it went squish due to UAC.

Share this post


Link to post
Share on other sites
ViperAFK    797

You are correct if you mean that background tasks will not active a user UAC prompt. UAC flat out kills those. A great proof of this was psexec. If you wanted to install software silently, running that tool when Vista first came out required you used the true "Administrator" account credentials (UAC disabled by default), disable UAC for all administrators via Group Policy, or just disabled it system wide. Otherwise it went squish due to UAC.

He's sort of right, in that services do not need UAC prompt, but a program has to install the service in the first place which does require a prompt. Programs like steam for example will use a background service, so installing games doesn't require UAC prompt.

Share this post


Link to post
Share on other sites
rafter109    127

I manage a PC repair shop and find that a vast majority of the virus infections we encounter are on XP machines where UAC is not present. On the Vista and 7 machines that do get virus infections, they tend to be less severe. UAC is not a cure-all and was never intended to be. The purpose of UAC is to require user intervention when a program requires access to protected areas (Registry, program files, system files, etc.) The idea behind this is to get the user to stop and verify before allowing the program to run. While I would agree that there are times when UAC becomes obtrusive (you cant directly edit files in protected directories), in general it has become second nature. I have personally had it save me as well. I was checking the news one day and as the ads were rolling over I got a UAC prompt for privilege escalation on a randomly named exe. I was able to use the UAC prompt to stop it and run a full scan with my AV to ensure the virus did not infect my system. All said and done, anyone would be foolish not to use a quality internet security product whether or not you choose to use UAC. I'm sure this will probably start a war with the thrifty among us but free != quality, quite the contrary. None of the free AV products have solid detection and removal records across the multitude of testing labs.

  • Like 1

Share this post


Link to post
Share on other sites
olger901    0

I'm using it on Microsoft Windows 7. Not saying it sacred, but it does provide an additional layer of protection in some cases and doesn't cost that much reasons, so I don't see any reason why it shouldn't be there. In most business I generally configure it to ask for a password additionally, so if a user has local admin rights and forgets to lock his computer that another user can't start any application in Administrator mode without knowing the users password.

Share this post


Link to post
Share on other sites
ITFiend    41

He's sort of right, in that services do not need UAC prompt, but a program has to install the service in the first place which does require a prompt. Programs like steam for example will use a background service, so installing games doesn't require UAC prompt.

Sorry, I phrased that poorly. I was only referring to background processes that execute through an interactive desktop user, not non-interactive system services.

Actually the Steam service only facilitates registry changes without UAC elevation on behalf of a game prior to its first launch, and maybe change some registry ACLS here and there if a game keeps preferences in the system hive (very rare with modern games). It also helps Steam update without UAC elevation. It does nothing else.

Now, far as the file system goes, installing games on Steam does not call on UAC because the Steam client installer alters the ACLS on the Steam directory (defaults to "%ProgramFiles%\Steam" or "%ProgramFiles% (x86)\Steam" based on your Windows architecture). This directory is set so the "Users" group always gets "Full Control" over everything inside. If you strip this ACL away, the Steam client can no longer function for limited users, but if Steam launches as an Administrator it will automatically add the ACL back and then limited users can use it again. (And this is why I slap the Steam directory with harsh AppLocker whitelist only rules; any user and any processes running as a user can insert code into the Steam directory)

At no time does Steam automatically bypass UAC for...

...launching a game.

...third party copy protection activation or deactivation.

...installation of third party redistributions such as PhysX, DirectX, OpenAL, etc.

All of those trigger UAC elevation.

Fun fact: If your logged in as a limited user and Steam calls on UAC elevation during first launch of a game, when you enter your admin credentials everything related to redists as well as the game itself will execute as your admin user. This normally only happens the first time ever you launch that game on that install of Windows. As a side effect, if the game places its save files in the user profile, all saves during that first launch go to the admin directory that UAC authenticated and not your limited user. If you played a lot during that first session, you then have to go find your saved games in that admin profile and transfer it to your limited profile.

UAC becomes much more beneficial if you are using it in conjunction AppLocker policies in Windows 7 or 8, and in Vista if you use the more limited Software Restriction Policies that AppLocker replaces. (Note that home edition of 7 doesn't get AppLocker, and only 8 Enterprise will get AppLocker which is why I've already moved back to using Windows Server as my desktop environment for 2012 Release Preview.)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.