JorgeA (Author), posted September 13, 2014

Putting some levity back into the discussion, check out Windows Weekly #373, starting at 1:44:28, where Leo and Paul talk about Steve Ballmer's recent purchase of the NBA team the Los Angeles Clippers, leading to the following exchange:

Leo: Is there any truth rumor that Ballmer is going to rename them to the Clippys?
Paul: Haha, the Clippys. No, but that logo was awesome. You’ve seen the awesome Clippy logo? The Clippys. "It looks like you are trying to play a basketball game. Do you need any help?"

[transcript edited for clarity]

--JorgeA

MagicAndre1981, posted September 13, 2014 (edited)

UAC has nothing to do with being a strong/increased security feature. It is a UX feature.

When you run an action, which requires admin rights, you get an error message (Access denied). So you have to switch to an account which has admin rights and run it again. This is pure horror. UAC helps you here. You can with standard user rights and when you need admin rights you only have to approve them. This is a large UX IMPROVEMENT!

Read my UAC tutorial here on msfn.

Edited September 13, 2014 by MagicAndre1981

JorgeA (Author), posted September 13, 2014

I, too, have doubts about the utility of UAC. Here's my reasoning:

If the user knows "enough" about computing, he will be able to decide for himself whether a program is or is not safe to use -- he doesn't need UAC.

If the user does not know "enough" about computing, he can't determine ahead of time whether a program is safe to use. He will either decline to use a beneficial program for fear of screwing things up, in which case UAC is a hindrance; or he will click "continue" on the UAC prompt anyway, in which case UAC is no help.

The only scenario where I can see UAC serving a useful purpose is if a program were to download itself automatically from a malicious webpage. In such a case, I could understand the user thinking, "Hey, I didn't tell the computer to download anything, what is this???" But AFAIK that's not the way malicious programs install themselves. I can't remember a single instance ever of getting a UAC prompt for a program that I didn't already know I was trying to install.

UAC doesn't provide any security information specific to the program, only a general warning that it might be bad. But the time to research the trustworthiness of a program is BEFORE you download it, not at the point where you are about to install it.

IMHO much preferable is Internet Explorer's SmartScreen filter and the download scans performed by security software. These do perform a useful function. (I also examine the downloaded file with several manual scanners. When downloading I don't click on "Run," only on "Save" unless I trust the source.)

I'm still open, though, to being persuaded as to the usefulness of UAC.

--JorgeA

JorgeA (Author), posted September 13, 2014

> UAC has nothing to do with being a strong/increased security feature. It is a UX feature. When you run an action, which requires admin rights, you get an error message (Access denied). So you have to switch to an account which has admin rights and run it again. This is pure horror. UAC helps you here. You can with standard user rights and when you need admin rights you only have to approve them. This is a large UX IMPROVEMENT! Read my UAC tutorial here on msfn.

I'll look for the tutorial and read it, thanks.

--JorgeA

jaclaz, posted September 13, 2014

@JorgeA
In other words, it is *something* that makes everyone able to do *dangerous* things through an additional click of the mouse.

@MagicAndre1981

> UAC has nothing to do with being a strong/increased security feature.

I am pretty sure you have it right, but you should tell this to the good MS guys:
http://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx

> User Account Control (UAC) is a security component that allows an administrator to enter credentials during a non-administrator's user session to perform occasional administrative tasks. This step-by-step guide provides the instructions that are necessary for using UAC in a test environment. You can use this guide to test how your line-of-business (LOB) applications run in Windows 7 and Windows Vista.

and:

> What is User Account Control?
>
> User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users in Windows Vista), and as administrators without having to switch users, log off, or use Run As. User accounts that are members of the local Administrators group run most applications as a standard user. By separating user and administrator functions, UAC helps users move toward using standard user rights by default.
>
> When an administrator logs on to a computer that is running Windows 7 or Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access. The access control model in earlier Windows operating systems did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as a "silent" installation.)
>
> Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files, and in some instances, become nearly impossible to remove.

At least they call it a "security component" and say that its adoption should help protect the OS from "malicious software".

jaclaz
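
The split-token behaviour described in the TechNet text quoted above can be observed from any PowerShell prompt. The following is an added example, not part of any post in this thread or of Microsoft's guide; the function name Get-UacTokenState is hypothetical, and it relies on the well-known SIDs S-1-5-32-544 (BUILTIN\Administrators) and S-1-16-* (mandatory integrity labels).

```powershell
# Added example: show which of the two UAC access tokens this process holds.
function Get-UacTokenState {
    # /nh drops the localized header row; whoami's column order is fixed.
    $rows = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # The Administrators SID is listed in the token even when it is deny-only.
    $inAdminGroup = [bool]($rows | Where-Object { $_.SID -eq 'S-1-5-32-544' })
    # IsInRole is true only when the group is enabled (the full token).
    $adminEnabled = $principal.IsInRole($adminRole)
    # The integrity label row: Medium for the filtered token, High when elevated.
    $integrity = ($rows | Where-Object { $_.SID -like 'S-1-16-*' }).Name

    $state = if ($adminEnabled) {
        'Full administrator token (elevated, or UAC is off)'
    } elseif ($inAdminGroup) {
        'Filtered token: Administrators present but deny-only'
    } else {
        'Standard user: not a member of Administrators'
    }

    [pscustomobject]@{
        User           = $identity.Name
        IntegrityLabel = $integrity
        InAdminGroup   = $inAdminGroup
        AdminEnabled   = $adminEnabled
        State          = $state
    }
}

Get-UacTokenState | Format-List
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator" under the same account to compare the two tokens.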

TELVM, posted September 13, 2014

> Leo: Is there any truth rumor that Ballmer is going to rename them to the Clippys?
> Paul: Haha, the Clippys. No, but that logo was awesome. You’ve seen the awesome Clippy logo? The Clippys. "It looks like you are trying to play a basketball game. Do you need any help?"

:lol:

NoelC, posted September 14, 2014 (edited)

> UAC has nothing to do with being a strong/increased security feature. It is a UX feature. When you run an action, which requires admin rights, you get an error message (Access denied). So you have to switch to an account which has admin rights and run it again. This is pure horror. UAC helps you here. You can with standard user rights and when you need admin rights you only have to approve them. This is a large UX IMPROVEMENT! Read my UAC tutorial here on msfn.

Sorry Andre, but that's a load of baloney (I was going to use a stronger word).

That whole argument makes the tacit assumption that a user needs to run things as a non-Admin, which in turn implies the user doesn't know what he's running or what he's doing. Baloney!

>When you run an action, which requires admin rights, you get an error message (Access denied)

No, I don't! That's the whole reason for chucking this BS UAC "feature"!

Someone somewhere said it's best to run as a non-privileged user and I guess a whole bunch of sheeple agreed, because it just sounds like a good idea. I have a better idea: Think for yourself!

It's easy to name a small handful of things that will protect a user 1000% better than the status quo. Start with blocking parasite web sites (including ads) with the MVPS hosts file topped with OpenDNS, add a sprinkle of changing IE's promiscuous default configuration by disabling ActiveX from the Internet Zone, throw in a pinch of better anti-malware software as a safety net, research what you're going to run before you run it, and bake it all with a healthy dose of discipline - think first, do second.

A person armed with this strategy and with UAC disabled is FAR less likely to have any problems than someone who blindly thinks they're well-protected by mother UAC, and their system won't keep awkwardly stepping in the way and trying to block what they need it to do.

Jorge has it right - non-technical users just "click through" to run whatever stupidware they've downloaded. So UAC hinders knowledgeable users and irritates non-techies who just proceed to get infected anyway.

-Noel

Edited September 14, 2014 by NoelC

NoelC, posted September 14, 2014

Oh, and I've not even touched on the ridiculousness that is the "file system virtualization" portion of UAC. Where did that data just get written? Most likely not where you think!

GOD, what a strikingly bad idea it is to have the file system magically do something different than specifically what it was told to do!

The whole thing has the feel of "The operation was a great success! But the patient died."

-Noel

MagicAndre1981, posted September 14, 2014

> I, too, have doubts about the utility of UAC. Here's my reasoning: If the user knows "enough" about computing, he will be able to decide for himself whether a program is or is not safe to use -- he doesn't need UAC. If the user does not know "enough" about computing, he can't determine ahead of time whether a program is safe to use.

Again, the UAC is NO block list feature to see which program is safe. Read my guide.

@Noel
Sorry, your post shows you have no idea about anything. And you are a developer? So you don't care about permissions in your tools and write to C:\Program Files?

NoelC, posted September 14, 2014

Andre, your FAQ is a nice little blurb, but we'll have to agree to disagree on this one. I respect your skills, and I don't want to insult you nor get into ad hominem, but we're talking on very different levels here.

Judging from your FAQ you have some technical understanding of UAC, but clearly only a limited idea of the practical issues it causes. You were simply wrong about what it helps with when you wrote:

>And by running with standard user rights UAC also protects you against viruses and Trojans.

Baloney! That's exactly what I've already spoken to in this thread above. It's proven utterly ineffective at that.

For a person who knows what they're doing, running as a non-privileged user is just silly, because all it does is throw up roadblocks to what you need to do. No matter how many permissions you reconfigure or set up to Run As Administrator, you get to places where you're trying to do something (trying to change a file or a registry key or something) and realize you can't get there from here without going back and starting over, which breaks your concentration. I don't need that! I need to keep my mind on the work at hand, and so I choose to disable the "feature" that helps me with NOTHING and only hinders.

I don't know whether you are toeing the Microsoft line for some unspoken reason, but please know that I already had years of professional experience with the DEC operating systems whose architecture ultimately became Windows before you were born. I might just have a perspective on this that you don't.

I have given UAC a proper try with every new OS release. I know that it's better not to paddle against the current. But UAC simply proves itself to be a poor implementation of a questionable idea every time, and this is coming from a person who understands all aspects of Windows security intimately.

And regarding my products, we do exactly what's prescribed to work properly within the constraints of UAC. I can go into more detail about what we do with our installers, manifests, etc. if you'd like. Just because I personally prefer to disable it as a user doesn't mean I write software that requires that. The world is not that simple, my friend.

-Noel

MagicAndre1981, posted September 14, 2014

> For a person who knows what they're doing, running as a non-privileged user is just silly, because all it does is throw up roadblocks to what you need to do.

This argument is silly, not UAC. But I gave it up. I'll stop this discussion. You're not willing to accept valid arguments.

NoelC, posted September 14, 2014

It's probably best to stop. We agree on too many things to let a difference of opinion on this one thing sour things between us.

-Noel

Tripredacus, posted September 15, 2014

I don't understand the complaints about UAC. I have PCs where I both use it and don't use it. Of course the one that I have it disabled is in an isolated network. For all other PCs and Servers, the only thing I change is to disable the screen lockout during the UAC prompt, via the Local Security Policy.
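
The choices argued over in this thread (UAC on or off, the prompt's screen lockout, file system virtualization) are stored as registry values that can be audited across machines. The following PowerShell is an added example, not code from any poster; the function name Get-UacPolicyReport is hypothetical, the defaults shown are assumed to be those of Windows 7 and later client editions, and it assumes the "screen lockout" mentioned above is the secure-desktop policy.

```powershell
# Added example: report the UAC policy values discussed in the thread.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Default = stock value on Windows 7 and later client editions (assumption).
$UacSettings = @(
    @{ Name = 'EnableLUA'; Default = 1
       Meaning = 'Admin Approval Mode (UAC itself); 0 turns UAC off' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 5
       Meaning = 'Prompt style for administrators; 0 elevates silently' }
    @{ Name = 'PromptOnSecureDesktop'; Default = 1
       Meaning = 'Prompt on the secure desktop; 0 uses the normal desktop' }
    @{ Name = 'EnableVirtualization'; Default = 1
       Meaning = 'Redirect failed legacy writes to per-user locations' }
)

function Get-UacPolicyReport {
    # Reading this key does not require elevation.
    $values = Get-ItemProperty -Path $UacKey
    foreach ($s in $UacSettings) {
        $actual = $values.($s.Name)   # $null when the value is absent
        [pscustomobject]@{
            Setting = $s.Name
            Value   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Default = $s.Default
            Changed = ($null -ne $actual) -and ($actual -ne $s.Default)
            Meaning = $s.Meaning
        }
    }
}

Get-UacPolicyReport | Format-Table -AutoSize -Wrap
```

A row with Changed = True marks a machine that departs from the stock configuration, which is the first thing to record when comparing hosts with UAC enabled, relaxed, or disabled.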

NoelC, posted September 15, 2014

You can probably boil the whole debate down to this: Different people expect different things from their systems. Certainly different people DO different things with their systems.

-Noel