A Windows Vista forum. Vista Banter


Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)

Disabling UAC doesn't actually decrease security?



 
 
#1
September 16th 06, 11:45 PM, posted to microsoft.public.windows.vista.security
Roof Fiddler

With UAC enabled in Vista build 5536, I get confirmation prompts in admin
accounts, and I get password dialog boxes in standard user accounts. And of
course standard users can't read each other's home directories.
Then I ran secpol.msc and under Local Policies\Security Options I disabled
User Account Control: Run all administrators in Admin Approval Mode, and
then rebooted. Now, as expected, admin accounts silently grant privilege
elevation and no longer give confirmation prompts, but in standard user
accounts, instead of getting a password dialog or a silent granting of
privilege elevation, I get automatic denial. And standard users still can't
read each other's home directories.
So, if non-admin users are using standard user accounts, and the admin
accounts are used only to run trusted software, then what security is
actually lost by disabling UAC? Standard user accounts haven't gained any
new privileges by having UAC disabled.

#2
September 17th 06, 12:01 AM, posted to microsoft.public.windows.vista.security
Jane C

That's because you haven't actually disabled UAC itself.

--
Jane, not plain 64 bit enabled
Batteries not included. Braincell on vacation :-)

#3
September 17th 06, 12:15 AM, posted to microsoft.public.windows.vista.security
Roof Fiddler

"Jane C" wrote in message
...
> That's because you haven't actually disabled UAC itself

Ah, right. Oops.

#4
September 17th 06, 09:07 PM, posted to microsoft.public.windows.vista.security
Jimmy Brush

Hello,

This actually does disable UAC.

The security loss comes into play because all programs now silently run with
the full privileges of the user. When logged in as an administrator, all
programs run with full admin privileges, even the ones that don't need it.
This is bad news in today's world, regardless of operating system.

UAC does three things for you, and you see the most benefit when running
under the admin account, but this also benefits normal users by allowing
them to elevate:

1) Programs run only with the least privileges necessary. Notepad shouldn't
be able to take control of your domain and format all the hard drives on
your network. Why give it so much power?

2) Programs that NEED admin access MUST be approved to run by YOU at the
time that they start, every time. So, if somehow some nasty software burrows
onto your system and gets itself to start somehow, you can stop it from
starting. There is no way to bypass this behavior with UAC enabled - if you
allow something to run elevated, you can no longer blame Windows for the
intrusion.

3) UAC provides the infrastructure for more advanced security controls such
as Internet Explorer protected mode. I would expect that future versions of
Windows will add more security controls based on the core UAC model.


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/
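
Added example, not part of any post in this thread: a read-only PowerShell check of the registry values that back the secpol.msc settings discussed above ("Run all administrators in Admin Approval Mode" is stored as EnableLUA). The function name Get-UacPolicyReport and the sample values are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
function Get-UacPolicyReport {
    param([hashtable]$Values)   # omit to read the live registry

    $names = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser'
    if ($null -eq $Values) {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $p = Get-ItemProperty -Path $key
        $Values = @{}
        foreach ($n in $names) { $Values[$n] = $p.$n }
    }

    # Value meanings as documented by Microsoft for these policy settings.
    $adminText = @{
        0 = 'elevate without prompting'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries'
    }
    $userText = @{
        0 = 'automatically deny elevation requests'
        1 = 'prompt for credentials on the secure desktop'
        3 = 'prompt for credentials'
    }
    $describe = {
        param($map, $v)
        if ($null -ne $v -and $map.ContainsKey([int]$v)) { $map[[int]$v] }
        else { "not set or unrecognised ($v)" }
    }

    $admin = $Values['ConsentPromptBehaviorAdmin']
    $user  = $Values['ConsentPromptBehaviorUser']
    $approvalMode = ($Values['EnableLUA'] -eq 1)
    $finding = if ($approvalMode) {
        'Admin Approval Mode on: programs start without admin rights until elevation is approved.'
    } else {
        'Admin Approval Mode off: programs in an administrator session run with full admin rights; prompt settings are not consulted.'
    }
    [pscustomobject]@{
        AdminApprovalMode  = $approvalMode
        AdminPrompt        = (& $describe $adminText $admin)
        StandardUserPrompt = (& $describe $userText $user)
        Finding            = $finding
    }
}
# Constructed sample values, not read from a real machine.
Get-UacPolicyReport -Values @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; ConsentPromptBehaviorUser = 1 }
Get-UacPolicyReport -Values @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 2; ConsentPromptBehaviorUser = 1 }
```

Calling Get-UacPolicyReport with no arguments on a Windows machine reports that machine's current policy.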

#5
September 19th 06, 10:00 PM, posted to microsoft.public.windows.vista.security
Michael Palumbo

Sounds similar to how XP was set up . . . but at least new users in Vista
are defaulted to Standard (only the first user set up is defaulted to
Admin).

Mic

 






All times are GMT.

