LUA questions

Discussion in 'other security issues & news' started by Spysnake, May 12, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, isn't that the crux of all security ;)

    Well, if you are an average user, UAC doesn't serve you any better than SuRun or SBIE or DW or MD or MBAM, or any other tool. So yes, I always assume we talk about an average user. Advanced users, you cannot really lump them into the same category, as they are much more likely to understand and implement things that an average user never will.

    The same way a LUA does, only in reverse. If UAC allows you to elevate with a simple OK, and what you willingly elevate is malicious, what has it achieved other than showing you a prompt just before the attack? (I know, that is not always the case, just a simplified example taken from real world happening by numerous people I have helped). So even in LUA, you have to (as you already mentioned) know if you should elevate or not, correct? Even in SUA, you have to know, somehow, if you should elevate. As admin, it is much easier, as there is no prompt from UAC or no RunAs needed. But as admin I still have to know if I should execute something. The problem with admin is that all your programs have root, so you want to take that away from them, so they don't do something malicious on their own. This leaves all the decisions in the hands of the user - he is the one who executes the file. And once you execute, either you will find a way in LUA to do it if UAC doesn't prompt you, or as admin it just executes. The ending is the same, the process starts with root, and you hope you made the right choice in allowing it to.

    I find both methods to be bothersome on everyone's computer but my own. LUA has its own set of issues to deal with usually, just as admin does. I have helped many people using both methods. It depends on the user as to which is the best choice. If there were no choice, it would be easier IMO.

    Just as an example, on a computer I have set up with LUA and SRP default deny (XP), I have had so many issues with it, it drives me crazy. Yesterday I had a problem with a printer not printing an Access form. I have used Access for years, and never seen that happen. Ends up I installed a second printer (just a copy of the first actually) and it prints, but only if the second printer is set as default. I logged into the admin account, and elevated control panel from user account, and the changes I made to the admin account did not affect the user account. I added the user to the admin group, made the changes I needed to, then set user back to user group only, and then it worked again. That is a lot of messing around. That is why IMHO Vista/7 use LUA/UAC rather than SUA/UAC - so that the actual account in context is elevated to admin rather than admin activities actually happening in a completely different account. This is what I have found happens with people I set up with LUA, it is either problems such as this which are just strange and make no sense, or they don't have any issues at all really because they don't do things like this.

    Sul.
     
  2. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    This is really the only thing that has got me worried. I tried LUA in XP many years ago and the result was that it was almost unusable. I didn't know about SuRun or other similar applications at the time, so I just ran as Admin. The main problem with SuRun-like applications is that it is a 3rd party application for a thing that should be in the Windows core itself. Even if I think I'm a "professional" or at least very experienced user, I'm still worried about unexplainable errors relating to programs which alter basic OS functionality. I'm all for stability, which means less interfering programs = less data loss and more hairs (as I'm not ripping them off because of frustration).

    I don't think I'll go with the SuRun route this time, although it seems like a nice program. The reason is written above. Although I'd really like to run Standard User, it seems that it has its own problems too, even on Windows 7. Maybe the biggest problem is that when you elevate, the process is run from an entirely different account. Before I started this thread, I thought that "Of course they thought about that, who would think that moving the elevated program to run in a different account would be a good idea?", but well, yeah, it's Microsoft after all. It seems they thought it would be a good idea, the reason behind it is what nobody can seem to explain.

    So I have two options basically - to run Standard User with SRP and keep Admin for administrative tasks only. This means that when I install something, it really installs it in the Admin account. This also seems to mean that I can't change some things in day-to-day usage. I talked to my friend about using Standard User in Vista, which I believe is very similar in Windows 7. He told me that when Windows updated itself and needed restart, it went and restarted. There was nothing he could do - it seems that Standard User is not allowed to decide if he/she wants that the computer should restart or not. I don't know for certain if this is fixed in Windows 7.

    The other option would seemingly be what I do now - to use Protected Admin for day-to-day tasks. And maybe add SRP, which I'm currently not using. It is not fully clear to me yet what this would mean with SRP, and it sure isn't clear to me if UAC is enough as compared to running Standard User. There are different opinions on this in this thread.

    If I'm the only user in this computer, and I feel I'm pretty knowledgeable (I've worked at IT-support and I'm currently studying to be a programmer), will it be enough that I answer UAC prompt with No, if I encounter malware? Will it then run as it would run in Standard User, or will it still gain some more benefits? This question is because I'd like to clear this issue from the "Average Joe" stage and continue discussing the scenario where the prompt-answering user is likely to know if there is something wrong.

    Also, will SRP apply to all programs which haven't received elevated rights from a UAC prompt? In this scenario I would run Protected Admin and have applied SRP for all but admins.
     
  3. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I have no issues with Windows Update restarting automatically in my SUA/SRP account. Overall I have no issues running SUA with Win7. Macrium Reflect and Hitman Pro are the only applications I have that require elevation to admin when they are run. Aside from that everything works as it should do. Google Chrome was the only problem program for me, as it installs by default in user space (v.naughty). Installing Chrome from Google Pack resolves this problem.
     
  4. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    Thanks for clearing this up for me.
     