UAC: Don't be part of the problem
-
Yeah, it's wireless and I need to run their connection program.
Christian Graus - Microsoft MVP - C++ Metal Musings - Rex and my new metal blog "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
Ah, see? If your ISP would've listened to Ian, they would've developed their software to run under a limited account. ;P That really stinks, though. Can you run the process as admin? I do that under my limited account in XP when some apps do dumb things like write to protected locations at runtime.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Judah Himango wrote:
But now that home users have non-admin accounts by default
Actually, users STILL have admin accounts by default. The default Vista account is an admin account. You only get a standard user account if you explicitly create one. Yes, even after all of the hype.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
Richie308 wrote:
The default Vista account is an admin account.
“In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type....
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Vikram A Punathambekar wrote:
although George Bush may have said that as well
He probably said it for stategery reasons. ;)
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
The reason that Microsoft made home users Admins is historical. Before Windows XP was released, all home users used Windows 9x/Me--operating systems that basically ran on top of MS-DOS and had absolutely no security at all. Most early OEM Windows XP installations also had their hard drives formatted with FAT32, not NTFS which is necessary for file security. So that old Windows 9x/Me and MS-DOS software had to run on Windows XP home or people would not have upgraded to it. Also for YEARS software had to be designed to run on both Windows 9x and Windows XP (Really Windows NT 5.1). And also, for YEARS, many IT departments also continued to use Windows 98 because the hardware for Windows XP was just too expensive. But I do blame Microsoft for rushing Vista out the door with a poorly implemented and tested UAC. Beta testers screamed when it was introduced near the end of the beta without time for proper testing. But they had promised Wall Street and the OEMs that Vista would ship. Major, major design mistakes made Vista late. The first was the attempt to base the file system on SQL. That caused the reset when they had to start over. Another was all of effort that went into AERO at the expense of security. Thankfully many of the people who pushed form over function are no longer part of Microsoft.
Herbert N Swearengen III
hswear3 wrote:
The reason that Microsoft made home users Admins is historical.
I know, it's also exactly why the blame rests with Microsoft. The Unix permission system existed 30 years ago, so Microsoft can't claim they had no basis for comparison. They simply chose to build a system without permissions or security at all. I do agree that developers SHOULD be testing their applications on non-Admin accounts, and always should have been; but the culture of always having admin rights started with Microsoft. That's all I was saying :)
Cheers, Patrick
-
The reason that Microsoft made home users Admins is historical. Before Windows XP was released, all home users used Windows 9x/Me--operating systems that basically ran on top of MS-DOS and had absolutely no security at all. Most early OEM Windows XP installations also had their hard drives formatted with FAT32, not NTFS which is necessary for file security. So that old Windows 9x/Me and MS-DOS software had to run on Windows XP home or people would not have upgraded to it. Also for YEARS software had to be designed to run on both Windows 9x and Windows XP (Really Windows NT 5.1). And also, for YEARS, many IT departments also continued to use Windows 98 because the hardware for Windows XP was just too expensive. But I do blame Microsoft for rushing Vista out the door with a poorly implemented and tested UAC. Beta testers screamed when it was introduced near the end of the beta without time for proper testing. But they had promised Wall Street and the OEMs that Vista would ship. Major, major design mistakes made Vista late. The first was the attempt to base the file system on SQL. That caused the reset when they had to start over. Another was all of effort that went into AERO at the expense of security. Thankfully many of the people who pushed form over function are no longer part of Microsoft.
Herbert N Swearengen III
Good points, thanks Herbert.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
"On UNIX, you’d be considered nuts if you ran as root all the time." I think I'll have that put up on my wall -- in foot-high letters, painted in blood.
-
Richie308 wrote:
The default Vista account is an admin account.
“In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type....
