Why UAC Prompts in Vista Can’t Always Be Trusted


Rasheed187
February 27th, 2007, 11:53 AM
Some interesting stuff. :)

http://www.symantec.com/enterprise/security_response/weblog/2007/02/an_example_of_why_uac_prompts.html

Rasheed187
March 17th, 2007, 08:36 AM
Some more info:

http://www.symantec.com/enterprise/security_response/weblog/2007/03/the_impact_of_malicious_code_o.html

Rasheed187
August 26th, 2007, 03:04 PM
Btw, I have been reading a bit more about UAC since I'm planning to run Vista soon, but what do you think about this, why did MS leave such holes in Vista? ::)

-{ Quote: "
One thing that I found particularly annoying though, is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges. So, when you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing e.g. to load kernel drivers! Why Tetris installer should be allowed to load kernel drivers?" }-

http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html
http://www.codeproject.com/vista-security/RunNonElevated.asp

lucas1985
August 26th, 2007, 03:29 PM
Because Microsoft doesn't care about security.

Rasheed187
August 27th, 2007, 09:54 AM
Well, I'm not sure if they don't care about security, because Vista has improved a lot, but it's kind of strange that they manage to make such dumb mistakes. I mean how can they overlook such things? Don't they have the smartest people working over there? I'm starting to doubt this.

And the same thing with IE7, yeah they improved it in certain areas, but they also screwed up quite a lot of other things. I've also read that the only way to make the Windows OS truly secure is to rebuild it from scratch, and perhaps that's why it's so difficult to get things right. But surely it must be possible to fix the things mentioned in these articles? ::)

Meriadoc
August 27th, 2007, 10:37 AM
Yes, MS is still using the same model and base code, and a re-write from scratch is probably how to achieve a secure Windows OS. Before the internet MS didn't need to think much about securing their OS and therefore we have an about face sort of system; that, and the fact that Microsoft concern themselves mostly with the productive side of things, getting stuff to work and keep working, gives us what we have today.

UAC
Read these some time ago, you gotta wonder how MS can miss these things.

lucas1985
August 27th, 2007, 01:36 PM
-{ Quote: "but it's kind of strange that they manage to make such dumb mistakes. I mean how can they overlook such things?" }-
You'd be surprised by the amount of "backdoors" that Microsoft has left open in their security measures.
DEP (http://en.wikipedia.org/wiki/Data_Execution_Prevention)
-{ Quote: "
OptOut: This setting is the default configuration for Windows 2003 SP1. DEP is enabled by default for all processes. A list of specific programs that should not have DEP applied can be entered using the System dialog box in Control Panel. Network administrators can use the Application Compatibility Toolkit to "opt-out" one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect. Also note that Windows silently disables DEP for certain executables, such as those packaged with ASPack
" }-

Rasheed187
September 4th, 2007, 02:19 PM
Btw, does anyone know if you can tell UAC when to prompt you, and how to do this? For example, you might not want to be prompted when changing the system time, or when you run a .exe file, know what I mean?

Eldar
September 4th, 2007, 06:24 PM
-{ Quote: "Btw, does anyone know if you can tell UAC when to prompt you, and how to do this? " }-
AFAIK you can either disable it or use it. There appears to be no way to tell it when to prompt you. :-\

BTW UAC is enabled here, but it doesn't bother me much with those prompts and the longer you work with it, the more you get accustomed to it. :)

Rasheed187
September 5th, 2007, 09:54 AM
Hi,

I've done some reading, and I'm a bit disappointed, I had hoped that you could control UAC a bit more. For example, on XP I have disabled the annoying popup you will get to see when you execute a .exe file which is not signed. But in Vista this is not possible, correct?

http://blogs.technet.com/asiasupp/archive/2007/02/08/configure-uac-settings-via-policy.aspx
http://www.winsupersite.com/showcase/winvista_ff_uac.asp

Eldar
September 5th, 2007, 10:43 AM
-{ Quote: "But in Vista this is not possible, correct?" }-
There's no way to control it AFAIK, so it's correct. ;)

bigc73542
September 5th, 2007, 11:52 PM
Been using Vista a while now and I don't even notice the UAC as an annoyance. It is just another security app.

Rasheed187
September 6th, 2007, 09:06 AM
But let's say you run in "protected admin mode" and you have turned off UAC, will you still be able to install apps? Wait a minute, I think the answer is yes, because I just read that you can also switch UAC into "quiet mode", this way you won't get to see any popups at all, but all (?) processes still run in limited mode. However, this way it's not really a security tool anymore, this really sucks, MS should have given more control over UAC. :dry:

bigc73542
September 6th, 2007, 09:23 AM
Honestly guys, you need to chill out and quit sweating the small stuff like a UAC popup. How long can the popup delay you in a day's time? Life is too short for this. If you really want to gripe and complain about something you might consider World hunger, War, Global warming. Now that will give you something to worry about unlike something as inconspicuous as a UAC popup.

bigc

Kees1958
September 8th, 2007, 08:44 AM
-{ Quote: "Btw, I have been reading a bit more about UAC since I'm planning to run Vista soon, but what do you think about this, why did MS leave such holes in Vista? ::)

http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html
http://www.codeproject.com/vista-security/RunNonElevated.asp" }-

Rasheed, have a look: http://www.wilderssecurity.com/showpost.php?p=1072777&postcount=3

Disable the EnableInstallerDetection and try what the effects are when for instance running tetris. Vista should apply the normal elevation flow now (I have not tested it).

Regards Kees

Rasheed187
September 10th, 2007, 08:46 AM
@ Kees1958, but will UAC still alert you about everything else? Because I do want to see all the other UAC alerts, otherwise it's not really a security measure anymore. And I don't have Vista yet, I will wait a couple of months, but the plan is to run as "protected-admin" with UAC enabled, but I don't want to be prompted when I'm about to install something, my HIPS already takes care of this. ;)

tlu
September 11th, 2007, 08:11 AM
This behaviour of Vista has some logic as all applications are usually installed in c:\Program Files - and you need admin rights for that folder in order to get write access. However, if you install into another folder where you have write access as a limited user, the UAC prompt doesn't make any sense (provided that the installation process doesn't require write access to other critical areas like HKLM). I'm not sure if you can configure Vista's behavior in such a way with the settings described (http://www.wilderssecurity.com/showthread.php?t=185220) by Kees.

Kees1958
September 11th, 2007, 10:18 AM
Thomas,

There is so little info on what exactly is protected, that I figured out these settings. It seems to work for 32-bit apps; 64-bit applications seem to elevate silently (a pity that you cannot set the ValidateAdminCodeSignatures for 64-bit apps only).

Regards Kees
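
The UAC policy values named in this thread (EnableInstallerDetection, ValidateAdminCodeSignatures, and the "quiet mode" prompt behaviour) can be read back with a read-only audit like the one below. It is an added example, not part of any post in the thread; the registry key and the value names EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop do not appear in the thread, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the UAC policy values discussed in this thread.
# Nothing is written to the registry.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> short meaning (the last two names are the ones quoted in the thread).
$checks = [ordered]@{
    EnableLUA                   = 'UAC enabled (1) or disabled (0)'
    ConsentPromptBehaviorAdmin  = 'Admin prompt; 0 = elevate without prompting'
    PromptOnSecureDesktop       = 'Prompt shown on the secure desktop (1 = yes)'
    EnableInstallerDetection    = 'Heuristic detection of setup programs (1 = on)'
    ValidateAdminCodeSignatures = 'Elevate only signed and validated executables (1 = on)'
}

$props = Get-ItemProperty -Path $key -ErrorAction Stop

# One row per setting; a missing value means the OS default applies.
$report = foreach ($name in $checks.Keys) {
    $value = $props.$name
    [pscustomobject]@{
        Setting = $name
        Value   = if ($null -eq $value) { '(not set)' } else { $value }
        Meaning = $checks[$name]
    }
}
$report | Format-Table -AutoSize -Wrap

# Flag the states the thread worries about: UAC off, or prompts suppressed.
$warnings = @()
if ($props.EnableLUA -eq 0) {
    $warnings += 'UAC is disabled: administrators run with a full token.'
}
if ($props.EnableLUA -ne 0 -and $props.ConsentPromptBehaviorAdmin -eq 0) {
    $warnings += 'Quiet mode: elevation requests are approved without any prompt.'
}
if ($props.PromptOnSecureDesktop -eq 0) {
    $warnings += 'Prompts appear on the interactive desktop, where other programs can draw over them.'
}
if ($props.EnableInstallerDetection -eq 0) {
    $warnings += 'Installer detection is off: setup programs without a manifest start non-elevated.'
}

if ($warnings.Count -eq 0) {
    'No weakened UAC settings found among the values checked.'
} else {
    $warnings | ForEach-Object { "WARNING: $_" }
}
```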

Rainwalker
October 13th, 2007, 08:43 AM
-{ Quote: "@ Kees1958, but will UAC still alert you about everything else? Because I do want to see all the other UAC alerts, otherwise it's not really a security measure anymore. And I don't have Vista yet, I will wait a couple of months, but the plan is to run as "protected-admin" with UAC enabled, but I don't want to be prompted when I'm about to install something, my HIPS already takes care of this. ;)" }-
Hello Rasheed...I just saw this old post and by now you must know of TweakUAC
http://www.tweak-uac.com/