6

Professionally, I've run as a standard user for a decade, and had mastered all the little tips and tricks to administering an enterprise using nothing but runas. Now in trots UAC, and while it makes some situations easier... for the most part all this thing does is get in my way.

I'm an Administrator, Outlook is the only process running on my pc that doesn't need elevated credentials! Yet I spend all day not only accepting prompts, but entering my password 200+ times a day. I believe in the REAL security UAC provides my environment, but the password over and over... it's maddening.

My question is this: with UAC forcing us to run as a standard user, is it safe? Can we go back to the NT days? Would you trust UAC enough to just log in with your admin account? Does UAC do enough to protect your Domain credentials?

Update: Put another way, do we place UAC on the same level as sudo? Yes, there will be bugs, but can we start to reorganize how we do business around this feature, or is this to protect my mom (not ready for primetime)?

Glenn Sizemore
  • If Outlook is the only process you start that doesn't need elevation, I'd say there's a bigger problem than pondering over UAC here... what on your desktop could possibly require elevation? About passwords, PKI and smart cards for administrators is one way to cut down on the complexity of the authentication prompts when connecting to servers to administrate. – Oskar Duveborn May 22 '09 at 07:17
  • For server administration, you either log onto the server and do just the task required then log off, no extra tools installed, no browsing and so on - or use a secondary locked down administrative interactive server with the required tools that you hop through to administer other servers... and on it you use a variation of your domain account that is an administrator, which you don't use with "normal" software like your day-to-day stuff (documentation, office, email, chat and surfing). – Oskar Duveborn May 22 '09 at 07:21

4 Answers

8

NO.

Check this out: http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/

And this: http://www.withinwindows.com/2009/02/04/windows-7-auto-elevation-mistake-lets-malware-elevate-freely-easily/

EDIT

I think I might be out of date; I am not sure of the current status of UAC now. According to this: http://blogs.msdn.com/e7/archive/2009/02/05/uac-feedback-and-follow-up.aspx they fixed the first issue.

Pyrolistical
  • 1
    You hit on part of my concern: Microsoft already messed up once with the W7 beta (they did fix it by the RC1 release). That doesn't guarantee they won't make another mistake... Maybe next time it takes out my Exchange infrastructure, but if I were to accept that as a fact then why run UAC at all. I just wish I could trust UAC like a *nix admin can trust sudo. – Glenn Sizemore May 22 '09 at 05:22
  • 1
    +1 The Windows 7 "fiasco" says it all... how Microsoft can still ship a consumer OS where the default first user is an administrator just boggles my mind. You should NEVER be logged on as an administrator on your desktop - not since Windows NT 4 or whatnot has that been best practice in any conceivable way. – Oskar Duveborn May 22 '09 at 07:18
  • 1
    Glenn, there is no such thing as "trust sudo" in my opinion. You need a carefully crafted sudo configuration in the first place, or you could as well leave your box wide open. – Vincent De Baere May 22 '09 at 10:24
2

A qualified yes. UAC allows Windows to treat an administrator as a limited administrator. You have all the rights of an admin but have to do a UAC event each time. Why does this matter? The UAC dialog box is no ordinary MsgBox(); it is actually in a separate user space and separate desktop instance, with an image of what you were seeing before it popped up in the background. You can't (at least I haven't been able to) call any user interface manipulation APIs to interact with the UAC from your user session. So this does (it appears) grant some level of security. If you're logged in as admin and some application that you didn't expect (or don't remember invoking) pops up a UAC, it can't go on with what it was doing without your intervention.

Copas
1

No. UAC is not a security boundary, as stated by Microsoft themselves. Even at home, I run as a limited user.

Orihara
1

No. But my take is that UAC makes it a lot easier to run as a regular user, and elevate (or switch user) explicitly when needed. Once your computer is set up properly, you probably won't need to elevate very often.

Some have pointed out that because a limited user's elevation requires a username and password to be typed, this makes the user more vulnerable to a spoofing attack where a fake UAC prompt is displayed, and used to capture your password. I think you're fine if you are aware of, and vigilant for, such things.

I've personally never been super fond of the 'limited admin' mode of UAC, for what I guess you could call philosophical reasons. I think the person between keyboard and chair is always going to be a crucial part of the security loop. So he should be fully aware of when elevations happen. Typing a username and password to continue an action does force awareness; clicking a dialog, too often, does not. 7's new auto-elevate logic goes further against this principle, imho.

YMMV. Luckily it's a configurable thing, so we can all tune to our own comfort levels!

quux
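The settings this last answer calls configurable are stored as policy values in the registry. The following PowerShell is an added example, not part of any answer above: it reads those values and reports which of the behaviours debated in this thread (silent elevation, Windows 7 auto-elevation, consent click versus typed credentials, secure desktop) are in effect. The function names `Get-UacPolicy` and `Test-UacPolicy` are hypothetical, and the sample policy at the end is constructed.

```powershell
# Added example (not from the original thread): audit the UAC prompt policy.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Live values from the registry; a value that is not set comes back as $null.
    $p = Get-ItemProperty -Path $UacKey
    @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-UacPolicy {
    param([Parameter(Mandatory = $true)] [hashtable] $Policy)
    $notes = @()
    if ($Policy.EnableLUA -ne 1) {
        $notes += 'EnableLUA is not 1: UAC is off and administrators get a full token at logon.'
    }
    $admin = $Policy.ConsentPromptBehaviorAdmin
    if ($admin -eq 0) {
        $notes += 'ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt at all.'
    } elseif ($admin -eq 5) {
        $notes += 'ConsentPromptBehaviorAdmin=5: Windows binaries auto-elevate; only other programs prompt.'
    } elseif ((2, 4) -contains $admin) {
        $notes += ('ConsentPromptBehaviorAdmin={0}: a consent click is enough, no credentials are typed.' -f $admin)
    }
    if ($Policy.ConsentPromptBehaviorUser -eq 0) {
        $notes += 'ConsentPromptBehaviorUser=0: standard users are denied elevation and need a separate admin logon.'
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $notes += 'PromptOnSecureDesktop is not 1: prompts are not forced onto the separate secure desktop.'
    }
    if ($notes.Count -eq 0) {
        $notes += 'No relaxed setting found: prompts are required and forced onto the secure desktop.'
    }
    $notes
}

# Constructed sample: Admin Approval Mode on, auto-elevation mode (5) selected.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5
             ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 1 }
Test-UacPolicy -Policy $sample

# On a real machine: Test-UacPolicy -Policy (Get-UacPolicy)
```

For the constructed sample the only note returned is the one about `ConsentPromptBehaviorAdmin=5`, the auto-elevation behaviour the last answer objects to.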