Show of Hands--How many of you have disabled UAC Control in Vista?

[stash]

Security folks are paranoid for very good reason. It's a harsh world out there. We're not just talking about annoying script kiddies and spam any more, we're talking about hardened criminals and international terrorists.

That aside, most of this thread misses the point with UAC. It's way more than just a dialog box. Without UAC, you roll your box back to XP in terms of standard user friendliness. Without UAC you lose the significant security benefits of low-rights IE. Without UAC you lose the file and registry virtualization goo that is unfortunately essential to get many applications to work correctly.

That the dialog box and security desktop parts of UAC can possibly prevent you from getting owned is a nice side effect. The real advantage though, is how much easier it makes it to run your machine with a standard user account.

 

[bsobel]

Originally posted by: Soviet
I have it disabled, i see no reason why a savvy user would have it enabled. Ive read many reasons from security people who i think are extremely paranoid and i am actually surprised they have their computers assembled and connected to the internet, they would be much safer unplugged and back in the box! In fact no just ship the thing back to the manufacturer, it'll be safe there

Ive had 0 problems that i know of.

Your savvy? Didn't we just teach you what a virtual machine was last week?

Oh, and 'fixed'.

 

[Smilin]

Originally posted by: Woofmeister

Originally posted by: Smilin

Originally posted by: Woofmeister

Originally posted by: bsobel
Is your experience with UAC from doing a clean install and configuring or are you having constant issues even now?

It's a clean install on two virgin drives and even after configuring, I'm having constant issues with UAC on startup.

No, it's not a clean install...

Pardon me? What do you mean it's not? How do you know? Are you omniscient?

No, I'm not omniscient. I know because you just got done telling me!! Have you gone senile or something??
YOU wrote the next line in this quote? (and you may have left the stove on, better go check )

The apps that are causing this are in the OP: Rivatuner, Nvidia Monitor, Seagate Free Agent.

...and you are not having issues with UAC, you're having issues with what's causing UAC. WTF does a hardware monitor need to trigger UAC each time it's run for? It clearly needs some kernel/admin access during install but that should be the end of it. We're going in a big circle here. You know where the problem is you just want the symptom to go away without fixing the problem....

Yes, we're going in a circle because you continue to absolve MSFT from responsibility for a problem they should have anticipated. I don't know why NVIDIA's Monitoring software triggers UAC, I just know that it shouldn't and there are lots of other programs that do the same thiing.

So you don?t know why NVidia?s Monitoring software triggers UAC but it MUST be Microsofts fault huh?

That MSFT did not make some provision for this with UAC is part of the problem just as much as software that needlessly accesses kernel/admin. MSFT threw lots of elbows to make its operating system the only game in town. Forgive me if I hold them partially responsible for ensuring compatibility with all the software that's out there even if its poorly written.

I never advised anybody to turn off UAC, I simply stated that I had done so. In fact that's why I started this thread, I wanted to know who else had turned off UAC and if not why not. As such, my qualifications don't really matter. However, since you asked, one of my roles at work is the equivalent of being my company's Chief Information Officer and our in-house and off-site IT people are my direct reports. My professional background also includes a stint at a federal agency where I worked on some of the first computer crime investigations.

I don't buy this. As a CIO you would never put up with such craplications being placed on your corporate desktop images. Yet you put them on your personal desktop and gripe when the expected happens?? You're no dummy, why would you gripe at this expected outcome?

Ah, more omniscience. What don't you buy? My current role or my previous experience? Of course I would never allow these applications to be installed in our corporate environment--we don't allow any applications to be installed without approval. We do that to protect our network from the lowest common denominator. You're not seriously suggesting that the same absolute standard should apply to the home enthusiast who wants to install legitimate software on his own machine are you?

What I don?t buy is that you are smart enough to know better as a CIO yet suddenly lose the ability to think and reason when it comes to your home PC. The stuff you are putting on your PC is junk. It may be useful junk but it's still poorly written. It was poorly written under XP and a security risk too. XP just was not clever enough to tell you.

You are smart enough not to put junk on your corporate computers. You must also be smart enough not to do it on your home computer. You've chosen to do it anyway which is not an uncommon thing...and not something I'll necessarily disagree with. What I do disagree with is you griping about the problem that results when you know good and well why it's happening (although based on these most recent comments, maybe you don't.)

Chances are you'll be fine without UAC but please spare us the "I've been hacked thread" if it turns out otherwise.

