Re: I turned off UAC

---

• From: Jack the Ripper <Jack@xxxxxxxxxxx>
• Date: Tue, 17 Feb 2009 11:14:41 -0500

---

Saucy wrote:

"Not Even Me" <cargod01@xxxxxxxxxxx> wrote in message news:uNylAgOkJHA.5732@xxxxxxxxxxxxxxxxxxxxxxx

"Jack the Ripper" <Jack@xxxxxxxxxxx> wrote in message news:eUh6F1LkJHA.4760@xxxxxxxxxxxxxxxxxxxxxxx

Justin wrote:

Jack the Ripper wrote:

Justin wrote:

Jack the Ripper wrote:

+Bob+ wrote:

On Sun, 15 Feb 2009 15:43:31 -0500, Jack the Ripper <Jack@xxxxxxxxxxx>
wrote:

Nothing is bulletproof, but one doesn't see a lot of posts by Vista users about virus or malware issues, not like you see on XP.

No, but you do see a lot of posts about how UAC sucks. Good idea, bad
implementation.

It's the posts of the ignorant. I would rather have it enabled so that I am not on the Internet with full admin rights, like the previous versions of the NT based O/S(s,) which are open by default O/S(s) and wide-open to attack/compromise by default.

Is that so hard for you or anyone else to understand?

As long as you're not logged on as admin you should be fine. At most I keep users at Power User rights.
While I understand running as admin is unsafe, simply having the account enabled is not a security risk.

I am going to try to explain this again. The out of the box admin account on Vista that is given to a user or any subsequent admin account that is created on Vista with UAC enabled is NOT a full-rights-admin account. It's only a Standard user account, which must be escalated to a use the full-adminrights token to do anything requiring admin-full-rights as an administrator.

I get it.
I don't need any escalation to admin. The problem is, what if there's some malware. Some malware named "winenhancer." The user sees the UAC prompt "Winenhancer must access the internet!" and the user clicks on yes.
So UAC only works when the user knows everything about the PC, which is unrealistic for a standard dumb user whose job is to type out proposals and reports.

Oh, I get it. It's not the responsibility of the dumb user to know what he or she is dumbly clicking on as they point and click. It's their responsibly to know the situation, but they don't and most never will.

However, network admins take that responsibly for this type of worker by using a network proxy that only allows the users to go to approved sites closing the attack vector and mitigating such damage, as its their responsibility to protect company's interest and not some office clerk, lock them down.

Just like with Linux which has the same kind of an approval process within its O/S, they point, click, approve and it's all bets are off. But with UAC enabled when one does this, the damages are mitigated to a certain degree as UAC protects critical areas and also not allowing the malware to continuously run under the context of the user-admin full-rights access token, to spread damage.

But rather with UAC enabled, the compromise runs under the context of the admin's Standard user token, because admin user on Vista is returned to using that token upon privileged escalation completion, and it's a limit rights token, which mitigates/limits damage.

Like I said, nothing is bulletproof not even god's O/S Linux, but UAC on the MS platform is better than have nothing at all, which is the case in fact with the previous versions of the NT based O/S platform, open by default O/S(s), to help protect the O/S.

Real time scanning by (even free) third party programs provides (in many cases) superior protection with less annoyance.
So why put something in the OS that just pisses many people off and is (by MS admission) made irritating on purpose?

Didn't he just explain it to you? Re-read his post:

"But rather with UAC enabled, the compromise runs under the context of the admin's Standard user token, because admin user on Vista is returned to using that token upon privileged escalation completion, and it's a limit rights token, which mitigates/limits damage."

Combining secutity features such as UAC and real time scanning makes systems more difficult to compromise both directly and indirectly [say, by social engineering].

EXCELLENT!
.

---

• References:
  • I turned off UAC
    • From: Justin
  • Re: I turned off UAC
    • From: Kayman
  • Re: I turned off UAC
    • From: Justin
  • Re: I turned off UAC
    • From: Jack the Ripper
  • Re: I turned off UAC
    • From: Jack the Ripper
  • Re: I turned off UAC
    • From: Justin
  • Re: I turned off UAC
    • From: Jack the Ripper
  • Re: I turned off UAC
    • From: Justin
  • Re: I turned off UAC
    • From: Jack the Ripper
  • Re: I turned off UAC
    • From: Not Even Me
  • Re: I turned off UAC
    • From: Saucy

• Prev by Date: Re: %appdata%\
• Next by Date: Re: NLS data is missing - cannot repair
• Previous by thread: Re: I turned off UAC
• Next by thread: Re: I turned off UAC
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: I turned off UAC ... I would rather have it enabled so that I am not on the Internet with full admin rights, like the previous versions of the NT based O/Swhich are open by default O/Sand wide-open to attack/compromise by default. ... The out of the box admin account on Vista that is given to a user or any subsequent admin account that is created on Vista with UAC enabled is NOT a full-rights-admin account. ... what if there's some malware. ... Like I said, nothing is bulletproof not even god's O/S Linux, but UAC on the MS platform is better than have nothing at all, which is the case in fact with the previous versions of the NT based O/S platform, open by default O/S, to help protect the O/S. ... (microsoft.public.windows.vista.general) Re: Run As Adminstrator - why hasnt it saved us? ... UAC and Run As Administrator are tied together on Vista and are the new security profile for the Admin and Standard user accounts. ... You set your account to be Super Admin so that you still have UAC enabled because some applications will not work correctly with UAC off, those applications using the Vista UAC manifest as an example, and by being Super Admin, UAC will not prompt you as Super Admin, as stated in the link. ... (microsoft.public.windows.vista.security) Re: Compiling DLL & Vista: Follow up ... running as an Admin or setting a program to run as Admin will ... The biggest problem I've found in my cool little registry hack to register ... Try reading the Vista newsgroups....lots of complaining about the UAC. ... (microsoft.public.vb.general.discussion) Re: I turned off UAC ... Vista users about virus or malware issues, not like you see on XP. ... I would rather have it enabled so that I am not on the Internet with full admin rights, like the previous versions of the NT based O/Swhich are open by default O/Sand wide-open to attack/compromise by default. ... The out of the box admin account on Vista that is given to a user or any subsequent admin account that is created on Vista with UAC enabled is NOT a full-rights-admin account. ... (microsoft.public.windows.vista.general) Re: I turned off UAC ... I would rather have it enabled so that I am not on the Internet with full admin rights, like the previous versions of the NT based O/Swhich are open by default O/Sand wide-open to attack/compromise by default. ... The out of the box admin account on Vista that is given to a user or any subsequent admin account that is created on Vista with UAC enabled is NOT a full-rights-admin account. ... what if there's some malware. ... However, network admins take that responsibly for this type of worker by using a network proxy that only allows the users to go to approved sites closing the attack vector and mitigating such damage, as its their responsibility to protect company's interest and not some office clerk, lock them down. ... (microsoft.public.windows.vista.general)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Vista  > microsoft.public.windows.vista.general  > 2009-02