What is the point of running as user with UAC enabled?

Discussion in 'other software & services' started by floepie, Oct 29, 2008.

Thread Status:
Not open for further replies.
  1. floepie

    floepie Registered Member

    Joined:
    May 25, 2008
    Posts:
    29
    If a newly-created user account with admin privileges is used as the main "daily user" account, how is this in any way less secure than running as a limited user in light of UAC? Having UAC enabled ensures that the admin account does not have the "full admin" privileges afforded the built-in account, which as I understand it, is not subjected to UAC prompts.

    After all, isn't the admin prompted by UAC just as often as the limited user account, the only difference being that the limited user is required to enter an admin password, whereas if running Vista as an admin, no password would be required at the prompt.
     
  2. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    By running as a limited user you can do and run less (system configuration, secure areas) and this includes any malware and viruses.
    So by running admin (via UAC) privalidges only when required and for as short a time as possible, you greatly reduce the chance of genuine and malicious users/code from causing system damage or accessing privalidged information.
     
  3. floepie

    floepie Registered Member

    Joined:
    May 25, 2008
    Posts:
    29
    OK thanks. It has been conventional wisdom to run a user account as your "daily driver", but in light of UAC, does a security benefit still exist by running a limited user account (LUA)? It seems that whenever I'm logged onto the console of an admin's account, I am prompted by UAC no less often than if I were logged onto my LUA.

    So, wouldn't any malicious code be confronted by the same obstacles in the admin enviornment as they would be in a LUA enviornment? As I'm sure you're well aware, the creation of an admin account does not afford it the full privileges granted it in previous versions of Windows.
     
    Last edited: Oct 29, 2008
  4. Infinite Luta

    Infinite Luta Registered Member

    Joined:
    Mar 26, 2008
    Posts:
    19
    Location:
    Illinois, USA
    Functionally, yes. There are a few technical differences that may or may not matter.

    UAC prompts for standard users are basically just a souped up version of RunAs as it exists in 2000 and XP. The elevated program is ran using the admin user's registry and user profile.

    UAC for administrators uses Admin Approval Mode. This creates two versions of your access token: a filtered version without admin rights and a full unfiltered version. Everything is run using the filtered token by default and the UAC prompts are used to unlock the full version of the token.

    Groups that fall in the middle - such as Power Users and Backup Operators - use a mixture of both. Like administrators, these users still have both a filtered and unfiltered token. However, UAC prompts are similar to what Standard Users would receive. You have the option of either entering your own password to unlock your own full token, or entering the password of an administrator and running the app as the admin user.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    the one that annoys me about vista limited user accounts is that when you need higher rights it uses another account instead of just upping the rights of the current user account. so i cannot do an upgrade install of opera on my limited user account. if i want to do an upgrade install i have to change account to admin logoff install opera upgrade. change account type back to limited user and login back in.
    im hoping in windows 7 with the uac adjustments i can change it so it will up the rights of the current account.
     
  6. floepie

    floepie Registered Member

    Joined:
    May 25, 2008
    Posts:
    29
    Thanks for the explanation. It seems unclear whether or not malicious code then faces the same obstacles to execution in a LUA environment as it does in "filtered" admin environment. And, as the only user on a PC, am I really protecting my system by running the LUA?
     
  7. floepie

    floepie Registered Member

    Joined:
    May 25, 2008
    Posts:
    29
    Why is there a need to do that? Just upgrade with the admin account. It's not as if user settings are modified simply by upgrading an existing app, right? I've found that the best way to upgrade and install apps is to start the application immediately after installing and while you rights are still elevated. That way, any new databases and files can be created in their proper places. Then, close app and re-open as the LUA. As a result, all your virtualized user folders/files will be stored in the user's appdata folder.
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello,
    just a bit of a pain having to up my rights logoff and back on a few times to ensure i dont over write my opera settings with a standard set.
    so atm i just use an admin account. everything has lowered rights anyway.
    its also annoying when a prompt takes over the screen and having to type in your password. i dont mind the extra security of the password but taking over the screen is annoying.
     
  9. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
  10. tlu

    tlu Guest

    SuRun also works with Vista and will solve your problem.
     
  11. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hey thomas,
    is there a english page?
    i dont understand german.
     
  12. tlu

    tlu Guest

    No, but see this thread for details. The program itself, the readme and changelog are in English.
     
  13. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    thanks thomas i will try it when i have some spare time.

    tbh i hope microsoft read about this application and adapt UAC to work the same as surun.
     
    Last edited: Oct 31, 2008
Loading...
Thread Status:
Not open for further replies.