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
The built-in Administrator account is disabled by default, but I'm speaking as one who has installed and uses Vista Ultimate. The account that it creates for you after installation is an admin account. You are still required to answer UAC prompts, but the prompts do not require a password, they only require you to click "Yes". This quote is directly from the Vista Help and Support: When you set up Windows, you'll be required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you would like to use. Once you have finished setting up your computer, we recommend that you use a standard user account for your day-to-day computing. It's more secure to use a standard user account instead of an administrator account.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
-
The built-in Administrator account is disabled by default, but I'm speaking as one who has installed and uses Vista Ultimate. The account that it creates for you after installation is an admin account. You are still required to answer UAC prompts, but the prompts do not require a password, they only require you to click "Yes". This quote is directly from the Vista Help and Support: When you set up Windows, you'll be required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you would like to use. Once you have finished setting up your computer, we recommend that you use a standard user account for your day-to-day computing. It's more secure to use a standard user account instead of an administrator account.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
Ah, now I understand; chicken and egg problem if you don't start out with an admin account. So it's an account used for creating other accounts. And when you create other accounts, they're standard users by default; that accomplishes almost the same thing, since virtually every machine I've been on has multiple users.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
"On UNIX, you’d be considered nuts if you ran as root all the time." I think I'll have that put up on my wall -- in foot-high letters, painted in blood.
:-D
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Ah, now I understand; chicken and egg problem if you don't start out with an admin account. So it's an account used for creating other accounts. And when you create other accounts, they're standard users by default; that accomplishes almost the same thing, since virtually every machine I've been on has multiple users.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
Sort of. There is an "Admin" account that works like in XP and previous and starts every app with admin privileges, but it's hidden and not available by default. The difference in vista UAC between a normal account and an "administrator" account is that the normal user needs to enter the password of an admin account to run an app with admin privileges or to clear other UAC prompts. The "administrator" account type only requires clicking yes, no password is needed but all your apps still run with regular user privileges by default.
-- You have to explain to them [VB coders] what you mean by "typed". their first response is likely to be something like, "Of course my code is typed. Do you think i magically project it onto the screen with the power of my mind?" --- John Simmons / outlaw programmer
-
Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT. I am getting pretty alienated with M'soft forgetting that fact, and thinking the whole darn thing belongs to them and the friggen OS. Perfect example: I left my w/s running last night as I was late getting out of the office. When I came in today, windows update decided it just "HAD" to reboot my w/s .... My Gawd! Os-es-interruptus is getting too much in the way.... What I want is an application shipped from m'soft to protect me from *them* more than I'm worried about a program I purchased and *want* to use running at some so-called "admin level." This appliance is supposed to be a tool from which I benefit by use of, not some extension of some over hardened security dink that thinks they have any right to determine what I should allowed to do with MY GEAR without needing some "special permission" to do so....Come on, don't be so quick to buy the m'soft party line on this stuff.....They have lost their way....The more power ballman gets, the worse that company gets.....
Just trying to keep the forces of entropy at bay
RedZenBird wrote:
windows update decided it just "HAD" to reboot my w/s
Actually that's a setting that *you* approved of when you installed either XP SP2, or Vista. Remember that "get updates automatically" prompt? Probably not, most people just {click}{click}{click} their way through setups without actually reading what they're approving. Go into the Control Panel, open up the security center portion and change the setting from "Install updates automatically" to "Download updates but let me choose whether to install them". Yes you'll get a small balloon that says updates are available for install, but hey, at least you won't loose any work you didn't save prior to walking away from your computer.
Mike Poz
-
Excellent indeed, but there is one thing I need to add to this. I noticed that windows acts really weird with UAC turned off. Sometimes you get unexplainable errors. I had this with VS2005, copying files to the program files directory and more stuff. After turning on UAC again and right-clicking run as administrator solved the problem. So don't turn it off, it gives you a bigger headache then when you leave it on.
WM. What about weapons of mass-construction? "What? Its an Apple MacBook Pro. They are sexy!" - Paul Watson
-
Programit wrote:
Microsofts BIG security fix for windows - Annoy the users and blame the developers!
You're insane. Users running as non-admins is a big security boon. And MS is not blaming the developers -- Ian Griffiths does not work for Microsoft. But he's right nonetheless; devs should be building software that runs on non-admin accounts.
