Is it necessary to run as Standard User on Win7 when UAC is enabled?

Discussion in 'other software & services' started by Defenestration, Aug 12, 2009.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined: Jul 17, 2004
    Posts: 1,086
    In my migration from XP to Win7, I'm deciding whether to run as an Admin User or Standard User. Given that UAC results in all processes running with standard privileges, with an elevation confirmation being displayed for actions that require admin rights, then assuming I don't blindly click OK on an elevation prompt, would I be right in thinking that this would be as secure as running as a Standard User?

    As I see it, the only difference is that an Admin just clicks OK or Cancel on the elevation prompt, while a Standard User has to enter an Admin user name and password.
     
  2. jdd58

    jdd58 Registered Member

    Joined: Jan 30, 2008
    Posts: 525
    Location: Arizona
  3. Windchild

    Windchild Registered Member

    Joined: Jun 16, 2009
    Posts: 571
    The short answer is no. Running as admin with UAC is safer than running as admin in Windows XP, but it still is not nearly as safe as running as a real limited user (standard user, regular user, pick the term you like the most). So, if I were you, I'd run as standard user. But is that "necessary" as in absolutely required? Well, obviously, no. But it would be good.

    For the long version of the "no" answer, you could read this: http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

    UAC isn't meant to be a security feature. It's just intended to push developers into making software that is compatible with standard user accounts (which is what devs should have been doing since 1993) and to make running as a standard user easier. :)
     
    Last edited: Aug 14, 2009
  4. chronomatic

    chronomatic Registered Member

    Joined: Apr 9, 2009
    Posts: 1,343
    If UAC isn't meant to be a security feature, then what exactly is its purpose? Why not just keep the old paradigm of every program and user running with superuser privileges? If not for security, then why is M$ wanting developers to program for user accounts? You can have more than one admin user, so it seems simpler just to keep things the way they were in Win 9x.

    Maybe I am missing something. :argh:
     
  5. Windchild

    Windchild Registered Member

    Joined: Jun 16, 2009
    Posts: 571
    Well, yes, you are missing something. Obviously MS wants developers to program software that works in standard user accounts for reasons of security as well as just plain compatibility with their Windows NT operating systems where standard user accounts have existed since 1993. Standard user accounts are safer - and they should be able to run software, too. Obviously. Most software has no reason to require superuser privileges, obviously, and MS wants developers to stop writing poor software that requires superuser privileges for no good reason.

    Why not just keep the old paradigm of running everything as superuser? Because it's insecure, unwise, and just plain sucks, that's why. :D

    But that does not mean that UAC is a security feature. Standard user accounts are the security feature. UAC itself is only a way to make running as standard user easier (for example, UAC elevation prompts when a standard user tries to do something that requires superuser privileges, or file system and registry virtualization) and to force developers to make software compatible with standard user accounts. You could say that UAC is a way to make it easier to take advantage of a security feature called standard user accounts.

    UAC forces developers to make software compatible with standard user accounts because UAC makes the default admin account a "Protected Administrator", which is a "kind of standard user but not really" that is only admin when it elevates. Therefore, programs that assume they have superuser privileges now break even when executed by this default "Protected Administrator" account, and developers have to fix their programs to work with standard user accounts. And they seem to be doing just that, so UAC is doing its job.

    But since UAC doesn't make the "Protected Administrator" a real standard user, malware can still get full superuser, admin privileges even when executed as "Protected Administrator", using DLL injection for example. Yeah, it's true that UAC breaks some malware that stupidly assumes admin privileges. But malware coded by someone who knows about UAC can get admin privileges if it wants, when executed by a "Protected Administrator" with UAC. That's why it's still much safer to run as a real standard user, and why UAC isn't a security feature. UAC may help security against a lot of old-fashioned malware, but that isn't its purpose, it's just a side effect.

    In the article I linked to in my previous post, Mark Russinovich says this about UAC:

    And


    That should be a good enough explanation. :D
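
A way to check which of the three cases discussed in this thread the current session is in: a real standard user, a "Protected Administrator" running with a filtered token, or a full administrator. This is an added example, not part of any poster's message; the function name `Get-UacTokenState` is hypothetical, and the code assumes PowerShell 3.0 or later with .NET 4.5 or later.

```powershell
# Added example: classify the current process token under UAC.
# Assumes PowerShell 3.0+ / .NET 4.5+ (WindowsIdentity.Claims).
function Get-UacTokenState {
    # Well-known SID of BUILTIN\Administrators
    $adminSid  = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators group is enabled in this token
    $elevated = $principal.IsInRole($adminSid)

    # A filtered token keeps the Administrators SID, but marked deny-only
    $denyOnly = @($identity.Claims | Where-Object {
        $_.Type  -eq [Security.Claims.ClaimTypes]::DenyOnlySid -and
        $_.Value -eq $adminSid.Value
    }).Count -gt 0

    if ($elevated)     { $state = 'Administrator, full token (elevated, or UAC is off)' }
    elseif ($denyOnly) { $state = 'Protected Administrator, filtered token' }
    else               { $state = 'Standard user' }

    New-Object PSObject -Property @{
        User          = $identity.Name
        Elevated      = $elevated
        AdminDenyOnly = $denyOnly
        State         = $state
    }
}

Get-UacTokenState | Format-List User, State, Elevated, AdminDenyOnly
```

Run it from a normal (non-elevated) prompt: an account that reports "Protected Administrator, filtered token" is the UAC default admin described above, not a real standard user.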
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined: Dec 13, 2008
    Posts: 830
    What if my HIPS could be configured to watch out for dll injections, would that make up for all the weaknesses in UAC?
     
  7. MrBrian

    MrBrian Registered Member

    Joined: Feb 24, 2008
    Posts: 6,032
    Location: USA
    Related discussion at https://www.wilderssecurity.com/showthread.php?t=215470.

    Relevant quote from Inside Windows Vista User Account Control: (about Vista)

     