Second thoughts on Windows 7

Discussion in 'other security issues & news' started by Kees1958, Jan 9, 2011.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    In the search to get running basic user work under Windows 7, I found the following alarming (old) post.

    So they whitelisted Windows 7 binaries to run without elevation request restriction. Besides the lesser functioning of SRP (Vista compared to Windows 7), two questions arise in my head:

    1. When some exclusion mechanism exists, hackers can make use of it

    2. Why not offer a certification mechanism to whitelist third party applications also or offer a proper SUDO mechanism?
    (Why does UAC not have an option to auto elevate signed applications and throw a pop-up for non-signed?)


    I think I will be falling back to Vista again on my desktop PC and take the longer startup times for granted. Especially the first question is alarming.




    Link: https://groups.google.com/group/mic.../c161787f51027914?hl=en&#doc_8b74c0637c9c5656
     
    Last edited: Jan 9, 2011
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    If you decide to run Vista again as the subject concerns you Kees, use blackviper.com's settings (safe or tweaked), and you should notice little speed difference between the two.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    THX I will have a look at it
     
  4. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Yes, and one can also use the Windows Club's SMART (Service Management And RealEasy Tweaking) Utility to smooth this services tweaking process.
     
  5. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Thanks ruinebabine for the info on SMART. This will certainly save me a lot of time :) .

    SourMilk out
     
  6. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    hmm, well for me at least this makes no difference, i never even knew about this change between vista and 7 either, but i always run Admin anyways:)
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    The change we made in Windows 7 default UAC settings is that any operation that is necessary to manage windows will not require an elevation - which in technical terms translates into a white list of trusted action / binaries which the user can make perform without UAC prompting from an elevation. This list does include windows file operations.


    Seems to me the key word is "default". My understanding is if you set UAC to maximum in Windows 7 you have the same functionality as Vista. Is that not the case?
     
  8. Matthijs5nl

    Matthijs5nl Guest

    That is also the way I always understood it. To have less pop-ups and make it more comfortable for people. So at default level Vista is stronger indeed, but at max the UAC is actually the same. That is why I am running UAC at max on an Administrator Account. And UAC at default on a Standard User Account.
     
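    The posts above turn on the slider position: the whitelist of Windows binaries that elevate without a prompt is a property of one ConsentPromptBehaviorAdmin value, not of Windows 7 as such, and "Always notify" restores the Vista behaviour. As an added example, not code from the thread, here is a script that reads the three policy values the slider writes (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and reports whether the Windows-binary whitelist is in effect and whether the configuration matches Vista's default. The value meanings are Microsoft's documented ones; the slider-to-value mapping is Windows 7's (where the bottom position also clears EnableLUA). When not run on Windows it classifies a constructed sample instead of the live registry.

```python
"""Classify the UAC policy values behind the Windows 7 slider and say whether
the built-in auto-elevation whitelist for Windows binaries is in effect."""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Documented meanings of ConsentPromptBehaviorAdmin (Admin Approval Mode).
ADMIN_BEHAVIOUR = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}

def classify_uac(enable_lua, consent_admin, secure_desktop):
    """Return a dict describing the effective UAC configuration.

    enable_lua     -> EnableLUA                  (0 = UAC switched off)
    consent_admin  -> ConsentPromptBehaviorAdmin (see ADMIN_BEHAVIOUR)
    secure_desktop -> PromptOnSecureDesktop      (1 = dim the screen)
    """
    if not enable_lua:
        slider = "UAC disabled (Windows 7 'Never notify')"
    elif consent_admin == 0:
        slider = "Never notify (UAC on, everything elevates silently)"
    elif consent_admin == 2 and secure_desktop:
        slider = "Always notify (Vista default behaviour)"
    elif consent_admin == 5:
        slider = "Notify only for non-Windows binaries" + (
            " (Windows 7 default)" if secure_desktop else " (without secure desktop)")
    else:
        # Values 1, 3 and 4 are not slider positions; they come from Group Policy.
        slider = "custom policy: " + ADMIN_BEHAVIOUR.get(
            consent_admin, "unknown value %r" % (consent_admin,))
    return {
        "slider": slider,
        "admin_behaviour": ADMIN_BEHAVIOUR.get(consent_admin),
        # The whitelist of Windows binaries that elevate without a prompt only
        # exists at value 5; with UAC off or value 0 everything elevates anyway.
        "windows_whitelist_active": bool(enable_lua) and consent_admin == 5,
        "silent_elevation_for_everything": (not enable_lua) or consent_admin == 0,
        "vista_equivalent": bool(enable_lua) and consent_admin == 2 and bool(secure_desktop),
    }

def read_live_policy():
    """Windows only: read the values from HKLM; a missing value means the Windows 7 default."""
    import winreg
    defaults = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name, default in defaults.items():
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = default
    return classify_uac(values["EnableLUA"], values["ConsentPromptBehaviorAdmin"],
                        values["PromptOnSecureDesktop"])

if __name__ == "__main__":
    if sys.platform == "win32":
        result = read_live_policy()
    else:
        # Constructed sample: the Windows 7 default slider position.
        result = classify_uac(1, 5, 1)
    for key, value in result.items():
        print("%-32s %s" % (key, value))
```

    On a Windows 7 box at the default position the script reports the whitelist as active and the configuration as not Vista-equivalent; moving the slider to the top flips both answers, which is the whole difference the original post is about.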
  9. wat0114

    wat0114 Guest

    Same here, that's how I've more or less understood it, too. A knowledgeable Wilders member on Windows' inner workings, MrBrian, recommended somewhere to run UAC in Win7 at default. No doubt there's something different, however, with Win7 compared to Vista, as Sully has mentioned the differences he's encountered with his development of his Safe-Admin program. He's had to make changes to it so it's compatible with both O/S'.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why running UAC at its default level? People (I'd say the so-called experts) started whining about things they could not understand, and started advising people to disable it! (It gives me the creeps!)... so Microsoft pleased them. At least, at default level, they would still be alerted for other stuff. Way better than disabled. This I agree.

    But, not even once, since Windows Vista I got annoyed by alerts out of the blue.
    Such alerts only appear when something wants to mess with important system parts. And, doubtfully most users would be messing with most of those parts. That would leave installing apps and upgrading/updating them. So, users would know when they should make use of UAC. If some alert was given, then it is 99% sure it means something is lurking.

    Unfortunately, these so-called experts have no intention of wasting time to actually educate the masses about what xyz security measure means, how it works and how to operate it. Even they are ignorant! Easy route: Disable it. It's annoying.

    :)
     
  11. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I'm in agreement here and with the previous posters above. I run as Admin, probably shouldn't but I do. Having said that, UAC is set to the highest setting asking for credentials and set this way through GPE. I want to be asked to enter my password. Still though, Kees makes a good point with this info, key word being default.
    Now I have to ask the question, where's the list?
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, IMO, I'd say it's 50-50. The "problem" is that UAC is not a security tool; it does provide a certain protection/creates certain boundaries... but that's all it does.

    Sadly, the so-called experts started writing articles against Vista's UAC and advising users to disable, and simply because they are not even aware of how it truly worked. I highly doubt they understand it by now.

    Sadly, Microsoft reduced UAC interaction in Windows 7, by making use of a default level.

    The default level is the least of the concerns... There's malware capable of bypassing UAC with its setting at maximum.

    So, while I agree with 1), it's the least of any concerns, knowing malware is able to bypass UAC is a reality.

    There's even a bug, still not patched by Microsoft in win32k.sys, part of the Windows kernel.
    If a piece of malware is able to make use of such bug, execution is done even from standard accounts. Obviously, the user needs to run something, unknowingly... but it only requires standard user rights.

    That's just one recent problem that was found, which would neutralize UAC. :D
     
  13. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I agree, excellent info moon!
     
  14. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    UAC can be bypassed even without this exclusion mechanism.
    Here is a way to bypass UAC with the default settings in 7 (don't know if Microsoft fixed it). http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

    But the recent vulnerability is far worse.
    Microsoft Windows User Access Control (UAC) Bypass Local Privilege Escalation Vulnerability
    They offer Application Compatibility Toolkit which can be used for creating a whitelist.
    http://www.microsoft.com/downloads/...e9-b581-47b0-b45e-492dd6da2971&displaylang=en
    http://www.ghacks.net/2010/07/08/ge...microsofts-application-compatibility-toolkit/
    An unofficial list is here.
    http://www.withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/

    Panagiotis
     
  15. wat0114

    wat0114 Guest

  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    You are welcome. By the way you may like "UAC Trust Shortcut" if you only want to skip UAC prompts for a handful of products.
    http://www.itknowledge24.com/

    Panagiotis
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I must be missing something, I just must be.

    In my wandering with win7, with UAC set to default, starting something such as regedit requires UAC elevation, every time.

    If I choose to set UAC to quiet mode, then any approved binary by M$ is allowed to elevate without UAC, which is what kees is referring to maybe?

    However, non-approved binaries still utilize the UAC, do they not, or are denied without an app compatibility entry of RunAsAdmin.

    Dropping UAC completely gets us right back to regular admin.

    I (thought) that UAC in quiet mode was finally the answer to my struggle to use LUA because most of the OS works without a prompt, which is what I want, yet unapproved (non signed ?) objects are not approved, again, what I want. And if I do want an unapproved object to not ask me questions via UAC, I just make a registry entry for it in app compat.

    Am I missing something here?

    Sul.
     
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Nice find! Thanks. I was going to ask where the list was stored but it appears that MS is using an application manifest flag to auto elevate. This seems to differ from the way some apps, mainly security apps, accomplish this. I think they request Admin privileges but somehow turn the request off for the UI. To be certain, I would have to look at the manifest of an app that does this. Either way, both are done with a manifest. Having said that sparks another question: is the manifest read each time the app is launched or is the manifest info stored locally somewhere? Which brings another question: could the manifest or its info stored locally be changed/edited to allow no UAC prompt for a certain app?
     
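    Greg S's questions above (where the flag lives, and whether a manifest can be edited to skip the prompt) can be answered by reading the manifest straight out of the binary. The following is an added example, not code from the thread or from any of the linked tools: it walks the PE resource directory with nothing but the Python standard library, pulls out the RT_MANIFEST resource (type 24) and reports the autoElevate flag. Two points a practitioner should keep in mind: Windows reads the embedded manifest from the executable when it is launched rather than from a cached copy, and autoElevate is only honoured for executables that carry a Microsoft Authenticode signature and live in a secure location such as System32, so editing the manifest of a copied binary breaks its signature and gains nothing. The build_sample_pe helper and SAMPLE_MANIFEST are constructed fixtures so the script runs offline; point it at a real file (for example a copy of an auto-elevating Windows binary) to inspect that instead.

```python
"""Extract the embedded RT_MANIFEST of a PE image and report autoElevate."""
import re
import struct
import sys

RT_MANIFEST = 24
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2

def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def extract_manifest(data):
    """Return the first RT_MANIFEST resource of a PE image as text, or None."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    data_dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    res_rva, _ = struct.unpack_from("<II", data, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)
    if res_rva == 0:
        return None
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    res_base = _rva_to_offset(res_rva, sections)

    def entries(dir_off):
        # IMAGE_RESOURCE_DIRECTORY: 16-byte header, then (Name, OffsetToData) pairs
        n_named, n_id = struct.unpack_from("<HH", data, res_base + dir_off + 12)
        first = res_base + dir_off + 16
        return [struct.unpack_from("<II", data, first + 8 * i) for i in range(n_named + n_id)]

    def child(dir_off, want_id=None):
        for name, off in entries(dir_off):
            if want_id is None or (not name & 0x80000000 and name == want_id):
                return off
        return None

    type_dir = child(0, RT_MANIFEST)                 # level 1: resource type
    if type_dir is None or not type_dir & 0x80000000:
        return None
    name_dir = child(type_dir & 0x7FFFFFFF)          # level 2: name/ID (1 for an EXE)
    leaf = None if name_dir is None else child(name_dir & 0x7FFFFFFF)   # level 3: language
    if leaf is None:
        return None
    data_rva, size = struct.unpack_from("<II", data, res_base + (leaf & 0x7FFFFFFF))
    off = _rva_to_offset(data_rva, sections)
    return data[off:off + size].decode("utf-8", "replace")

AUTO_ELEVATE_RE = re.compile(
    r"<(?:\w+:)?autoElevate>\s*(true|false)\s*</(?:\w+:)?autoElevate>", re.I)

def auto_elevate(manifest):
    """True only when the manifest explicitly asks for auto-elevation."""
    m = AUTO_ELEVATE_RE.search(manifest or "")
    return bool(m) and m.group(1).lower() == "true"

def build_sample_pe(manifest_xml):
    """Constructed fixture: a minimal PE32 image whose single .rsrc section holds
    manifest_xml as type 24 / ID 1 / language 0x409. Not a loadable program."""
    body = manifest_xml.encode("utf-8")
    sec_rva, sec_raw = 0x1000, 0x200
    def rdir(entry_id, target, is_dir):   # directory with one ID entry
        return (struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) +
                struct.pack("<II", entry_id, target | (0x80000000 if is_dir else 0)))
    rsrc = rdir(RT_MANIFEST, 0x18, True) + rdir(1, 0x30, True) + rdir(0x409, 0x48, False)
    rsrc += struct.pack("<IIII", sec_rva + 0x58, len(body), 0, 0) + body   # data entry + payload
    raw_size = (len(rsrc) + 0x1FF) & ~0x1FF
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)           # i386, 1 section
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_RESOURCE] = (sec_rva, len(rsrc))
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), sec_rva, raw_size, sec_raw,
                       0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(sec_raw, b"\0") + rsrc.ljust(raw_size, b"\0")

SAMPLE_MANIFEST = (   # constructed, shaped like the Windows auto-elevate manifests
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    '<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">'
    '<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">'
    '<autoElevate>%s</autoElevate></asmv3:windowsSettings></asmv3:application></assembly>')

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_pe(SAMPLE_MANIFEST % "true")
    print("autoElevate:", auto_elevate(extract_manifest(image)))
```

    Run it as `python manifest_check.py C:\Windows\System32\some.exe` to see the flag on a real binary; without an argument it parses the constructed fixture. The parser only reads the PE headers it needs and never writes, so it is safe to point at protected system files.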
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I'm not sure if I understand this correctly, but they are talking about 7's default UAC setting so if you put it to max, then it'll be the same as Vista. It's just a security vs usability preference.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't think quiet mode is what Kees had in mind, otherwise why make reference to the following:

    Regarding registry... and, perhaps other parts of the O.S... certain things are off limits to be messed with, with UAC's default settings.

    I don't think Microsoft would come to the point of simply removing every permission prohibition from UAC; otherwise, we'd go back to the moments when Microsoft was blamed for not caring about security, at all. lol
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @ Panagiotis

    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
    This is based on the internal whitelist, so here you go :D


    I have looked into it, the compatibility toolkit, but you need deployment tools not available on home / client versions. Did you get it working on a home, single PC, setup?


    Regards Kees
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes you are correct (I found out later), also the (old) workaround of pretentious.website is based on that (the list of 70 Windows binaries which are auto elevated)
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The list of Windows binaries which auto elevate without prompt is only related to objects (processes etc), not file protection (of Windows - Program Files), is what I understand. That is why you get the prompt for regedit.

    I only use auto elevate on Vista setups (where I can use PGS besides Safe-Admin:D ), on Windows 7 I kept it on default.
     
  24. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    User privileges in Windows are a false sense of security; falling back to Vista is a massive loss of time. There is always a vulnerability or two, and with effort, well designed malware can mess with the NTFS and bypass all your security.
     
  25. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494