Do you disable UAC?

Discussion in 'other anti-malware software' started by Overkill, Mar 2, 2016.

Thread Status:
Not open for further replies.
  1. Martin_C knucked up Rasheed, so agreeing to disagree works for me
     
  2. guest

    guest Guest

    lol Kees, you made me laugh :D me too i can play on words... :p

    he said "you" not "I" :p
     
  3. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Rasheed187 :

    You are still entering this discussion on the incorrect assumption that UAC is an opt-in feature on top of your OS.

    And you still think those "top rated security tools" as you call them, can substitute the OS design even though they are merely applications running on top of the OS.

    You need to take those ideas, lock them in a drawer in the basement and throw away the key.

    Next you need to go back and read my earlier posts.

    "UAC design as a whole", "LUA vs. PA" you said ??
    You are not making sense.

    All of these are different levels in the same privileges structure. Look at it as steps on a ladder.

    System is in one end with full privileges granted.
    PA account in the middle with less privileges the further you turn up UAC.
    Standard user account with the least privileges of those mentioned and without the split token, in the other end.

    This is the structure in the OS.

    It's not "a feature" you opt-in on, in case you have a prompt fetish.

    This is how all OS's are designed and how system protects itself.

    The only reason you have difficulties wrapping your head around this is due to an enormous early-days mistake in the Windows design of those days, that made default account an admin account.
    This is not normal. No other OS does it. Windows is desperately trying to get away from it.

    The PA account with UAC on max is the closest thing to doing it right, that you can get without taking the jump to the sane choice with the Standard user account (a limited user account)

    It's not perfect, but Microsoft has been massively closing the silent auto-elevation bugs with the rolling Windows 10 releases.

    That combined with the SmartUAC addition to the equation in Windows 10, provides a very strong protection of the OS itself.

    The "top rated security tools" you mention are applications on top of the OS. When they fail - and they will fail occasionally - then the one thing that can save your behind is the structural design of the OS.

    With your constant posts about turning off UAC and install "top rated security tools" as you call them - then what you are actually saying to people is to: "install some applications and wait for them to fail, and when they fail then take down the entire OS with them".

    That is not wise to say. Especially not on a security forum.
    And that is exactly why I jumped into this debate with my somewhat lengthy post earlier in this thread.
     
  4. guest

    guest Guest

    If @Rasheed187 used Linux, he would then understand why UAC is important.

    To put it simply: Windows' LUA + UAC = Linux's sudo

    But I guess he will never use Linux since he hates prompts; and in Linux you need to enter the whole password every time you do something that deeply modifies the system (updates, etc...) :D

    I used Linux for a while so UAC's prompts are quite normal to me, I even tweak my Admin account so UAC asks for my password like in Linux.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    And that's a best case scenario, since these "top rated security tools" are usually (even guaranteed) imperfectly coded in that they can fail in a way that crashes the entire O/S. Some people forget or don't realize a feature like UAC is built into the O/S and as a result is superior in working harmoniously with the O/S than that of 3rd party "top rated security tools" that are usually rife with bugs.

    I can't help but shake my head in bewilderment at those in the "What's your security setup these days" thread who even after a number of years still pile on numerous 3rd-party "top rated security tools" to defend their O/S :rolleyes:
     
  6. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I couldn't agree more. The issue has been posted at Wilders I think, it being a security forum and all but it doesn't hurt to remind people that top rated professional tools such as AV / anti malware / anti this and that could actually severely weaken your system because coding mistakes are inevitable. Some are less serious, perhaps resulting in a software crash or OS crash. But if these bugs can be exploited to gain system access, that's really scary. What looks like a quick remedy from the AV producers doesn't make me calm either - if they found 1-2 bugs and rectified those, what other undiscovered bugs are there?

    Less is more.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,790
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Now I know how it feels like to be stuck in an endless loop. Look, it's true that "security experts" advise it's best to run in LUA or to keep UAC enabled when running as admin. But it's also true that a lot of people find it annoying and pointless. I know it's difficult to wrap your head around this, but this is called real life. But to claim that people who choose to disable UAC are putting themselves at great risk, even with security tools installed, is spreading FUD in my opinion, not a wise thing to do on security forums.

    In theory they might fail, in practice they don't. In general, hackers don't even try to bypass AE and sandboxing, too much work. It's easier to bypass AV's, so that's why most of them have implemented behavior blockers and features like safe banking, to interfere with malicious actions even when malware is already running. And there's this trick called "download software only from trusted sources", that will also help a lot.

    So the bottom line is, no matter what you guys say, you won't be able to change my opinion about UAC not being needed. Again, 9 out of 10 UAC alerts are triggered by the user themselves, so they will allow it without thinking twice. There is no white-listing, so people might become annoyed. Of course, if you're not bothered with this, then by all means, keep UAC enabled.
     
    Last edited: Mar 27, 2016
  9. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,225
    Location:
    Canada
    I tend to agree with you on this one. I have UAC set on max. on my wife's and daughter's computer, but they click yes on any prompts without thinking. :( And when I say something, they will respond: Well nothing ever happened anyway! So it's hopeless.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't use UAC myself. But use of a good Anti Executable takes its place. I use ERP, and I feel it far superior to UAC. As to 3rd party software failing and falling back to the OS. It's because of the OS failures we need them. Is the OS better..... if so why the constant stream of updates?
     
  11. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Amazing - you still claim it's FUD to say that people are putting themselves at risk when disabling UAC, and you still find it pointless and ridiculous.

    To be honest, I think you have reached a point where you realize that your ideas about this are wrong - but you absolutely do not want to admit it to yourself.

    I get it - you want solutions to be complicated and be delivered with a 600 page manual.

    But if you looked around you, you would notice that practically every new "earth-shaking" malicious findings that make headlines due to their destructiveness have one thing in common - they fail when they don't have admin rights.

    Life really does not need to be so complicated.


    Next about applications and your "top rated security tools", you say :
    You are simply saying that applications in general and those "top rated security tools" of yours in particular with those "wonderful" KMDs - they only fail in theory.
    They never ever fail in practice.

    My only comments to that will be that we have VERY different opinions about that, and when looking around at reports/findings daily then it seems that a lot of people will disagree with you on that.

    No point in the two of us keeping this up. We will just agree to disagree.
     
  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Antarctica :

    There's the always golden answer - setup a standard user account, password on admin.
    Click happy fingers will not cause you nightmares any longer.
    Works beautifully in enterprise and home.

    And if you move to Windows 10, then the situation of UAC has been improved a lot with SmartUAC.
    Anything requesting elevation will be scanned and if found to be malicious, then no UAC consent possible. Instead target is blocked, removed and user informed.

    If not known malicious, then usual consent prompt shown - but process behavior tracked and can be taken out later if deemed malicious.

    Granting admin approval should never be taken lightly, but with these improvements in Windows 10 a huge portion of the worries have been removed.

    Hope that can change your sad smiley to a happy smiley instead :)
     
  13. guest

    guest Guest

    It is going to be a loop, so to resume:

    - @Rasheed187 is clearly annoyed by UAC prompts (at least on Win8/10, I remember he said he would use it on Win7) and has more trust in system monitoring security tools, so he disables it. Of course, I won't forbid him to do so, after all it is HIS system.

    - Others like us think UAC is still very useful even with dozens of security tools present. We gave enough info about it.

    From this, I can conclude that now it is more a matter of taste than a real debate about UAC effectiveness.

    Just a question for @Rasheed187: Do you consider using UAC with registry tweaks to make it silent? (I saw @Windows_Security using them) or you just don't trust UAC effectiveness at all to mitigate possible attacks?
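
The UAC configurations discussed in this thread (UAC turned off, registry tweaks that make it silent, a password prompt for admin accounts, the slider at maximum) all come down to a few values under one policy registry key. The script below is an added example, not code from any poster; it classifies those values. The sample policies are constructed, and mapping the posters' "silent" and "password" tweaks to `ConsentPromptBehaviorAdmin` values 0 and 1 is an assumption, since the thread does not name the values used.

```powershell
# Added example: classify UAC policy values. Sample policies below are constructed.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of ConsentPromptBehaviorAdmin (admins running in Admin Approval Mode).
$AdminPrompt = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries'
}

function Get-UacPosture {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    if ($Policy.EnableLUA -eq 0) {
        # With EnableLUA=0 there is no split token: admin processes always run elevated.
        $findings += 'UAC disabled (EnableLUA=0): the prompt settings below have no effect'
    }
    $cpba = $Policy.ConsentPromptBehaviorAdmin
    if ($null -eq $cpba) {
        $findings += 'ConsentPromptBehaviorAdmin not set'
    } elseif ($AdminPrompt.ContainsKey([int]$cpba)) {
        $findings += "Admin prompt: $($AdminPrompt[[int]$cpba])"
        if ([int]$cpba -eq 0) { $findings += 'Silent elevation: requests are approved with no prompt' }
    } else {
        $findings += "Admin prompt: unrecognised value $cpba"
    }
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'Prompt is shown on the interactive desktop, not the secure desktop'
    }
    $findings
}

# Constructed sample policies (assumed mappings for the setups named in the thread).
$samples = [ordered]@{
    'UAC turned off'            = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    'silent registry tweak'     = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
    'password prompt for admin' = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1 }
    'slider at maximum'         = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
}
foreach ($name in $samples.Keys) {
    "[$name]"
    Get-UacPosture -Policy $samples[$name] | ForEach-Object { "  $_" }
}

# On a Windows machine, evaluate the live policy as well.
if (Test-Path $UacKey) {
    $live = Get-ItemProperty -Path $UacKey
    '[this machine]'
    Get-UacPosture -Policy @{
        EnableLUA                  = $live.EnableLUA
        ConsentPromptBehaviorAdmin = $live.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $live.PromptOnSecureDesktop
    } | ForEach-Object { "  $_" }
}
```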
     
  14. hjlbx

    hjlbx Guest

    Lah-la-Lah, Dee-de-Deee... this discussion has beat the horse to death long ago... but some people just won't give up.

    Dig the hole. Fill it back in. Dig the hole again. Fill it in again. Repeat... ad infinitum.
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,383
    Location:
    Europe, UE citizen
    This is the point that I disagree with. Security software in a smart multi-layer defense makes UAC redundant and useless. Still, I'm not sure that it can't conflict with an HIPS or others.
     
  16. guest

    guest Guest

    So you clearly misunderstood UAC's purpose. Read this: https://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

    UAC is made to block then prompt about rights elevation requests (getting admin rights) made by any process/executable, legit or not; no HIPS or any security tool does that.
    What those softs (HIPS/BB, etc.) do is monitor the system and block the execution of unknown/suspicious/not-whitelisted processes unless you allow them.

    The built-in feature of Windows that blocks the execution is Smartscreen (based on the executable's reputation determined by MS), not UAC.

    No other softs do what UAC does, so it is not redundant nor useless. UAC never conflicts with HIPS because it does something different.

    That is what we said, UAC should be used even with other security tools because it can, and having another mitigation tool in the pocket isn't a bad thing; especially when it works flawlessly at kernel level.

    What UAC afford:

     
    Last edited by a moderator: Mar 30, 2016
  17. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    We agree 115%.

    The quoted above ought to be a mandatory lesson to be repeated 500 times, before being allowed to register as a user on a security forum.

    And when a user starts to deviate, then mandatory biweekly urine samples.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, this makes a lot of sense. That's why I have been running as admin for all of my life, have never been infected, even on a not fully patched machine, protected with HIPS, sandbox and Cloud AV.

    Complicated? This depends on the user. Just like some people find UAC annoying and others don't.

    That's true, but not the point. UAC is not a system that will automatically block malware from running. It will always rely on user input, so if you make the wrong choice (assuming that AV also failed) it's still game over.

    In all of those stories that you're reading, they never mention anything about which security tools are being used. And I don't believe that security tools are the problem, it's users who are the main bottleneck. And since UAC relies on user input, it doesn't guarantee a malware free system either.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    This was my main point all along. UAC needed to be improved, especially white-listing would have helped a lot. And what you're describing sounds a lot like what behavior blockers are already capable of doing combined with AV. The only difference is that I don't get to see the UAC alert.

    LOL, guess what. By using several layers of security, that can either block malware from running, or interfere with malicious actions, the worries are already removed, without even having to use UAC. BTW, M$ could have implemented something like this, to make UAC more useful and less annoying:

    https://4sysops.com/archives/free-smart-uac-disable-uac-prompts-for-particular-programs/page/2/
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    You guys have made this thread way too complex. It's very simple, some people are annoyed with UAC, and choose to disable it. The ones that are not, will keep UAC enabled. For the ones who choose to disable it, I would advise to use a layered security strategy combined with common sense, this will keep you safe with or without UAC/LUA.

    http://www.techsupportalert.com/safe-hex-safe-computing-practices.htm

    No, those tweaks are not good enough. For the 1000th time, the only time when UAC may be useful is when alerts are UNEXPECTED. This may happen during some exploit attack, but even then it's still a 50% chance that a user will allow it to run. That's why AE and sandboxing are a better solution, they will block or contain malware automatically, even when malware doesn't require admin rights.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes exactly, because it's pretty much pointless. Just because some app asks for admin rights doesn't mean it's malicious. And UAC is pre-execution so it doesn't know if some app has malicious intentions. HIPS/BB is post-execution, and tries to block suspicious actions even if the user has made the wrong decision to let some app run, with or without admin rights. And yes I know, UAC and HIPS are two separate things, but I'm trying to make a point.

    It's indeed not a bad thing, unless you're annoyed with it. Remember what I said about finding a balance between security and usability? And you could think of UAC as an extra layer, but IMO it's a layer that's not needed per se.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I have turned off myself. I use ERP an AE in its stead. And with whitelisting it doesn't annoy me but alerts when something unknown runs. To me a better solution.
     
  23. Aura

    Aura Registered Member

    Joined:
    Mar 19, 2015
    Posts:
    107
    Location:
    -
    I do not disable UAC. Always set on the default level, which is good enough for me.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Well, that's the problem, some people think your solution sucks. You should always put UAC on Max, and stop the whining about it being annoying. Because remember, if you don't get to see any UAC alerts, all hell will break loose. :D

    I keep hoping they will finally understand my point, but I guess it's just wishful thinking.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Wait a minute, I just turned on UAC and now every time I want to sandbox some app, I get a UAC alert about the SBIE Control app? Is this some joke or what? Can anyone confirm, or is there something wrong on my system? :D
     