Windows Vista: When you should use UAC - Overclock.net

pauldovi · 04-10-08

I hear a lot of people complaining about UAC and I really cannot figure out why. User Account Control was designed to allow for the system administrator to also be the primary user of the computer without degrading the security of the system.

You should have an elevated "Administrator" account on your computer as well as a limited general use account on your computer. Not doing this is poor security habits and opens your computer up to all sorts of vulnerabilities. We all know we should do this... but how many actually do?

User Account Control offers an alternative to having multiple accounts with different system privileges. UAC allows you to safely use an administrator account for every day activities.

So when should you use UAC? When you use your administrator account as your primary account, which is something the vast majority of users do.

When don't you need to use it (but you still should)? If your primary user account is a restricted account, without administrator privledges.

I am tired of people complaining about UAC. It is not that pertrusive, especially once your have your system configured.

One example of UAC in action:

Teamspeak can bind a keyboard settings to ignite voice communications. Unless teamspeak is in your primary and visible window, UAC will not allow teamspeak access to input / output data, unless you run it as an administrator. What does this protect against? Key loggers! You must intentionally set TeamSpeak as an elevated application in order for it to have access to keystroke data. This is excellent!

What actions trigger UAC:

Quote:

Right-clicking an application's icon and clicking "Run as administrator"
Changes to files or folders in %SystemRoot% or %ProgramFiles%
Installing and uninstalling applications
Installing device drivers
Installing ActiveX controls
Changing settings for Windows Firewall
Changing UAC settings
Configuring Windows Update
Adding or removing user accounts
Changing a user’s account type
Configuring Parental Controls
Running Task Scheduler
Restoring backed-up system files
Viewing or changing another user’s folders and files
Repairing a network connection (requesting a new IP address)

If you have Windows Vista Business or Ultimate, you have configure specific settings of UAC:

Quote:

UAC can be configured via security settings (secpol.msc), though this is only available for the business and ultimate editions. All configuration items are prefixed with “User Account Control”.

Behaviour of the elevation prompt for administrators in admin approval mode.
- Turn off UAC (no prompt).
- Prompt for consent (default).
- Prompt for credentials.
Behaviour of the elevation prompt for standard users.
This settings determines what happens if you run as a standard user and start a program that needs administrator rights (for the cases UAC can determine admin rights are required e.g. does not work for MMC snapins).
- No prompt: fail and do not start the program if it required admin rights.
- Prompt for credentials (default).
Admin approval mode for the built-in administrator account.
This setting can be used to disable UAC for the built-in Administrator account (however, this account is disabled by default in Windows Vista).
- Enable (default)
- Disable
Detect application installations and prompt for elevation.
Windows by default uses some heuristics to determine if an EXE is an installer (which most likely requires elevation)
- Enable (default)
- Disable
Switch to the secure desktop when prompting for elevation.
- Enable (default)
- Disable
Only execute executables that are signed and validated.
If enabled an additional check is done after the elevation prompt. If the EXE is not signed the EXE will not be started.
- Enable
- Disable (default)
Virtualize file and registry write failures to per-user locations
- Enable (default)
- Disable
Run all administrators in Admin Approval Mode.
To switch off UAC set this setting to disabled and reboot. All UAC behavior will be disabled, including file and registry virtualization.
- Enable (default)
- Disable

http://en.wikipedia.org/wiki/User_Account_Control

The Hundred Gunner · 04-10-08

Interesting. Is there any way to disable SOME of its features and have others continue?

For example: can I set it to blacklist (or whitelist, rather, depending on how you look at it) certain programs? Like can I set it to always allow Fraps? Because I heard it's supposed to "learn" after time, but it never learned that I'm always going to start Fraps when I turn on my computer...

And can I have it stop asking me to run every damned program but still keep other protection without turning the whole entire thing off?

If it was answered, I posted because some of that stuff in the quote list I don't understand.

pauldovi · 04-10-08

Quote:

Originally Posted by The Hundred Gunner

Interesting. Is there any way to disable SOME of its features and have others continue?

For example: can I set it to blacklist (or whitelist, rather, depending on how you look at it) certain programs? Like can I set it to always allow Fraps? Because I heard it's supposed to "learn" after time, but it never learned that I'm always going to start Fraps when I turn on my computer...

And can I have it stop asking me to run every damned program but still keep other protection without turning the whole entire thing off?

If it was answered, I posted because some of that stuff in the quote list I don't understand.

If you have Vista Business or Ultimate I believe you have more control over how UAC works, I have played with it a bit, but the options are extensive. I am not sure to what extend you can change things.

I also experience what you do with it asking me for permission to something I repetitively grant permission. Like RivaTuner, which is part of my startup registry. I see no obvious work around for this.

Puscifer · 04-10-08

Still seems pointless to me. Its wonderful for people who do alot of clicking where they shouldn't be but if you know what you're doing your security should be tight enough that you don't need UAC. I don't use teamspeak (or even know what it is) so that scenario you brought up means nothing to me. And as for it not being intrusive....I disagree. Its by far the most annoying thing my computer has ever done. Way more annoying than when games ask you 12 times if you're "sure you want to quit". I've never had it on on this comp and never encountered any problems or been hacked or anything, hell I don't even have any spyware. Nice UAC guide though, but mines still staying off.

The Hundred Gunner · 04-10-08

Quote:

Originally Posted by Puscifer

Still seems pointless to me. Its wonderful for people who do alot of clicking where they shouldn't be but if you know what you're doing your security should be tight enough that you don't need UAC. I don't use teamspeak (or even know what it is) so that scenario you brought up means nothing to me. And as for it not being intrusive....I disagree. Its by far the most annoying thing my computer has ever done. Way more annoying than when games ask you 12 times if you're "sure you want to quit". I've never had it on on this comp and never encountered any problems or been hacked or anything, hell I don't even have any spyware. Nice UAC guide though, but mines still staying off.

