What is the point of running as user with UAC enabled?

[floepie]

If a newly-created user account with admin privileges is used as the main "daily user" account, how is this in any way less secure than running as a limited user in light of UAC? Having UAC enabled ensures that the admin account does not have the "full admin" privileges afforded the built-in account, which as I understand it, is not subjected to UAC prompts.

After all, isn't the admin prompted by UAC just as often as the limited user account, the only difference being that the limited user is required to enter an admin password, whereas if running Vista as an admin, no password would be required at the prompt.

[NGRhodes]

By running as a limited user you can do and run less (system configuration, secure areas) and this includes any malware and viruses.
So by running admin (via UAC) privalidges only when required and for as short a time as possible, you greatly reduce the chance of genuine and malicious users/code from causing system damage or accessing privalidged information.

[floepie]

OK thanks. It has been conventional wisdom to run a user account as your "daily driver", but in light of UAC, does a security benefit still exist by running a limited user account (LUA)? It seems that whenever I'm logged onto the console of an admin's account, I am prompted by UAC no less often than if I were logged onto my LUA.

So, wouldn't any malicious code be confronted by the same obstacles in the admin enviornment as they would be in a LUA enviornment? As I'm sure you're well aware, the creation of an admin account does not afford it the full privileges granted it in previous versions of Windows.

[Infinite Luta]

Quote:

Originally Posted by floepie

After all, isn't the admin prompted by UAC just as often as the limited user account, the only difference being that the limited user is required to enter an admin password, whereas if running Vista as an admin, no password would be required at the prompt.

Functionally, yes. There are a few technical differences that may or may not matter.

UAC prompts for standard users are basically just a souped up version of RunAs as it exists in 2000 and XP. The elevated program is ran using the admin user's registry and user profile.

UAC for administrators uses Admin Approval Mode. This creates two versions of your access token: a filtered version without admin rights and a full unfiltered version. Everything is run using the filtered token by default and the UAC prompts are used to unlock the full version of the token.

Groups that fall in the middle - such as Power Users and Backup Operators - use a mixture of both. Like administrators, these users still have both a filtered and unfiltered token. However, UAC prompts are similar to what Standard Users would receive. You have the option of either entering your own password to unlock your own full token, or entering the password of an administrator and running the app as the admin user.

[lodore]

the one that annoys me about vista limited user accounts is that when you need higher rights it uses another account instead of just upping the rights of the current user account. so i cannot do an upgrade install of opera on my limited user account. if i want to do an upgrade install i have to change account to admin logoff install opera upgrade. change account type back to limited user and login back in.
im hoping in windows 7 with the uac adjustments i can change it so it will up the rights of the current account.

[floepie]

Quote:

Originally Posted by Infinite Luta

Functionally, yes. There are a few technical differences that may or may not matter.

Thanks for the explanation. It seems unclear whether or not malicious code then faces the same obstacles to execution in a LUA environment as it does in "filtered" admin environment. And, as the only user on a PC, am I really protecting my system by running the LUA?

[floepie]

Quote:

Originally Posted by lodore

the one that annoys me about vista limited user accounts is that when you need higher rights it uses another account instead of just upping the rights of the current user account. so i cannot do an upgrade install of opera on my limited user account. if i want to do an upgrade install i have to change account to admin logoff install opera upgrade. change account type back to limited user and login back in.
im hoping in windows 7 with the uac adjustments i can change it so it will up the rights of the current account.

Why is there a need to do that? Just upgrade with the admin account. It's not as if user settings are modified simply by upgrading an existing app, right? I've found that the best way to upgrade and install apps is to start the application immediately after installing and while you rights are still elevated. That way, any new databases and files can be created in their proper places. Then, close app and re-open as the LUA. As a result, all your virtualized user folders/files will be stored in the user's appdata folder.

[lodore]

Quote:

Originally Posted by floepie

Why is there a need to do that? Just upgrade with the admin account. It's not as if user settings are modified simply by upgrading an existing app, right? I've found that the best way to upgrade and install apps is to start the application immediately after installing and while you rights are still elevated. That way, any new databases and files can be created in their proper places. Then, close app and re-open as the LUA. As a result, all your virtualized user folders/files will be stored in the user's appdata folder.

Hello,
just a bit of a pain having to up my rights logoff and back on a few times to ensure i dont over write my opera settings with a standard set.
so atm i just use an admin account. everything has lowered rights anyway.
its also annoying when a prompt takes over the screen and having to type in your password. i dont mind the extra security of the password but taking over the screen is annoying.

[jdd58]

This link does the best job of explaining for me.

http://windowsteamblog.com/blogs/win...nvenience.aspx

[tlu]

Quote:

Originally Posted by lodore

the one that annoys me about vista limited user accounts is that when you need higher rights it uses another account instead of just upping the rights of the current user account. so i cannot do an upgrade install of opera on my limited user account. if i want to do an upgrade install i have to change account to admin logoff install opera upgrade. change account type back to limited user and login back in.

SuRun also works with Vista and will solve your problem.

[lodore]

Quote:

Originally Posted by tlu

SuRun also works with Vista and will solve your problem.

Hey thomas,
is there a english page?
i dont understand german.

[tlu]

Quote:

Originally Posted by lodore

Hey thomas,
is there a english page?
i dont understand german.

No, but see this thread for details. The program itself, the readme and changelog are in English.

[lodore]

Quote:

Originally Posted by tlu

No, but see this thread for details. The program itself, the readme and changelog are in English.

thanks thomas i will try it when i have some spare time.

tbh i hope microsoft read about this application and adapt UAC to work the same as surun.