USER Account Control… but I’m an ADMIN!

re: USER Account Control… but I’m an ADMIN!

Robert — Sat, 04 Dec 2010 23:08:16 GMT

I enjoyed reading this, I sort of already had this idea but it wasn't something which I knew for certain. Now I realize that UAC isn't just a nusance but actually a capable, handy feature which allows you to stay logged in as a user without compromising pc security nor program compatibility.

re: USER Account Control… but I’m an ADMIN!

Paul Adams MSFT — Sun, 08 Aug 2010 06:21:43 GMT

In my blogs I try to clearly distinguish between that which is fact and that which is opinion, as there are many different "best" ways to achieve something depending on a number of variables.

The purpose of UAC has been described as "user awareness" and "convenience", and incorrectly at times as "security":

1. It lets non-admins run legacy or poorly-designed applications that would normally get "access denied" - virtualization

2. It lets all users be aware when an application is recognised as requiring admin privileges at launch - OTS prompt

3. Makes the default behaviour of launching a process for admins the same as users - Protected Admin

I distinguish between my daily use of a computer and infrequent administrative tasks I want to perform, by using separate user accounts with the relevant privileges and permissions.

If an application triggers an OTS prompt when I run as a standard user, I would log on as the admin user to find out what permissions it "requires" and then grant those permissions to the Users group and shim the application using ACT.

I would not run the application as the admin user, elevated - i.e. "Run As".

This also avoids the problem you mention about settings being configured for the wrong (admin) users per application, as I run only ever run applications as a user, and administer the system as an admin.

So for me, "best" is "more secure" - not using (or even being granted) more privileges or permissions that are needed to do the job at hand.

I feel am getting the best features UAC provides a standard user through virtualization and the presence of the OTS prompt, which then prompts me to address why the OTS prompt is appearing rather than simply accept it.

As UAC is not a security feature, relying on it as such and wanting it be as configurable as possible (whilst remaining "secure") is going to lead to disappointment.

The mention of the piggybacking the OTS prompt as an admin to elevate a process is an example of how responding to "there are too many popups" leading to a design change can introduce side effects, so being able to further configure the details of its behaviour would, in my opinion, be bad.

To cite an early line in my blog again:

"If too many prompts are being thrown, look at what you are doing and why (if!) the application needs administrative access."

Investigating the cause of a specific issue and using a surgical fix to address it is much better then using a sledgehammer approach which, while solving it, adds a lot more potential for harm.

See Mark Russinovich's "Inside Windows 7 User Account Control" article from July 2009 for a very good analysis, his method of explanation is much better than mine:

technet.microsoft.com/.../2009.07.uac.aspx

Jim Allchin is referenced by Mark too, in his blog entry "Security Features vs. Convenience":

windowsteamblog.com/.../security-features-vs-convenience.aspx

re: USER Account Control… but I’m an ADMIN!

André — Sat, 07 Aug 2010 15:02:13 GMT

Hi Paul,

what you do is losing the best UAC improvement, having 2 tokens. In your case the UAC acts like RunAs service. This is bad and causes lot of bugs (settings are configured for the admin, but not for the current user).

Better: Setup creates 2 Users (Admin and standarduser), the user get a new membership (LUAEnhancer group, where you also get the 2 tokens). So people have the same comfortability like the when they are in the admin group when UAC is on, but the see that they are STANDARD users. Next, with this you can control which users can have the UAC enhancements. Currently you can only turn UAC on or Off. This is stupid and bad. 3rd, the UI must be coded better. Setting of the personalization trigger incorrectly an UAC prompt, because the Dialog is next to setting which belong to the system settings.

I'm using the default config but set the UAC slider to highest to get the Vista level back, which his much more secure, than the default crap setting in Windows 7, which can be by-passed (www.pretentiousname.com/.../win7_uac_whitelist2.html). I'm using the task scheduler as woraround to start program with elevated rights at startup.

André

re: USER Account Control… but I’m an ADMIN!

Paul Adams MSFT — Sat, 07 Aug 2010 06:45:46 GMT

UAC could be considered a half-way house to getting users to be users - letting them logon as Administrators but be treated as Users.

The mistake of making the first user a member of Administrators was made a long time ago and I'm sure is not trivial to undo.

I log onto my home machine as a standard user and when UAC pops up I have to enter the credentials of an administrator, UAC has been left at the default.

Some modern apps still trigger OTS prompts, so we still have a way to go before developers will not assume the user has admin privileges.

UAC needed to be opaque in terms of its presence (popups) but as transparent as possible in its behaviour (it does not PREVENT things from happening, it just ALERTS the user).

Removing admin rights from users that have enjoyed or expected them for years would have a much bigger impact, and John Q User is probably not ready to have 2 sets of logon credentials and understand when to use them.

Me, I'm just glad I wasn't on the team designing UAC, that must have been one heated debate :)

re: USER Account Control… but I’m an ADMIN!

André — Fri, 06 Aug 2010 23:11:16 GMT

It was the mistake to leave the user in the admin group. The people only look at which group they are.

next, the documentation is too complicated for the average joe.

User Account Control explained really well

simonmay — Fri, 06 Aug 2010 08:33:52 GMT

I was just browsing around on TechNet for info and came across Paul Addams blog and a post about UAC