Well once again, a great concept but poor implementation.

Hopefully vista 2 or windows 7 or whatever will improve this as well as everything else that needs improving... lol

SZayat · 04-10-08

Well, I use Comodo's Defence+ (part of the firewall) which is way more advanced than silly UAC...

Puscifer · 04-10-08

Quote:

Originally Posted by The Hundred Gunner

Well once again, a great concept but poor implementation.

Hopefully vista 2 or windows 7 or whatever will improve this as well as everything else that needs improving... lol

Yeah, thats a great name for their new OS. Windows 7

**ENTERPRISE** · 04-10-08

UAC has its advatanges but I disabled it from day one due to it being rather annoying. I know you can configure it but I wanted the whole thing disabled and out of my way. I think UAC is helpful for the NOOBS so to speak and yes is even good for security in general. However for the people who have common sense and know what they are doing UAC is not a must.

Not to be funny but MANY Windows OS did not have UAC and I survived lol

pauldovi · 04-10-08

Quote:

Originally Posted by Puscifer

Still seems pointless to me. Its wonderful for people who do alot of clicking where they shouldn't be but if you know what you're doing your security should be tight enough that you don't need UAC. I don't use teamspeak (or even know what it is) so that scenario you brought up means nothing to me. And as for it not being intrusive....I disagree. Its by far the most annoying thing my computer has ever done. Way more annoying than when games ask you 12 times if you're "sure you want to quit". I've never had it on on this comp and never encountered any problems or been hacked or anything, hell I don't even have any spyware. Nice UAC guide though, but mines still staying off.

If you truly "know what you are doing" you will have multiple user accounts with different privileged levels, and your primary account would be limited access. Thus, everytime you tried to perform a elevated action you would have to prove your credentials as an administrator.

Using this alternative security method to UAC requires more clicking and more wasted time. UAC significantly simplifies the process and allows you to maintain a proper security environment even though you have only 1 user account (that is also an elevated account).

Your comment's about my teamspeak example indiciate that you don't understand the point of the example. It has nothing to do with your use of teamspeak, on the contrary. It deminstrates the usefullness of UAC at preventing malicious execution of code on your computer.

You cannot tell me you know that you have no spyware or anti-virus! How can you possibly know! The good stuff doesn't "pop out" and spam your screen with pop ups. It silently runs in the background collecting goodies (personal data) and then sending it back to the originator. Although much easier to discover, your computer can be taken over by a botnet, running instruction from the hacker like a massive server. None of these "high end" virus's or malware will ever notify you that you have been attacked.

Quote:

Originally Posted by ENTERPRISE

UAC has its advatanges but I disabled it from day one due to it being rather annoying. I know you can configure it but I wanted the whole thing disabled and out of my way. I think UAC is helpful for the NOOBS so to speak and yes is even good for security in general. However for the people who have common sense and know what they are doing UAC is not a must.

Not to be funny but MANY Windows OS did not have UAC and I survived lol

UAC is not about preventing "NOOBS" from deleting "My Computer". UAC is more importantly about requiring authorization from the user to run elevated tasks. It prevents malicous code from doing things like changing the links on all the shortcuts on your desktops to running virus.exe. It prevents keyloggers and data miners from running.

Previous Windows OS's did not have UAC... That isn't a very good arguement. UAC was introduced because too many people has poor security habits in terms of administrator accounts.

**ENTERPRISE** · 04-10-08

Quote:

Originally Posted by pauldovi

If you truly "know what you are doing" you will have multiple user accounts with different privileged levels, and your primary account would be limited access. Thus, everytime you tried to perform a elevated action you would have to prove your credentials as an administrator.

Using this alternative security method to UAC requires more clicking and more wasted time. UAC significantly simplifies the process and allows you to maintain a proper security environment even though you have only 1 user account (that is also an elevated account).

Your comment's about my teamspeak example indiciate that you don't understand the point of the example. It has nothing to do with your use of teamspeak, on the contrary. It deminstrates the usefullness of UAC at preventing malicious execution of code on your computer.

You cannot tell me you know that you have no spyware or anti-virus! How can you possibly know! The good stuff doesn't "pop out" and spam your screen with pop ups. It silently runs in the background collecting goodies (personal data) and then sending it back to the originator. Although much easier to discover, your computer can be taken over by a botnet, running instruction from the hacker like a massive server. None of these "high end" virus's or malware will ever notify you that you have been attacked.

UAC is not about preventing "NOOBS" from deleting "My Computer". UAC is more importantly about requiring authorization from the user to run elevated tasks. It prevents malicous code from doing things like changing the links on all the shortcuts on your desktops to running virus.exe. It prevents keyloggers and data miners from running.

Previous Windows OS's did not have UAC... That isn't a very good arguement. UAC was introduced because too many people has poor security habits in terms of administrator accounts.

Yes I am fully aware of that. I was talking more in my case where I know how to properly secure my Network and PC to not allow malicious applications to get on my system in the 1st place. Granted UAC is a useful tool for everyone but a little less so for the more experienced. Thus why I said its especially good for the more NOOB user...Its not just for noobs but especially good for them.

Out of all the Vista installs I have ever had on my PC has had UAC disabled and to this day I have a nice clean PC free of malicious code/programs.

The main reason I removed UAC is I like to work fast and having UAC pop up in my face when I am trying to get something done IMO is counterproductive.

		Overclock.net - Overclocking.net > Software, Programming and Coding > Operating Systems
Windows Vista: When you should use UAC

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)