Do you disable UAC?

Discussion in 'other anti-malware software' started by Overkill, Mar 2, 2016.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    just adding my seed of discord :p

    NO users should run permanently on Admin Account but on SUA :D
     
  2. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Which is also what I'm saying.

    Always, always, always a Standard User Account for all daily chores.

    Maybe we should tattoo it permanently on the forehead of the next user that questions this ? :D
     
  3. guest

    guest Guest

    yes :p

    The problem is that MS has "forced" these bad habits for ages; during Windows installation, users shouldn't be allowed to log in with an admin account right away.

    Linux users are accustomed to standard accounts.
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    I like being able to do what I want to do on my computers at all times, without restrictions, so it's not likely I'll ever use a Standard user account. I have never even tested one. I reckon a lot of people around here feel that way, look at this poll result from last year. :cool:
    https://www.wilderssecurity.com/thre...run-as-administrator-or-standard-user.372010/

    Bo
     
  5. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @bo elam :

    That the Windows ecosystem has a problem with really bad user habits is not news.

    That even a security forum has a high percentage of users with really bad user habits is disturbing, and I can only shake my head at it.

    As both I and others have pointed out earlier in this thread - show me a Linux user that runs as root permanently.

    And as I have already said earlier in this thread - only in the Windows ecosystem do you meet users who suffer from this ridiculous idea that they are so mighty advanced that security through design does not apply to them.

    First utilize every bit of security an OS offers, then you can begin to investigate if it makes sense to add anything.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    Sound advice :thumb:
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    You're missing all the fun, Martin. Using a computer doesn't have to be boring, square or restricted. Developing a security strategy where convenience and security are balanced is what it is all about. That can be done in various ways. I have been able to achieve that on my own, and I'll tell you a secret, it is easy. The Martin way is one way of doing security, but it is not for me. And according to the poll, you are in a minority. You shouldn't try to impose your views on us, or insinuate that we are stupid for not following what you preach, OK.

    If your way of doing security works great for you, I think that's fantastic. But it's not for everyone. Just because someone prefers to run as Administrator, that doesn't give you any right to "tattoo it permanently on the forehead of the next user that questions this ?"

    Question this? Who do you think you are, telling me, us, that we can't question what you write, that we have to think like you do or else. The World would be boring if everyone thought alike, dressed alike and everyone was thinking and doing things like out of a mold. Let freedom reign, Martin. Greetings.

    Bo
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes exactly. And I see some are now even talking about how people should run in LUA. But I'm afraid they are in the wrong thread, since this topic is about people who choose to run as protected admin, and whether they think it's worth keeping UAC enabled or not.

    Purely from a security point of view, UAC is mostly meant to mitigate exploit attacks, but as we all know, sandboxing and anti-exploit are way more important when it comes to this. And not all malware needs admin rights, think of ransomware and banking trojans, UAC/LUA won't protect against that.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes exactly, I use quite some tools that need admin rights every time they are being launched, think of Process Explorer, AutoRuns, and SpeedFan. When installing software with SBIE, you will also get to see the UAC alert. And M$ hasn't even bothered to implement a user controlled white-list. So thanks, but no thanks, I use security tools and common sense to stay safe, inexperienced users can do the same, with or without UAC/LUA.
     
  10. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I use a restricted account + UAC max. I don't feel restricted in any way whatsoever. I actually feel free to use my computer without worrying too much about drive-by-downloads and +90% of malware.

    When I first abandoned using my admin account for daily tasks (Windows 2000) I didn't feel restricted or anything like that but I felt offended (!) because sometimes I was demanded to type the admin password when I installed new software and so on. What the heck? I was using my computer and it demanded me to type an admin password! It strikes me how backwards Microsoft has been when it comes to sound & basic computer security if they made users like me feel offended and annoyed about good computer security. It's a bad legacy that Microsoft is trying hard to reverse!

    But that feeling of being offended went away pretty fast and now it would never occur to me to use an admin account for my daily tasks including or especially browsing the web. Never mind that the admin account is protected by being given a stripped token etc.
    Also having used Linux for a couple of years only enforced that notion. You simply do not use root for your daily tasks.

    Rasheed mentions some software demanding admin rights but so what. It means that those software either really need system rights or they're horribly designed.
    The former I can live with, the latter I try to avoid.
     
  11. guest

    guest Guest

    Same here, I prefer to use all the OS built-in security features first, then add my 3rd party softs. In fact with SUA + UAC max + some registry/GP tweaks, you don't even need 3rd party security softs; but as @bo elam said, where's the fun, I love my security softs :p

    Of course, SUA is a bit less convenient but I don't do many admin tasks when I spend most of the time working in Office or browsing the web. Admin tasks (for home users) are mostly software installations and maintenance tasks; you don't do them all day long, so no need to be permanently on PA. The problem is that the software is badly designed and requests admin rights when it doesn't really need them.

    MS realized their mistake, but so many people are used to running in an admin account; if they enforce using SUA, they will raise another tsunami of complaints.

    That is why the Linux eco-system is safer than Windows: fewer than a hundred malwares existing, fewer attack vectors, app repositories, users are truly separated, etc...
    Some hackers I knew don't even use Windows as their main OS, one summed up his view to me as: Windows is the battlefield and Linux his HQ :D
    The problem with Linux is that it is less convenient than Windows in terms of hardware compatibility, drivers, etc...

    The softs @Rasheed187 mentioned can be run in SUA without UAC prompts, they need admin rights only to show full details.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    You did good, you got where you got regarding security on your own. Personally, I feel doing security in our own personal way is the right way of doing these things, whatever that is.

    If you or I, or anyone, do security in a non-conventional way, and at the end of every day when we turn off the computer, we know the computer is clean and never ponder about being infected. Or, ever, stop doing what we're doing, because something happened and we get the urge to do scans. These are great feelings and you have those feelings when you know what you're doing is working. Those are my feelings about computing every day. What works for me, works for me. Being mocked by someone like guest doesn't make me blink. Greetings to you. :cool:

    Bo
     
  13. guest

    guest Guest

    I'm not mocking you lol, I approved of what you said... you are getting paranoid Bo. Lately I've observed that when someone (mostly me ^^ ) "criticizes" your point of view, you take it the wrong way, or maybe you have a latent grudge against me :p
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,383
    Location:
    Europe, UE citizen
    So I think and so I do! This thread is sliding into a kind of "prohibitionism" that wishes that nobody can run his system, on his pc, as admin. :D:D
     
  15. guest

    guest Guest

    With experienced users, I don't mind much, they know the potential risks and how to reduce them; but personally I won't let beginners (aka family, friends, etc...) do their daily stuff on an Admin Account.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    Because of the number of softs I run with their associated frequent updates (thanks @Kyle_Katarn and SUMO), I choose the convenience of running from an Admin account. I think running in a limited account might drive me crazy.
    And if I mess up (can't remember when this was last due to malware), there are always MR system images. Can go back in minutes.
    Each to his own I guess, even though it's not the 'right' way. I still have UAC on Max though. )
     
  17. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @bo elam :

    I know you have been mad at me ever since my post in the "sandboxing Chrome"-thread, where I summarized about AppContainer, Chrome sandbox and Sandboxie.

    You apparently took it as a personal insult and you have been a bit grumpy towards me ever since.

    Lighten up, @bo elam :)

    Tzuk before and now Invincea spend 90% of their time dealing with compatibility issues, so there's no reason for you to become grumpy at me for stating facts.
    As I said back then - Sandboxie is a very, very powerful tool, but it requires its users' and developers' constant monitoring for and dealing with compatibility issues.

    If you think I'm a nasty individual for saying so, so be it :D

    Next to repeat myself :

    There is no other OS in the world that has made that terrible mistake of making the default user account an Admin account.

    And Microsoft are fighting a tough fight, getting away from that early days mistake.

    There's nothing heroic about running an Admin account fulltime. So why some users sound proud about doing so is beyond silly.

    As for your statements :

    I will say a dose of reality would do wonders here. No offense.

    Users who actually use their computers do not use them to conduct a colorful symphony from a dozen "amazing" security products.

    If you take the tour around every single security forum in existence, you will soon find out that it's pretty much the same users that show up in all of them.

    Put them all together, and you won't have to find a big stadium to house them all.

    It's a rather small group of users.

    As to every single other computer user in the world, I can guarantee you 100% that not a single one of them feel it "to be boring, square or restricted" as you claim, when they do not get to play with the "security app of the week". Not a single one will agree with you.

    End users want an OS to be secure out of the box, without the need to worry.
    Can they have it ? Of course they can.
    Install Windows 10 and Office 2016, both fully updated.
    Out of the box the user will have Windows Defender activated including the two cloud options activated, SmartScreen activated both systemwide as well as in both browsers and UWP apps, all internet facing apps running sandboxed and restricted in AppContainer.
    Can they increase security ? Sure they can.
    Enable PUA detection in Windows Defender, set SmartScreen to require Admin approval, set up a Standard User Account and only use that account for all daily chores, password protect their Admin account, set UAC to max, set UAC to only elevate signed and validated executables and have network profile on Public everywhere except when on their own locked down LAN.

    With that easy to set up setup, you have covered everything your average user needs to think about and they can get on with their life.

    The users that put a lot of thoughts into their setup can next begin to evaluate if it makes sense from a security point of view to add anything.

    Personally I have found that adding an Exploit Blocker due to some legacy programs I use, and adding an Adblocker to make the web tolerable are all I need to add to perfect my setup.

    You have found that all you need to add are Sandboxie for containment since you are on Windows 7, and NoScript to make the web tolerable.

    Others find they only need to add an Anti-Executable and an Adblocker to perfect their setups.

    Enterprise will sign own in-house binaries and use Device Guard.

    Those setups I have a lot of respect for, since they utilize what is actually available in the OS and just add the few things that can benefit in a given scenario. Plus Windows is a powertool on its own with further restrictions and lockdowns, that can be adjusted to your individual needs.

    What I have zero respect for are users who don't utilize the security by design options available to them, simply because they either do not understand them or have the wrong idea about them, but still they dedicate their forum presence to repeatedly call these security implementations retarded.
    Another thing I have zero respect for are users that disable everything in the OS and then install a dozen "amazing" security products and then show up everywhere claiming to be super advanced users and super secure - and if anyone asks these users why they install all that crap, then they just provide a link to a webpage or PDF that uses tons of colors and lots of words with at least 20 letters in them and they somehow think that colorful marketing and long words equal great protection.

    Anyway @bo elam, your posts are usually a lot more smiling than they have been for the last few weeks.

    This is a security oriented forum. Not a battle arena where we fight to the death.

    You know very well what I mean with my posts, and none of it is an attack on you.

    Time to put on a smile again and enjoy your Sunday. :)
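
An added example, not part of Martin_C's post or of the thread: a read-only PowerShell check of the UAC-related items in the list above (UAC on max, elevation of signed and validated executables only, daily use from a Standard User Account). The mapping from the post's wording to these policy values is this example's assumption, and the group check resolves direct membership only.

```powershell
# Added example (read-only): compare local UAC policy with the "UAC on max" setup.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumption: this mapping of the post's wording to policy values is the example's own.
$expected = [ordered]@{
    EnableLUA                   = 1   # UAC is on
    ConsentPromptBehaviorAdmin  = 2   # slider at "Always notify" (the default level is 5)
    PromptOnSecureDesktop       = 1   # prompt appears on the secure desktop
    ValidateAdminCodeSignatures = 1   # only elevate signed and validated executables
}

function Get-UacPolicyReport {
    param($Expected, [string]$Path)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $prop   = $props.PSObject.Properties[$name]
        $actual = if ($prop) { $prop.Value } else { $null }   # value may be absent
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = ($null -ne $actual -and $actual -eq $Expected[$name])
        }
    }
}

function Test-DailyAccountIsAdmin {
    # Direct membership in BUILTIN\Administrators (S-1-5-32-544) only;
    # membership through a nested or domain group is not resolved here.
    $me     = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    return [bool]($admins | Where-Object { $_.SID.Value -eq $me })
}

$report = Get-UacPolicyReport -Expected $expected -Path $key
$report | Format-Table -AutoSize

if (Test-DailyAccountIsAdmin) {
    Write-Warning 'Current account is a member of Administrators; use a Standard User Account for daily work.'
}
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more UAC policy values differ from the hardened setup.'
}
```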
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    You Bo were once considered a friend as anyone can be on the internet. But I got a post from you that felt manipulated as from my worst enemy. So I lost all trust in anything you say, except in SBIE, there your words are good.

    Stupid to advocate this thing to run in an admin account when this is a security forum. All I can say to this.
    Does not matter what most people running Windows do as default, this is a security forum.
     
  19. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,164
    What does this have to do with this thread?
     
  20. guest

    guest Guest

    anyway, nothing is bulletproof :D (check the attachment), I haven't tested it...yet :p
     

  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    Surun works really well for this. The download link is near the bottom of the page. There is also an English forum.
     
  22. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Which is why UAC on max and Standard User Accounts are wise.

    The bypasses on UAC default level are known.

    (We both mentioned it a couple of times during the last 16 pages :D)

    I do however notice another option in those settings, that another user here will find disturbing.

    I will politely refrain from commenting on that, in order not to bring new chaos in this 16 page journey :D

    Naughty, naughty @guest :p
     
  23. guest

    guest Guest

    I guess (and hope) the bypasses focus on products in default settings. :D
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I think the anti-SBIE function will simply stop the malware from running at all, that's another advantage of sandboxes, when malware know they are running virtualized, they simply terminate themselves or try to hide bad behavior. :D

    He is known for this kind of weird posts.

    Yes I remember this tool, but I don't like to use any third party tools for this kinda stuff.
     
  25. guest

    guest Guest

    I guess you may be right.
     