| Windows Vista Discuss the different versions of Windows Vista, Fuji, or Vienna |
| |||
Re: Do this instead of disabling UAC

"Synapse Syndrome" <synapse@NOSPAMgomez404.elitemail.org> wrote in message news:uHt4FP3JHHA.2236@TK2MSFTNGP02.phx.gbl...
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:e8RvKM3JHHA.4848@TK2MSFTNGP04.phx.gbl...
>>
>> You would be better off security wise to just turn off uac rather than
>> use this tweak.
>>
>
> What?
>
> ss.

This tweak allows any program to silently gain elevated privileges without warning the user. If you turn uac off some of these same programs will still fail. With this tweak they succeed. It is a very big security hole. I haven't tested it. I'm just going by what I read at the link. Personally I'm not bothered by uac and would never turn it off or try to bypass it, but then part of my living comes from repairing the damage done by malware and anything that helps in this fight is a good thing by me. I would much prefer to not have this as part of my business and go back to doing things like helping customers get more out of their computers and networks. Unfortunately because of users' and programmers' habits XP is not secure and malware authors have a heyday. With Vista there is a chance to stop this trend unless of course everyone does like you and bypasses the security.

--
Kerry Brown
Microsoft MVP - Shell/User
www.vistahelp.ca/phpBB2
| |||
Re: Do this instead of disabling UAC

But of course I am saying "defeat" not "disable." As in defeat the protection as opposed to knowing that you have to take care because it is disabled.

"Synapse Syndrome" <synapse@NOSPAMgomez404.elitemail.org> wrote in message news:ume82T3JHHA.1816@TK2MSFTNGP06.phx.gbl...
> "Colin Barnhorst" <colinbarharst@msn.com> wrote in message
> news:B2C8C44F-7619-46C9-B39A-F0B30F19ED1C@microsoft.com...
>> Since you know what you are doing, why are you encouraging those who
>> don't to defeat UAC?
>
>
> I'm not. If you search this NG you'll find that many people disable UAC,
> and this is a way to have UAC enabled but without the prompts.
>
> The title of this conversation is "Do this instead of disabling UAC"
>
> ss.
| |||
Re: Do this instead of disabling UAC

It makes me laugh. People complained that XP wasn't secure enough, so when Vista came along, people complain that UAC is annoying, so disable it!

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message news:%23YRYRo3JHHA.780@TK2MSFTNGP03.phx.gbl...
> "Synapse Syndrome" <synapse@NOSPAMgomez404.elitemail.org> wrote in message
> news:uHt4FP3JHHA.2236@TK2MSFTNGP02.phx.gbl...
>> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
>> news:e8RvKM3JHHA.4848@TK2MSFTNGP04.phx.gbl...
>>>
>>> You would be better off security wise to just turn off uac rather than
>>> use this tweak.
>>>
>>
>> What?
>>
>> ss.
>
> This tweak allows any program to silently gain elevated privileges without
> warning the user. If you turn uac off some of these same programs will
> still fail. With this tweak they succeed. It is a very big security hole.
> I haven't tested it. I'm just going by what I read at the link. Personally
> I'm not bothered by uac and would never turn it off or try to bypass it,
> but then part of my living comes from repairing the damage done by malware
> and anything that helps in this fight is a good thing by me. I would much
> prefer to not have this as part of my business and go back to doing things
> like helping customers get more out of their computers and networks.
> Unfortunately because of users' and programmers' habits XP is not secure
> and malware authors have a heyday. With Vista there is a chance to stop
> this trend unless of course everyone does like you and bypasses the
> security.
>
> --
> Kerry Brown
> Microsoft MVP - Shell/User
> www.vistahelp.ca/phpBB2
>
>
| |||
Re: Do this instead of disabling UAC

Hello Kerry :),

This "tweak" only works the way implied in this thread and the referenced site when logged in with an administrator account. The benefit in this scenario is that applications that do not request elevated privileges will not receive them.

In the context of malware, you are absolutely correct - it would be just as bad to turn UAC completely off, as this setting takes the control out of the user's hands - applications will get exactly however much privilege they request, without giving the user a chance to intercede. However, properly-written applications that correctly request the minimum privilege they need will still have limited privileges, which provides some security benefits that would not be available if UAC were completely disabled (such as IE protected mode).

In either case, this setting does severely weaken UAC, as it takes the C out of UAC (the "control" part). By changing this setting, one again gives implicit control of their system back to whatever programs they run. Sure, some programs may "play nice" by requesting limited privileges... BUT, the real question here, is do you implicitly trust every program that you run (or may somehow be run on your system) to "play nice", knowing that they can request admin privileges and receive them without you being notified?

It seems some people don't care how many privileges the programs that they run have over their computer. They must think that if they are running a program then that signifies their trust in the program and they wouldn't run it otherwise. Personally, I think that's crazy, especially in today's interconnected world, but to each their own. I don't want AIM or Notepad to be able to open up an administrative program that can format my hard drive without my permission, lol.

Also, the website that contains this tip seems to imply that this same behavior can be applied to non-administrator accounts. This is false.

There is no mechanism to allow "automatic" elevation in a non-administrator account, because the credentials of an administrator are required for elevation to occur. UAC must have the account name and password of an administrator to elevate an app from inside of a standard user account, and it must have the user/administrator type this info in. Accordingly, the only options for the policy "User Account Control: Behavior of the elevation prompt for standard users" are Prompt for Credentials and Automatically Deny Elevation Requests.

--
- JB
Windows Vista Support Faq
http://www.jimmah.com/vista/
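
Added example, not part of the thread or of any poster's message: a PowerShell check that flags the configuration discussed above. It assumes the tweak corresponds to the administrator elevation-prompt policy being set to "Elevate without prompting" (registry value ConsentPromptBehaviorAdmin = 0); the function name Get-UacPromptFinding and the sample configurations are constructed for illustration.

```powershell
# Added example (not from the thread). Value meanings are the documented ones for
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
function Get-UacPromptFinding {
    param(
        # Hashtable or registry property object exposing EnableLUA,
        # ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser.
        [Parameter(Mandatory = $true)] $Policy
    )

    $admin = $Policy.ConsentPromptBehaviorAdmin
    $user  = $Policy.ConsentPromptBehaviorUser

    if ($Policy.EnableLUA -eq 0) {
        # UAC fully off: the case the thread compares the tweak against.
        $risk   = 'High'
        $detail = 'UAC is disabled; benefits such as IE Protected Mode are lost.'
    }
    elseif ($admin -eq 0) {
        # UAC on, prompts suppressed: elevation requests succeed silently.
        $risk   = 'High'
        $detail = 'Administrators elevate without prompting; any requesting program is elevated silently.'
    }
    else {
        # A missing value means the system default applies, which prompts.
        $risk   = 'OK'
        $detail = 'Administrators are prompted before elevation.'
    }

    # Standard users can only be denied or asked for administrator credentials.
    if ($user -eq 0)                     { $standard = 'Elevation requests are denied automatically.' }
    elseif (@(1, 3) -contains $user)     { $standard = 'Prompt for administrator credentials.' }
    else                                 { $standard = "Unset or unrecognised value ($user)." }

    New-Object PSObject -Property @{ Risk = $risk; Admin = $detail; StandardUser = $standard }
}

# Constructed sample configurations (not captured from a real machine).
$samples = @{
    'Prompting'          = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; ConsentPromptBehaviorUser = 1 }
    'Prompts suppressed' = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 1 }
    'UAC disabled'       = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 2; ConsentPromptBehaviorUser = 1 }
}
foreach ($name in $samples.Keys) {
    $r = Get-UacPromptFinding -Policy $samples[$name]
    '{0,-20} {1,-5} {2}' -f $name, $r.Risk, $r.Admin
}

# On a live system, pass the registry values instead:
# Get-UacPromptFinding -Policy (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
```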
| |||
Re: Do this instead of disabling UAC

On 24/12/2006 in message <tOyjh.23343$HV6.14341@newsfe1-gui.ntli.net> Brian W wrote:

>It makes me laugh. People complained that XP wasn't secure enough, so when
>Vista came along, people complain that UAC is annoying, so disable it!

I found it a good idea but poorly implemented, perhaps it will be improved with SP1?

--
Jeff Gaines
| |||
Re: Do this instead of disabling UAC

> Are you one of those people that had lots of malware problems with XP? I
> never did, as I know what I am doing.

This isn't the issue here. UAC is not about "do you know what you are doing". UAC is about do you trust every program that runs on your machine to have as much privilege as it wants? Do you want to be notified when an app attempts to run privileged and be able to stop it? Because changing this setting and/or disabling UAC takes this control out of your hands and puts it right into the grasp of any application that runs on your computer.

--
- JB
Windows Vista Support Faq
http://www.jimmah.com/vista/
| |||
Re: Do this instead of disabling UAC

I hate removing malware. The only reason I do it is because my customers request and need it. I would much rather be spending more of my time helping them get more out of their computers and networks rather than helping them just to maintain the existing level of productivity. I prefer working in a positive environment. Malware forces us to work in a negative environment.

--
Kerry Brown
Microsoft MVP - Shell/User
www.vistahelp.ca/phpBB2

"Dale" <nospam@nospam.ever> wrote in message news:uh3MQo4JHHA.1912@TK2MSFTNGP03.phx.gbl...
> Well, Kerry should be telling people don't use UAC - he'll make a lot more
> money that way. :)
>
> Dale
>
> "Daze N. Knights" <Daze@microchip.com> wrote in message
> news:O4bH5c4JHHA.2232@TK2MSFTNGP02.phx.gbl...
>>
>>
>> Kerry Brown wrote:
>> but then part of my living comes from repairing the
>>> damage done by malware and anything that helps in this fight is a good
>>> thing by me.
>>
>> :) ;)
>
| |||
Re: Do this instead of disabling UAC

I think it's obvious to most of us that it's the consensus within MSFT and on the outside of MSFT that UAC and security in general is Vista and Longhorn Server's most compelling selling point or lead selling point. This applies strongly to business in general, and somewhat to the home user although many other features will be marketed for the home environment. Others will be the use of AD/Group Policy for businesses. It's going to account for a lot of the migration decision I would think though for mid-level and enterprise businesses who go Vista.

What will be interesting to me is how many users who have the choice will elect to dilute, modify or turn off UAC. I'm not sure how you get those figures. There will be focus groups. Gartner and similar organizations will of course generate them.

I've been trying for a good while to get accurate figures on how many machines on the planet are running XP within large and midrange businesses and for home and small business users. You see figures around the 800 million range, but I'm not sure how that breaks down into categories.

CH

"Synapse Syndrome" <synapse@NOSPAMgomez404.elitemail.org> wrote in message news:eofw592JHHA.4068@TK2MSFTNGP03.phx.gbl...
>I can't live with the UAC prompts, so I had it turned off. But I just came
>across this tweak to keep UAC active while turning the prompts off.
>Security Centre still reports that UAC is turned off, but it seems to be
>working as you can see that IE7 runs in Protected Mode.
>
> http://www.tweakvista.eu/show_tweak.php?tweak=84
>
> ss.