Why do idiots disable UAC & claim it's not a security function?

I almost died of frustration until someone saw the light...

Let me put it this way:

I very much appreciate User Account Control and the other features that go hand-in-hand with the system; such as protected mode, file and registry virtualization, etc.

I think the way User Account Control is implemented in Windows Vista and 7 is fine, but the two big things I would really push Microsoft to change are:

1. The text of a UAC prompt and help file documentation. I think Microsoft needs to stop babying people and making UAC prompts read like just another "are you sure" dialogue box. It should say, "Do you want to afford this program administrative rights?", followed by a description something like: "If you were not attempting to install or run the intended function, please click NO." A little user education can go a long way. Forgive me for having faith that people can learn; after all, that is my field of study.

2. The slider bar granularity is of questionable use. They need to make the slider more useful. The top should still be "Always On" or the "classic Vista" setting, but they need to improve the other settings. They should indeed make one setting preset in which it is tweaked to be silent. And, I previously read some other folks disagreeing with how Microsoft implements the "Windows functions" being whitelisted for the 3/4 setting. That indeed could be improved as well.

The bottom line: If User Account Control is annoying you, it is because you are running it on an administrative user. If you were running on a standard user, which you most certainly should have been doing since the XP days in the first place, you would be loving UAC more than an all you can eat buffet.

I'm sorry to say that I cannot believe there are so many that still don't understand this concept (or perhaps they would rather argue it to justify their security setup) here on Wilders, but it is a proven fact that failing to embrace the concept of least user access can and will eventually lead to security problems.

Yes, some malware can run fine without administrative privileges, such as rogue security solutions. These threats are best mitigated with policy restriction or other forms of whitelisting which can also be done in Windows.

But, a lot of nasty stuff out there needs administrative privileges to do its harm and damage your operating system. A lot of the malware that aims to attack Windows itself can be circumvented by least user access.

Also, as I have said before, running full time as an administrator puts your other layers of security at risk, especially antivirus programs. It is common sense that malware will try to disable or tamper with security software in its opening move, (mechBgon's words). Furthermore, those relying on the self-protection built into some security solutions shouldn't place all their confidence in that ability. When malware tries to attack the security software, it can end up being a never ending battle of "YOU START I CLOSE YOU START I CLOSE" until the system crashes. (Rob Koch, MCC at Microsoft Answers, enlightened me on some of the risks of relying on self-protection modules). The best self-protection, therefore, is least user access and reducing attack surface to begin with.

There really is no argument. You are less safe if you are running full time as an administrator. The Admin Approval Mode is designed to allow people to run as an admin and make it reasonably safer, but it is still recommended to run as a standard user.

If you are worried about the prompts, and you turned off UAC, you can set up a standard user account for guests that are ignorant of PC security. That way, they won't get prompts; they'll just get access denied. Of course, they would have to know your password to answer "yes" to a UAC prompt, so that really is a non-issue to begin with.

You'll have to forgive me, but to me it is the definition of insanity to have someone scrape their Windows Vista or 7 down to bare-bones, disable UAC, and then install Sandboxie, anti-executable, antivirus, behavior blocker, HIPS product, etc etc. People that load up like that must realize if they took the time to correctly utilize some of the built-in functions in Windows first, much of that would be unnecessary. Additionally, that other stuff you run would be better sealed from tampering due to any malware installing being denied admin privileges. Not to mention, installing all that 3rd party security software has side effects. Any time you go beyond the minimal effective dose, you get side effects.

Now I am not knocking any of those products specifically. Heck, I use and am in love with Sandboxie and have been for years now. I am a huge advocate of Sandboxie. But the reality is, it is an added layer of protection for me. I chose to pay a bit more for Windows up front and receive the benefits of having access to group policy editor among other features, and getting to specifically define rules for what can run and what cannot run on my system.

The primary intent of this thread for me was to educate, but the reality is, people just don't care. UAC represents an inconvenience for them, even though in all respects it is a convenience, since now they can run as an administrator and be generally more safe if they are willing to use half of their brain.