Programit wrote:
Linux can, Apple can
Both of those operating systems run users in non-admin mode. UAC is a way to help users and developers ween off the admin mode that's been prevalent for the last 10 years on Windows.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
UAC, in its implimintation, IS the biggest security vulnerability because it endlessly pops up useless messages, that 90% of end users ignore! Just hit okay and continue! - No one takes any notice, its just an annoyance that people who know how to, just turn off! IF microsoft was ever to get serious about security, then simply lock out the admin access to general users. Bad luck that 95% of all software won't run. Developers would soon then rewrite software to be secure and compatable because they'd have to if they stick with MS. In a couple of years Windows could then be a semi secure system. - It'll never happen! MS won't do this because it would mean they didn't make countless billions off insecure software. Linux and apple got it right, microsoft won't. "Vista - the WOE starts now!"
-
Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT. I am getting pretty alienated with M'soft forgetting that fact, and thinking the whole darn thing belongs to them and the friggen OS. Perfect example: I left my w/s running last night as I was late getting out of the office. When I came in today, windows update decided it just "HAD" to reboot my w/s .... My Gawd! Os-es-interruptus is getting too much in the way.... What I want is an application shipped from m'soft to protect me from *them* more than I'm worried about a program I purchased and *want* to use running at some so-called "admin level." This appliance is supposed to be a tool from which I benefit by use of, not some extension of some over hardened security dink that thinks they have any right to determine what I should allowed to do with MY GEAR without needing some "special permission" to do so....Come on, don't be so quick to buy the m'soft party line on this stuff.....They have lost their way....The more power ballman gets, the worse that company gets.....
Just trying to keep the forces of entropy at bay
I fully agree with you. Since Microsofts started using malware and virus type intervention with updates hiding programs and their "genuine advantage" fiasco marking 6 of 18 work machines as non-genuine, I have ALL automatic updates turned off on all computers. I then select the ones I want, if any, have a lot less issues. We removed Vista from all new business machines and loaded XP (and a couple of Ubuntus-hooray!) and have no problems now! My Personal machine runs full admin in vista (Hidden admin account[^]) I have a lot of compatability issues - but thats Vista in general - but no security problems. (I still run XP 95% of the time - it works and is far better for development.)
-
Yes, the OS is interrupting. Reason? Software that you and me write is doing potentially dangerous things when it doesn't need to be. The point? Write software that doesn't require admin privileges. It's safer for users to run as non-admins; so let's not continue the unfortunate habit of writing software the requires admin privileges when it doesn't really need it. Honestly, it's not that hard.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
You missed my point....the point is: That 99.999% of the users don't care for all this hogwash. They just want the darned thing to work, and to do what they want it to do....all these goofy messages only "alarm the user" and these notices are terroristic in nature; they just freak the user out and don't help a ding-dang thing.....And what in the world is a "potentially dangerous" thing? For goodness sake, the pc is not a freaking explosive device. If an app I write crashes, because it can't do what it wants, then that is that, but "dangerous" gads! I don't buy it....this is just another attempt at the monopolistic empire that m'soft has become to garner more control....it echoes the worst of the modern facism.....as in: "Hey if we can't convince them with facts, then we'll resort to fear...." What is hard is to keep the world a sensible place....I mean, I don't run the friggen world bank on my pc; so who cares if I want to run at admin level? Now I can't even directly twiddle bits on the parallel port anymore because m'soft doesn't trust me to talk to the hardware without writing a bazillion lines of code? the whole industry has gotten jacked by large corporate and govt interests, they are the only ones that care about all this security nonsense.....most folks just want to have fun; but I'll wager in the near future there will be a message box from the OS that says: "Warning you are about to enjoy your PC again. Continue? [yes] [no] [abort] " I think it is getting high time for some embedded programming again, where my code is in control of every register, can access anything in the hardware it wants to and is as "dangerous" as I want it to be .... phhhhhhhttt
Just trying to keep the forces of entropy at bay
-
I fully agree with you. Since Microsofts started using malware and virus type intervention with updates hiding programs and their "genuine advantage" fiasco marking 6 of 18 work machines as non-genuine, I have ALL automatic updates turned off on all computers. I then select the ones I want, if any, have a lot less issues. We removed Vista from all new business machines and loaded XP (and a couple of Ubuntus-hooray!) and have no problems now! My Personal machine runs full admin in vista (Hidden admin account[^]) I have a lot of compatability issues - but thats Vista in general - but no security problems. (I still run XP 95% of the time - it works and is far better for development.)
