Arggghh VISTA64 security

Discussion in 'other anti-malware software' started by Kees1958, Aug 29, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear members,

    In a moment of utter madness I installed Vista64 on my son's gaming PC. After the first nice impression, you will soon be driven mad by UAC (User Account Control).

    UAC can best be described as a retarded 98 year old anti-executable who keeps forgetting who you are (not a trusted family). I thought that UAC might have an Administrator escape like unix offers for instance, but no, they (intentionally) designed it that way. The goal of Microsoft's engineers was to protect users against themselves, but the effect is that the PC is protected from being used.

    So best solution I can come up with:
    1. Define an admin account and set UAC OFF (nice little program: TweakUAC).
    2. Define a surfer account with limited rights.

    I really wonder why people should upgrade:
    a) Advanced security?
    Because it will only be a matter of time before average hackers will produce malware which is able to break into Vista64. Today just too few people are using 64 bits to have fun with your hack. So please please PC users do not buy Vista64. I think I cannot handle more interpretation of MS engineers of user friendliness.
    Thanks Joanna Rutkowska (Red Hat) for tipping MS on the unsigned driver hack (NOT). MS solution was simple, only allow signed drivers. Now legitimate drivers like my wireless driver card could only load silently after executing CMD and entering "bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS" plus enter.
    I fear the day when MS will come up with a solution to handle recursive VM hacks. Aaaarrrggghhhhh the insane stalinistic rigidness of MS security measures effectively reduces the improvements to zero.

    b) The performance increase?
    Experts estimated that 64 bits would provide a 20% performance gain over 32 bits. This should be the case when MS would not have OPTIMISED the code. Under XP the 3Dmark06 was 10184, under Vista64 with a higher overclock, a newer BIOS version (optimised for multi cores) and the corresponding new optimised 64 bits drivers, it just pushes out 8892 marks? While it should have displayed over 12000 3D marks!
    Obviously the VISTA delays have caused much stress. As any cognitive science expert will tell you, fun is a great way to focus the mind. Developers that aren't enjoying themselves will slow down, write buggy code, make poor decisions, leave the project, which in itself causes other problems: knowledge loss, new learning curves and less consistent code. Poor game developers always walk on the edge of stability because they have to push the code to its limits for the required fast and furious gaming experience. So you either have to buy a new X-box (MS I presume?) or trust your money to MS partner in crime Intel for quatro cores. Have fun

    c) Ease of use?
    Just when you thought you could handle the MS logic of grouping (hiding) functions in XP, they placed a lot of old functions in NEW places, WHY? The only reason I can think of: being a User Interaction manager at MS, you have a hard job. So after X years of XP, you split the team and send them to a Zen/Tantra workshop in Nepal, a traditional drum/dance course in the Andes, meditating in a traditional Inuit sweat tent. Then you mingle them together in a creative session and hand the output over to the programmers. They just came back from a holiday in Vegas, with late parties and drinks. So their clouded minds had to make sense of the brown paper farts produced by the UI-designers (whose feet had not touched ground yet). The result of this total makeover: Mork calling Orson, come in Orson . . . .

    Be warned :) when your kids buy a DirectX10 game!
     
    Last edited: Aug 29, 2007
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039

    ROFL. I've not seen a better explanation of why Microbubble moved the Documents and settings stuff to its new Users o_O? location. I think you nailed it. I've played around with Vista 32, and while there are a few things I like, I always end up restoring my XP image.



    Pete
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Edit:

    NoN Security:
    - UAC OFF, switched off user management notification (with TweakUAC you will have easy access and 1 extra option)
    - disabled driver integrity checks (see post 1)

    Added:
    - Hardware FireWall and Default Windows Firewall of Home Premium (XP Pro users should buy Ultimate)
    - Admin Account and Surfer Account with limited rights
    - Using the IDS of Winders Defender (don't laugh it is all I have)
    - Avast AV (free), with the separate modules (for early detection in incoming streams) enabled
    - VistaFireWall control (free), to get control on outbound traffic also
    - Haute Secure 64Bits (beta, first go to the download page to select X64 version)
    - Comodo Boclean (free)

    Useful extra:
    - Autoruns works on Vista64


    Note:
    1. Would be nice to place a sticky with Vista64 bits security apps
    2. Feels like being thrown back to early XP time, with a separate FW, AV, AT, AS and having to walk through your autoruns again.

    Regards Kees
     
    Last edited: Aug 30, 2007
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Great source of medium info about MS products like Windows Vista is at IT's Showtime. ;)
    The point is that UAC should appear when malware tries to perform some admin action.
    MS wants to force developers to create software able to work in a limited account, so no UAC prompts.
    By the way, UAC can be altered to ask less and it can be disabled via Run - msconfig - Disable UAC.
    Also, UAC is quite simple and easy to use limited account. Security and comfortability do not get along.
    It is not impossible to achieve the ultimate security, because there are intelligent people on both sides.
    The point is to be ahead and Vista 64-bit is, creating malware for it is quite a challenge, which takes time.
    There will be more sophisticated malware for Vista 64-bit, so at least we will not have to deal with some script kiddies.
    Well so far you actually do not need any security application on Vista 64-bit, just 64-bit hardware DEP enabled, IE7, etc.
    Vista 64-bit is indeed better, but the problem is that there are almost no 64-bit applications which can take advantage of it.
    Vista has much better memory management, OS self-maintenance and so on, also Aero, which decreases CPU usage.

    Common users will benefit from simple interface and IT users use templates, which do not change, in fact Vista improved them.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    http://www.microsoft.com/technet/technetmag/issues/2007/09/SecurityWatch/default.aspx
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The TOM, Ronjor,

    As I have illustrated I defined a surfer account with limited rights. In old XP you have the option when running in a limited account (control via registry setting) to get a pop-up offering the user the possibility to run on another (admin) account. This had the same effect as UAC.

    From the user perspective UAC is a 98 retarded Anti Executable who keeps forgetting who is trusted, with no containment when once allowed (e.g. not SSM for instance which also protects code against each other).

    So from a user point of view it is the annoying pop-up you have to click yes. In daily practice the average user is taught a dangerous type of behavior (allowing everything).

    So the benefits of running as a limited rights user with occasional elevation to admin rights when needed is reduced to zero by the "oh yes, just click okay" behavior. Maybe in future when sufficient software is available which is able to run as a limited user, UAC will become exception reporting and thus adding meaning to its warning.

    That is why I choose to setup a surfer account. I can explain that to my son. When you are going to do some risky surfing, log on to the surfer account. I cannot ask him to think deep at every UAC pop-up, check the internet first before allowing those numerous pop-ups.

    Regards Kees
     
  7. tlu

    tlu Guest

    Kees, I don't have Vista on my computer but I had the opportunity to test it for about 3 weeks on another PC. And I don't follow you. First of all, if you setup a limited account and you're doing something with admin rights needed, you're getting a pop-up, too, with the only difference that you have to also input the admin password. So that doesn't make that much difference. It does make a difference from a security point of view, though, if you purposely didn't reveal the admin password to your son - in this case he wouldn't be able to install most types of malware.

    As for the popups themselves - yes, I had them in the beginning when I installed applications/tools and configured them. Once that was done, I surfed, wrote and received emails, wrote documents and created spreadsheets with OpenOffice etc. etc. - and didn't get even one popup over several days. What on earth are you doing with your system that you find these rare popups annoying? Or are you really permanently configuring your system and turning some screws o_O
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Tlu,

    I was replying to the other mail and the article (link) posted. All accounts have UAC off.

    No my son has full access to his own PC. When gaming he visits servers he knows, so there is acceptable risk involved.

    Only screws which are loose are the ones in my head.

    The point that I am trying to make is that UAC offers you to put the admin hat on when needed. Which in itself is a great idea. When you change from XP to Vista64 you probably have a lot of software with unsigned drivers that is not compliant with the requirement to operate in a limited user environment. When taking into account the limited number of users who now have an anti-executable WITH containment (UAC is without containment), probably most home users will allow these pop-ups anyway. So the added security in practice will be reduced.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,693
    Hello,

    I have tested Vista and found it simply useless.

    The enhanced 'security' is only perceived - nothing substantial. You are merely forced to click twice for everything, have drivers die on you and such.

    Furthermore, you get 50% decrease in performance, 1000% inflation in hard disk space usage by the OS. You might say it would not matter if the extra security offered anything.

    But look at XP. Just use Firefox and you solve all your problems. So why should one bother clicking through everything twice when it worked perfectly in XP with just one click?

    Mrk
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Windows Vista Integrity Mechanism, a sort of inbuilt sandbox :)
    UAC isn't a security feature
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Mrkvonic,

    DirectX10 was the reason, but unofficial DirectX10 for XP is available, so think twice before starting


    Lucas,

    Indeed, UAC does not provide containment

    All,
    Okay I have found a signed driver for Rivatuner and was able to get a workaround for our wireless from the chip producer, so we are now running in UAC quiet mode. This runs programs standard in limited mode, but allows the administrator to install something. In simple words, when you deliberately install a program, UAC won't throw pop-ups. Programs themselves are not able to install something.

    Due to the signed drivers I have undone the bcdedit with the -set loadoptions ENABLE_INTEGRITY_CHECKS.
    So we are protected against unsigned drivers installation (I hope rootkits do not have signed drivers :p )

    Regards Kees
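
An added example, not part of any post in the thread: an offline check for the settings posts 3 and 11 toggle (UAC off, UAC quiet mode, driver integrity checks disabled via `loadoptions`). The `bcdedit` and `reg query` text below is constructed sample input, and mapping quiet mode to `ConsentPromptBehaviorAdmin = 0` is an assumption about what TweakUAC sets.

```python
import re

# Constructed sample: trimmed `bcdedit /enum {current}` output for the state in post 3.
SAMPLE_BCD = r"""Windows Boot Loader
-------------------
identifier              {current}
description             Microsoft Windows Vista
loadoptions             DDISABLE_INTEGRITY_CHECKS
nx                      OptIn
"""

# Constructed sample: `reg query` output for the UAC policy key with UAC switched off.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x2
    EnableLUA    REG_DWORD    0x0
"""


def bcd_settings(text):
    """Parse 'name<two or more spaces>value' lines of bcdedit output into a dict."""
    pairs = re.findall(r"^(\S+)[ \t]{2,}(\S.*?)[ \t]*$", text, re.M)
    return {name.lower(): value for name, value in pairs}


def reg_dwords(text):
    """Parse the REG_DWORD rows of `reg query` output into {name: int}."""
    rows = re.findall(
        r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*$", text, re.M)
    return {name: int(value, 16) for name, value in rows}


def audit(bcd_text, reg_text):
    """Return finding codes for the weakened settings discussed in the thread."""
    findings = []
    bcd = bcd_settings(bcd_text)
    # Matches the DDISABLE_INTEGRITY_CHECKS load option quoted in post 1.
    if "DISABLE_INTEGRITY_CHECKS" in bcd.get("loadoptions", "").upper():
        findings.append("driver-integrity-checks-disabled")
    reg = reg_dwords(reg_text)
    lua = reg.get("EnableLUA")
    if lua is None:
        findings.append("uac-state-unknown")   # value missing from the capture
    elif lua == 0:
        findings.append("uac-off")             # no elevation prompts at all
    elif reg.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("uac-quiet-mode")      # assumption: admins elevate silently
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_BCD, SAMPLE_REG))
```
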
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    OpenGL 3.0 should expose SM 4.0 hardware without D3D10.
    Signed drivers can be used to install kernel-level malware. Purple Pill
     
  13. tlu

    tlu Guest

    Mrk, I disagree. There are substantial security improvements as described in this posting.

    I think you know that I'm a strong Firefox supporter, too. But Firefox alone is not the solution of all security problems. Besides - as already mentioned in my reply to Kees - I haven't seen the need to permanently click popup messages once everything is installed and configured. And one of the big improvements of Vista is that it is much more comfortable to use a limited user account - this is an issue which you've always criticized in XP.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,693
    Hello,

    Agreed on the issue of limited account.

    But there's a price to everything. I am not sure I want the performance degradation and hassle involved as the price for improved limited account management and usage.

    By the way, all of the things I have written are my observations only. My approach to 'security' differs much from what many people think. Security is not just being NOT infected, it is how you get to that state - or what is required of the user to accomplish that.

    I'll leave Firefox aside. Use K-Meleon, Opera, any other browser and you solve 99% of Windows problems. Then, replace MS Office with OpenOffice, messenger with Pidgin, and so forth, and you end up with 100% problems solved, whether you use Windows 2000, XP or any other.

    Of course, the problems refer to inherent failures of the software, not the deliberate failures of the user.

    So what remains is the platform itself, where convenience becomes factor number 1 in my lexicon. Like the British like to say, I'm not rich enough to be poor - I value my laziness over anything. And I don't see a point of spending hours upon hours tweaking Windows so it can serve my lazy needs.

    I don't want to spend my time trying to solve inane problems that MS thinks will prevent users (re. bad users) from shooting themselves in the foot.

    Now, regarding Vista security. I don't really care what whitepapers say. The only test is the MRK test of reality. I sit in front of the screen, click and clack, and wait to see what happens.

    My experiments show that getting infected in Vista is a very simple thing if you put your heart to it, not much different from XP.

    How come when you get all the extras, you may ask?

    Well, from what I have seen, most of the extra security aims at "unwanted" installations of drivers, software etc, exploits that occur along the way.

    All of the above are relevant when you use IE and default software.

    But if you do not use them, then the advantage becomes a major disadvantage.

    A simple analogy - anti-spyware etc in Windows XP. Useful if you run IE, but a complete waste of resources if you don't.

    UAC and such might work well for someone who's only ever heard of Norton and never will try anything but what comes preinstalled on the machine, but someone like me, it's a moron-proof-test that will self-defeat me any time my logic fails.

    That's about it.

    Limited account (modular of course) is the way to go, but we still have to see a quantum leap from what it is today in Windows to what it should be, like in Linux.

    Cheers,
    Mrk
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  16. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Last time I looked, not many PC games run on Vista 64-bit anyway :ninja:
     
  17. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Just to add more details about Vista's security, I made an article a few months ago about Vista and the leaktests:
    http://www.firewallleaktester.com/articles/vista_and_leaktests.html

    I describe the most interesting new Vista security features. It would be really dishonest to say that Vista's security is not better than XP.

    However, as the tests show, I could still manage to make 50% of the leaktests tested successful. Although there are more safeguards on Vista, if you "want" to be infected (e.g. you have risky habits and click "OK" on every popup), then you will.

    Then it comes down to your own choice, some people will happily use an AV having a 90% detection rate (which is good), and others won't use any AV under 97% detection rate. 97%+ detection rate is better, and although not bulletproof, it is worth using. Same for Vista, it's not invincible, but it is a great security improvement over XP.

    At the end remain Vista's disadvantages I won't disagree with: price, hardware required, resource hungry, (in)compatibility.

    Regards,
    gkweb.
     
    Last edited: Sep 11, 2007
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857