I don't know why, but I have become very passionate about issues like this over the past year. To borrow a phrase from Al Gore, this is an inconvenient truth.

 

Pretty sure I understand UAC just fine lol

You highlight LUA as a good thing. I agree - access control is (again) at the core of all security.

The problem is that the access control is left up to the users. Why are my programs asking me these things? Why does my OS think I know or care about security? Who says I'm equipped to make these decisions? The fact is that almost every user is not able to make the right decision especially with something as vague as UAC.

UAC is best used as a developer tool, implementing explicit low integrity levels to applications like Chrome/ IE, which won't prompt the User and still use least privilege.

Are people idiots for not liking loads of popups? I don't think so. UAC is annoying when you first install an OS - popups all over the place.

 

Maybe I'm in the minority, maybe not. But I always run as admin on Windows 7, 32 bit and have UAC maxed out. Does UAC do much for me? Maybe so...I've never been infected. Heck I have not been infected in over a decade and even ran Vista and XP as admin. I download and install programs all the time too. I expect to get a UAC prompt when installing something. I've not seen UAC make a second prompt after the program begins to install. But I've got other programs that can do that. I don't mind relying on Mamutu and Sandboxie. Plus there is Hitman Pro and MBAM for on demand scans as well as real time of MBAM and my current av. I hardly ever use IE, mainly because it has few add on abilities and it's slow. So I just use Chrome with js disabled and never encounter much of a problem. Personally I think running as a limited user is very overrated and I don't intend to do it anytime soon.

As far as getting others to use UAC and run as a limited user, that is most likely a problem due to MS marketing. If someone buys Windows 7 Premium then why should they be expected to compromise their "Premium" purchase with a limited user experience? MS should rename the "limited user" with something that does not sound so clinical. Heck what would be the response if MS renamed "limited user" to "Smart User" ? I bet many more people would not be so hesitant to use Windows that way. Well, except me.

 

Are you using the term "idiots" to get attention? I so, you got mine.

 

No...again, I apologize. The idiots comment was directed at the guys writing the tweak guides. The way they write these things, they make it sound like UAC is some conspiracy theory that has nothing to do with security and is something everyone should disable as soon as you even think about buying Windows Vista or 7.

I used the word "idiots" in frustration; not referencing anyone on here nor was I trying to get attention. I figured I would get enough attention being I was writing about UAC.

 

Arguably, from my research, running as an administrator BUT with UAC maxed out (Admin Approval Mode) is fine and safe. My argument does not apply to you; you are using UAC correctly.

 

Tweak guides are usually written by people after one thing - views. They rarely understand what they're talking about and most of the time they're just copying someone else's article. The "I'm a Mac" ads did not help.

I didn't think you were calling anyone here an idiot lol

I wouldn't recommend another user disables UAC but that's only because I'm just not the type of guy to recommend disabling any security of any kind, however useless I find it.

That said I think UAC popups are useless for the average user. Thankfully Windows 7 has helped considerably by allowing developers to continue to make use of low-rights applications without bothering the user needlessly.

 

Thank you for understanding.

I can agree with your statements. And, taking a look at your security setup, you know what you are talking about as do most of the people that participated with this thread. My intent was never to overly criticize anyone.

When I said things to people like "...you are not thinking correctly" I am referring to the general principle of least user access, since there is so much research out there to support it. I was not trying to imply or claim that I am an expert in any way because I am not. I have just spent countless hours research security mechanisms and how to achieve Windows protecting Windows.

No hard feelings.

 

This is starting to feel more like a religious discussion. All hail the mighty and powerful UAC. The way I see it people are going to run with what they comfortable with. I've been fine without it since the 3.1 days of the internet, 95, 98, and so on. It all has do with the person between the keyboard and the chair.

Even with your frustration. I'm sure you educated some people in the long run.