I promise to spare you the "I've been hacked thread", happy?:gift:

Yep, thanks!
Feel free to do what you want with your computer. It?s yours.

 

[Woofmeister]

Originally posted by: Smilin

Originally posted by: Woofmeister

Originally posted by: Smilin

Originally posted by: Woofmeister

Originally posted by: bsobel
Is your experience with UAC from doing a clean install and configuring or are you having constant issues even now?

It's a clean install on two virgin drives and even after configuring, I'm having constant issues with UAC on startup.

No, it's not a clean install...

Pardon me? What do you mean it's not? How do you know? Are you omniscient?

No, I'm not omniscient. I know because you just got done telling me!! Have you gone senile or something??
YOU wrote the next line in this quote? (and you may have left the stove on, better go check )

It's a clean install of Vista on two virgin drives. Following installation I installed my drivers then my apps including Nvidia Monitor, Riva and Seagate Free Agent.

You may be right about the senility thing, it's been suggested on more than one occasion by my wife, but I'm pretty sure I'm recalling correctly here. :laugh:

Anyway, you and I both know that my problems with UAC have to do with the fact that the apps in question attempt to access something they shouldn't, they've got nothing to do with how Vista was installed. UAC is working exactly as MSFT intended, you and I just disagree on whether or not MSFT should have included some mechanism to whitelist known apps to get them through UAC.

 

[bsobel]

It's a clean install of Vista on two virgin drives. Following installation I installed my drivers then my apps including Nvidia Monitor, Riva and Seagate Free Agent.

Not sure how we got off on the tangient. From my original question I was just trying to determine if this was the week of install or two months later. UAC is certainly more noisy when your installing and configuring than when your system is more or less setup. I think, however, many people dont realize that and think the install experience is what it's normally like.

you and I just disagree on whether or not MSFT should have included some mechanism to whitelist known apps to get them through UAC.

They did

 

[Smilin]

Hm. You can't whitelist stuff in UAC. It just does not work that way at all. It's not antivirus or a malware detector.

It simply just does not work that way. UAC detects when some bits in a security token are being compared to an ACL. There is no way in that process to insert a whitelisted app. It really cares that the bits in the token are being hit, not so much what ACL is causing it.

It is also completely unnecessary to have a whitelist. You just have to write things properly. By "properly" I don't mean you have to write them to work with UAC. I mean you have to write them with common sense security measures.

The perfect example of what I'm talking about: Antivirus.
Most people out there right now are running an XP antivirus on Vista that was written before anyone ever heard of UAC. It just so happens that AV makers are very serious about properly writing their apps with good security practice.

So take a look at your antivirus. You have some sort of doo-dad running in your system tray telling you the status of your realtime monitoring and all that right? You also have a filesystem filter driver running in kernel mode pulling everything off the filesystem I/O driver and analyzing it before passing it on, right? (you do.) Yet each time you boot your machine do you get a UAC prompt for your antivirus to start? I hope not.

So how do you suppose this AV software that was written before UAC was heard of works without triggering UAC? It's because it does not leverage the admin half of your security token to run the system tray app. It only needs the UAC prompt when the filter driver is installed.

Rivatuner is UAC prompting you every time because it wasn't written right and has a big security hole in it. The problem existed in XP you just never heard about it. You realize that all someone has to do to hack your box is hack rivatuner right? Yep, just wipe that sucker and stick their own code in there. Next time it starts up you are done. Vista is trying to tell you this but you're just bitching because you don't want to be told.

I know you do not want to see those UAC prompts each boot. Guess what - you should NOT be. Each time you hit yes to one of them you are in some form or another turning off security on your box for a temporary or permanent duration.

If you are going to leave that software on there stop hitting "allow" each boot.

 

[bsobel]

Originally posted by: Smilin
Hm. You can't whitelist stuff in UAC. It just does not work that way at all. It's not antivirus or a malware detector. It simply just does not work that way. UAC detects when some bits in a security token are being compared to an ACL. There is no way in that process to insert a whitelisted app. It really cares that the bits in the token are being hit, not so much what ACL is causing it.

Ummmmmm. Ummmmm..... Application Compatibility Database Marking and Application Launch Behavior basically is a whitelist. It's just really exposed for corporate users since the environment is more locked down and there are mitigators to a 'general' white list that malware would try to add itself to.

 

[Brazen]

Originally posted by: Soviet
I have it disabled, i see no reason why a savvy user would have it enabled.

