topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 6:45 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Is UAC as bad as I think it is?  (Read 15438 times)

urlwolf

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,837
    • View Profile
    • Donate to Member
Is UAC as bad as I think it is?
« on: June 11, 2009, 06:06 PM »
UAC is "lets give the user Admin rights whenever he asks for it and trust that he will never do anything wrong with it."

This cannot be. It's asking for trouble.

And worse, users will automatize this, and will make no decision (i.e., always allow).

In this sense, it's better to run in admin mode and  be spared the 500 M prompts a day that you endure as a normal user. It feels like you are borrowing your own computer instead of owning it...

Please somebody correct me before I kill UAC forever... or run as admin.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #1 on: June 11, 2009, 06:28 PM »
UAC has been improved in Windows 7 - in Vista it is a royal PITA.

It has been widely said that MS deliberately made Vista UAC a royal PITA deliberately because they were so fed up with the bad security press they were constantly subjected to. By forcing windows to flag UAC prompts constantly they could say 'we warn you of potential security problems' - trouble is many people simply click through without thinking (like you said) or just turn UAC off.

Many of those 'bad press' episodes were orchestrated by Apple but to be fair at least MS issues regular patches and fixes which is more than can be said for Apple. The recent upgrade to Windows Safari 4 dealt with over 50 security exploits, many of which have been known about for months.

The big problem is MS don't know how to do security apps - we have UAC and Windows Defender - neither of which have any real user interface for customising responses to prompts. Then there is the OneCare debacle that rendered systems unusable and suffered such bad press and reputation that they are now axing it altogether.

I'll probably get shot down for saying this but the big problem with all operating system security is the use of C++ as a staple language. How many exploits are because of buffer issues? A strongly typed language with proper error checking would slow systems down a bit but would avoid many of the exploits that still plague every OS.

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #2 on: June 11, 2009, 07:44 PM »
My understanding was that UAC being a PITA was to give developers a wake up call and get them to stop their apps wanting Admin privileges when most never need it.

Which is equally stupid as far as users are concerned but history would seem to show that the only means of getting developers to change their ways are to stop those old ways working. DEP for example would prevent a lot of buffer issues but developers won't stop mixing code with data hence DEP has to be left opt-in by default if those badly written programs are to still work.

NoWhereMan

  • Participant
  • Joined in 2005
  • *
  • default avatar
  • Posts: 23
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #3 on: June 12, 2009, 02:26 AM »
UAC is "lets give the user Admin rights whenever he asks for it and trust that he will never do anything wrong with it."

This cannot be. It's asking for trouble.

how are you supposed to perform administrative tasks, then?

And worse, users will automatize this, and will make no decision (i.e., always allow).

one of the biggest criticism to UAC is that there is no such thing as "always allow". Permission must be always granted

In this sense, it's better to run in admin mode and  be spared the 500 M prompts a day that you endure as a normal user. It feels like you are borrowing your own computer instead of owning it...

Please somebody correct me before I kill UAC forever... or run as admin.

I'm assuming you didn't even try it; UAC is there even when you *are* admin, that's the other criticism. In Vista the default user is an Administrator, but runs at at a lower level of permissions, which is then elevated when required; the elevation requires answering the prompt. There is actually a class of superusers running at the higher level but the account is disabled as a default.

If you are running as a standard user (non-Admin) then the prompt will ask you for an admin password.

In this case, this is nothing different than the superuser password you get in linux or mac.

UAC is much less annoying than you might think, if you stay in your little user-space and don't mess with the file system.
Your world is your user directory \users\youruserid.
Permission will be asked only when changing system settings, or when installing software. And you really don't do that that often.

Oh, and if some of the freeware you love it's asking for an admin password... they're doing it wrong.

In Win7 they introduced a UAC control panel with a "nag" level chooser; the default level provides a whitelist, so common administrative tasks can be performed without asking user for confirmation. There are however some side effects for which I would suggest to raise the bar to the higher level (you'll get the same Vista level); or in alternative, create a second, lower level user and use that for any everyday task (which is what I already do on my Vista -- and something everyone should already do on his/her xp/vista/7)

bye!

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #4 on: June 12, 2009, 03:10 AM »
NoWhereMan- the issue is precisely that it always asks and there are no controls to supress pointless prompts. Consequently users just click Allow when ever it pops up without thinking about it (or else they simply disable it). This totally negates the purpose of UAC because it no longer offers any sort of protection for most users. The same is true of techy firewalls and the average user - constant prompts and questions that the user can't answer without more knowledge means that the firewall is pretty pointless as the only response the user has is OK let it go.