 

You raise a very good point, IMHO. And, that's precisely what I previously mentioned - the user must understand what the UAC prompt is all about. And, for the user to understand it, the prompts must be clear enough for the user to be able to make an educated choice.

Unfortunately, as I also have previously mentioned, this isn't just about Microsoft or users. It's also about software developers. I gave Java's example.

For instance, couldn't Java updater run as a service? This would take away the element surprise of an alert the user won't know if it was to be expected. This one is just one example, as I'm sure there are more.

So, when you mention "If you were not attempting to install or run the intended function, please click NO." wouldn't work as expected, and simply because the user did not attempt to install or run that intended function; it's an automatic function that Java created with its autorun entry, which will trigger an UAC prompt. It wouldn't, if it installed the updating mechanism as a service.*

Also, when I mentioned that most people probably don't understand how it works, I wasn't referring to Wilders Security Forums members; I'm talking about people like some of my relatives, friends, etc. People who got no interest in learning any of this. If they got no interest, there's no how to learn about any of this. And, Microsoft doesn't help either, as you pointed out.

-edit-

* And, if the user chose No, then he/she would be at a even greater risk with an outdated Java.

 

I think we can all agree UAC is playing in a safer zone than full blown admin, it is annoying and there are other ways to secure a computer if one chooses, flaws exist in any setup.

Its weird to hear people say "I've never seen UAC protect one of my clients from infection" or things like that because how do you know? Protected Mode and File and Registry virtualization only work with UAC enabled, those things make it much harder to infect a PC and could protect you easily without you even knowing (no popups from those).

 

UAC would be virtually just as effective if every time a popup showed up it automatically said "yes." I just wish more developers made use of integrity levels.

 

All good comments.

I think the biggest issue with UAC is the implementation of granularity. While I will always argue that there should be a maximum option that behaves like "Always Notify" does today, as I said before, they definitely need to find a better way to implement middle ground options.

 

Indeed, the whole topic is about having UAC enabled/disabled, but by default, UAC is set to normal, which is not really UAC enabled unlike when maxed out.

 

Right now UAC is set that if the application is signed the program gets full access. This isn't really good since CA's get hacked all of the time. Still, I don't see it as being an issue if you have other security in place. Win7's default is fine.

 

I work at an IT service (most of the time reinstalling, cleaning infected machines) and I think I'm quite a "geek" and understand most of the security techniques (but not all ).

I always leave the UAC on on all the clients' machines but also on mine. OTOH my boss always disables it on his PCs and on the clients' ones.

I don't think that UAC is a PITA at all. It only shows up a few times a day if you do PC maintenance, and maybe a couple of times a week on a normal user PC (users that know nothing about computers and simply browse FB and TT ).

So instead of dissing it I prefer to use UAC because you never know. I've never been infected as far as I remember but I'm not removing my AV because of that. You never know. I read once that the BBC website got infected and people reading it was at risk. You can't control these situations. Even though I have imaging tools I prefer to keep my system clean.

So thanks to the OP for extending my view on UAC as I never paid too much attention to it.

 

Seems you answered your own question in the very asking of it

 

When running a Windows version with UAC, I make sure it's turned up to maximum. If I can run as an effective limited user I will, thank you very much; and the popup notification stuff is nothing new, you get the same thing on *buntu, or with any HIPS.

(Worse on *buntu actually because it either prompts you for your password or doesn't notify you. Easier for social engineering types to exploit, and less convenient for users.)

OTOH it would help if Microsoft didn't claim that UAC is not a security feature: http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html

 

Protected mode =/= UAC. UAC is not a security feature really. It's the frontend to the ACL/MIAC backend and that's where the security (protected mode) lies.

 

Lets put the title straight.

Why do idiots believe UAC will make them secure & keep on clicking Yes everytime they open a .rar file.

 

LOL, that too...

But I was more referring (again) to the tweak guide authors and those that are claiming running as an administrator without UAC carries no security sacrifice, because it does. It carries a huge security sacrifice.