BZZZT! Wrong. By disabling it you are, by definition, NOT a savvy user. I suppose as a "savvy" user you also don't need a firewall or antivirus, right?

Originally posted by: Smilin
<snip>
I don't buy this. As a knowledgeable CIO you would never put up with such craplications being placed on your corporate desktop images. Yet you put them on your personal desktop and gripe when the expected happens?? You're no dummy, why would you gripe at this expected outcome?
<snip>

Fixed

In real life, credentials have little to no correlation to intelligence or capability. This phenomena is compounded exponentially when you apply it to the stated credentials on the internet.

 

[Smilin]

Originally posted by: bsobel

Originally posted by: Smilin
Hm. You can't whitelist stuff in UAC. It just does not work that way at all. It's not antivirus or a malware detector. It simply just does not work that way. UAC detects when some bits in a security token are being compared to an ACL. There is no way in that process to insert a whitelisted app. It really cares that the bits in the token are being hit, not so much what ACL is causing it.

Ummmmmm. Ummmmm..... Application Compatibility Database Marking and Application Launch Behavior basically is a whitelist. It's just really exposed for corporate users since the environment is more locked down and there are mitigators to a 'general' white list that malware would try to add itself to.

Neither App compatibility or App Launch Behavior bypass UAC. The app compatibility toolkit (more specifically the UACCE component) is designed to help your apps stop doing the stuff that triggers UAC. Launch behavior merely causes UAC to trigger when it otherwise would not have (so the app can gain the privledges needed to work properly).

 

[Smilin]

Originally posted by: Brazen

Originally posted by: Soviet
I have it disabled, i see no reason why a savvy user would have it enabled.

BZZZT! Wrong. By disabling it you are, by definition, NOT a savvy user. I suppose as a "savvy" user you also don't need a firewall or antivirus, right?

Originally posted by: Smilin
<snip>
I don't buy this. As a knowledgeable CIO you would never put up with such craplications being placed on your corporate desktop images. Yet you put them on your personal desktop and gripe when the expected happens?? You're no dummy, why would you gripe at this expected outcome?
<snip>

Fixed

In real life, credentials have little to no correlation to intelligence or capability. This phenomena is compounded exponentially when you apply it to the stated credentials on the internet.

In his defense he did already admit he wouldn't put such apps on his corporate desktop. He's given me no reason to doubt he's a knowledgeable CIO.

 

[Brazen]

Originally posted by: Smilin

In his defense he did already admit he wouldn't put such apps on his corporate desktop. He's given me no reason to doubt he's a knowledgeable CIO.

I wasn't really commenting on HIS ability as a CIO (or whatever position he may hold), just on your assumption that being a CIO (or saying you are a CIO, or any position for that matter) automatically implies any level of intelligence.

Throwing out credentials has always been a bit of a pet-peeve of mine anyway, like that should matter when going against industry best practices. Besides, in my experience, throwing out some outlandish work experience or certification is usually a ditch effort by those who don't know what they are talking about. If you are knowledgeable on the subject, you shouldn't have to use things like "Bill Gates asked me to sire his next child, so I must be right!"

Again, this has nothing to do with Woofmeister, just the general misconception that credentials have anything to do with intelligence of the person or validity of the argument.

 

[Brazen]

Originally posted by: Smilin
The perfect example of what I'm talking about: Antivirus.
Most people out there right now are running an XP antivirus on Vista that was written before anyone ever heard of UAC. It just so happens that AV makers are very serious about properly writing their apps with good security practice.

So take a look at your antivirus. You have some sort of doo-dad running in your system tray telling you the status of your realtime monitoring and all that right? You also have a filesystem filter driver running in kernel mode pulling everything off the filesystem I/O driver and analyzing it before passing it on, right? (you do.) Yet each time you boot your machine do you get a UAC prompt for your antivirus to start? I hope not.

So how do you suppose this AV software that was written before UAC was heard of works without triggering UAC? It's because it does not leverage the admin half of your security token to run the system tray app. It only needs the UAC prompt when the filter driver is installed.

Rivatuner is UAC prompting you every time because it wasn't written right and has a big security hole in it. The problem existed in XP you just never heard about it. You realize that all someone has to do to hack your box is hack rivatuner right? Yep, just wipe that sucker and stick their own code in there. Next time it starts up you are done. Vista is trying to tell you this but you're just bitching because you don't want to be told.

And by the way, I really like this explanation :thumbsup: Well put.

