Thursday, April 3, 2008

OK...so...

aka "How to never be annoyed by UAC again"
My last post was a lame April Fool's joke. I wasn't seriously proposing that we replace the UAC prompt with a Captcha. It would kinda sorta make sense in some scenarios, but we've already solved the problem* differently. And captchas are annoying. Necessary evil, but annoying. (Isn't it truly weird that Captchas are the first step to Bladerunner-esque interrogations?)

*What problem? One of the things UAC addresses: If you are an admin user on Vista, your applications (mostly) run in normal user context - that is the core feature of UAC on Vista. If any (potentially) malicious software is running on your computer (in user context), you don't want it to be able to silently elevate to system context and open up firewall ports/reconfigure your system/etc.

(Yes, malware, even in user context, can probably send your credit card details to the other side of the planet...malware running in system context is worse though, as it can reconfigure anything on the system to turn your computer into a spam zombie or botnet node/spy on other users/etc.)
If we didn't prompt the user before launching code in system context (from user context), malware could do literally anything to your machine (without you knowing) as soon as you double-clicked on SeeParisHiltonNaked.exe. (Replace Paris Hilton with whoever you really really want to see in the nude.)

The UAC prompt is displayed on a dark background because it is running in a different screen session - the malware (back in user context) can't see the prompt/automatically click on it/etc. (If we displayed a captcha at this point, instead of an Allow/Cancel prompt, the malware back in user context wouldn't be able to see it, or perform any action on it. The black frame means that only you, the user, and the Windows OS, can see (or interact with) any content on the screen.)

So - UAC prompts: Necessary evil. Well...Necessary evil to protect you from true evil.

Unless...
Unless, of course, you generally know what you are doing.

You can easily configure UAC to never prompt you. You do, of course, need to be careful when downloading and running any software from the internet - you don't want random code from the internet to be able to get into system context on your machine.

But, if you always go "Hmm, is this a good idea to do this?" when you see the UAC shield on a button/menu...you don't need to see a UAC prompt, do you?

If you are a user with administrator privileges:

To remove the prompt - run gpedit.msc, go to Local Computer Policy - Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options.
Look for 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' in the list on the right, and set it to 'Elevate without prompting'.
Then, run 'gpupdate' from an elevated command prompt.

And you'll never see any UAC prompts, ever again.

But you have to promise to never run random executables off of the internet - stick to adobe.com or Paint.Net - stuff people trust. Stay away from SeeHarrisonFordNaked.exe.
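
To check which state a machine is actually in (UAC off, prompt disabled, or still prompting), the following read-only PowerShell audit reads the registry values that back these policies. It is an added example, not part of the original post; the function and variable names are its own.

```powershell
# Added example: read-only audit of the registry values behind the UAC policies.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue([string]$Name) {
    # Returns $null when the value is not present under the policy key.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Meaning of ConsentPromptBehaviorAdmin (value 5 exists on Windows 7 and later).
$adminModes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

$lua    = Get-UacValue 'EnableLUA'                   # 0 = UAC turned off entirely
$admin  = Get-UacValue 'ConsentPromptBehaviorAdmin'  # the policy changed in gpedit.msc
$user   = Get-UacValue 'ConsentPromptBehaviorUser'   # prompt shown to non-admin accounts
$secure = Get-UacValue 'PromptOnSecureDesktop'       # 1 = prompt on the dimmed desktop

$adminText = if ($null -eq $admin) {
    'not set (OS default applies)'
} elseif ($adminModes.ContainsKey([int]$admin)) {
    $adminModes[[int]$admin]
} else {
    "unknown value $admin"
}

# The two states are different: UAC off versus UAC on with the prompt disabled.
$verdict = if ($lua -eq 0) {
    'UAC off: programs started by an admin get full rights immediately'
} elseif ($admin -eq 0) {
    'Prompt disabled: programs start unelevated, but any of them can elevate silently'
} else {
    'Prompting: elevation needs an interactive answer'
}

[pscustomobject]@{
    EnableLUA                  = $lua
    AdminPromptBehavior        = $adminText
    ConsentPromptBehaviorUser  = $user
    PromptOnSecureDesktop      = $secure
    Verdict                    = $verdict
} | Format-List
```

A machine reporting 'Prompt disabled' relies entirely on every program in the admin's session being trustworthy and free of exploitable bugs, so that value is worth flagging in a configuration baseline.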

10 comments:

[deXter] said...

Uhm, is the "adobe.com" mention a slip-up or sarcasm? (I mean, what with all the holes in Flash and everything..)

Anyways, my question is: If the UAC prompt is disabled in this manner, would it also remain disabled for limited user accounts?

Andrew said...

So are you saying that this will remove the prompt - yet still allow the same protection or capability that UAC provides? For example - is this the same as just turning off UAC or is UAC just in full operation - just without a prompt?

Soma said...

"Is the 'adobe.com' mention a slip-up or sarcasm?"
A 'slip-up' - My point was that software from large vendors is much less likely to be malware. I have Flash installed on my computer, like almost everybody else on the planet. :) (Who wants to go without YouTube?)
Adobe will patch Flash very soon, I'm sure. If you are paranoid, you can uninstall it until they release a patch. Most people aren't that paranoid.

"If the UAC prompt is disabled in this manner, would it also remain disabled for limited user accounts?"
Anybody running in a 'limited' (non-admin) user account will still get the admin-password prompt. As they should - they aren't admins!

"is this the same as just turning off UAC or is UAC just in full operation - just without a prompt?"
This is *not* turning off UAC.
If you turn off UAC, all programs run with full permissions (if you are a user with administrator privileges).
If you *disable* the AUC prompt, your software still runs without administrator privileges (even though your user account has administrator privileges) - Any program on your computer can silently (without you knowing) elevate to full admin/system context...so you should only run things you trust.

This is still *somewhat* better than running with AUC off - If your program gets data off of the internet (e.g. a Bittorrent client, etc.) and it has a buffer overrun...A random attacker on the internet could take over that program. And (now that I think about it) silently (without you knowing) elevate to full administrator/system context code - because you disabled the UAC prompt...

So...as long as you are very sure that the programs on your computer aren't malware...and you are sure they don't contain any buffer overruns or other security problems...you are safe.

Unknown said...

Much easier, although I suspect not exactly the same thing: Open control panel, type "Disable UAC", click the first result.

Decoy said...

Hold on

What is AUC?

stryqx said...

UAC = tell the vendor to stop shipping crap software

UAC != enhanced security

Mindless clicking leads to the same old problem. At the end of the day, Joe Average has no idea what UAC is preventing. There's absolutely no useful context provided in the UAC prompt as to what the user is being asked to elevate. The Defender prompts are only slightly better.

Registry virtualisation and system file virtualisation helps, as will behavioural analysis of software, but we've got a way to go yet.

lx said...

Yeah, but if the UAC window pops up while Joe is working with ms paint / [insert other program here] or maybe even doing nothing at all, then the chances are good that he might be sceptical.
UAC is a good start and there isn't really someone who has a better solution implemented to this problem right now (correct me if I'm wrong).

Of course there is and will always be a very stupid user; you can't do anything about it.

To end this post with a quote:

"Programming today is a race between programmers striving to build bigger and better idiot proof programs, and the universe trying to build bigger and better idiots. So far the universe is winning"

Lebegő Alma said...

Hi there!

I was wondering if the next Windows could have a real dedicated folder for temporary files.
It has such now.. but there are many other folders where there is stuff which I can delete to get more space (like before a proper defragmentation) (folders like the thumbnail cache, like iexplorer cache etc...).

This would be great when ALL of such files would be placed in to that folder. And maybe other third party software would find it useful to use that folder too.

Thanx!

Lebegő Alma said...

Mugunth Kumar
Thank you for this info, however I think it is much much easier to create such temp folder and tell everyone to use it. This is not a brainer for any software developer, but telling Windows Disk Cleanup where to delete and what... I think you know what I mean. And btw, who uses that utility anyway? :D