 

So is it basically agreed disabling UAC technically makes you more vulnerable, but for average users it doesn't matter because they will just click yes all the time anyays?

 

My position remains that at the highest priority of computer security, if there was one thing I would want "simple" computer users to learn, is how to run on a standard user account full-time with the help and convenience of UAC. They would likely find that they would almost never see any prompts, and if they do, they should be clicking NO by default, NOT YES! Most "simple" computer users go online and check e-mail, log on to Facebook, etc. Assuming and justifying that "simple" users are bound to click YES is a cop out. In fact, truly "simple" users could be told the opposite - JUST CLICK NO. That takes the decision/knowledge element out of the equation.

Oh well; it's really not that complicated. I have confidence that people can learn the basics. I could go on and on about it but I think adding an outside source is appropriate here...

Renowned PC (and thankfully security also) expert, Leo Notenboom, goes over the basics on how to know when it is safe in general to allow a UAC prompt here.

So in conclusion, summing up my standing by my original viewpoint: If you choose to disable UAC because for YOU PERSONALLY it will result in you just clicking yes every time, regardless of whether or not you are capable of being educated (or care to be), then disable it, but understand you are making a huge security sacrifice, and in many cases, putting your other security layers at risk of tampering by running full-time as an administrator. Most importantly, what I am really arguing in this thread, is to keep that practice to yourself. It should never be advised anywhere to turn UAC off, regardless if it is being "recommended", or simply "introduced" as a concept. It's just a stupid thing to put in a tweak guide.

I believe that if just a tiny bit of time and effort are made, people could learn to make informed decisions about when to grant things keys to the heaven. Stated in other words, I feel UAC, both the prompting and the other functions it provides, are necessary security technologies built into Windows Vista and 7, and should not be, in almost any circumstances, turned off.

Sure, it is not perfect, and there always will be scenarios in which UAC simply draws a line in the sand and the user crosses it. But the fact of the matter is, UAC COULD have prevented it in those cases. Again, with what I observe a lot of "simple" people doing with their computers, they could be just as easily told to always hit "NO", and chances are they would never see a UAC prompt unless it was malware, because they tend to do nothing that legitimately requires UAC prompts, other than of course updates. I generally recommend turning auto-update for stuff like Java/Adobe off, as it degrades performance even when unneeded (no surprise there), and instead install Secunia PSI and run it twice+ a month. So simple to use, very quickly scans your PC for ALL out-of-date/end-of-life software, and can update a lot of them for you, AUTOMATICALLY, and you only have to answer a UAC prompt once to launch the Secunia application! Of course, you have to be disciplined to run it manually, or use their automatic background service.

Anyway, no solution is perfect, but I tend to back one that starts secure from the ground up, rather than turning foundation stuff off and adding a bunch of 3rd party stuff later on, which can yield side effects.

Not trying to rant on and on; just sharing my thoughts. I do like security, as is likely quite evident.

 

Here's the thing... if you have a privilege escalation exploit it doesn't matter if UAC is on or if you're on a SUA. If the user is socially engineered into installing it also doesn't matter, they'll hit "yes" or switch accounts.

SUA could potentially stop some drive-by's if their payload can't function without admin rights and if the user is wary. It's useless for social engineering.

If the user already believes the file is malicious, they won't run it anyways regardless of UAC.

It's just not secure in that way. What's secure is the integrity system that developers can make use of. This has been shown with IE and Chrome. Unfortunately no other applications really make use of the integrity levels even though they easily could.

 

For the average user is better to make them run as standard users (as they should and as I do ), while having UAC enabled at default settings. Windows 7 default settings aren't bad, provided the user runs as a standard user.

On top of that, I'd install a kind of application that would allow to create a whitelist of application that need administrative rights to perform their tasks, without asking the user. There's SuRun, BeyondTrust PowerBroker Desktops Windows, etc. Those two are free.

Then simply alert those users that whatever applications need administrative privileges have been allowed, and if the they see such kind of alert, then it's bad news. From that moment on, it's their own problem.