Glad to know I am not alone here.....My theory: Auto Update is a crafty and insidious mechanism that is designed to slowly trash the OS you have all the way to the point that you have to buy a new one just to get all the cruft out of the way ....as in: let's just keep futzing with the files there until the whole thing is a snarl, then they'll have to get a new one just so that the stuff that used to work before we started 'fixing it' will work again....
Just trying to keep the forces of entropy at bay
-
Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT. I am getting pretty alienated with M'soft forgetting that fact, and thinking the whole darn thing belongs to them and the friggen OS. Perfect example: I left my w/s running last night as I was late getting out of the office. When I came in today, windows update decided it just "HAD" to reboot my w/s .... My Gawd! Os-es-interruptus is getting too much in the way.... What I want is an application shipped from m'soft to protect me from *them* more than I'm worried about a program I purchased and *want* to use running at some so-called "admin level." This appliance is supposed to be a tool from which I benefit by use of, not some extension of some over hardened security dink that thinks they have any right to determine what I should allowed to do with MY GEAR without needing some "special permission" to do so....Come on, don't be so quick to buy the m'soft party line on this stuff.....They have lost their way....The more power ballman gets, the worse that company gets.....
Just trying to keep the forces of entropy at bay
"Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT." Truer words were never spoken, absolutely spot on mate. I'm sick and tired of Microsoft telling me what I can and can't do. I've spent a lot of time & money on MY computer, and Microsoft just want to put obstacles (and UAC is just one big annoying obstacle) in my way. Enough. Guess what? Vista will suffer from malware and viruses and badly written software exactly as much as any other operating system on the planet (written by Microsoft). UAC doesn't solve anything, except to annoy experienced users and freak out inexperienced ones. Granted, there are SOME aspects of it which are good - but *only* the transparent parts. Anything that pops up several frigging dialogs every time I try and run a program will cause far more problems than it potentially solves.
-
UAC, in its implimintation, IS the biggest security vulnerability because it endlessly pops up useless messages, that 90% of end users ignore! Just hit okay and continue! - No one takes any notice, its just an annoyance that people who know how to, just turn off! IF microsoft was ever to get serious about security, then simply lock out the admin access to general users. Bad luck that 95% of all software won't run. Developers would soon then rewrite software to be secure and compatable because they'd have to if they stick with MS. In a couple of years Windows could then be a semi secure system. - It'll never happen! MS won't do this because it would mean they didn't make countless billions off insecure software. Linux and apple got it right, microsoft won't. "Vista - the WOE starts now!"
Programit wrote:
UAC, in its implimintation, IS the biggest security vulnerability because it endlessly pops up useless messages, that 90% of end users ignore!
That's a non-sequitur. Even if 90% of users ignore it, as you say, that's 10% better security than XP. But you're missing the point: developers will get feedback from their users/managers, "why the hell is your app asking for permission all the time?!" Developers will then make their software run without admin rights -- somethign we should already be doing. (That was the point of the article.) Thus, UAC will pop up less and less, and security will get better and better since fewer users will be running as admin.
Programit wrote:
Bad luck that 95% of all software won't run.
Exactly. UAC is forcing developers to change that.
Programit wrote:
In a couple of years Windows could then be a semi secure system. - It'll never happen!
You'd fit in at Slashdot perfectly.
Programit wrote:
MS won't do this because it would mean they didn't make countless billions off insecure software.
Insecure software costs MS billions. They've been sued over security vulnerabilities; they devout developer time and effort (which also costs money) into releasing security fixes for Windows, Office, and other MS software. If MS wasn't serious about fixing security, they would've let users continue running as admins. The only folks making money off of insecure software are the security vendors like Symantec and MacAfee.