 

[Maximilian]

Originally posted by: Brazen
I have it disabled, i see no reason why a savvy user would have it enabled.

BZZZT! Wrong. By disabling it you are, by definition, NOT a savvy user. I suppose as a "savvy" user you also don't need a firewall or antivirus, right?[/quote]

How the hell would you know whether or not im savvy? If i state i am savvy then as far as you are concerned i am. If i state im from the friggin moon, then as far as you know i might well be! You dont have a clue who i am or what i do or exactly how much i know.

Your example of firewall and antivirus is stupid, i never mentioned either of them, you again just assume i dont use them. Ive had no security problems in XP with an antivirus and with a firewall, ill have no problems with vista and the same setup, i personally do not need and will not use UAC because my computer is safe with me using it, always has been, always will be.

 

[Nnyan]

I guess I have to stop being surprised at what threads bring out the FANatics of every flavor. Been awhile since I've seen MS Fanatics though. I have 4 PC's at home (two running Vista X32 and X64 and the other two running WinXP Pro). Now I don't have a great deal of history logged with Vista since its pretty new and I just installed it on the two PCs, but reviewing my problem list (yeah I'm a freak I document issues/tweaks/fixes since I hate trying to find things again) and in the last 4 years (couldn't be bothered looking further) I have had 2 issues with Viruses (the wife loves to run anything sent to her that looks cute) 14 incidents with spyware, 3 driver issues and 5 application issues. Most of that history is in WinXP and all of it more then a year old.

Do I think UAC is evil? Naw, not even close. Do I think UAC's "protection" is worth the hassle? No. Is this a risk? Yes. But one I'm willing to take and not one that is a big concern. As most people I have multiple layers of protection and some of the things that I want to do are more important to me then that extra layer of protection. Lets see, (for example's sake) Rivatuner running fine, Vista x64 running fine, UAC turned off, no security issues in over 12 months. Current images of all my PCs (rebuild from image at every 6-12 months on winxp anyway we'll see how Vista does) if I do run into a problem.

Having said that have any of you guys running Rivatuner (and having it blocked by Windows Defender) tried the Task Scheduler trick? Basically instead of running the application on automatically via the startup folder or via registry (remove it from those areas) you create a task to start your application. It will be blocked by Windows Defender the first time you run it but Vista will allow you to unblock it perm after that first time. Works fine for me and Rivatuner.

 

[bsobel]

How the hell would you know whether or not im savvy?

Well, since we taught you what a virtual machine was about a week ago, I think we all have a pretty good idea...

i personally do not need and will not use UAC because my computer is safe with me using it, always has been, always will be.

:roll:

 

[spyordie007]

I find that most of the time the people who complain about UAC dont understand how it works.

Also, if you turn it off there are some very nice features that you loose (i.e. path/registry virtualization).

 

[compudog]

Originally posted by: loup garou
4 vista machines, all have UAC on, all the time. I hardly see UAC prompts anymore now that my machines are set up properly.

Same here. Vista noob, but I am leaving UAC on. It's not too annoying.

 

[Maximilian]

Originally posted by: bsobel

How the hell would you know whether or not im savvy?

Well, since we taught you what a virtual machine was about a week ago, I think we all have a pretty good idea...

i personally do not need and will not use UAC because my computer is safe with me using it, always has been, always will be.

:roll:

Wasent talking to you for starters.

Second thing, ive had absolutely no need or want to emulate another OS up until last month when simcity 2000 wouldnt run under vista 64. So why the hell would i need to know what a virtual machine is before i actually needed it?? Yes thats right, i had no need to know what it is.

I built my comp, ive installed windows myself, ive solved many a problem with it and have helped many others on this website track down and solve their problems. What... you think these 3900 posts are from replying to fanatic security people like you? heh, no. I am a savvy user, like it or not, my UAC will stay disabled, like it or not.

 

[Woofmeister]

Originally posted by: Brazen

Originally posted by: Smilin

In his defense he did already admit he wouldn't put such apps on his corporate desktop. He's given me no reason to doubt he's a knowledgeable CIO.

I wasn't really commenting on HIS ability as a CIO (or whatever position he may hold), just on your assumption that being a CIO (or saying you are a CIO, or any position for that matter) automatically implies any level of intelligence.

Throwing out credentials has always been a bit of a pet-peeve of mine anyway, like that should matter when going against industry best practices. Besides, in my experience, throwing out some outlandish work experience or certification is usually a ditch effort by those who don't know what they are talking about. If you are knowledgeable on the subject, you shouldn't have to use things like "Bill Gates asked me to sire his next child, so I must be right!"