As you say it even happens when you log on as Administrator.

The biggest problem with UAC (and it will still be the same in Win7) is that it is purely a kludge to avoid doing proper user permissions and enforcing them. If MS simply said that the normal user is just that (a user) and that all software should allow 'users' to work without needing extra permissions they could then have a proper admin group without restrictions, and the ability to elevate to admin just as Linux does.

They won't do that because the crappy history of user rights in windows development means that most software would break - hell the fact that you needed to have admin rights to run earlier versions of MS Office says it all.

Having said that the UAC rules in Vista are deliberately stupid. The fact that you need admin rights to even look at device manager (OK if you want to update drivers etc. you should need admin rights but just to look at the current settings shouldn't need access rights).
« Last Edit: June 12, 2009, 03:12 AM by Carol Haynes »

urlwolf

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,837
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #5 on: June 12, 2009, 04:13 AM »
I should add I'm running windows server 2008, that explains some discrepancies. I'm putting my userspace files in a different partition, not on the same one where the OS is (could be part of the problem).

Something that could be done is to set up a timer in which you are admin without more prompts.

Alternatively, one can run one filemanager app always elevated, and use it rarely, only for installs.

Yet another solution: give rwx permissions to your user, recursively, on pretty much every little corner of the filesystem but the most obviously wrong ones. Btw, what a long time it takes to change permissions recursively!

Unix is pretty bad in some aspects, but permissions, they got right. And the ubuntu way of doing things (timed sudo) is pretty good. Not to mention you can have a shell for admin and leave it open in a tab, where it's out of the way... something I couldn't do on console (replacement for cmd.exe).




urlwolf

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,837
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #6 on: June 12, 2009, 06:20 AM »
What would actually be useful is to know WHY the prompt.
Is this installer trying to write to c:\windows? Is it adding something in the registry? What? etc

Right now, when I get a prompt, I'm blind. I just assume it must be ok to accept.

If the thing I'm installing has a big hoking trojan inside, there's no way for me to know that. How is UAC helping with security then? It's just making me exercise my fingers.


f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #7 on: June 12, 2009, 07:19 AM »
UAC is fine, and I don't find it popping up all the time when I'm doing normal stuff. If you get lots of popups, either you're doing stuff wrong or running some very badly-behaved applications... which you should nag the software developers about. For dealing with badly designed apps, you can often amend it by setting some NTFS permissions (yes, obviously regular users don't know about that kind of stuff).

Win7's "improved" UAC is actually a problem since it's a gaping security hole - you need to ramp it back up to Vista level as one of the first things you do after system install.

I do agree that timed elevation would be a nice thing, but "always allow this" or application whitelisting is a really bad idea. Really, developers need to fix their shitty code.

PS: if you open an elevated cmd.exe, applications you start from that should be elevated as well?
- carpe noctem

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #8 on: June 12, 2009, 07:55 AM »
What would actually be useful is to know WHY the prompt.
Is this installer trying to write to c:\windows? Is it adding something in the registry? What? etc

This would only work though if you had to ok every operation, and that wouldn't be fun. As it is one could ok the first innocent looking operation and then all the malicious ones could follow.

now, when I get a prompt, I'm blind. I just assume it must be ok to accept.

If the thing I'm installing has a big hoking trojan inside, there's no way for me to know that. How is UAC helping with security then? It's just making me exercise my fingers.

For me I really see UAC as asking 'Do you trust this app do give it free reign of your system?'. Personally I just not sure how else it could work.



Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #9 on: June 12, 2009, 08:14 AM »
f0dder, any applications started under an elevated profile for one program will launch elevated in their instance. I.E., I launch cmd.exe in elevated mode and I type "mspaint". That launches MSPaint in elevated privellege mode as well.

By the way, am I the only one who doesn't find UAC all that annoying? I actually enjoy having it. While "Allow all" is definitely a no-no, I think NortonUAC is a great addon. I use this and it lets you set an "Allow always" depending on the context in which the program is executed. For example, if I launch procexp from a custom build placed on my desktop in admin mode, I will be able to allow THAT location and that version to run elevated at any time. But, if I place that same file in c:\temp, I am again prompted to confirm that I want to run it. Also, if the file hash changes, I am then re-prompted for elevated rights again

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #10 on: June 12, 2009, 10:03 AM »
I find UAC somewhat annoying when setting up a system right after a fresh installation - but you can just disable it temporarily while doing that (although that might affect the whole shadow copy junk that Vista introduced - that I'm not a fan of). But in daily operation? Nope.