Programit wrote:
Linux and apple got it right, microsoft won't. "Vista - the WOE starts now!"
:laugh: I haven't heard insane crap like that since I was an immature slashdotter anti-Microsoft, Linux fanboy, spelling Microsoft with a cash symbol. Ah, those were the days of ignorance and insanity. Thanks for the laugh.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
You missed my point....the point is: That 99.999% of the users don't care for all this hogwash. They just want the darned thing to work, and to do what they want it to do....all these goofy messages only "alarm the user" and these notices are terroristic in nature; they just freak the user out and don't help a ding-dang thing.....And what in the world is a "potentially dangerous" thing? For goodness sake, the pc is not a freaking explosive device. If an app I write crashes, because it can't do what it wants, then that is that, but "dangerous" gads! I don't buy it....this is just another attempt at the monopolistic empire that m'soft has become to garner more control....it echoes the worst of the modern facism.....as in: "Hey if we can't convince them with facts, then we'll resort to fear...." What is hard is to keep the world a sensible place....I mean, I don't run the friggen world bank on my pc; so who cares if I want to run at admin level? Now I can't even directly twiddle bits on the parallel port anymore because m'soft doesn't trust me to talk to the hardware without writing a bazillion lines of code? the whole industry has gotten jacked by large corporate and govt interests, they are the only ones that care about all this security nonsense.....most folks just want to have fun; but I'll wager in the near future there will be a message box from the OS that says: "Warning you are about to enjoy your PC again. Continue? [yes] [no] [abort] " I think it is getting high time for some embedded programming again, where my code is in control of every register, can access anything in the hardware it wants to and is as "dangerous" as I want it to be .... phhhhhhhttt
Just trying to keep the forces of entropy at bay
RedZenBird wrote:
That 99.999% of the users don't care for all this hogwash.
They do care about spyware and viruses, which are propagated more easily when the user runs as admin.
RedZenBird wrote:
They just want the darned thing to work, and to do what they want it to do
Another purpose of UAC - now that developers realize they're writing software that requires admin rights, they'll change it. I can picture it now, "why is your program keep asking me for permission?!" The devs will turn around and fix that.
RedZenBird wrote:
And what in the world is a "potentially dangerous" thing?
Writing to protected locations like c:\windows. Trying to delete a system file. Writing to protected registry locations. These things are bad practices to begin with, but are dangerous because they can make the machine unstable.
RedZenBird wrote:
I don't buy it....this is just another attempt at the monopolistic empire that m'soft has become to garner more control
:laugh: You're on the wrong site: for insane, childish, anti-MS bunk, please go to this site[^].
RedZenBird wrote:
who cares if I want to run at admin level
Go ahead. The point of the article is not to "never run as admin", but rather, stop writing software that needlessly requires admin rights. It's bad for security. That said, you'd be insane to run as root on Mac and Unix-based OSes for the same reason you shouldn't run as admin on Windows.
RedZenBird wrote:
Now I can't even directly twiddle bits on the parallel port anymore because m'soft doesn't trust me to talk to the hardware without writing a bazillion lines of code?
:laugh: A bazillion? I've heard more convincing arguments from my 7 year old.
RedZenBird wrote:
the whole industry has gotten jacked by large corporate and govt interests
Thank you, Agent Mulder. Remember, don't give in to the conspiracy! The truth is out there! :~
RedZenBird wrote:
they are the only ones that care about all this security nonsense
I'd laug
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
I've been living under a large rock (of Java) for a few years. However I read this thread (and the article referenced) and grasped some key concepts of security on Vista without pain. Glad I did, cheers. It would be sane to also lower the default access privileges in our real-world society - I can't believe most people are allowed to drive. Seriously, there's a big proportion who can't cope with roundabouts. Giving Joe Public an admin account is like arming kids with real weapons for a game of 'reality paintball Quake 2007'. In my mind, anyway. :-)
'All there really is, is: virute and vice' ...Black Crowes