Again, this has nothing to do with Woofmeister, just the general misconception that credentials have anything to do with intelligence of the person or validity of the argument.

Dude, bsobel asked me for my credentials . . . twice.

 

[stash]

It's the thread that won't die!

 

[bsobel]

Dude, bsobel asked me for my credentials . . . twice.

Yep that was me, trying to get a better idea if I was talking to someone who was even in a position to understand the threat (see my response earlier). So any flack you get from answering should be sent my way....

 

[xtknight]

Originally posted by: Woofmeister

Originally posted by: stash
Easy. Don't use crap startup applications.

Oh, I see, it's the startup applications fault, not Vista's fault that you can't whitelist a trusted application even as an administrator.

:thumbsup:

I haven't used Vista much, but if it's true you can't whitelist any startup application you want, then I'm going to have to agree with him.

The argument that malware could add itself is flawed. They have somehow prevented malware from adding rules to the firewall (or maybe they haven't). But it's a double standard. Of course, it is good to want companies to improve their apps and conform to Vista specs, but meanwhile there are many users who are suffering. That's just the way it is: some devs are lazy. They must accept that and offer an alternative for users.

Myself, I've left UAC on during my use of Vista. I'm used to gksudo prompts and what not and enjoy the extra security. But some people aren't as forgiving. I'd probably deal with the annoyance a lot longer simply because I understand the situation. When security robs myself of my own control of the PC, it has gone too far IMO. But that is just my opinion. I have nothing to complain about, and that's why I haven't been using Vista.

I know that a whitelist may be abused (if implemented improperly), and I don't think that MS did "everything wrong". Far from it. But I simply think that a whitelist could have properly been implemented. It would be something that a regular user would never find, like under group policies. You should have to go through UAC every time you want to modify that value. But it would be there, at least.

Is it going to add attack vectors if holey programs get added to the startup list? Sure, yes, but not as much as disabling UAC completely as many apparently aren't afraid to do.

 

[Sunner]

Originally posted by: stash
It's the thread that won't die!

Well, it's a reasonably civilized thread, involving far more sharing of opinions than flames and trolling, and even some education such as Smiley's excellent post about UAC a little bit up, so why not?

 

[Brazen]

Originally posted by: Woofmeister

Originally posted by: Brazen

Originally posted by: Smilin

In his defense he did already admit he wouldn't put such apps on his corporate desktop. He's given me no reason to doubt he's a knowledgeable CIO.

I wasn't really commenting on HIS ability as a CIO (or whatever position he may hold), just on your assumption that being a CIO (or saying you are a CIO, or any position for that matter) automatically implies any level of intelligence.

Throwing out credentials has always been a bit of a pet-peeve of mine anyway, like that should matter when going against industry best practices. Besides, in my experience, throwing out some outlandish work experience or certification is usually a ditch effort by those who don't know what they are talking about. If you are knowledgeable on the subject, you shouldn't have to use things like "Bill Gates asked me to sire his next child, so I must be right!"

Again, this has nothing to do with Woofmeister, just the general misconception that credentials have anything to do with intelligence of the person or validity of the argument.

Dude, bsobel asked me for my credentials . . . twice.

Hmmm, I said twice that I was not refering to you specifically. I wonder if three times would have made a difference? I doubt it.

 

[bsobel]

The argument that malware could add itself is flawed. They have somehow prevented malware from adding rules to the firewall

Actually, they haven't. UAC was seen as the answer to this.

(or maybe they haven't). But it's a double standard. Of course, it is good to want companies to improve their apps and conform to Vista specs, but meanwhile there are many users who are suffering. That's just the way it is: some devs are lazy. They must accept that and offer an alternative for users.

It's not a double standard, it's growing pains. Just like when they added one of a zillion base technologies that third parties needed to support for logo certificaiton (UAC is required for Vista logo cert). Six months or so from now this won't be nearly as big an issue as most mainstream apps (including things like RivaTuner etc) will have been updated.

Is it going to add attack vectors if holey programs get added to the startup list? Sure, yes, but not as much as disabling UAC completely as many apparently aren't afraid to do.

This isn't a representative set. UAC is basically universally enabled so adding an attackable whitelist would just create a wider vector (vs the idea that soo many people are turning it off this would convince people to leave it on)