Even though NortonUAC does file hashing (reassuring to hear!) I still don't think it's a super good idea. I can't help but think that
1) it might be exploitable, leading to backdoors.
2) it's probably hooking the system in somewhat shady ways.
- carpe noctem

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #11 on: June 12, 2009, 10:10 AM »
After tinkering with Ubuntu for the past several months, I don't find UAC any more annoying than having to type in a password all the time to "sudo" this or that.

NoWhereMan

  • Participant
  • Joined in 2005
  • *
  • default avatar
  • Posts: 23
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #12 on: June 12, 2009, 01:16 PM »
Having said that the UAC rules in Vista are deliberately stupid. The fact that you need admin rights to even look at device manager (OK if you want to update drivers etc. you should need admin rights but just to look at the current settings shouldn't need access rights).
-Carol Haynes (June 12, 2009, 03:10 AM)

there are indeed some quirks, but, for instance, what you are talking about happens (IIRC) only when you're loggedin as an administrator. as a standard user you can for instance look at the device manager without being asked for a password (unless you decide to modify some settings).

here, I've just typed in "device manager" I just get this message, http://i41.tinypic.com/2l9rw48.jpg and the the panel pops up as usual.

Something that could be done is to set up a timer in which you are admin without more prompts.

you can't. otherwise malicious software might launch a trusted program, requiring elevation. You would then get an "elevated permission" cookie for enough time to let the malicious program to perform an administrative tasks without asking again for your consent.


Unix is pretty bad in some aspects, but permissions, they got right. And the ubuntu way of doing things (timed sudo) is pretty good.

no it's not. On Ubuntu you might feel secure since there is almost no real treat, but on windows the time frame might be well exploited as I explained above.

After tinkering with Ubuntu for the past several months, I don't find UAC any more annoying than having to type in a password all the time to "sudo" this or that.
exactly my feeling
« Last Edit: June 12, 2009, 01:21 PM by NoWhereMan »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #13 on: June 12, 2009, 01:30 PM »
Something that could be done is to set up a timer in which you are admin without more prompts.
you can't. otherwise malicious software might launch a trusted program, requiring elevation. You would then get an "elevated permission" cookie for enough time to let the malicious program to perform an administrative tasks without asking again for your consent.
Pretty good point, embarrassing I hadn't thought about that :-[
- carpe noctem

dhuser

  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 96
  • King Dogbert
    • View Profile
    • StumbleUpon Profile
    • Read more about this member.
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #14 on: June 13, 2009, 02:03 PM »
Long Zheng recently demonstrated a vulnerability with auto-elevation with UAC in Windows 7. Here he also gives a  video demo of it.
http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/

Microsoft is yet to admit that the vulnerability exists. It looks like it might come down to user pressure to get Microsoft to fix this issue.
My StumbleUpon Profile
Imagine.Explore.Create!

NoWhereMan

  • Participant
  • Joined in 2005
  • *
  • default avatar
  • Posts: 23
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #15 on: June 13, 2009, 02:20 PM »
Long Zheng recently demonstrated a vulnerability with auto-elevation with UAC in Windows 7. Here he also gives a  video demo of it.
http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/

Microsoft is yet to admit that the vulnerability exists. It looks like it might come down to user pressure to get Microsoft to fix this issue.


problem is that fixing is not trivial.

by the way, setting UAC to vista-like level  (or running with a standard user) makes the treat nonexistent.

urlwolf

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,837
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #16 on: June 13, 2009, 02:28 PM »
So in any case, what is worse, to switch off UAC or to run as admin?

urlwolf

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,837
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #17 on: June 13, 2009, 02:56 PM »
I just tried to switch off UAC temporarily on windows server 2008 to see how life is.

It turns out that your user will not be able to do any system changes, not even optionally. If I want to change PATH or any system variable, the button is grayed out.
Since there's no sudo, I'd have to log off, log on as admin do the changes, and log in as my user again. It takes several seconds. This is a no go...

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #18 on: June 13, 2009, 03:55 PM »
Can't you use run as admin?

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
    • View Profile
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #19 on: June 13, 2009, 05:06 PM »
Can't you use run as admin?

-Carol Haynes (June 13, 2009, 03:55 PM)

Works fine for me on almost every occasion. I have no reason to run as an administrator which saves me a lot of headaches. Run as administrator is a great tool and for those files which arent directly executable I can use the command prompt with the "runas /user" command.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Is UAC as bad as I think it is?
« Reply #20 on: June 14, 2009, 09:38 AM »
So in any case, what is worse, to switch off UAC or to run as admin?
Both options are pretty silly when UAC is available :)
- carpe noctem