Slashdot Mirror


A Fresh Look at Vista's User Account Control

Art Grimm writes to mention a post at Ed Bott's Microsoft Report on ZDNet. There, he talks about Vista's User Account Control, and the issues he sees with the setup as it exists now. From the article: "The UAC prompts I depicted in the first post are those that appear when you install a program, when you run a program that requires access to sensitive locations, or when you configure a Windows setting that affects all users. But as many beta testers have discovered, UAC prompts can also show up when you perform seemingly innocent file operations on drives formatted using NTFS. In this post, I explain why these prompts appear and why some so-called Windows experts miss the obvious reason (and the obvious fix)."

332 comments

  1. How annoying by kimvette · · Score: 5, Informative

    Could they possibly make that "article" any more annoying? They'd have been better-served to turn it into a flash-animated slide show. I'm not going to click all the way through that thing.

    Either put it all on one or two pages (interspersed with ads if you must), or put it into a slide show if the article is written as a slide show.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    1. Re:How annoying by Anonymous Coward · · Score: 1, Informative

      You beat me to it. I have no problem with long articles being broken up but this one is like two sentences, a picture and a "more" button. Screw you, ZDNet.

    2. Re:How annoying by charleste · · Score: 1

      I had to see this for myself! To quote Keanu Reeves: "Whoa!". That was bad. What if I don't have good short term memory? This format, of course, would only be profitable if the ads were for munchies :-) I did wade through the article (retaining what I could) and it just seemed to be either a scare tactic for Joe User OR a warm-fuzzy - I guess depending on the user's initial perspective.

    3. Re:How annoying by AKAImBatman · · Score: 5, Funny

      this one is like two sentences, a picture and a "more" button.

      I think he was trying to capture the "flavor" of Windows Vista. i.e. You'll be spending 90% of your time clicking...

      (Click Next to Continue)

      through...

      (Click Next to Continue)

      the dialog...

      (Click Next to Continue)

      boxes. Each one of...

      (Click Next to Continue)

      these boxes...

      (Click Next to Continue)

      will annoy you with something else...

      (Click Next to Continue)

      incredibly trivial.

    4. Re:How annoying by Gannoc · · Score: 1

      Agreed. I stopped reading after three slides. Was the content on MAYBE 1/8th of the page? Screw ZDNet.

    5. Re:How annoying by azav · · Score: 1

      You're correct. It was an annoying article and with no real solution either.

      Basically, it goes like this: Here's something that sucks and here's no idea solution for it. All spread over three pages that should have been one that a reader could scroll through.

      Must be a slow news day.

      And on a cooler note about cooler things...
      http://www.apple.com/science/profiles/hiperwall/

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
    6. Re:How annoying by drpimp · · Score: 1

      What even is more annoying is the way it appears to work. I got annoyed just looking at those annoying Vista warning screen shots.

      --
      -- Brought to you by Carl's JR
    7. Re:How annoying by causality · · Score: 5, Insightful

      Sorry guys, I have karma to burn so take your moderator frustrations out on me if you must, but that moderation is bullshit (and damn do mods seem to dislike it when you point this out). Flamebait? What strong belief does it blatantly attack in an attempt to start a verbal war? Try reading the FAQ you fucks. Articles like this are shit, and I am also not going to continue viewing this article because I do not wish to knowingly reward shit with ad revenue dollars -- yes, you see, there is a decision to make here involving voting with your feet and whether you wish or do not wish to reward something with real $$. Just think about the kind of traffic the Slashdot Effect generates for a site and its advertisers. Therefore, if anything, kimvette is doing me a favor, and I suspect I am not the only person who can say that. So anyway, it is likely that calling bullshit when I see it, in the only forum in which I can do so (seeing how I do not have mod points right now and there is no section here devoted to discussing this sort of thing) will cost me a few points, but oh well.

      Slashdot badly needs a way to moderate articles themselves, and "-1 Conflict of Interest" (for obvious attempts to drive traffic to sites that just happen to be ad-supported and also just happen to be owned by the person who submitted the article) and "-1 Excess Pagination" need to be two of the categories. I'm not even going to mention dupes.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    8. Re:How annoying by aztec+rain+god · · Score: 1

      I looked at two pages of the bloody thing and had to go lie down for a while.

      --
      Sig cannot be found.
    9. Re:How annoying by kimvette · · Score: 0, Offtopic

      That was not flamebait either, off-topic at worst. We can continue this until you run out of mod points.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    10. Re:How annoying by ADRA · · Score: 1

      Not to prop the article which at least laid the problem definition, but at the end of the article he did say that the third 'coming' article would have some suggestions for Microsoft that would make most people happy.

      --
      Bye!
    11. Re:How annoying by Captain+Splendid · · Score: 3, Insightful
      Kudos and a hearty Hear hear!

      For the clueless editors, here's a good summation: If you're going to throw shit at us, expect some back.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    12. Re:How annoying by Anonymous Coward · · Score: 0

      almost as annoying as the Xerox ad that won't get the hell out of the way on Slashdot's page for this article

    13. Re:How annoying by el_jake · · Score: 1
      Could they possibly make that "article" any more annoying? They'd have been better-served to turn it into a flash-animated slide show. I'm not going to click all the way through that thing.


      Oh your Lynx is jamming?
      --
      In order to form an immaculate member of a flock of sheep one must, above all, be a sheep.
    14. Re:How annoying by oringo · · Score: 5, Funny

      You took this wrong, mate. The author is a genius and he's giving you a preview of how annoying the Vista UAC is going to be through a web simulation!

    15. Re:How annoying by rosewood · · Score: 2

      If I had mod points to use, I'd try to balance out that bullshit. Here is to hoping I get to do some meta ...

    16. Re:How annoying by moochfish · · Score: 3, Funny

      It's web 2.0 in action!

      (Click Next to Continue)

      We've successfully ported an upcoming feature in Vista

      (Click Next to Continue)

      to the web!

    17. Re:How annoying by alx5000 · · Score: 1
      • DIGG THIS!

      Sure. As deep as I can, promise.

      --
      My 0.02 cents
    18. Re:How annoying by scumdamn · · Score: 3, Informative

      I'm replying to this thread because it's at the top. The article says that the reason that you get all of those messages is that the standard user token doesn't have access to the files that you're trying to change. So as soon as you get your Vista system, add your user token to the Program Files folder and stuff so you don't get those damn messages. I'm not sure what implications that has for security since you wouldn't give your user privileges to the Windows folder where the registry is, but if you're worried about security, it sucks to be you, pretty much.

    19. Re:How annoying by kcbrown · · Score: 0, Redundant
      Could they possibly make that "article" any more annoying? They'd have been better-served to turn it into a flash-animated slide show. I'm not going to click all the way through that thing.

      You read the article??

      You're new here, aren't you? It's much easier to just comment about the article without reading it. As your experience so clearly demonstrates. :-)

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
    20. Re:How annoying by Elevator_Inspector · · Score: 3, Informative

      Quick fix for the annoying article. Change the page id in the URL to "all" as in http://blogs.zdnet.com/Bott/?page_id=all

    21. Re:How annoying by IthnkImParanoid · · Score: 2, Informative

      Heh, I take it you're familiar with the "Eject Media Wizard" (at least on W2K server)?

      Right-Click->Eject Media

      Welcome to the eject media wizard!
      The media eject wizard allows you to....blah blah blah
      [Cancel] [Next]

      Finished:Eject Media Wizard
      Congratulations, you've completed the eject medi....blah blah blag
      [Cancel] [Finish]

      Wizards are intuitive, and FUN! (Almost as fun as stabbing whoever is responsible for that in the face.)

      --
      It's nothing but crumpled porno and Ayn Rand.
    22. Re:How annoying by kcbrown · · Score: 1
      Hint to moderators: "Redundant" in the context of Slashdot means that someone else said the same thing in the same thread before the article you're modding as redundant.

      Don't go modding down someone's article just because you don't like it.

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
    23. Re:How annoying by azav · · Score: 1

      aaaand the SOLUTION iiiis in my next installment!

      Not to be mean buuut that's just bait.

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
    24. Re:How annoying by bungo · · Score: 2, Insightful

      Slashdot badly needs a way to moderate articles themselves, and "-1 Conflict of Interest" [...] and "-1 Excess Pagination"

      That's a good idea, which many people have expressed before.

      In fact, we sort of have the ability to do it - tagging!

      Currently, the tags I see are :
        [+] vista, stupid, microsoft, vaporware (tagging beta)

      Now, if the article was tagged with something like "RevenueWhore", then everyone would be able to spot it and skip it.

      I know that I normally read the comments first before looking at the article, so this would stop me from visiting the site.

      --
      "The best part? I became an ordained minister while not wearing pants." -- CleverNickName
    25. Re:How annoying by gbjbaanb · · Score: 1

      No way. I see it differently, it's a fake website set up by CmdrTaco, partly to get some dosh for OSTG but partly to see how many of us clicked the link to actually read the article

  2. This is not a good approach by jawtheshark · · Score: 5, Insightful
    Frankly... Nobody is "Administrator" of the machine anymore? (Administrators Group is not enough) Really? So essentially, they reduced the "Administrators" groups to "Well, you can admin, but you have to know what you do, and we'll annoy the hell out of you".

    The whole point of Administrator is that you know what you do and you can Admin a machine securely. I know Joe Sixpack doesn't know how to, but doing this will put Admins all over the world in the place of "Limited User". In the end our Dear Joe Sixpack will just click and click until the task is done anyway. He will be frustrated and will get spyware anyway.

    What we need is the equivalent of a Car Mechanic for administration. You call your mechanic and he'll do the maintenance for a fee. Frankly, it's the only way for home users.

    Oh, and those that say that you can't run in Limited User on XP (as in the fine article is stated) are completely ignorant. I'm running Limited right now, and I have no problem. Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard. The only program I've never been able to run as non-admin is a game called "Children Of The Nile", and I still don't know how to run it as a Limited User. The user that needed it got the "Run As" option checked in the shortcut. Sure she has Admin access that way, but she's my sister and knows that she shouldn't run Admin.

    No, all problems are just the cause of the legacy of poor security in the past. Nagging dialogboxes won't help.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:This is not a good approach by kimvette · · Score: 2, Interesting

      And, it's unlikely that Quickbooks will run as Limited User in Vista. See the URL in my sig (it is not my site, just conveniently appropriate for this thread)

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    2. Re:This is not a good approach by Orrin+Bloquy · · Score: 1

      Tell me how to get Monsters Inc. Scream Team Training to run on a non-admin account without me manually entering an admin pw into Run As... every time and I'll be unbelievably grateful.

      --
      "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
    3. Re:This is not a good approach by Tibor+the+Hun · · Score: 1

      pfft. easy-peasy...
      write it down on a sticky and teach your kid to type it in.
      call it Monsters Inc. admin rights access team training.
      kids will love it.

      --
      If you don't know what AltaVista is (was), get off my lawn.
    4. Re:This is not a good approach by jawtheshark · · Score: 2, Informative
      I have no idea... BUT... If you're running WinXP Pro, go to the folder where it is installed and give "Full" access rights to "Users". If that doesn't work, go into regedit (assuming XP Pro...otherwise go to regedt32) and look for registry entries in HKEY_LOCAL_MACHINE related to your program. Grant them full access rights to "User" on that part of the tree. 99% of the programs I have encountered will work then. You could say that security is compromised because a normal user could kill the program. That is true, but the application programmers are to blame for that.

      If you have XP Home, read up on cacls. Alas, in XP Home it is hard to configure access control on folders.
      For example:
      C:\> cacls C:\MyFolder\ /T /E /G Users:F

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    5. Re:This is not a good approach by PenisLands · · Score: 0

      Nagging dialogboxes won't help.

      Absolutely. Recently I was watching my dad use his computer, which is kind of messed up at the moment. Some kind of dialogue box with information came up and he just clicked "OK" without reading what it said. I asked why he did that and he said "Oh, sorry. Well, you couldn't do anything, the only option was 'OK'".
      Seems like users have learned to blindly click yes or whatever options there are on nagging dialogue boxes that appear at you.

    6. Re:This is not a good approach by Gnavpot · · Score: 5, Informative
      Tell me how to get Monsters Inc. Scream Team Training to run on a non-admin account without me manually entering an admin pw into Run As... every time and I'll be unbelievably grateful.
      If you are on XP Pro (not XP Home), you should look into the '/savecred' option for the command line version of RunAs.

      First time a program is started with 'runas /savecred /user:administrator', you will be prompted for the administrator password. The next time this command is used to start the program, XP will remember that this user is allowed to run the program with administrator privileges and will not ask for a password. To make things a little more convenient and self-explanatory, you can put the command into a .bat file, make a shortcut to the .bat file and select the program's icon for the shortcut.

      It is certainly not a perfect solution, but it can solve some problems.

      However, you should not use this solution if you don't trust the user. I am almost certain that the program can be replaced with another program with the same name without revoking the privileges.
    7. Re:This is not a good approach by laplandsix · · Score: 5, Informative

      Right click the shortcut and prepend the following:

      C:\WINDOWS\system32\runas.exe /savecred /user:administrator
      The first time you run the app it'll prompt you for the admin password (in an UGLY ass dos box) after that it'll run with no prompting. Honestly, this isn't rocket science. Not quite as slick as suid, but it works. Until you change the admin password of course.

      --
      Free The Lapland Six!!!
      http://www.whatiwore.com
      What I wore, now with 100% more pool project!
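
An added example, not part of any comment in this thread: a PowerShell inventory of the shortcuts and batch files that call `runas /savecred`, the setup described in the two comments above, so an administrator can see where a saved administrator credential is in use. The default search roots are assumptions, and the script needs PowerShell 3.0 or later.

```powershell
# Added example: find launchers that use "runas /savecred".
function Find-SaveCredLauncher {
    param(
        # Assumed default roots: current-user and all-users Desktop and Start Menu.
        [string[]]$Root = @(
            [Environment]::GetFolderPath('DesktopDirectory'),
            [Environment]::GetFolderPath('StartMenu'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            [Environment]::GetFolderPath('CommonStartMenu')
        )
    )

    # Drop roots that are empty or do not exist on this machine.
    $Root = @($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if ($Root.Count -eq 0) { return }

    # "runas" or "runas.exe" followed, on the same line, by /savecred.
    $pattern = '(?i)\brunas(\.exe)?"?\s.*?/savecred\b'
    $shell   = New-Object -ComObject WScript.Shell

    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.lnk', '.bat', '.cmd' }

    foreach ($file in $files) {
        if ($file.Extension -eq '.lnk') {
            # A shortcut keeps the program and its arguments in separate fields.
            $lnk   = $shell.CreateShortcut($file.FullName)
            $lines = @("$($lnk.TargetPath) $($lnk.Arguments)")
        } else {
            $lines = @(Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue)
        }
        foreach ($line in $lines) {
            if ($line -match $pattern) {
                [pscustomobject]@{ File = $file.FullName; Command = $line.Trim() }
            }
        }
    }
}

Find-SaveCredLauncher | Format-List

# List the credentials stored for the current user, to compare with the launchers found.
cmdkey /list
```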
    8. Re:This is not a good approach by Ucklak · · Score: 3, Insightful

      You've just explained how complicated Windows permissions are to use over Mac and *nix.

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
    9. Re:This is not a good approach by Anonymous Coward · · Score: 0

      Oh, and those that say that you can't run in Limited User on XP (as in the fine article is stated) are completely ignorant. I'm running Limited right now, and I have no problem. Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard. The only program I've never been able to run as non-admin is a game called "Children Of The Nile", and I still don't know how to run it as a Limited User.

      So, you are supporting your claim that you can run in Limited User on XP by arguing that even you have been unsuccessfully able to run a program in Limited User?

    10. Re:This is not a good approach by jawtheshark · · Score: 1

      Yeah, I prefer chmod and chown too... I did not invent ACLs, but at least I know how they work.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    11. Re:This is not a good approach by Talchas · · Score: 2, Informative

      Alternatively, just reboot into safe mode and the Security tab will magically appear and you can do it just like with pro.

      --
      As the Americans learned so painfully in Earth's final century,free flow of information is the only safeguard against...
    12. Re:This is not a good approach by jawtheshark · · Score: 1

      Thank you. I didn't know that.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    13. Re:This is not a good approach by jawtheshark · · Score: 1

      For exactly *one program*, out of a few bazillion.... On top of that it was a game! Frankly, I blame that one of the Game Developers and not on the WinXP team.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    14. Re:This is not a good approach by jawtheshark · · Score: 1

      I know. I see this every day: I'm an IT high school teacher (that quit, I will leave in July). Nobody seems to read error messages, nor do they listen to my recommendations. The job is utterly frustrating.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    15. Re:This is not a good approach by Pusene · · Score: 1
      That's just dangerous, hear me out and I'll tell ya:

      Works okay until older brother threatens to cause bodily harm to the smaller kids, unless he is given said password. Older kid then finds dad's pr0n collection and threatens to tell his mother unless given incredible raise in allowance. Spends allowance on new computer and books, and learns how to misuse dad's credit card online. Mum discovers dad's new credit card bill, complete with $9.99 for unlimited access to alt.sex.beastiality.hamster.duct.tape. Wife divorces dad, takes the house, car and younger kid while dad can keep older kid.

      Do not give away your admin rights!

      --
      Error #13: No coffee. Operator halted. Please place boot device at bottom.
    16. Re:This is not a good approach by TheJediGeek · · Score: 1
      This is a good point.

      My impression was that the way it works is stupid and doesn't solve any problems.

      It seems that whenever you try to do something you don't have permissions for, it bugs you to authenticate with permissions. This defeats the purpose of permissions.
      What it should do is that when you have permissions, for sensitive system changes it makes you verify those permissions.
      That's a big difference between the two.
      The current way that operates will only frustrate people and Joe Sixpack will just look for a way to turn it off.

    17. Re:This is not a good approach by toadlife · · Score: 1

      "Tell me how to get Monsters Inc. Scream Team Training to run on a non-admin account without me manually entering an admin pw into Run As... every time and I'll be unbelievably grateful."

      Check out the "utility" I advertise in my sig. It's a (ugly) hack, but it works, and it's relatively secure. You would still have to enter a password, but it's your OWN password, which can afford to be less complicated since it's a regular user account.

      Also, if you want to actually try and fix the program, a utility not mentioned in this thread, aclview. It's a freeware program for managing ACLs for XP. It's particularly useful for XP Home users, as it allows you to modify file permissions without having to use cacls.exe or reboot into safe mode.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    18. Re:This is not a good approach by freeweed · · Score: 1

      Hey, good thing he didn't have to go editing some obscure text file in /etc!

      Thank god for Windows user-friendliness :)

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    19. Re:This is not a good approach by drinkypoo · · Score: 1

      They're more complicated, yes, but a user has more of a chance to get the results they want with NT ACLs than they do with Unix octal masks. I've been a new Unix user without help and I've seen others and helped others and that confused damn near everyone a little. I'd used the same concept for some kind of configuration of some Amiga program so I had a leg up on the idea as compared to the average user... But let's face it, opening a shell and typing "chmod 777 filename" is not easier to grasp than bringing up properties, clicking on the security tab, and granting full access to everyone. And, of course, the simple fact is that simple Unix perms are not nearly as powerful. Without ACLs (which are present on Unix systems, too, just not commonly used) you can only have one user and one group with permissions to a file, and you MUST have permissions for the owner, the group, and everyone else. ACLs might be confusing, but basic Unix perms are stupid and limiting.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    20. Re:This is not a good approach by afidel · · Score: 1

      Actually, you can fix quickbooks by modifying the permissions to a couple folders and a couple registry keys. Warning, the idiots at Intuit tell you to give full access to all of HKLM\Software\Classes\CLSID\, when you really only need to give full access to HKLM\Software\Classes\.qpg, HKLM\Software\Classes\QuickBooks.CoLocator.1 and HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F} which is the key referenced by colocator.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
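
An added example, not part of any comment in this thread: a PowerShell audit that lists where broad groups hold write-capable rights on an application's install folder and registry keys, the kind of grants made with `cacls ... /G Users:F` earlier in the thread and narrowed to specific keys in the comment above. The two target paths are placeholders.

```powershell
# Added example: report write-capable ACEs held by broad groups.
# The two target paths are placeholders, not paths taken from the thread.
$Targets = @(
    'C:\Program Files\ExampleApp',
    'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
)

# Well-known SIDs, so the check also works on non-English Windows.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Access-mask bits that let a principal change content or permissions.
#   0x2 / 0x4   write data / append (files); set value / create subkey (registry)
#   0x40        delete child (directories only)
#   0x10000     DELETE    0x40000  WRITE_DAC    0x80000  WRITE_OWNER
#   0x10000000  GENERIC_ALL    0x40000000  GENERIC_WRITE (seen on inherit-only ACEs)
$CommonMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
              0x10000000 -bor 0x40000000
$FileMask   = $CommonMask -bor 0x40

function Find-BroadWriteGrant {
    param([Parameter(Mandatory)][string]$Path)

    # The target itself plus everything beneath it (files, folders or subkeys).
    $items  = @(Get-Item -LiteralPath $Path -Force -ErrorAction Stop)
    $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.PSPath)"; continue }

        # Ask for SIDs instead of account names; include explicit and inherited ACEs.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid = $rule.IdentityReference.Value
            if (-not $BroadSids.ContainsKey($sid)) { continue }

            if ($rule -is [System.Security.AccessControl.FileSystemAccessRule]) {
                $rights = $rule.FileSystemRights; $mask = $FileMask
            } else {
                $rights = $rule.RegistryRights;   $mask = $CommonMask
            }
            if (([int]$rights -band $mask) -eq 0) { continue }

            [pscustomobject]@{
                Object    = $item.PSPath
                Principal = $BroadSids[$sid]
                Rights    = $rights.ToString()
                Inherited = $rule.IsInherited
            }
        }
    }
}

$Targets | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Find-BroadWriteGrant -Path $_ } |
    Format-Table -AutoSize
```

A hit on a data folder or a single key the program has to write may be deliberate; hits on executables, DLLs or a whole registry subtree are the ones to narrow.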
    21. Re:This is not a good approach by Ucklak · · Score: 2, Insightful

      The part of the comment I was referring to was:

      "If that doesn't work, go into regedit (assuming XP Pro...otherwise go to regedt32) and look for registry entries in HKEY_LOCAL_MACHINE related to your program. Grant them full access rights to "User" on that part of the tree. 99% of the programs"

      and

      "read up on cacls [microsoft.com]. Alas, in XP Home it is hard to configure access control on folders.
      For example:
      C:\> cacls C:\MyFolder\ /T /E /G Users:F"

      A right-click under KDE or Gnome under Linux would give the user an almost easier to understand matrix of permissions on a particular file or folder.
      Command-I under Mac would give easier permissions with the option to delve deeper into *nix type permissions.

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
    22. Re:This is not a good approach by Ucklak · · Score: 1

      I don't know how any file in /etc would have file permission properties.

      I just don't know how

      "If that doesn't work, go into regedit (assuming XP Pro...otherwise go to regedt32) and look for registry entries in HKEY_LOCAL_MACHINE related to your program. Grant them full access rights to "User" on that part of the tree. 99% of the programs"

      and

      "read up on cacls [microsoft.com]. Alas, in XP Home it is hard to configure access control on folders.
      For example:
      C:\> cacls C:\MyFolder\ /T /E /G Users:F"

      is easier than a right-click under KDE or Gnome in Linux to select file and folder properties.

      We know how to change permissions in *nix using the command line, how is it done in Windows again?

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
    23. Re:This is not a good approach by clydemaxwell · · Score: 1
      We know how to change permissions in *nix using the command line, how is it done in Windows again?
      ::scratches head::
      What did you think that 'cacls' line did, anyway? How the hell did you get modded up?
      To further clarify, he was joking about /etc.
      --
      Browsing with classic discussion, noscript, at -1 and nested
      no hidden comments and I only mod UP
    24. Re:This is not a good approach by kcb93x · · Score: 1

      Wouldn't stop someone from copying the file (or would it? security settings are copied if the file doesn't leave the drive letter, IIRC)

      Make the file read-only for non-admins. No editing allowed...they can run said batch file, but nothing else. Or just stick with the normal Run As... instructions.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    25. Re:This is not a good approach by amliebsch · · Score: 1
      A right-click under KDE or Gnome under Linux would give the user an almost easier to understand matrix of permissions on a particular file or folder.

      It's the same on XP Professional. Has been the same since NT4. It's just the home versions where setting ACL's requires hackery.

      --
      If you don't know where you are going, you will wind up somewhere else.
    26. Re:This is not a good approach by udippel · · Score: 1

      Frankly, you're right. You're so right.
      You even made me smile another time: The first time after really, really, clicking through that story. Since it proved to be a *very* complicated so-called solution. Smiling, because Microsoft will shoot themselves into the foot another time and the users will throw foul eggs at them.
      The second time, when you described what you have to do to run Limited right now. Setting ACLs on both directions and setting the registry. And you call this 'no problem'. I really wonder how this can be viewed as 'no problem'. Joe Homeowner will revolt.

    27. Re:This is not a good approach by CAR912 · · Score: 3, Informative

      Or add the security tab to XP Home without needing to always reboot into safe mode, just follow the advice on this site: http://www.scottxp.com/winxp.php#advuser, scroll down to the "Advanced File Sharing & Security" section, and follow method 3. I did it, and it works well.

      --
      - Move "Sig". For great justice!
    28. Re:This is not a good approach by SpryGuy · · Score: 1

      Mod parent up!!

      --

      - Spryguy
      There are three kinds of people in this world: those that can count and those that can't
    29. Re:This is not a good approach by drsmithy · · Score: 1
      Frankly... Nobody is "Administrator" of the machine anymore? (Administrators Group is not enough) Really? So essentially, they reduced the "Administrators" groups to "Well, you can admin, but you have to know what you do, and we'll annoy the hell out of you".

      Actually it sounds like that "Administrators" are being made more like the "admin" group in OS X or "wheel" on more traditional unix systems - able to elevate their privileges to a very high level without actually running a high-privilege account all the time.

    30. Re:This is not a good approach by no_mayl · · Score: 1

      The new trend is to have something above admin to control DRM and other such sensitive data. So the system can grant itself more privileges than the Administrator.

      OS vendors are now believing they can handle the internals better than the admin. And in some cases they are right. Just look at how many "Admins" end up with viruses running as "Admin" because they don't patch or just feel the love from clicking on that unknown EXE attachment.
      The Mac OS X has that same "admin group" vs. "root user" thing going: root access is disabled by default (see Mac's FAQ on that).

      But in the DRM-rich future there will be a need for something above admin. Phoenix BIOS is starting that kind of stuff with its TrustedCore product. Maybe even your laptop has one of those partitions that even an Admin can't get to (but just boot linux, or take the drive to another machine ;) ).

    31. Re:This is not a good approach by RzUpAnmsCwrds · · Score: 1

      You've just explained how complicated Windows permissions are to use over Mac and *nix

      I don't know how this got modded "insightful". The fact is that the vast majority of Mac and Linux users never actually touch file permissions.

      Because, as you know, "chmod 0755" is so easy to understand.

      The fact is that having ACLs with inheritance and other features makes setting permissions on Windows easier. Want to give two users (and only two users) read permissions on a file? You have to make a new group.

    32. Re:This is not a good approach by makomk · · Score: 1

      It's the same on XP Professional. Has been the same since NT4. It's just the home versions where setting ACL's requires hackery.

      Oddly enough, XP MCE 2005 also seems to give you access to the ACLs in the properties window...

    33. Re:This is not a good approach by ednopantz · · Score: 1

      >I don't know how this got modded "insightful".

      Simple. This is slashdot, where even the most spectacularly ignorant MS bashing is considered "insightful." As an aside, does anyone know a slashdot clone where the ignoramuses don't mod up crap like that? Because /. is damn near useless for any tech news that touches MS or Google or anything the fanboys have strong feelings about.

    34. Re:This is not a good approach by amliebsch · · Score: 1

      It's not odd at all, because MCE is just XP Professional with extra apps, except the ability to connect to domains has been nerfed.

      --
      If you don't know where you are going, you will wind up somewhere else.
  3. Warning: TFA is unreadable by jeblucas · · Score: 4, Funny
    I went to the first three pages, which corresponds to about the first 19 words of this "article". He has room for about a sentence and a half and a graphic of the windows he's complaining about before you have to click (more) or Next >>. In fact, I can confidently say

    (more)

    --
    blarg.
    1. Re:Warning: TFA is unreadable by jeblucas · · Score: 4, Funny

      ...that this is the most annoying article I've seen posted in a long time. I even tried the "trick" of looking at the "Print this Article" and "Email This Article" links, which actually want to PRINT SOMETHING (it opens a Print dialog) or email a LINK to one page of the article. Garbage garbage garbage.

      --
      blarg.
    2. Re:Warning: TFA is unreadable by jandrese · · Score: 1

      Yeah, my first reaction was to use the "print this article" feature, only to discover that it's just a javascript:print() button, and it's going to print out the 12 or so words of actual content AND the 30 graphics on only that one page...

      Seriously, who designed that page?

      --

      I read the internet for the articles.
    3. Re:Warning: TFA is unreadable by dynamo52 · · Score: 1

      Firefox's antipagination extension doesn't work either.

      --
      Like this comment? I accept Bitcoin! - 153sc8UUBXyp12ofQqfAWDmJrzyiKCYC1x
  4. Well, it figures by Giant+Ape+Skeleton · · Score: 5, Funny

    With more and more people using Firefox, all those popups had to go somewhere...

    --
    The difference between stupidity and genius is that genius has its limits.
    1. Re:Well, it figures by Duhavid · · Score: 1

      So, are you claiming that there is a conservation of popups law?

      Where were they all before computers started doing popups?

      --
      emt 377 emt 4
    2. Re:Well, it figures by mctk · · Score: 1

      They were being designed!

      --
      Paul Grosfield - the quicker picker upper.
    3. Re:Well, it figures by Keith+Russell · · Score: 3, Funny
      Where were they all before computers started doing popups?

      X10 was the big bang.

      --
      This sig intentionally left blank.
    4. Re:Well, it figures by tgone · · Score: 1

      I support FF because they believe in web standards. Too bad 1.5.0.2 is one of the buggiest programs I've ever used though...

    5. Re:Well, it figures by Duhavid · · Score: 1

      Hard to call it a big bang. Times 10 is only
      one order of magnitude greater..

      --
      emt 377 emt 4
    6. Re:Well, it figures by Anonymous Coward · · Score: 0

      So switch to Opera? FF isn't the only thing that supports web standards... and (IMO) it's hardly the best.

    7. Re:Well, it figures by Anonymous Coward · · Score: 0

      Opera > FF

    8. Re:Well, it figures by Anonymous Coward · · Score: 0

      And Konqueror > Opera. Don't like it? Too bad, truth hurts.

    9. Re:Well, it figures by Lord+Ender · · Score: 1

      The Law of Conservation of Popups?

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  5. I wish they would fix XP's account control by Oldsmobile · · Score: 5, Insightful

    I wish they would work a bit on account control on WinXP, it is a total disaster. I WANT to use my computer as a limited user, but when I need to do something in Administrator, I shouldn't be bothered to switch users. Why oh why can't they just make it so that it asks for the admin password like with every other goddamned OS!?!

    Vista is nice and all that, but how about fixing XP first!!!!

    --
    Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
    1. Re:I wish they would fix XP's account control by kansei · · Score: 2, Informative
      There is no need to switch users.

      - You can right-click on any program and select "Run As", type the admin credentials.

      - For systems functions, "Run As" IE (as an admin) and change to the Control Panel in the address bar.

      - From the command prompt, you can use the "runas" command.

    2. Re:I wish they would fix XP's account control by Trigun · · Score: 1

      runas command not good enough? I haven't had any problems with it.

    3. Re:I wish they would fix XP's account control by jawtheshark · · Score: 2, Insightful
      RunAs does that pretty much for you. For example: I want to run Programs->Administrative Tools->Computer Management. I navigate to that option, hold down shift and right-click and then I select "Run as". The system asks me my Administrator password and I don't have to log off.

      This also works with Internet Explorer, which gives you pretty much access to the full file system... Including ACLs (if you run XP Pro... else you'll need to learn the cacls command on the command line)
      You can also invoke runas in the command line by the way...

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    4. Re:I wish they would fix XP's account control by Oldsmobile · · Score: 1

      Yes yes, I know, that's what I mean is really annoying, why not just ask for an admin password straight up?

      Of course if there is a program that requires admin rights, it will just tell you (and sometimes it WON'T even tell you) that you don't have the rights to do this or that.

      Also deleting stuff that has been say, placed on the desktop with admin privileges is a bother and the list goes on. Everything would be fine if it would simply ask me every time there is a problem for the admin password.

      --
      Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
    5. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0

      Why would MS put this feature in XP when they can instead milk cash from their loyal sucke^Wusers?

    6. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0
      Vista is nice and all that, but how about fixing XP first!!!!

      Just think of Vista as Service Pack 3. That's about right by now.

      (-27, troll)

    7. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0

      Why oh why can't they just make it so that it asks for the admin password like with every other goddamned OS!?!

      Runas is your friend.

    8. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0
      For systems functions, "Run As" IE (as an admin) and change to the Control Panel in the address bar.

      There's a more versatile way to solve this.

      * log on to your preferred administrator account
      * open explorer (the file kind) and go to Tools/Folder Options
      * on the View tab, "Launch folder windows in a separate process"
      * OK, Log off

      You'll now be able to start an instance of explorer for that administrative account under any other account. There are a few annoyances to deal with (the shell doesn't receive notification this way so you'll have to manually refresh a lot when you do file operations in that explorer instance) and a few obvious things to note (running programs will inherit the administrative account's credentials, and not the running user's, etc).
    9. Re:I wish they would fix XP's account control by AnyoneEB · · Score: 1

      Uh, isn't that exactly the feature that the article says that MS is adding to Vista?

      --
      Centralization breaks the internet.
    10. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0

      What I want is the ability to unlock someone's screen without knowing their password. It says at the prompt that only the logged in user or an administrator can unlock this machine, but when the administrator credentials are entered it merely logs the user off first. How can I fix their "Outlook" when they're not there? I have to reset their password? And more, I would like to be able to log on to a computer as another user using the administrator privs. I want a real 'su' for Windows.

    11. Re:I wish they would fix XP's account control by Oldsmobile · · Score: 1

      I guess I should have been slightly more specific with my wording. RunAs is what drives me nuts, though it only helps when I actually want to run something as an admin, deleting stuff for instance won't work, also it bugs the hell out of me when something simply says "You can't do that". And sometimes it won't even say that.

      Also, there appears to be no way to start an admin only program automatically at log on.

      --
      Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
    12. Re:I wish they would fix XP's account control by jawtheshark · · Score: 1
      Well, I've run into "Run As" problems too. Mainly when I want to install something and I downloaded it as a regular user. I have my regular users set up with ACLs that exclude Admin. So I have to copy the installer to a directory that the admin has access to.

      For deleting stuff, I really never had a problem.... I don't really see when that is an issue, but you can always give me an example. Perhaps I have a workaround.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    13. Re:I wish they would fix XP's account control by Oldsmobile · · Score: 1

      "For deleting stuff, I really never had a problem.... I don't really see when that is an issue, but you can always give me an example. Perhaps I have a workaround."

      Say I install a program with RunAs and it creates a shortcut on the desktop. I can't delete that shortcut in limited user. I can start, say notepad with RunAs and delete it through there, or switch to admin, or switch to admin and (apparently) start (file)explorer.

      But all of the above is a helluva lot of trouble just to delete a shortcut off my desktop.

      Oh well, ain't nothing anyone here can do about XP sucking at this, so I guess I'll just wait for Vista and shell out $100 and deal with the problems mentioned in TFA.

      --
      Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
    14. Re:I wish they would fix XP's account control by jawtheshark · · Score: 1

      Actually, I simply run "Run As" iexplore.exe and I'm done. It's a bit awkward at first but it does the job.
      The integration of IE in the OS did have some advantages.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    15. Re:I wish they would fix XP's account control by daviddennis · · Score: 2, Insightful

      His complaint is that there are two extremely annoying dialogue boxes you have to go through first.

      MacOS X handles this by saying that by running a certain program, you're doing something special, you have to type your administrative password. Simple.

      Windows handles this by saying "Here's something a program wants to change. Here's what it is. Shall I continue?"

      and then if you do say you want to continue, it asks AGAIN.

      And then, from what I gather (I haven't used Vista but have read some reviews of this problem) it will ask you again and again if the program continues trying to do privileged things; you can't just give the program carte blanche, as you would want to do for an installer, for example. This is why there are reports of Vista beta testers really and truly loathing this feature.

      I predict 90% of users will just shut it off, which unfortunately appears to eliminate many of Vista's security advantages.

      If Microsoft had simply copied Apple, they would have been doing a much better job for their users.

      D

    16. Re:I wish they would fix XP's account control by Keeper · · Score: 1

      That's what LUA friggin does.

    17. Re:I wish they would fix XP's account control by holden+caufield · · Score: 1

      You apparently haven't tried to run Windows Update with runas, then.

      --
      I'll create an amusing sig when I have something meaningful to post.
    18. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0

      I just run winfile.exe (remember winfile, the Windows 3.1 file manager?) as admin. Whenever I need to do basic file operations, winfile is there for me. I can even run programs from within it. I forget if I copied it from an older windows box (95 or 98 perhaps?) or if this particular one came with windows xp. Regardless, there is a little menu option labeled "Security". It contains menu options for Permissions, Auditing, and even Ownership of files. Do you want to access this wonderful program? Open a command prompt (or click start > run) and run 'winfile' as an admin (using runas). Basic file operations, etc. It can even access any drive that you could access through My Computer. In this scenario, all that legacy code is actually useful!

    19. Re:I wish they would fix XP's account control by afidel · · Score: 3, Informative

      You can't do this in a network environment because you can only have one set of ACLs between your machine and a server or other workstation. This is a fundamental problem with the way ACLs and GUIDs work currently with SMB and the Windows workstation client, does anyone know if Vista fixes this?

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    20. Re:I wish they would fix XP's account control by syousef · · Score: 1

      Well why would you bother with a password anyway then? If a sysadmin could just bypass the password and act on behalf of the user if they're not there, then a rogue admin can act as a user and do anything (e.g. transfer money from company accounts) and it would be tracked back to the user.

      What you should be doing is what you do now - make sure the user is there if you need to work on their account.

      --
      These posts express my own personal views, not those of my employer
    21. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0

      No, Vista does not ask you again and again. It will ask you the once when the program tries to access something that requires admin rights as to whether you want this program running with administrative rights.

    22. Re:I wish they would fix XP's account control by drsmithy · · Score: 1
      Well, I've run into "Run As" problems too. Mainly when I want to install something and I downloaded it as a regular user. I have my regular users set up with ACLs that exclude Admin. So I have to copy the installer to a directory that the admin has access to.

      I'm not quite sure I see where the "problem" is here. The system is behaving exactly as you have configured it to (a configuration that is not the default).

    23. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0
      Say I install a program with RunAs and it creates a shortcut on the desktop. I can't delete that shortcut in limited user.
      Sure you can, if it created a shortcut on your desktop, and not on everyone's desktop. In your example, the program created a shortcut in "C:\Documents and Settings\All Users\Desktop\". If you tried to delete a shortcut like that, then all users would lose that shortcut. The program should have installed a shortcut on your desktop, not on everyone's.

      Blame the program. This shit is easy and MS has been telling developers this since Windows NT, but they keep developing programs like they're running on single-user PCs with no permissions.

    24. Re:I wish they would fix XP's account control by MrNemesis · · Score: 1

      Bologna. If he's a sysadmin, by definition, he can already impersonate any user he wants.

      John Smith logged in this morning
      Reset j.smith password
      Log on to another machine as j.smith
      Do lots of naughty stuff
      Log off
      Either change password back to original before j.smith logs on next, or coincide your dirty deeds with scheduled downtime, password expiration, etc.

      And why the hell should I have to wait for a user to turn up before I can fix their computer? Why, for that matter, does the user have to tap their toe whilst I fix their computer? My company has about 20 teleworkers who, if I'm lucky, I get to see in person once a year. Our directors spend most of the time out of the office in meetings. If I'm only meant to do work on their machines when they're there to look over my shoulder, it means that:

      a) they don't trust me as a sysadmin and therefore they're mad to keep employing me
      b) getting anything fixed requires at least two people with busy schedules to find time to meet each other, instead of having it all done by just one person, effectively doubling the time it takes to fix things.

      The effective lack of "su - user" whilst resuming from a lock in windows is a bad design flaw, plain and simple.

      --
      Moderation Total: -1 Troll, +3 Goat
    25. Re:I wish they would fix XP's account control by Trigun · · Score: 1

      I consider Windows Update as an administration task, so I use the administrator account.

      If I need a quick fix, runas, spawn an MMC or explorer link, and do what I need to do. Albeit, that's in an enterprise setting. I don't run XP pro at home, and just have an isolated XP home laptop which I run everything as an admin user anyway.

    26. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0

      Yours must be from an earlier version of NT (3.51 or 4.0), not from 3.1/95/98 since those do not handle long file names or security. I personally cannot live on XP without NT's File Manager. I just copy winfile.exe, winfile.hlp, and glossary.hlp to the WINXP directory and I'm set.

    27. Re:I wish they would fix XP's account control by Anonymous Coward · · Score: 0

      I have, many times. What's the problem?

      runas /user:administrator wupdmgr.exe

      Or just use the shortcut that's in the start menu by default (I usually delete it), right-click -> Run As...

      Always worked for me.

    28. Re:I wish they would fix XP's account control by syousef · · Score: 1

      You're basically talking rubbish, and if that's how you admin your systems good luck to you.

      The sysadmin should not know the user's password, and password changes etc. should be audited. If you have to change their password to fix their problem, it should be on the books. You should never be able to impersonate them transparently and whining like a child about the limitations that imposes on you as an admin just shows you have no understanding of security. Life's not always meant to be convenient. You're paid to deal with those inconveniences.

      Trust of the sysadmin should only go as far as it has to if security is important. That's nothing personal about not trusting the sysadmin - it protects the sysadmin from being accused of fraud too.

      --
      These posts express my own personal views, not those of my employer
  6. First post by Anonymous Coward · · Score: 0

    I saw screenshots of 5365 (and tried it) and now whenever you do one of the several operations that triggers the authentication prompt, it goes into some "Secure Desktop" mode. I say that is:
    1. Way too confusing for users seeing that you can't go to anything in the background while the dialog is there, and anyway
    2. It's a really stupid gksu rip.

    Come on, there needs to be better ways to get security across than raping people just to change their cursor theme. (it doesn't do that but I bet it will in the RTM considering all of those "free mouse cursor ads")

  7. Didnt like it... by Virtual+Karma · · Score: 3, Funny

    I didnt quiet like the dialoge boxes because all of those are jarred on the right and bottom borders, as if someone has tore them off..... oh! wait...

    1. Re:Didnt like it... by Anonymous Coward · · Score: 0

      Please tell me that English is not your first language.

    2. Re:Didnt like it... by miller701 · · Score: 1

      The disturbing thing is that someone went through the trouble of making it look "torn-out"

  8. Windows experts? by Anonymous Coward · · Score: 5, Funny

    "I explain why these prompts appear and why some so-called Windows experts miss the obvious reason (and the obvious fix)."

    Well, good thing MS targets this OS exclusively to Windows experts. What utter fools we've all been for assuming this would affect our non-expert friends and families!

    1. Re:Windows experts? by R3d+M3rcury · · Score: 1

      It's "People-Ready", but some people are more ready for it than others.

  9. Gah... Useless link. by Anonymous Coward · · Score: 0

    I just... Next >>
    Love reading... Next >>
    Things... Next >>
    Like these... Next >>

    Seriously, don't bother visiting the site, or you'll destroy your mouse by the zillion clicks needed. I'm not exaggerating. I haven't had the patience to click through it all, but I wouldn't be surprised if it spanned through 20+ pages.

    Next >>

  10. It's nice! by CCFreak2K · · Score: 1
    It's about time something like this came into Windows. Programs will fail with cryptic error messages if they don't have access to some part of the system. Usually it's because it wants write access to something in Program Files, which isn't writeable under normal circumstances by restricted users. I think quux on freenode said it best (I may have misquoted):

    thou shalt not write session data to the program directory!


    Unfortunately, most of the time, the program doesn't even tell you why it had the error. I know that 3D Studio MAX 8 may or may not work if you run it under a LUA.

    Now, I won't fault anyone in particular for this (it's both Microsoft's fault and the programmer's fault), but it's nice that something like this is finally coming.
    --
    "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
    1. Re:It's nice! by NoMaster · · Score: 1
      Usually it's because it wants write access to something in Program Files, which isn't writeable under normal circumstances by restricted users. I think quux on freenode said it best (I may have misquoted):
      thou shalt not write session data to the program directory!
      Damn right - this is Windows we're talking about!

      The correct place to write session data to is the registry...

      --
      What part of "a well regulated militia" do you not understand?
  11. Answers: by Anonymous Coward · · Score: 0

    In this post, I explain why these prompts appear (it's Windows) and why some so-called Windows experts miss the obvious reason (and the obvious fix (Linux) ).

  12. bitter irony? by Burlap · · Score: 4, Insightful

    Anyone else see the irony in an article talking about annoying click-throughs needing so many bloody clicks to read?

    1. Re:bitter irony? by jandrese · · Score: 2, Insightful

      I thought it was genius myself. The Windows Vista experience on your home machine today!

      --

      I read the internet for the articles.
    2. Re:bitter irony? by AnyoneEB · · Score: 2, Insightful

      Your comment reminds me of the Penny Arcade comic about Silent Hill.

      --
      Centralization breaks the internet.
  13. Just wonderful by Tibor+the+Hun · · Score: 2, Insightful

    fucking terrific...
    3 series of articles, half a dozen pages each, just to tell me why I have to slow down my workflow when deleting or renaming files.

    --
    If you don't know what AltaVista is (was), get off my lawn.
    1. Re:Just wonderful by drsmithy · · Score: 1
      3 series of articles, half a dozen pages each, just to tell me why I have to slow down my workflow when deleting or renaming files.

      Your "workflow" involves deleting files that aren't yours ?

  14. How innovative. by C10H14N2 · · Score: 2, Insightful


    The 70's called. They want their security model back.

    Yawn. ...and yeah, these damned one-paragraph-per-page ad-whoring blog articles suck big time.

    1. Re:How innovative. by Trigun · · Score: 1

      ZDNet, Where Technology meets Business...

      And business stabs tech in the face!

    2. Re:How innovative. by Anonymous Coward · · Score: 0

      1995 called, they want their joke back.

    3. Re:How innovative. by drinkypoo · · Score: 1

      This is way better than a one-paragraph-per-page ad-whoring scheme. There was practically no content in this one (just a bunch of screenshots of dialog boxes, whoopee shit) and the story is spread out over three "stories"... That's right, not only do you not get to read the whole story on one page, you have to read three of these bullshit articles to get one "complete" article (as if it would be worth a shit if you combined them all.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. The options by eclectro · · Score: 4, Funny

    This is the crux from the end of the article;

    "How do you work around this annoyance? You have three choices:

            * You can take ownership of the files on the external drive. That gives your account Full Control permissions at all times and prevents other users on the same computer from changing the files unless they do so as an administrator.
            * Or you can change the permissions assigned to the Users group so that members of that group have Write or Full Control permissions. That solution allows everyone with a user account on the computer to manage files without having to OK a consent dialog box."
            * Or you can play a Sony music CD with a rootkit."

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    1. Re:The options by jandrese · · Score: 4, Insightful

      Those sounded like terrible solutions to me. Basically: manually adjust the permissions of every file you create or turn off the security stuff and pray.

      I'm hoping that these articles are hyperbole and in fact when you create your own files you are marked as the owner with read/write/execute permissions on them. Granted, administration looks like a total nightmare, but MS has been working for years to make administration as hard as possible so this is no big surprise.

      What I think the real fix should be: When you get a dialog box like this, there's a "validate me for X minutes" option that you can check to tell the machine that you're going to be administrating for some minutes and stop showering me with dialog boxes. Sort of like how most modern operating systems work.

      --

      I read the internet for the articles.
    2. Re:The options by caluml · · Score: 1

      Wasn't Microsoft's line for years: But UNIX permissions aren't finely grained enough?

      Simplicity is the hallmark of genius. User, Group, Other. Read, Write, Execute.

    3. Re:The options by drinkypoo · · Score: 1

      In software, simplicity is usually the hallmark of one of the following items: Laziness, limited resources, a lack of imagination, or a lack of talent. In the case of Unix permissions, I think we can safely say that it was one of the latter two. Original Unix systems were less powerful than a not-particularly-modern cellular telephone - we call that progress. However, Unix perms suck ass. This is why every modern Unix system supports ACLs.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:The options by drinkypoo · · Score: 1

      The problem with that approach is that it does nothing to prevent malicious software from taking actions you weren't interested in during that time. As such, it is completely wrongheaded. It should either never prompt you, or always prompt you, or have different levels and let you pick a prompting level (so that it never prompts you to just say rename an ordinary file, but renaming a file in a system folder requires a prompt.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:The options by sparkz · · Score: 1

      Dropping my mod privs to post this ... Simple, clear, well-understood and documented solution for - as you say - very low-powered devices, by modern standards, have led to a still simple, well-understood and documented solution for today's needs. As you also say, ACLs have been added for additional control should that be required (and whilst it sometimes is required, it often indicates a lack of simple, clear, well-understood and documented system configuration in the first place). If the best workaround is the list provided in this article (ignore security completely, give all control to a single user, or give all users full access), that is certainly not an improvement.

      --
      Author, Shell Scripting : Expert Re
    6. Re:The options by jandrese · · Score: 1

      Why is this so hard when basically the same thing (sudo) in Unix works so well?

      It's apparently really hard to figure out what a malicious action is in Windows, so the options are: never prompt (no security) or always prompt (no security because nobody will read the prompts after a few days).

      --

      I read the internet for the articles.
    7. Re:The options by drsmithy · · Score: 1
      Those sounded like terrible solutions to me. Basically: manually adjust the permissions of every file you create or turn off the security stuff and pray.

      Article writer is clueless.

      If the external drive is new, you don't need to do anything - the default permissions will work fine.

      If the external drive is existing, you need to add your user with "Full Control" to the top level of the drive. By default this permission is then inherited by all the files and subdirectories on that volume. New files/subdirectories will also inherit this permission.

      The situation will be *identical* on Vista as it would be - and has been - on any other platform.
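
What the comment above describes (one inheritable Full Control entry added at the top level of an existing external NTFS volume), as an added PowerShell example that is not part of the thread or the article. The drive letter `E:\` and the account name are assumptions; it needs PowerShell 3.0 or later and an elevated session.

```powershell
# Added example, not from the thread or the article.
# Assumed values: $Root (drive letter of the external NTFS volume) and
# $Account (the one user who should manage the files on it).
param(
    [string]$Root    = 'E:\',
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME"
)

# 1. Inspect the current ACL on the volume root before changing anything.
$acl = Get-Acl -LiteralPath $Root
"Owner: $($acl.Owner)"
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize

# 2. Build one Allow entry that applies to this folder, its subfolders and
#    its files (ContainerInherit + ObjectInherit), with no propagation limits.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Account, 'FullControl', $inherit, $propagate, 'Allow'

# AddAccessRule merges with an existing entry for the same account instead of
# duplicating it. Ownership and every other entry are left as they were.
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Root -AclObject $acl

# 3. Existing children only receive the entry if they still inherit from
#    their parent. List the ones whose ACL is protected from inheritance.
$protected = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }

if ($protected) {
    "Items with inheritance disabled (the new entry does not reach these):"
    $protected | ForEach-Object { "  $($_.FullName)" }
} else {
    "Every item under $Root inherits from its parent."
}

# 4. Confirm on the first few children that the entry arrived as an inherited one.
Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
    Select-Object -First 5 |
    ForEach-Object {
        $hit = (Get-Acl -LiteralPath $_.FullName).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account -and $_.IsInherited }
        "{0,-40} inherited entry for {1}: {2}" -f $_.Name, $Account, [bool]$hit
    }
```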

    8. Re:The options by drinkypoo · · Score: 1

      It's hard to find out which actions are malicious because Windows programs are typically so poorly written and they so frequently require Administrator access. Part of this is probably Microsoft's fault though, not providing ways to do routine things without it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Summary... by MosesJones · · Score: 4, Insightful

    If you made your user "superuser" on a Linux box, then did a kernel upgrade and decided this was stupid so just allowed you to sudo certain commands then you'd have a devil of a time accessing all those files that you created while you were the super user.

    Or put more simply

    XP didn't have sudo so you were always admin, Vista has sudo, enabled via annoying popups rather than a config file.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:Summary... by ivan256 · · Score: 1

      Close, but no.

      XP didn't have sudo so you were always admin, Vista has sudo, enabled via annoying popups rather than a config file.

      It's not the config file part that is broken, it's the UI part.

      You see, first of all sudo specifies you want the permissions up front rather than asking for permission after the fact. If you try to do something using the legacy windows APIs, and you don't have permission, you shouldn't get a series of popups, the program's system call should fail, and the program should die. Programs should either ask you for permission (once) up front (like installers do on OSX), or you should specify that a program should run with permissions (via the right click menu "Run As..." or maybe with a modifier key held down). Second, sudo caches your authentication, so if you want to do multiple privileged operations in a row, you aren't continually annoyed.

      It's the post-authentication rather than the pre-authentication that Microsoft got wrong though. Microsoft clearly doesn't get it, and this implementation is completely broken.

    2. Re:Summary... by Sylver+Dragon · · Score: 1

      XP has an equivalent to sudo. Right-Click - Run As. Or, at the command prompt runas /user:domain\username CommandToRun.exe
      The problem is that everyone is used to just being a local admin on their box, so we get what we have today, malware ridden computers.
      The alternative is unacceptable to a lot of people. XP has some good security features, the problem, as always, is the interface between the chair and the keyboard.

      --
      Necessity is the mother of invention.
      Laziness is the father.
    3. Re:Summary... by misleb · · Score: 1

      The problem is that everyone is used to just being a local admin on their box,

      That, and programs that shouldn't require admin do require admin. This is partially the fault of developers but MS is also to blame for not enforcing such things or at least making them clear in the API.

      XP has some good security features, the problem, as always, is the interface between the chair and the keyboard.

      Seriously, the problem is with Windows. Once you start blaming the majority of users for the failing of the system, you know it is the system that is broken, not the users. Mac users seem to have no such problems. Are they smarter? Nope. It is because the security model is simple on the Mac. "Oh, I see you want to do something that needs admin privs, type your password here." And it doesn't come up when it shouldn't. Simple and effective. No teaching users when to, and when not to use a "RunAs" feature. It is an unnecessary step in other systems. Vista has apparently gone the opposite direction by prompting users with all kinds of security related windows and dialogs. Big mistake.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    4. Re:Summary... by drinkypoo · · Score: 1

      XP has an equivalent to sudo. Right-Click - Run As. Or, at the command prompt runas /user:domain\username CommandToRun.exe The problem is that everyone is used to just being a local admin on their box, so we get what we have today, malware ridden computers.

      No, the problem is that RunAs doesn't work properly. It doesn't work properly because NT has two functions for launching child processes, and the ordinary one that everyone has been using forever executes processes with the context of the logged in user, regardless of what context the executing process has. There is an entirely separate function for launching a child process under a different user context. It is up to the application developer to support this.

      Thus, when you start an installer that uses a 16 bit launcher to start a 32 bit executable which actually does the install - disturbingly common even today, when you don't even need an executable at all, since we have MSI - the install will fail if it requires Admin rights, or even if it thinks it needs Admin rights, and checks to see if it has them before doing the install.

      RunAs solves some problems, but due to the architecture of NT, it doesn't solve all of them.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Summary... by Anonymous Coward · · Score: 0

      Sorry to be noobish, so I may not understand what you're saying, but can't

      If you made your user "superuser" on a Linux box, then did a kernel upgrade and decided this was stupid so just allowed you to sudo certain commands then you'd have a devil of a time accessing all those files that you created while you were the super user.

      be fixed with "chown -R user:group /home/user" as root? I was (noobishly) always root for a long time and just created a user account when I installed Gentoo a month ago. All I had to do was do that to a directory with all the files I wanted to keep and I was set. I probably didn't understand what you were trying to say, though.

    6. Re:Summary... by drsmithy · · Score: 1
      It's the post-authentication rather than the pre-authentication that Microsoft got wrong though. Microsoft clearly doesn't get it, and this implementation is completely broken.

      No, this implementation (which is basically the same as OS X's) merely recognises that the vast majority of users won't know they'll need elevated privileges before they try and do something.

    7. Re:Summary... by ivan256 · · Score: 1

      No, this implementation (which is basically the same as OS X's) merely recognises that the vast majority of users won't know they'll need elevated privileges before they try and do something.

      They can be informed by a simple "Permission Denied" message.

      This system is nothing like the OSX system. The OSX system obtains authentication before attempting the operation. Apple got away with that mostly by breaking backwards compatibility, but there is no reason legacy apps can't use pre-authentication with the proper error messages.

      Treating your users like idiots creates an application for idiots. Treating your users like intelligent people creates intelligent users.

    8. Re:Summary... by drsmithy · · Score: 1
      They can be informed by a simple "Permission Denied" message.

      Clearly UI design is not your strong point.

      This system is nothing like the OSX system.

      Yes, it is (well, the UI is similar, under the hood it's very different).

      The OSX system obtains authentication before attempting the operation.

      Only in situations where a developer has anticipated the need for elevated privileges. For example, the System Preferences application and applications installers.

      In other situations, however, OS X prompts after the fact. For example, in Finder, trying to copy something into /Applications as a non-admin user, or trying to delete files in /System will detect that the user does not have sufficient privileges, and then prompt them for a password and/or user account that does have the necessary privileges.

      Clearly you've not used OS X much.

      Apple got away with that mostly by breaking backwards compatibility, but there is no reason legacy apps can't use pre-authentication with the proper error messages.

      Yes, there is. It's confusing, disruptive and alarming for end users.

      Treating your users like idiots creates an application for idiots. Treating your users like intelligent people creates intelligent users.

      A system that automates where possible is not treating the users like "idiots". It is recognising that the users don't - and shouldn't have to - have the necessary knowledge.

    9. Re:Summary... by drsmithy · · Score: 1
      This is partially the fault of developers but MS is also to blame for not enforcing such things or at least making them clear in the API.

      It is 100% the fault of developers. Microsoft have been telling developers to write LUA-friendly apps for nearly 10 years now.

    10. Re:Summary... by ivan256 · · Score: 1

      A system that automates where possible is not treating the users like "idiots".

      Selective automation at the expense of a uniform interface *is* treating the users like idiots.

      Any automation that doesn't have the intermediate steps exposed to allow the user to execute manually or separately *is* treating the users like idiots.

      Clearly, you're one of the people who thinks he's good at UI design, yet remains responsible for the crap-piles that are modern applications. Of course, I am a bit biased. I think the "desktop" paradigm is broken, and I think dialog boxes shouldn't exist. Windows, and Windows-like GUIs maintain no visual history. Any good UI would show you at least a hint of the last few things you did. There is also no reason to interrupt user input to display errors and informational messages. Designers should eliminate the dialog box and look towards game designers for clues on how better to alert the user to important events. How can we put all this effort into interface design and still have interfaces which wouldn't look all that surprising to a user from 1985? We don't have the limitations we had back then, and we've seen other ways to do it, so we should get with the times.

      Yes, there is. It's confusing, disruptive and alarming for end users.

      It doesn't need to be confusing if there is uniformity and a decent description of what is happening easily available. It's not any more disruptive than what they've implemented here, and it's only alarming if you assume the user is an idiot.

      Clearly you've not used OS X much.

      I do, actually, but I'm not a drag and drop kind of guy. I open a console for file operations. I can probably count on one hand the number of times I've used the finder to move files around in the last five years.

      You're right, of course, and I think it's broken, but at least it's not as ridiculous as these Vista screenshots.

    11. Re:Summary... by misleb · · Score: 1

      It is 100% the fault of developers. Microsoft have been telling developers to write LUA-friendly apps for nearly 10 years now.

      I'm just saying that "telling" developers to do the right thing isn't quite enough. That kind of thing needs to be either enforced or the right way needs to be clear in the API. Other systems manage it. Are Windows developers just especially stubborn and rebellious?

      It is too bad Microsoft never had the courage to just start a new API from scratch. Instead they chose to make almost everything backwards compatible. And now they have a monster API set that few people know how to use correctly.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    12. Re:Summary... by drsmithy · · Score: 1
      I'm just saying that "telling" developers to do the right thing isn't quite enough.

      Well, there's rather a limit as to what else can be done.

      That kind of thing needs to be either enforced or the right way needs to be clear in the API.

      Enforced how? How is the Win32 API not unclear?

      The closest they could come to "enforcing" it would be making the default user non-Admin, which is just going to break a lot of software (and blame will subsequently be placed on Microsoft) and just end up with users manually adding themselves to the Administrator's group anyway. That's why there's all these ugly hacks in Vista to "fake" admin-level privileges to broken applications, without actually requiring them.

      Other systems manage it. Are Windows developers just especially stubborn and rebellious?

      No, their mistakes are just a lot more noticeable because 95% of the world's computers show them off and because the end users are more tolerant.

      It is too bad Microsoft never had the courage to just start a new API from scratch.

      .NET.

      Instead they chose to make almost everything backwards compatible. And now they have a monster API set that few people know how to use correctly.

      By far the most common problems with applications not working with non-Admin users have nothing whatsoever to do with any possible API issues and everything to do with laziness, stupidity and ignorance. Things like trying to store runtime data in the application's directory, trying to open system files read/write, trying to write to system areas of the Registry, trying to store user data in the application directory, etc, etc. In fact, I don't think I've *ever* seen an app that needlessly required admin-level privileges, that wasn't requiring them because of some obviously boneheaded decision the developer had made. Probably 95% of "needs admin to run" problems are either an application trying to write data to its own directory, or trying to write to system areas of the Registry.

      If a user can fix it by twiddling file/registry permissions and without access to the source, it's got nothing to do with the API and everything to do with the developer.

  17. Executive Summary: by darkonc · · Score: 4, Insightful

    The new Windows 'protection' scheme will browbeat the user until they disable the security system (in some way or another).
    That way, when the inevitable virus and spyware hits the system, Microsoft can wash their hands and say that it's all the user's fault for making use of their computer bearable.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    1. Re:Executive Summary: by moochfish · · Score: 1

      Too bad the consumers will still blame Microsoft. Why do you think IE gets blamed for identity theft when (dumb) people click on emails from "the bank" asking for their PIN?

    2. Re:Executive Summary: by dioscaido · · Score: 1

      Actually, it will brow beat the user until they force the dumb app writers to stop requiring administrator rights. You should only need Admin rights when you are, oh, administering the machine. I should be able to run Quicken without giving it full access to my first born child. Once you are done setting up Vista, and installing your software, you rarely see an elevation dialog except for badly written 3rd party apps. I'm glad they are finally going this route... And yes, finally forcing themselves to fix their own shit too -- in XP you can't bring up the clock control panel as non-admin, for example.

  18. Article text by Anonymous Coward · · Score: 0

    Thank goodness for antipagination

    A fresh look at Vista's User Account Control, Part 2
    Posted by Ed Bott @ 6:59 pm

    In the first post in this series, I provided a close-up look at a major new security feature in Windows Vista. User Account Control (UAC), which will be enabled by default in all versions of Windows Vista, monitors a user's actions and prompts for an administrator's credentials before allowing any action that has a potential impact on system security.

    The UAC prompts I depicted in the first post are those that appear when you install a program, when you run a program that requires access to sensitive locations, or when you configure a Windows setting that affects all users. But as many beta testers have discovered, UAC prompts can also show up when you perform seemingly innocent file operations on drives formatted using NTFS.

    In this post, I explain why these prompts appear and why some so-called Windows experts miss the obvious reason (and the obvious fix).

    File operations trigger a UAC prompt anytime you try to do something with a file or folder where your current set of user rights doesn't grant that access. For example:

    If you try to create a new file in a system folder, you see this dialog box.

    [pic]

    If you try to delete a file, or create a new subfolder, or move a file, or do anything that directly affects the file system in a drive or folder whose contents are restricted to administrators, you see this dialog box:

    [pic]

    Similarly, if you try to rename a file or folder in a location where you don't have explicit rights to do so, you see this dialog box:

    [pic]

    In all three cases, your clue that UAC is involved is the Windows shield on the Continue button. When you click that button, the regular desktop fades to gray, the Secure Desktop appears, and you see the following consent dialog box:

    [pic]

    So, why does this happen? These dialog boxes appear when Windows Vista security meets NTFS permissions, which are stored in Access Control Entries (ACEs) applied to file system objects and displayed in Access Control Lists (ACLs). UAC is new; NTFS ACLs are old. But most Windows users, even some with years of experience, don't understand how ACLs work. And changes in the Windows Vista security model mean that a lot of people will be very frustrated until they understand how to work with those permissions.

    Here's the problem, stated as simply as possible:

    When you use Windows XP, you are almost certainly using an account that belongs to the Administrators group. (The challenges of running as a Limited user in XP are well documented.) As an administrator, you can do just about anything with just about any file. The exceptions are rare - you're locked out of the folder that contains System Restore files, for instance - but for the most part, if you can see it, you can change it.

    That all changes in Windows Vista. When UAC is enabled, all users run as standard users. That's true even if you're logged on using an account in the Administrators group. Your working environment, including Windows Explorer, has the rights of a standard user account, and you can only run applications with administrative privileges if you provide explicit consent. In technical terms, your parent process token is that of a standard interactive user.

    If you try to delete a file, or create a new subfolder, or move a file, or do anything that directly affects the file system in a drive or folder whose contents are restricted to administrators, you see this dialog box:

    [pic]

    Windows sees that the Users group has Read permissions only on that folder, and it has no way of knowing that you created the folder on another computer and that you should be listed as the Creator-Owner of all those files. It applies permissions based on the standard user process token and tells you if you want to change anything you'll need to supply your Administrator credentials.

    How do you work around this annoyance? You hav
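
The behaviour the article text above describes, as an added example that is not part of the original post and is not Windows code: a simplified Python model of the access check run against the standard-user and elevated tokens of one administrator account. The account names, the ACLs and the allowed / uac_prompt / denied outcomes are constructed for illustration; the model covers only ordered allow/deny ACEs and the deny-only marking of the Administrators group in the standard-user token, and it also models the narrower alternative of an ACE for a single account, which is this example's addition.

```python
from dataclasses import dataclass

# Simplified access rights (constructed bit values, not the Windows masks).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
MODIFY = READ | WRITE | DELETE

ADMINS = "BUILTIN\\Administrators"
USERS = "BUILTIN\\Users"
ALICE = "PC\\alice"   # constructed account, member of Administrators
BOB = "PC\\bob"       # constructed account, member of Users only


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    user: str
    groups: dict   # group SID -> "enabled" or "deny_only"

    def matches(self, ace):
        if ace.sid == self.user:
            return True
        state = self.groups.get(ace.sid)
        if state == "enabled":
            return True
        # A deny-only SID still triggers deny ACEs but never earns an allow.
        return state == "deny_only" and ace.kind == "deny"


def split_token(user, groups):
    """Return (standard, elevated) tokens for one logon, as UAC does."""
    standard = Token(user, {g: "deny_only" if g == ADMINS else "enabled"
                            for g in groups})
    elevated = Token(user, {g: "enabled" for g in groups})
    return standard, elevated


def access_check(token, dacl, desired):
    """Walk the ACEs in order; grant only if every desired bit is allowed."""
    remaining = desired
    for ace in dacl:
        if not token.matches(ace):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


def shell_outcome(user, groups, dacl, desired):
    """Model assumption: a prompt means the standard token was refused
    and the same account's elevated token would succeed."""
    standard, elevated = split_token(user, groups)
    if access_check(standard, dacl, desired):
        return "allowed"
    if access_check(elevated, dacl, desired):
        return "uac_prompt"
    return "denied"   # this account cannot do it even after consent


# Folder as in the article: administrators may change it, Users may only read.
DATA_FOLDER = [Ace("allow", ADMINS, MODIFY), Ace("allow", USERS, READ)]
# Broad fix: every standard user on the machine gains write access.
USERS_WRITE = DATA_FOLDER + [Ace("allow", USERS, WRITE)]
# Narrow fix: only the one account that owns the data gains access.
OWNER_ONLY = DATA_FOLDER + [Ace("allow", ALICE, MODIFY)]
# Why deny-only exists: a deny ACE on Administrators still binds the
# standard token, so it cannot be sidestepped by running unelevated.
DENY_FIRST = [Ace("deny", ADMINS, WRITE), Ace("allow", ALICE, MODIFY)]

if __name__ == "__main__":
    alice, bob = (ALICE, [ADMINS, USERS]), (BOB, [USERS])
    for name, dacl in [("DATA_FOLDER", DATA_FOLDER),
                       ("USERS_WRITE", USERS_WRITE),
                       ("OWNER_ONLY", OWNER_ONLY),
                       ("DENY_FIRST", DENY_FIRST)]:
        print(f"{name:12} alice write: {shell_outcome(*alice, dacl, WRITE):10}"
              f" bob write: {shell_outcome(*bob, dacl, WRITE)}")
```

Comparing the USERS_WRITE and OWNER_ONLY rows shows what each way of silencing the prompt costs: the broad grant also lets the constructed second account write to the folder, while the per-account ACE does not.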

  19. Soon, Same As It Ever Was by ausoleil · · Score: 4, Insightful

    Microsoft is trying to make users have good hygiene -- that is, don't run as a super-user unless you need to. Well-meaning and well intended -- and a good idea. Ultimately, however, Aunt Sally is not going to deal with it for long, and you, the unofficial family Helpdesk tech, are not going to like all of the calls you get from apoplectic relatives dismayed that they suddenly can't open this that or the other because they do not understand the paradigm.

    What will happen is what always happens: when there is a "problem" someone "fixes" it. In this case, the "problem" is the security model. I suspect that there will be a 3rd party "fix" that blasts through all the well-meaning security and basically restores the user-as-root scenario that Windows has operated in since forever.

    1. Re:Soon, Same As It Ever Was by dr-suess-fan · · Score: 2, Interesting

      I always thought the best model for Aunt Sally would be a keyswitch on the front of the computer. Similar to those round-key locks that used to prevent boot-up.

      If a program wants write access to Program Files, a dialogue box will pop up asking the user to turn the keyswitch to admin mode.

      Now, hopefully Sally won't turn the keyswitch unless she knows she's trying to install something.

    2. Re:Soon, Same As It Ever Was by wo1verin3 · · Score: 1

      >> Microsoft is trying to make users have good hygiene

      Hah. Good luck on that with the slashdot crowd.

  20. Annoying slideshow article.. by wfberg · · Score: 1

    Damn, that's annoying.. having to click next a zillion times to "read" (mostly pictures) the "article".. And the remarkable revelation? You'll be getting popups because of restrictive file permissions! Well, gee, I would certainly never have figured out THAT was the reason for popups that say "you lack the required permissions"....

    --
    SCO employee? Check out the bounty
  21. This is not flamebait, someone mod it back up by moultano · · Score: 2, Informative

    When I first clicked on the article, I couldn't even figure out immediately where the rest of it was. It was like 90% crap, a tiny bit of text, and a tiny more link that disappeared amidst all of the crap.

  22. No one says that you cannot. by khasim · · Score: 5, Insightful
    Oh, and those that say that you can't run in Limited User on XP (as in the fine article is stated) are completely ignorant.
    What the article actually said was:
    When you use Windows XP, you are almost certainly using an account that belongs to the Administrators group. (The challenges of running as a Limited user in XP are well documented.)
    What was that about "ignorant"?
    Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard.
    Go ahead and ask 100 people on the street whether they use Windows and whether they know what an ACL is and how to change it.

    Running as a Limited User is not impossible.

    It just requires spending a LOT of time and effort to LEARN how to do so ...

    and that pre-supposes that the person understands the risk of running as Administrator.

    So, someone has to already be aware of the threat ...
    Then that person has to choose to try to avoid that threat ...
    Then, then that person has to spend time becoming further educated ...
    Then, then, then that person has to spend time fixing the ACL's and such.

    Or just choose to run as Administrator and all those problems go away (and you get new problems, but all your apps run).
    1. Re:No one says that you cannot. by jawtheshark · · Score: 1
      My point was that the additional warning will add nothing. That is why I added the "Mechanic" part. People need an expert to service their machines. I'm the mechanic of my family and nobody has problems.

      The additional prompts do nothing.

      Damn, slashdot is getting a MS-fanboy club.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    2. Re:No one says that you cannot. by greed · · Score: 1
      Go ahead and ask 100 people on the street whether they use Windows and whether they know what an ACL is and how to change it.

      It doesn't help that one of the features left out in XP Home Edition is the ACL Editor. Sure, it's obtuse and hard to figure out--but it's a damn sight simpler than trying to get anywhere with CACLS.EXE.

      It would be one thing to leave out the ACL Editor (and the advanced features of the user editor, you know, like more than "Limited" and "Administrator" choices) from XP Home Edition if the underlying operating system didn't have those concepts, either. But, all the system features all there, you just really, really, really have to know how to drive the command line and/or hack the registry to do the work.

      Frankly, I think it's fairly repellent that Microsoft wants a premium price for those two features--for an "advanced" home user, those are pretty much the only useful things in XP Professional. (Nearly everything else is relevant only for those working in Windows Server domains.)

    3. Re:No one says that you cannot. by Mancat · · Score: 2, Informative

      You can gain access to the "Security" tab in XP Home by installing NT Security Configuration Manager:

      ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm/SCESP4I.EXE

      Run the executable and extract it to a folder, then open the folder. Right-click on "setup.inf," click Install, and restart once it's done. Works with all service pack levels of Home.

      --
      hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
    4. Re:No one says that you cannot. by AeroIllini · · Score: 1

      Go ahead and ask 100 people on the street whether they use Windows and whether they know what an ACL is and how to change it.
      Running as a Limited User is not impossible.
      It just requires spending a LOT of time and effort to LEARN how to do so ...
      and that pre-supposes that the person understands the risk of running as Administrator.


      Here's a wildly divergent idea ... what if Windows by default forces the person using the computer to run as a limited user? This could be accomplished by a forced username creation during install (or during FirstBoot for the Dell users), and by "crippling" the Admin account, so that the only thing admins can do is install software/drivers. If the Administrator account does not have access to the sound card, or the resolution is crappy, or the colordepth is bad, or whatever, then Joe Sixpack won't run as Administrator unless he has to install software.

      Yes, Microsoft would have to break some backwards compatibility with older software, but frankly, that's not their problem. The third-party developers were given access to the API and "Best Practices" when it comes to registry/filesystems permissions in their programs. If a company is still forcing people to run their software as Administrator this late in the Windows NT game, then it should be considered a bug and fixed.

      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
    5. Re:No one says that you cannot. by SuperMog2002 · · Score: 1

      Except breaking apps is their problem, and has been for a very long time. Apps are one of the main reasons people stay with Windows rather than migrating to Linux or OS X. If the new version of Windows breaks all their apps anyway, then users are a lot more likely to take the opportunity to migrate to a new OS altogether.

      --
      Sunwalker Dezco for Warchief in 2016
    6. Re:No one says that you cannot. by powerlord · · Score: 1

      You're right about not many people knowing how to deal with ACLs, even if they know how to deal with Windows rather well. Part of that, of course, is transitioning experience from Win3.1x, and Win9x where there were no file permissions. The other part is that for your average home user, they never were forced to learn before ("Oh, it's just me and the missus, so I'm not worried about security. No need to set up accounts and have to deal with it.")

      My brother and sister-in-law recently got frustrated with visitors (and my niece) playing with their desktop, and trashing bookmarks, etc.

      My solution? They now have a Parents log-in, and a log-in for everyone else. With WindowsXP there is no excuse for NOT doing this.

      My favorite quote from the article was " This poses a potential support nightmare for Microsoft, which will have to deal with frustrated users who just want to get to their data files."

      As if MS deals with user support calls themselves, as opposed to letting the hardware vendor such as Dell or Gateway handle those (or your local technical expert). :)

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    7. Re:No one says that you cannot. by Anonymous Coward · · Score: 0

      Not to mention the inevitable "Microsoft broke my app on purpose" lawsuits that would follow.

  23. Take this goddamn article down. by Gannoc · · Score: 0, Redundant


    Seriously. How many pages was this article for how much text? ./ shouldn't reward this type of bullshit ad-revenue-sucking crap with more hits.

  24. Lame article, Lame suggestions by flakier · · Score: 3, Insightful

    So, in the end he recommends giving Users full control or write access as means to get around the annoyance. Hell, why don't we just chmod -R 777 /* and end all the "annoyances" of my Linux box too while we're at it?

    Can't he just suggest that application designers get a clue and write apps that don't write unnecessarily to sensitive areas of the system? Hopefully annoyed end users will "motivate" lax companies when this happens instead of working around the issue.

    --
    --
    1. Re:Lame article, Lame suggestions by _the_bascule · · Score: 1

      chmod -R 777 /* would almost certainly render your machine unbootable, that's why.

      --
      Our diversity is our strength
    2. Re:Lame article, Lame suggestions by denis-The-menace · · Score: 1

      Maybe he doesn't bother because he knows what I've been preaching:

      Windows developers are always willing to trade end-user security for fewer support calls.

      Meanwhile, as an admin, I have to try to make these crapola, "we still live in a Windows 95 world" applications work with limited user accounts.

      Heck, I've heard IE not working right if you're not admin. (I would know directly myself, I use FF under Limited User)

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    3. Re:Lame article, Lame suggestions by larien · · Score: 1
      I'm not sure it would, actually; most of the initial boot sequence is run as root anyway, so dropping the set[ug]id bit wouldn't break most software. You'd get a booted system although some software may not work (e.g. login, ps, ping, sendmail...).

      In short, it's a stupid idea, but I think you'd still get a bootable system.

    4. Re:Lame article, Lame suggestions by Anonymous Coward · · Score: 0

      chmod -R 7777 /
      don't forget that extra 7. Makes all the difference. ;)

    5. Re:Lame article, Lame suggestions by gnud · · Score: 1

      OK, point taken. OP probably meant the equivalent of `chmod -R a+rxw /*`, though.

  25. Windows expert? by anzev · · Score: 1

    Hm, I fail to see the point in having written such an article. It helps me solve nothing I couldn't really have solved myself, it explicitly states that the average user can't do this because they don't know how -- rather insulting them than helping them.

    But what's even more funny is that, in the end of the article the author says that in his final instalment he will write a few suggestions HOW MICROSOFT COULD SOLVE THIS PROBLEM. Ok, that's something we really need, a smart-ass teaching MS developers how to do something... I mean, why waste valuable internet space. I hope the author realizes that nobody at MS will even consider his solutions.

    I think this is a blatant attempt to just get paid by the page, even if the page contains nothing more than an image, I mean, come on, and a blatant attempt at free advertising on Slashdot. I fail to see why this even makes good news. But, that's just my two cents.

  26. Turn it off? by BSAtHome · · Score: 0

    Well, you can turn UAC off? How about that for a security measure... A joke would be cheaper to develop than vista. sigh...

  27. Two Words by SuperKendall · · Score: 3, Insightful

    Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard.

    Your Momma.

    As in, ask Your Momma to do that.

    You see, my mother uses a Mac and is able to install updates herself and keep things running just fine, all without knowing what an ACL is much less how to set it.

    Saying the average user needs the equivalent of a car mechanic to deal with computers is just sweeping the issue under the rug and letting Microsoft off the hook for a half-assed solution to the problem. And also ignoring there are a hell of a lot more people that can fix their own car problems than computer issues.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Two Words by jawtheshark · · Score: 1
      Oh, is it sweeping the issue under a carpet? Is it really? NO IT IS NOT! A computer is sensitive equipment that needs adequate servicing, exactly like a car. The thing is that nobody seems to understand that!

      Administrator access is something a normal user should not have. My wife's computer was a spyware ridden machine until she met me. I'm the mechanic... I know how to fix it. Hey, I can't service my own car. I pay someone to do it. My wife would have had to pay for someone to secure her computer too! Except, such services do not exist.... (Not really, at least)

      Installing an application is not something a normal user should do, and that is all I have to say. If you do not agree... then fine...

      Your mommy has a Mac.... That's fine... but how Microsoft has handled security, there is no way to go to the "Mac Way". My Mommy has a WinXP machine and she doesn't need any intervention either. Go figure... (Of course, that's partially because of the OpenBSD firewall and the obligation of using Firefox)

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    2. Re:Two Words by AnyoneEB · · Score: 1

      And it will probably be the same on Vista. The average user will only be dealing with data within their home directory, which they will have ownership of. The idea of worrying about the ACLs on removable devices is crazy because they all use FAT or FAT32, not NTFS, and there is no reason to expect this to change any time in the future.

      --
      Centralization breaks the internet.
    3. Re:Two Words by Changa_MC · · Score: 1

      computer is sensitive equipment that needs adequate servicing, exactly like a car.

      You're talking about Microsoft Windows, not about computers in general. Computers don't need servicing, they are solid state devices. They are either working, or they are not.

      --
      Changa hates change.
    4. Re:Two Words by jawtheshark · · Score: 1
      Busted me on that one.

      Still strange that I need to patch my OpenBSD firewall when a new vulnerability shows up.... Oh, wait... doesn't that mean I just negated your claim? Computers need servicing: not because of the hardware, but because of the software....

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    5. Re:Two Words by Anonymous Coward · · Score: 0

      All of my removable devices are formatted under NTFS. Just disable the 'optimized for quick removal' setting.

      The issue then is not ACLs but rather that most people don't realize the proper way to 'eject' a removable USB device is through the Add/Remove icon in the tray.

      Copying a file to an NTFS removable device and then instantly unplugging it will mess up NTFS' transaction log which (at best) will result in the file not showing up under the directory listing.

      Instantly unplugging your device after a copy when it's been formatted with FAT tends to be less risky in that regard.

    6. Re:Two Words by heinousjay · · Score: 1

      Listen, jerky, I learned as a fact here on Slashdot that Windows sucks and everything else is fantastic and great. The fact that nothing has managed to even come close is only because Bill Gates is the devil. It's a fact.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    7. Re:Two Words by iminplaya · · Score: 1

      Computers don't need servicing, they are solid state devices.

      I could believe that...if they were sealed in epoxy, away from dust and humidity, and all the salt that's in the air around here. Many computers are outside, under nothing more than a thatch roof. We're lucky to get six months without the need for a good cleaning(servicing). And they don't always "just quit". They act very bizarrely as the contacts on the RAM corrode and become intermittent. Computers are sensitive equipment...made more so by poor design and manufacture processes. Made more ironic by the fact that my VCR ran for ten years without so much as a head cleaning. And these are precision machines with lots of monkey motion going on in there. A VCR should not be more reliable than a solid state computer. A computer should last almost indefinitely with no need to open it at all, considering there are no exposed moving parts(floppies and CDROMs excepted). But that's what we get for buying junk.

      --
      What?
    8. Re:Two Words by clydemaxwell · · Score: 1

      Er...computers being solid state doesn't mean they exist in a binary universe of working and not working. For one, they have integrated components which may stop working, then the pc is working but not fully functional. Furthermore, any given component could have individual capacitors fail and experience random issues. Frequently a dying motherboard manifests itself as odd software issues.

      --
      Browsing with classic discussion, noscript, at -1 and nested
      no hidden comments and I only mod UP
    9. Re:Two Words by AnyoneEB · · Score: 1

      Oh, I didn't know that the filesystems were different in that regard. I use the add/remove icon anyway because I have managed to lose a couple (FAT16 formatted) USB flash drives to unplugging at a bad time. I use FAT because it's default and because it's compatible (Windows/Mac/Linux). The average user will probably be using FAT anyway. I doubt that Microsoft would push for using NTFS on removable drives if it makes them easier to corrupt accidentally.

      --
      Centralization breaks the internet.
    10. Re:Two Words by Changa_MC · · Score: 1

      That's a great example of what I'm talking about. You can patch OpenBSD or not, and it still works just fine. Because it's not made by Microsoft.

      --
      Changa hates change.
    11. Re:Two Words by Changa_MC · · Score: 1

      And do you perform "maintenance" on that dying motherboard? Or do you just replace it, as I indicated originally?

      --
      Changa hates change.
    12. Re:Two Words by Changa_MC · · Score: 1

      I'm not claiming that computers should miraculously work forever, I'm claiming that the car mechanic analogy makes little sense for the majority of the cases.

      --
      Changa hates change.
    13. Re:Two Words by jawtheshark · · Score: 1

      I don't think you can follow that logic. Usually, when it's not a remote exploit, you can keep your system "as is", but if a remote one is found in a service that you use, you damn better patch.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  28. finally by MyDixieWrecked · · Score: 1

    I'm glad Windows is finally gonna know how to say "I need credentials, please provide an administrator password" when you want to do something that requires said permissions.

    OSX's been doing this for 6+ years. It's annoying to always be hit with a "permission denied" error when trying to do things as a limited user, then realizing that I've gotta log out and back in as an admin.

    all I can say is FINALLY.

    --
    ...spike
    Ewwwwww, coconut...
    1. Re:finally by wandazulu · · Score: 1

      You don't need to log out and back in as an admin in OSX...just supply the username and password of an admin on the box.

    2. Re:finally by MyDixieWrecked · · Score: 1

      erm... the logging out/in part was in regard to windows.

      --
      ...spike
      Ewwwwww, coconut...
    3. Re:finally by wandazulu · · Score: 0, Offtopic

      Sorry 'bout that; the first sentence in the paragraph referred to OSX so I thought that's what you were talking about.

    4. Re:finally by MyDixieWrecked · · Score: 0, Offtopic

      yeah, I just reread that post and it's completely unclear. sometimes I wonder if I was high or something when I posted some things.

      I need a nap.

      --
      ...spike
      Ewwwwww, coconut...
  29. Flamebait by ewhac · · Score: 4, Insightful
    So how is it that running as a "limited user" under Windows is an arcane, difficult process, whereas doing so under UNIX is nearly trivial?

    I'm not saying UNIX is "better," since the primary issue here is social, not technical. If UNIX were in Windows' shoes, then third-party applications and slickly packaged malware would be popping up dialogs reading, "This application requires root privileges to install. Please enter the root password: _____" So UNIX's user model doesn't really solve the base problem. However, I've been using Windows (mostly for gaming) for a while now, and I run with administrative privs all the time, because running as a limited user (in the UNIX sense) just doesn't work. Or, perhaps more precisely, it doesn't Just Work.

    So what's the deal?

    Schwab

    1. Re:Flamebait by Anonymous Coward · · Score: 0

      Short answer: lazy third-party programmers

      Long answer: I've been running and programming as a 'limited user' ever since Win2k (at work and at home) and for the most part I never run into any issues that can't be solved by a simple 'Run As'. Depending on the software I have a good sense of whether or not it should require admin privileges to install (most plainly don't).

      One self-imposed hassle is that I'll try to get my hands on trial software of commercial products, just to make sure that they'll install and run as LUA and if they don't they get a polite semi-standard email noting that's why I'm shopping elsewhere (not that I imagine them caring).

      Installation failures usually happen because the installer assumes it'll have write access to HKEY_CLASSES_ROOT or HKEY_LOCAL_MACHINE. The first is most likely due to a COM control (which can be installed just fine under HKEY_CURRENT_USER) or file associations or some other crap you don't want to have happen anyway. The second usually relates to programs wanting to store their settings machine-wide rather than per-user which again, is the result of poor design. File-system wise it'll be because it wants write access to the Windows directory or the Default User/All Users settings directories (to make sure their shortcuts shows for all users, rather than the current, or starts in the background for all users, rather than the current one, etc).

      I have to say that I've been pleased that I haven't personally come across too much software that doesn't run as it should under an LUA. There are some annoyances that relates directly to WinXP (such as the fact that installing a codec requires Admin and a log out/log in of the currently logged in user before it's available - starting your favourite media player under alternate credentials fixes that problem however, and you can remain logged on).

      To cut to the chase. Most of the hurdles against running an LUA that are baked into Windows XP are trivial, or can be worked around (like customizing your power settings on a laptop as an LU). The rest of the problems are all due to developers programming and testing under an administrative account or casting a wide net (is_running_as_admin()) vs checking for what they need (does_user_have_access_to()). That's not to say that Microsoft hasn't (doesn't) violate their own guidelines, but their latest products have at least played well with LU (despite needing to install as admin).

      I should probably note that I don't ever play games, which are probably one of the worst things to get running under an LUA, but then again that's due to poor software design, not due to the OS.
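
Added example, not part of the original comment or thread: the comment above contrasts a blanket is_running_as_admin() test with checking for the access a program actually needs, and with storing settings per user rather than machine-wide. The Python below takes the second approach by attempting the write and degrading to a per-user directory; every function name and the "ExampleApp" name are hypothetical, and the paths in the demo are constructed.

```python
import json
import os
import tempfile


def can_write_dir(directory):
    """Return True if a file can really be created in `directory`.

    Attempting the operation is the reliable test: ACLs, read-only mounts
    and policy can each deny a write that a role check would have allowed.
    Side effect: creates `directory` if it is missing and creatable.
    """
    try:
        os.makedirs(directory, exist_ok=True)
        fd, probe = tempfile.mkstemp(prefix=".probe-", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.unlink(probe)
    return True


def per_user_dir(app_name, env=None):
    """Per-user settings location: %APPDATA% on Windows, XDG-style elsewhere."""
    env = os.environ if env is None else env
    base = (env.get("APPDATA") or env.get("XDG_CONFIG_HOME")
            or os.path.join(os.path.expanduser("~"), ".config"))
    return os.path.join(base, app_name)


def choose_settings_dir(app_name, machine_dir, want_machine_wide=False, env=None):
    """Return (directory, scope) without ever asking "am I an administrator?".

    Per-user is the default. A machine-wide location is used only when it is
    asked for and the write actually succeeds; otherwise degrade to per-user.
    """
    if want_machine_wide and can_write_dir(machine_dir):
        return machine_dir, "machine"
    user_dir = per_user_dir(app_name, env)
    if can_write_dir(user_dir):
        return user_dir, "user"
    raise PermissionError("no writable settings location for " + app_name)


def save_settings(settings, app_name, machine_dir, want_machine_wide=False, env=None):
    """Write settings as JSON and return the path that was used."""
    directory, _scope = choose_settings_dir(app_name, machine_dir,
                                            want_machine_wide, env)
    path = os.path.join(directory, "settings.json")
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as handle:
        json.dump(settings, handle)
    os.replace(tmp, path)  # atomic swap: never leaves a half-written file
    return path


if __name__ == "__main__":
    # Constructed demo: a temporary tree stands in for the real locations.
    with tempfile.TemporaryDirectory() as root:
        blocker = os.path.join(root, "blocker")
        open(blocker, "w").close()
        # A directory cannot be created beneath a regular file, so this
        # "machine-wide" location is denied even to a privileged account.
        denied = os.path.join(blocker, "ExampleApp")
        env = {"APPDATA": os.path.join(root, "appdata")}
        print(choose_settings_dir("ExampleApp", denied, True, env))
        print(save_settings({"volume": 7}, "ExampleApp", denied, True, env))
```
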

    2. Re:Flamebait by ratboy666 · · Score: 1

      The reason that "limited user" operation works on Unix is that most software is ported.

      To AIX, Solaris, HP/UX, IRIX, Linux.

      It isn't limited to a single user environment (the bigger boxes support many users).

      Administrators would have fits if the software required access to privileged directories and resources, beyond what is vital. That includes NOT writing into your own program directory.

      Linux can then leverage from this. The rule is: /usr and /opt should be mountable READ ONLY. /bin and /sbin should also be mountable READ ONLY. There are other conventions as well: A system should be bootable and can be maintained WITHOUT access to /usr.

      Since developers who break these rules get smacked by administrators, the "user account" model "just works".

      This is NOT the environment and mindset that Windows comes from.

      Ratboy

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    3. Re:Flamebait by AnyoneEB · · Score: 1

      DOS and Windows 9x did not have multiple user support because they were simply badly designed, ignoring Unix design concepts. As a result, developers got used to assuming the user had administrator access because that was the only kind. (Doing things like storing data in c:\program files\program name\data instead of %appdata%, not having a concept of per-user settings, making installations outside of the program files directory (ex. single user install) difficult, etc.) On the other hand, the Windows NT line has proper multi-user support, although it does use more complex ACLs instead of Unix's simple user/group/everyone access levels. (Yeah, I know, you can use ACLs on Unix.) Before Windows XP (a.k.a. NT 5.1), the Windows NT line was not targeted toward consumers. Now that Windows does have multi-user support, devs are not used to using it, or don't bother because everyone already runs as an admin, so why not? Now it looks like Microsoft is finally saying that they are not putting up with that policy anymore and want devs to design their programs to correctly multi-user systems or have lots of error dialogs pop up.

      --
      Centralization breaks the internet.
    4. Re:Flamebait by colinrichardday · · Score: 1

      How about having /tmp and /var as separate partitions, and mounting / as read only?

    5. Re:Flamebait by Bill+Dog · · Score: 1

      Everything else was right, but saying this:

      DOS and Windows 9x did not have multiple user support because they were simply badly designed, ignoring Unix design concepts.

      Is like saying the Honda S2000 does not have seating for 8 because it was simply badly designed, ignoring Chevy Suburban design concepts!

      --
      Attention zealots and haters: 00100 00100
    6. Re:Flamebait by drsmithy · · Score: 1
      So how is it that running as a "limited user" under Windows is an arcane, difficult process, whereas doing so under UNIX is nearly trivial?

      Because of lazy/ignorant/incompetent/stupid developers writing broken software that needlessly requires elevated privileges.

    7. Re:Flamebait by weapon · · Score: 1

      fstab and mtab and passwd all need to be modified (well maybe not fstab) for a system to function correctly, maybe you need a separate /etc/ for files that need to be changed

    8. Re:Flamebait by MrNemesis · · Score: 1

      UNIX has been a multi user OS since the year dot. I'm no computer historian, but it seems to me that every version of UNIX I've seen places system configs in /etc and user configs in ~/.appname (or localised equivalents). This has been around for donkeys ages, with the result that pretty much any app written in the last 25 years knows to put user configs in ~/.appname, since filesystem permissions meant that users would either have to run everything as root (equivalent to telling a qmail admin that he has to convert to sendmail within a week - likely to result in an explosion), chmod -R 777 /etc or end up with unconfigurable programs.

      By contrast, Windows only got the concept of multiple users circa a decade ago, and lack of coercion of third party devs by MS has still left a boatload of programs expecting to be able to write to Program Files, HKLM, c:\windows\system32 and all the rest of them. In recent years even some of MS's own products (there were a few games that would only run as admin IIRC) are guilty of said offence. Even Winamp only got multiuser support very recently. And there are still a million and one stupid shareware apps used by J Random User everywhere that haven't been updated since the days of 9x.

      As an aside, does XP's legacy compatibility option redirect any reads/writes from program files, HKLM, etc to user-writable areas? That would have seemed like the sensible thing to do.

      --
      Moderation Total: -1 Troll, +3 Goat
    9. Re:Flamebait by colinrichardday · · Score: 1

      One can use the -n option in mount (does not record mount in /etc/mtab), but I don't know how to avoid writing to /etc/passwd.

    10. Re:Flamebait by innate · · Score: 1

      The deal is, Microsoft software is designed by programmers run amok. The permissions system is one of those "let's handle every possible scenario that might ever come up, so we don't have to change the specification later" things.

      You can do just about anything you can conceive of with NTFS permissions, even bizarre and useless things.

      As a result, the permissions system is so complex that most users (and software developers, and system administrators) ignore it, defeating the whole point of having a permissions system in the first place.

      --
      No, I don't want to explore the Recycle Bin.
  30. We're all lucky by reverend_rodger · · Score: 0

    Good thing we'll never have to worry about these issues, since Vista seems to be delayed at least once a month.

  31. Part of their master plan by suggsjc · · Score: 1
    Vista is nice and all that, but how about fixing XP first!!!!


    How else are they going to get you to upgrade?
    Look, our new OS doesn't suck as much as the one of ours that you are currently using. For only $100's more you can "upgrade" and probably have to buy new hardware to run it on as well.
    --
    When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
  32. just change your thinking... by DoctorDyna · · Score: 1

    Every time that box pops up, just think to yourself:
    "Good thing spyware can't click this button."

    --
    Windows has more viruses because linux has more virus coders.
    1. Re:just change your thinking... by Anonymous Coward · · Score: 0

      "Good thing spyware can't click this button."

      yet

    2. Re:just change your thinking... by toadlife · · Score: 1

      It can't because it uses the same security mechanism as "ctrl+alt+delete" logon, where only a local device (keyboard/Mouse), *OR* a process that already has the administrator token (like the RDP or a VNC service) can touch it. Even if the user is an administrator, with UAC enabled, (s)he has a regular user security token by default, so spyware, if executed would start out with the regular user token and not be able to touch the UAC dialog box.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  33. Funny stuff! by Anonymous Coward · · Score: 0

    Hey that is worth the click. Trick or treat goatse.

  34. Interesting only because... by xx01dk · · Score: 1

    everyone's still bummed out about the delays announced in the past few weeks. It's almost like someone is pulling the strings thusly:

    PR machine: "Yeah, we know you feel real let down by the delay but OOH, LOOK! Something SHINY! Right.. over.. THERE!"

    Teeming masses: "Ooh, we love shiny things. Vista is going to be so great again!"

    --
    There is simply too much glass..
  35. Games -vs- firewalls by MobyDisk · · Score: 2, Interesting

    I'm curious how this handles applications that constantly modify system settings inappropriately. Does it prompt you every time, or just once? Does it remember the setting? Ex: Most games still save their save files into C:\Program Files. When I save my game, am I booted from my DirectX environment back to the desktop to answer the prompt? If so, does it happen every time I save? Or can it work like a firewall and say "let me do this every time."

    1. Re:Games -vs- firewalls by denis-The-menace · · Score: 1

      Limited users have read-only rights in Program files.

      Developers will have to do what Firefox has done:
      write user settings to the User's profile.(application data)

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    2. Re:Games -vs- firewalls by Anonymous Coward · · Score: 1, Informative

      If the game wants to write in certain registry keys or system directories like Program Files, Vista is going to do copy-on-write and store the actual modified files somewhere under your user profile, where they will only be visible to that program. Or you can configure this not to happen, and the game will get ERROR_ACCESS_DENIED unless you elevate it when starting (run it from an elevated command prompt, or click "Run as administrator" from the context menu of the executable or shortcut, which gives you the UAC prompt).

      Elevation can only happen when a process is created, so you won't be prompted mid-game unless the game starts another executable (or explicitly creates an elevated COM object and host process, which wasn't possible before Vista) to do that work.

  36. Metrics by InfiniteWisdom · · Score: 1

    I just measured things on my 1280x1024 screen. Excluding browser menus, toolbars, scrollbars etc, the window is 1265x856 pixels. The content occupies a 414x331 portion of the screen. This means that 87.3% of the area is junk.

  37. Oh No... by googleaseerch · · Score: 2, Funny

    The UAC's involved in this now, too? All hell's gonna break loose.

  38. just turn it off by signore+pablo · · Score: 1

    ya know, I have been running Vista 5365 and the first thing I did was to turn off UAP... It's still horribly implemented and the screen black out is kind of annoying too.. I know why they did it, because of the supposed spoof that could be displayed where users click ok thinking it's the cancel button, but it would have been better if the screen simply faded to gray rather than look like a resolution change to the input screen... also, it's still waaay too frequent. when you have to enter your password for deleting shortcuts that's silly... furthermore, I personally think that it should be more like web browser password memory. while you have one particular section open, you put your password in once and it works until you close that particular section, such as the device manager section or copying files to a location or something like that. It needs to have better AI. The good news is they'll have plenty of time now that Vista has been delayed to fix that :D. Vista can be better than XP. Given that it's been 5+ years since XP's release that's not too much to ask for, but I wish it could have been better. Aero is not as nice as aqua but if Microsoft releases the API for aero and makes application developers able to integrate their GUI better into aero, that will go a long way. Right now, many applications stick out a bit with the transparent windows and nothing else that blends into that theme. IE7 and media player look better in Vista because they were designed for it. Hopefully this won't be like the Office API where that looked nicer than the API that other developers were given to develop with. (I don't know too much about that but anyway better application integration with aero would be a big plus) We'll see how it turns out...

  39. oh, those are the simple solutions by stinky+wizzleteats · · Score: 1

    Here are the simple solutions all the windows experts are missing:

    Set yourself up as the owner of all files on the drive.
    Set full permissions to all files to the "user" group.

    Oh gosh gee. I don't know how we could have been so stupid. Please forgive us for doubting the security, power, and flexibility of Microsoft operating systems.

    Dear Microsoft "experts": You just permanently lost the user privilege security argument, and you probably don't even know why.

    1. Re:oh, those are the simple solutions by joelleo · · Score: 1, Flamebait
      Well, a couple of things:
      1. Some directories have permission inheritance turned off. Doing what you suggest wouldn't work without additional ACEs set for %systemdrive%\documents and settings, %systemdrive%\program files & %systemdrive%\windows among numerous others.
      2. Some directories and files SHOULDN'T allow users to read, write, modify etc - %systemroot%\system32\drivers\etc\hosts & lmhosts, %systemdrive%\system32\config & more
      3. Many applications and capabilities require access to the registry for configuration info, real time data etc. Setting fs perms don't address this aspect. Even if you did something similar for the registry, you'd break far, far more than you'd "fix", as well as open up (more) drastic security holes

      It's not as simple a solution as you apparently think. I understand, obviously coming from the limited world of Owner, Group and Other, that you probably don't have a very firm grasp on the concepts, but ignorance doesn't grant you right to slag on folks that aren't as ignorant.
      --
      "In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
  40. OT: sig reply by NotQuiteReal · · Score: 1
    Vehicle Collision Detected! Deploy Airbags?

    [YES] [NO] [CANCEL]

    You selected YES - please enter administrator password:

    --
    This issue is a bit more complicated than you think.
  41. Run on non-admin account without manually entering by CyberSlugGump · · Score: 1


    You can use the free program AutoIt

    ; Example AutoIt script to run a program as admin
    RunAsSet("Administrator", "", "adminpassword")
    Run("C:\Program Files\example\foo.exe")
    RunAsSet()

    The script can be compiled into a stand-alone executable so that you don't need your password sitting in a plain text file on your hard drive

  42. easy to fix by rcamans · · Score: 2, Funny

    I got this from somewhere:

            Start an elevated command prompt window, and from that window run secpol.msc.

            Find all the policies that start with "User Account Control" (there are only, like, six of them) and set them to either no prompt or disabled.
    That's all there is to it. You'll never need to "run elevated" and you'll never be bothered by those pop-ups again

    Thank you, whoever posted this fix.

    --
    wake up and hold your nose
  43. Administrator vs. Admin group by Anonymous Coward · · Score: 0

    Try doing something like, oh... creating a symlink from the command line. (Yes: Vista has real symlinks).

    Turns out, at least in the beta that I'm using, that you can't do this. Even if you belong to the Administrators group. In order to accomplish the task, you have to actually *log in as the Administrator account*. Completely retarded.

    I can't think of them off the top of my head, but there are other instances where being in the Administrators group didn't offer the same level of permissions as *being* Administrator.

  44. Get a Mac. by khasim · · Score: 1
    My point was that the additional warning will add nothing. That is why I added the "Mechanic" part. People need an expert to service their machines. I'm the mechanic of my family and nobody has problems.
    First off, the additional warning WILL add something.

    It will further de-sensitize people to clicking "okay" whenever a fucking popup pops up. You want the warning boxes to be so rare that the user actually stops and thinks.

    Secondly, get a Mac. It doesn't take a dedicated mechanic to keep a Mac happy. And Macs use the old *nix security model. There's no reason to claim that a computer needs a mechanic.

    From that review, it seems that running as a regular user will be easier under Ubuntu today than under Windows whenever it is released. There's no excuse for that.
    1. Re:Get a Mac. by AnyoneEB · · Score: 1

      Actually, it sounds to me like the Mac OS X sudo dialogs are just like the dialogs being described for Vista? What's the difference?

      --
      Centralization breaks the internet.
    2. Re:Get a Mac. by jawtheshark · · Score: 1
      It will further de-sensitize people to clicking "okay" whenever a fucking popup pops up. You want the warning boxes to be so rare that the user actually stops and thinks.

      Look, it has not much to do with the discussion, but I'm an IT high school teacher right now. (I end in July, I don't want that crap anymore) Virtually all pupils click before they read. It's a matter of fact.

      I agree on getting a Mac, but that is not what people will do. When I met my wife (a preschool teacher) she had a WinXP machine. I told her: "Why didn't you get a Mac, it would be perfect for you". The answer was simple: "I didn't know they existed until I met you..."

      Macs are the solution... sure, but not if you don't know them.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    3. Re:Get a Mac. by jacksonj04 · · Score: 2, Interesting

      Vista has the potential to turn around the eternity of warning boxes. I would consider myself a computing professional, and sometimes even I've automatically clicked OK before going "Oh shit, what exactly did that just say?"

      Vista's security model doesn't seem to ask for credentials in stupid places, unless the article writer believes that modifying the system folder should be the prerogative of every user. What it does (Especially when running user apps) is show just how much applications rely on privileged accounts. If the developers can get the program to work as expected without relying on admin rights, it will make users stop and think "Woah, why is this asking me for the admin password? What is it trying to do?"

      I have no objection to being prompted every time something wants to mess with a system file. I object to being prompted every time something wants to mess with a system file because the application is piss-poorly designed.

      --
      How many people can read hex if only you and dead people can read hex?
    4. Re:Get a Mac. by misleb · · Score: 1

      According to TFA, there are several dialogs that Vista will put you through which will unnecessarily confuse users. OS X has a single dialog that just asks for your password. You don't even need to know the password for another user (unless you are not in the admin group).

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    5. Re:Get a Mac. by SparkEE · · Score: 1

      I use Ubuntu on one of my machines at home and the sudo password prompt dialog scares me a bit. It's not a real concern now as I'm always expecting it to show up when it does, and I consider myself to know what I'm doing. But it would seem easy to me that a program could use a look-alike dialog box to fool a user into typing their password. Then, that program could sudo anything it wants.

      So, how is the user supposed to authenticate the dialog box that's asking for the password? The only means I see right now is whether you expected it or not, but I don't think that works well for beginners.

    6. Re:Get a Mac. by VGPowerlord · · Score: 1
      How many average OSX users have an account in the admin group? Did you forget we were talking about average users?

      Without an account in the admin group, you need to know the root user's password in OSX. Just like you need to know the Administrator's password in Vista.

      In a sense, I like Vista's explanation dialog. It tells you why you need to type in a password. The explanations need to be dumbed down a bit, though.

      I do think you're right about a single dialog. Merging a dumbed down explanation dialog together with the password prompt dialog would make considerably more sense from a usability point of view.

      For example, it would make more sense if it said...

      Programname wants to create a directory in a location it is not allowed to

      C:\path\here

      Do you wish to allow this?

      Note: In order to allow this, you must have your Administrator password handy.
      where clicking no makes the box larger and adds a username/password dialog.

      The trick is more into getting the user to read the dialog each and every time it pops up...

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    7. Re:Get a Mac. by CableModemSniper · · Score: 1

      Without an account in the admin group, you need to know the root user's password in OSX. Just like you need to know the Administrator's password in Vista.

      There is no root user by default. You need to know the password of an account in the admin group.

      --
      Why not fork?
    8. Re:Get a Mac. by misleb · · Score: 1

      How many average OSX users have an account in the admin group? Did you forget we were talking about average users?

      The initial user is in the admin group. And since average users only have that one account...

      Without an account in the admin group, you need to know the root user's password in OSX. Just like you need to know the Administrator's password in Vista.

      The average user does have an account in the admin group.

      In a sense, I like Vista's explanation dialog. It tells you why you need to type in a password. The explanations need to be dumbed down a bit, though

      You mean like in OS X?

      where clicking no makes the box larger and adds a username/password dialog.

      The trick is more into getting the user to read the dialog each and every time it pops up...


      The "trick" to getting users to read the dialogs is to not display it often. Again, like in OS X.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    9. Re:Get a Mac. by clodney · · Score: 1

      I agree that the warnings that come up seem reasonable. I'd like to see them consolidated into a single message box, but given the nature of communications between the app and the OS that seems unlikely.

      But I think the TFA probably did an upgrade install of Vista, which is why he was accustomed to having access to spots he shouldn't be messing with. I suspect the huge majority of Vista installs will be done by an OEM on a clean box, and that should deal with a lot of the problems right there.

      I've been running as a limited user on my XP box following a recent rebuild, and aside from working around apps that do obnoxious things like store data in Program Files, I haven't had any problems to speak of. Keep your data in profile directories or in some tree you have access to and everything is fine.

      My point is, a fresh install of Vista running apps made for Vista (again, like a store bought PC will have), and most users won't hit these security dialogs.

  45. uh.. by DoctorDyna · · Score: 2, Interesting

    But, if you disable the run elevated functions, won't the popup be replaced with a dialog that says "This program needs administrator privileges to run. Unfortunately, you disallowed elevating you, dumbass. Please log on using an account capable of running this."

    --
    Windows has more viruses because linux has more virus coders.
    1. Re:uh.. by Anonymous Coward · · Score: 0

      You'll only get the "can't elevate" warning if your user account is not in the BUILTIN\Administrators group. If it is, you will effectively be elevated from the moment you log in (because Vista no longer disables that SID in your token) and everything will work like XP did.

  46. Let the windows experts speak. by skyryder12 · · Score: 1

    Just go to the UAC blog. They tell you how to really turn it off:

    http://blogs.msdn.com/uac/archive/2006/01/22/516066.aspx

  47. OT sig by LunaticTippy · · Score: 1
    Since you brought it up, why not make your sig a real hyperlink? It'll save hundreds if not thousands of people a couple of seconds.

    <a href="linkURL">linkDescription</a>

    --
    Man, you really need that seminar!
  48. SHGetFolderPath() by tepples · · Score: 2, Informative

    Most games still save their save files into C:\Program Files.

    Games certified to run on Windows Vista don't. Instead, they'd use SHGetFolderPath() to look up the current user's My Documents folder and end up saving to e.g. C:\Documents and Settings\Pinocchio Poppins\My Documents\GTA Hot Coffee\ or something like that.

    1. Re:SHGetFolderPath() by MobyDisk · · Score: 1

      Surprise! Games certified to run on Windows XP don't either:
      http://www.microsoft.com/winlogo/software/swoverview.mspx

      They have never enforced the certifications. Does anyone bother to certify anymore? Is Vista going to refuse to run non-certified applications?

    2. Re:SHGetFolderPath() by misleb · · Score: 1

      Well, I hope they aren't putting save files in My Documents because that is for... uh.. my documents, right? I noticed that Oblivion does this. Kinda dumb if you ask me.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    3. Re:SHGetFolderPath() by DragonWriter · · Score: 1
      Games certified to run on Windows Vista don't.
      If I'm going to dump much of my existing app library (games are particularly ill-behaved, but hardly the only pre-Vista apps that are) to upgrade to Vista, why wouldn't I stay with XP and/or "upgrade" to Linux or OS X?
    4. Re:SHGetFolderPath() by tepples · · Score: 1

      why wouldn't I stay with XP

      Because your computer wore out, and your existing OEM copy of Windows XP won't activate on a new computer. Or because new apps require more RAM than your computer's motherboard can hold, and your existing OEM copy of Windows XP won't activate on a new computer. Or because Microsoft has stopped maintaining Windows XP.

    5. Re:SHGetFolderPath() by tepples · · Score: 1

      I hope they aren't putting save files in My Documents because that is for... uh.. my documents, right?

      How are PC games' save files not documents?

    6. Re:SHGetFolderPath() by misleb · · Score: 1

      Uh, no. They are application data.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    7. Re:SHGetFolderPath() by tepples · · Score: 1

      What is the difference between application data and documents? Do you accept this definition or another definition? And based on your definition, why would you call a saved game state "application data"? As far as I can tell, a saved game state documents your progress in a campaign. Worse yet, what is the difference between "local settings" and "application data"?

      But I will agree that "Application Data" > "Program Files" for this type of data.

    8. Re:SHGetFolderPath() by RobertLTux · · Score: 1

      umm no they are part of a user's documents since Game can be installed and then Fred runs the game, closes it, and then Barney runs the game and closes it and then Wilma ....

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    9. Re:SHGetFolderPath() by Sigma+7 · · Score: 1
      Surprise! Games certified to run on Windows XP don't either:
      http://www.microsoft.com/winlogo/software/swoverview.mspx


      Section 3.4?

      If you download the actual specification, you can read the full text: "Applications must not require users to have unrestricted access (for example, Administrator privileges) to make changes to system or other files and settings. In other words, the application must function properly in a secure Windows environment. Complying with the previous requirements in this section will help to ensure that the application meets this requirement." (Emphasis mine)

      If the game is a hard limitation that requires administrator privileges for day-to-day use, then it is not compatible with Windows XP. Some copy protection systems ruin this certification (e.g. old versions of SecuROM, which doesn't support LUAs, and early versions of StarForce, which granted Admin privileges), which is why you don't see too many games designed for Windows XP.

      They have never enforced the certifications. Does anyone bother to certify anymore?


      That's actually a separate issue.

      While a lack of certification is not a problem itself, any application that does not attempt to meet the certification guidelines generally has quality on par with the early Windows 3.11 applications - even if you did have administrator privileges, you can most likely expect to have stability issues.

      Just ask yourself the following question - do you want your immature sibling to have administrator privileges just because your parents say you have to allow him to play the game?
    10. Re:SHGetFolderPath() by misleb · · Score: 1

      What is the difference between application data and documents? Do you accept this definition [msdn.com] or another definition? And based on your definition, why would you call a saved game state "application data"?

      Because it is data not intended to be viewed or manipulated by the user directly.

      As far as I can tell, a saved game state documents your progress in a campaign.

      While a save file may "document" my progress in a game, it isn't a document in any common sense of the word. BTW, Oblivion is also storing ini files in My Documents. From what I read on that blog entry, it sounds like lots of applications are "bending" the meaning of My Documents such that it is cluttering the folder up. Not that filesystem clutter isn't par for the course in Windows as a general rule....

      Worse yet, what is the difference between "local settings" and "application data"?

      AFAIK, Local Settings is "per-user per-machine" data. It isn't included as roaming profiles. And it contains its own "Application Data" folder. It is intended for non-critical files like caches.

      All that said, I don't really care. It isn't like I am using Windows for much more than playing games. When I'm done playing the game, it is back into the dark depths of Linux I go...

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    11. Re:SHGetFolderPath() by misleb · · Score: 1

      You do realize that the "Application Data" folder is not shared between users, don't you?

      My Documents is intended for documents that the user will manipulate directly. That includes renaming and moving to subfolders. If you do either one of those things to saved games, the game will have problems. Saved games belong in Application Data.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    12. Re:SHGetFolderPath() by drsmithy · · Score: 1
      Worse yet, what is the difference between "local settings" and "application data"?

      Same as the difference between /usr and /usr/local.

      "Local Settings" is supposed to be used for storing data only relevant to that machine. That's why it is not part of a user's Roaming Profile. An example of appropriate data for this location is a browser cache.

    13. Re:SHGetFolderPath() by Anonymous Coward · · Score: 0

      Two words: race condition.

    14. Re:SHGetFolderPath() by tepples · · Score: 1

      True, the user could move My Documents while the game is saving, but is that a problem in practice?

  49. SUDO on Windows by MobyDisk · · Score: 1

    Actually, Windows has always had SUDO. A limited user can right-click the icon and select "run as." It will then prompt them for credentials. It really isn't that different from how other OS's work. You can also do it from the command-line.

    To modify Windows to operate the way other OSs do (prompt you the password at the right time) is trivial. They could just modify the user interface to prompt when you run the app. I modified the shortcuts in my "Administrative tools" folder to do this.

    Microsoft's boneheaded mistakes are that:
    1) They didn't do this by default.
    2) The UI takes at least 3+ to do what requires 0 clicks in Linux.
    - Windows: Right-click, run as, other user, type user name, tab, type password, enter.
    - Linux: Click, type password, hit enter.
    3) They don't support, or encourage 3rd-parties to support, non-administrative users.
    4) They don't clearly separate administrative actions from normal ones.
    Ex: "System restore" and "Windows Update" are under Accessories along with "Calculator".

    1. Re:SUDO on Windows by Tim+C · · Score: 1

      Actually, Windows has always had SUDO.

      Actually, Windows has had "run as" since Windows 2000. (And to pick a nit, sudo should not be capitalised)

    2. Re:SUDO on Windows by drsmithy · · Score: 1
      Actually, Windows has always had SUDO. A limited user can right-click the icon and select "run as." It will then prompt them for credentials. It really isn't that different from how other OS's work. You can also do it from the command-line.

      "Run As" is not sudo. "Run as" is more like su.

      To modify Windows to operate the way other OSs do (prompt you the password at the right time) is trivial. They could just modify the user interface to prompt when you run the app. I modified the shortcuts in my "Administrative tools" folder to do this.

      It's not that easy. Your shortcuts are modified with the assumption that the user will always want elevated privileges when they use them. This assumption is wrong.

      What Windows is doing (and OS X does) is determining whether or not the user needs elevated privileges when they try to do something, and then prompting them after the fact.

      2) The UI takes at least 3+ to do what requires 0 clicks in Linux.

      This is a technical, not UI, issue. A more complex and capable security infrastructure requires more information to work.

      3) They don't support, or encourage 3rd-parties to support, non-administrative users.

      In fact, Microsoft have been telling developers to write LUA-friendly apps for nearly ten years now.

      4) They don't clearly separate administrative actions from normal ones.

      That's because 90% of users don't understand the difference between "administrative actions" and "normal actions". Nor should they have to.

    3. Re:SUDO on Windows by drsmithy · · Score: 1
      Actually, Windows has had "run as" since Windows 2000.

      Technically, it's always had it. Just that for versions before 2000 you need to download a little "PowerToy" from Microsoft to get the handy right-click menu entry (and maybe the commandline app as well).

  50. Problem/Issue is obvious if you understand Unix by fortinbras47 · · Score: 4, Informative
    Windows is continuing its transition to the Unix user/security model, but your average user (and many IT people) neither understand the user/admin distinction nor permissions.

    As I understand the article, EVERYONE in Vista is a normal user. Administrators have the ability though to take administrator actions on a case by case basis after supplying credentials.

    To me, this sounds exactly like "sudo" under unix/linux or the "Authenticate: blahblah requires that you type your password" under Mac OS X. This model is more secure and works great, but there are some legacy transition issues.

    For you unix people, the problem the article describes is, "what if you mount an old drive, the drive has restrictive permissions, and the file owner UIDs don't match the new system?" (your user account doesn't have permission to do anything on the drive)

    NTFS has file permissions, but they rarely came up in practice because everyone in Windows was doing everything as the Unix equivalent of root. In Unix, the obvious fix is to do a sudo chown -R newuser /mnt/olddrive (or an ultraghetto sudo chmod -R o+rwx /mnt/olddrive) . The user/permission concept is totally foreign to your average windows user though, and hence the problem.
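
The mismatched-owner situation described in the comment above, as an added example that is not part of the original thread: this Python models the classic owner/group/other check and audits a mounted tree for entries a given account cannot read. The function names, the sample tree and the UIDs are constructed for illustration, and ACLs are ignored as a simplifying assumption.

```python
import collections
import os
import pwd
import stat
import tempfile

Finding = collections.namedtuple("Finding", "path owner_uid orphaned access")


def effective_access(mode, owner_uid, owner_gid, uid, gids):
    """Return 'rwx'-style access that (uid, gids) gets under classic Unix rules.

    Exactly one permission class applies: owner, else group, else other.
    ACLs and capabilities are ignored (simplifying assumption).
    """
    if uid == 0:
        # root bypasses read/write checks; execute needs some x bit on files.
        any_x = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        return "rw" + ("x" if any_x or stat.S_ISDIR(mode) else "-")
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c if bits & f else "-" for c, f in (("r", 4), ("w", 2), ("x", 1)))


def uid_in_passwd(uid):
    """True if the local account database knows this UID."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def audit_tree(root, uid, gids, uid_known=uid_in_passwd):
    """Walk root (run this as a user who can read it) and report, per entry,
    the owner, whether that owner exists locally, and what `uid` may do."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in sorted(paths):
        st = os.lstat(path)  # lstat: describe symlinks, do not follow them
        findings.append(Finding(
            os.path.relpath(path, root),
            st.st_uid,
            not uid_known(st.st_uid),
            effective_access(st.st_mode, st.st_uid, st.st_gid, uid, gids),
        ))
    return findings


def locked_out(findings):
    """Paths the audited account cannot even read."""
    return [f.path for f in findings if not f.access.startswith("r")]


def build_sample_drive():
    """Constructed stand-in for the old drive: private and world-readable data."""
    root = tempfile.mkdtemp(prefix="olddrive-")
    os.mkdir(os.path.join(root, "photos"))
    for rel, mode in (("photos/a.jpg", 0o600), ("public.txt", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "photos"), 0o700)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    old_owner = os.lstat(drive).st_uid
    new_uid = old_owner + 1  # constructed: an account whose UID differs
    # Pretend only the new account exists locally, as on a freshly installed system.
    for finding in audit_tree(drive, new_uid, set(), uid_known=lambda u: u == new_uid):
        print(finding)
```

Running the audit before any recursive chown shows exactly which entries are affected, so ownership can be changed only where it is needed instead of opening the whole tree to everyone.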

    1. Re:Problem/Issue is obvious if you understand Unix by DoctorDyna · · Score: 1

      Can you blame MS for wanting to make it not unfamiliar? Even the most ignorant of computer doofuses can be trained to click a dialog or supply a password here and there.

      --
      Windows has more viruses because linux has more virus coders.
    2. Re:Problem/Issue is obvious if you understand Unix by Anonymous Coward · · Score: 0

      Windows is continuing its transition to the Unix user/security model, but your average user (and many IT people) neither understand the user/admin distinction nor permissions.


      Or want them? I am not using my computer on a network. I'm the only person that uses my computer. I don't run networked apps. Why should I want (or have to put up with) an operating system trying to tell me what I can and cannot do with my own files and programmes?

      Why should a home computer operating system be trying to function like a university's OS?

    3. Re:Problem/Issue is obvious if you understand Unix by value_added · · Score: 2, Interesting

      NTFS has file permissions, but they rarely came up in practice because everyone in Windows was doing everything as the Unix equivalent of root. In Unix, the obvious fix is to do a sudo chown -R newuser /mnt/olddrive (or an ultraghetto sudo chmod -R o+rwx /mnt/olddrive) . The user/permission concept is totally foreign to your average windows user though, and hence the problem.

      Foreign is the right word, but the problem is more extensive and pervasive than familiarity or experience. First there is that mess called the registry and its tortured permission structure. Then there is an incoherent file system hierarchy where anything can be just about everywhere, except for what's supposed to be in SYSTEMROOT or system32, which is where everything gets dumped anyway to avoid creating a path that's a mile long. Then there's Windows' bizarre concept of file ownership. I create a file, but some other group owns it instead, but it's almost always executable by everyone, so no worries, right? Executable JPGs and GIFs and text files. LOL. Short of right-clicking one's way through the registry and file system, I doubt anyone knows and or manages anything, Microsoft included. And then, of course, there's all those services ...

      Sorry, but Microsoft will have to reinvent themselves a few more times before they discover Unix and these problems go away. These perennial discussions of "running as Administrator" vs. "running as a member of the Administrator's Group" vs. "running with limited privileges" obscure the real problems, and New and Improved Changes by Microsoft only mitigate the existing chaos. Get a typical home user to run with low privileges? Woohoo. That takes care of everything, doesn't it?

      DOS-style attributes in combination with an overcomplex ACL/policy-based system and a nutty bunch of default user and group accounts (SYSTEM, anyone?) is painful enough without the embarrassing lack of tools. I give it a few more years before they get round to giving us a terminal window in which perms and ownership are clear and visible, using chmod and chown become standard practice, and an appropriate umask can be defined. Should I hold my breath, I wonder?

    4. Re:Problem/Issue is obvious if you understand Unix by colinrichardday · · Score: 1

      And how many people use Windows XP/Vista in this manner? Are businesses supposed to forgo this feature because you don't like it? What about families with children? How many users aren't connected to the internet? Microsoft has always tried to have broad appeal, do you represent a sufficient market to make it worth Microsoft's effort to satisfy you in this regard?

    5. Re:Problem/Issue is obvious if you understand Unix by Anonymous Coward · · Score: 0

      I thought the obvious workaround is to use FAT for removable drives...?

    6. Re:Problem/Issue is obvious if you understand Unix by Forbman · · Score: 1

      You know, it was so hard to just do "runas /user BOFH cmd" (where BOFH, of course, is an administrator-priv'd account). Then, do this: "explorer" (which starts an admin-level Explorer window). Then just run things you need to from there.

      Oh well.

    7. Re:Problem/Issue is obvious if you understand Unix by drsmithy · · Score: 1
      Foreign is the right word, but the problem is more extensive and pervasive than familiarity or experience. First there is that mess called the registry and its tortured permission structure.

      What's "tortured" about it ?

      Then there is an incoherent file system hierarchy where anything can be just about everywhere, except for what's supposed to be in SYSTEMROOT or system32, which is where everything gets dumped anyway to avoid creating a path that's a mile long.

      Just because you're unaware of where things should go, doesn't mean proper locations don't exist.

      Then there's Windows' bizarre concept of file ownership. I create a file, but some other group owns it instead, but it's almost always executable by everyone, so no worries, right? Executable JPGs and GIFs and text files. LOL.

      Once again, your lack of understanding means nothing.

    8. Re:Problem/Issue is obvious if you understand Unix by Viol8 · · Score: 1

      MS will never switch to Unix style permissions and filesystem setup because that would be a tacit admission that they've got it wrong for the last 13 years. If MS had just bitten the bullet and made the original NT unix-like (or even VMS-like) they'd have spared themselves years of grief, bugs, exploits and hassle. But no, they knew better.... yeah right.

    9. Re:Problem/Issue is obvious if you understand Unix by Anonymous Coward · · Score: 0

      [blockquote]
      And how many people use Windows XP/Vista in this manner? Are businesses supposed to forgo this feature because you don't like it? What about families with children? How many users aren't connected to the internet? Microsoft has always tried to have broad appeal, do you represent a sufficient market to make it worth Microsoft's effort to satisfy you in this regard?
      [/blockquote]

      I think that the home user that wants their and their family's computer(s) to just work - without any hassles - represents a pretty big market.

      This was the model in the 90's 95/98 for home users, NT for businesses and such.

    10. Re:Problem/Issue is obvious if you understand Unix by colinrichardday · · Score: 1

      Having all users run as Administrator is not a way to have computers just work.

    11. Re:Problem/Issue is obvious if you understand Unix by drsmithy · · Score: 1
      MS will never switch to Unix style permissions and filesystem setup because that would be a tacit admission that they've got it wrong for the last 13 years.

      Actually it's because it would be a dramatic step backwards in capabilities.

      If MS had just bitten the bullet and made the original NT unix-like (or even VMS-like) they'd have spared themselves years of grief, bugs, exploits and hassle.

      Internally, NT and VMS are so similar that Microsoft was sued by DEC because of it.

      But no, they knew better.... yeah right.

      They certainly knew well enough not to repeat the mistakes of unix's primitive and coarse security model.

  51. We're DOOMed! by mmell · · Score: 1

    "That's one doomed space-marine!"

  52. lol.. by DoctorDyna · · Score: 3, Insightful
    Windows experts explain how to disable security features, how quaint. Honestly, the whole time I was using Vista it never occurred to me to turn this "feature" off.

    Anybody who needs instructions on how to disable something using gpedit has no business running a beta operating system that was intended for a serious testing audience.

    Come to think of it, having a meaningful conversation about an unfinished product is also quite silly. Ok, so in the light of this, I offer this comparison / exercise.

    Test 1.) In Windows Vista, make a shortcut to a program you know needs admin to run. Time this part Click the icon, then click the resulting dialog as quickly as you normally would to grant it permission.

    Test 2.) In Linux (for argument, let's say Ubuntu) pop open a term. Think in your head the name of an app or process / shell script that needs root or super user to run. Time this part type sudo then the name of the program or command.

    Did clicking the box take longer than typing SUDO? Meh. What a shame we're wasting so much of slashdot's disk space on a conversation over a few milliseconds.

    --
    Windows has more viruses because linux has more virus coders.
    1. Re:lol.. by kindbud · · Score: 1

      Did clicking the box take longer than typing SUDO?

      Yes. It has to. My hand has to move over to the mouse, move the mouse cursor to the dialog, and click. My hands are already on the keyboard when working in a terminal program, so I do not need to interrupt my task to tell the computer it's OK. It takes a couple seconds longer to confirm via mouse than with keyboard, for sure.

      --
      Edith Keeler Must Die
    2. Re:lol.. by lee1026 · · Score: 0

      Figuring the process of typing in the password and it is even longer.

    3. Re:lol.. by complete+loony · · Score: 1

      Make it a fair contest then. Remember that all those shortcuts you don't use often are buried under 2 or 3 subfolders in the start menu. In some cases the apps you need to run as administrator aren't even in there. You need to time the whole progression, Click start, Program Files, Administrative Tools, etc.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    4. Re:lol.. by VGPowerlord · · Score: 1
      Yes. It has to. My hand has to move over to the mouse, move the mouse cursor to the dialog, and click. My hands are already on the keyboard when working in a terminal program, so I do not need to interrupt my task to tell the computer it's OK. It takes a couple seconds longer to confirm via mouse than with keyboard, for sure.

      You'd be in a terminal program in Windows? Regardless, you can see from the screenshots that Continue is the default button in the dialog, so pressing Enter would be the same thing as clicking it.

      Besides, if you were in a terminal program in Windows, you'd probably use the runas command to start it rather than creating a shortcut.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    5. Re:lol.. by VGPowerlord · · Score: 1
      Also remember that while the majority of programs install to /usr/local/bin, not all of them do. Therefore, you may have to cd to the appropriate directory, or type in the entire path.

      Did I mention that I have a Windows XP desktop, but use Linux servers? (FreeBSD to a lesser extent)

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    6. Re:lol.. by Slashcrap · · Score: 1

      Come to think of it, having a meaningful conversation about an unfinished product is also quite silly.

      Is that why you've posted at least 3 fucking comments to this story?

  53. Obvious choices by Smorkin'+Labbit · · Score: 5, Insightful

    I like the options "Continue" / "Skip" / "Cancel". Very obvious for a normal user what the difference between Skip & Cancel is ;-)

    1. Re:Obvious choices by skastrik · · Score: 1

      What's not to understand? It's just as plain as Abort,Retry,Ignore,Fail? normal users dealt happily with all the time.

    2. Re:Obvious choices by mgblst · · Score: 1

      Wouldn't the skip try the next operation, and cancel would stop all operations? Say you were trying to copy over a bunch of files, and one already existed with the wrong write permissions.

  54. It's worse than that actually by apankrat · · Score: 2, Interesting

    What's worse is that there is no way to distinguish between authentic "User Account Control" dialog and a fake one that is popped up by a malicious application trying to collect admin credentials.

    Unless Vista allows customizing generic "UAC" dialog (with an image or a text) or easily authenticate it in some other way, UAC being ON appears to pose a greater risk to a system security than when it is OFF.

    --
    3.243F6A8885A308D313
    1. Re:It's worse than that actually by Anonymous Coward · · Score: 0
      The article mentions that the dialog will run in its own window station. Not to say that you won't be able to trick a clueless user that way, but there won't be any way for software running on the interactive window station to automatically click and dismiss the dialog.

      The most common window station everyone's familiar with is the logon station (doubles as the Ctrl-Alt-Del one when logged on if I remember correctly). A more practical use for them is to implement multiple separated desktops (one of WinXP powertoys actually demonstrates that).

      A window station contains a clipboard, an atom table, and one or more desktop objects. Each window station object is a securable object. When a window station is created, it is associated with the calling process and assigned to the current session.

      The interactive window station, Winsta0, is the only window station that can display a user interface or receive user input. It is assigned to the logon session of the interactive user, and contains the keyboard, mouse, and display device. All other window stations are noninteractive, which means they cannot display a user interface or receive user input.
    2. Re:It's worse than that actually by JeffBean · · Score: 1
      What's worse is that there is no way to distinguish between authentic "User Account Control" dialog and a fake one that is popped up by a malicious application trying to collect admin credentials.

      Actually there is a way to distinguish the UAC prompts from ones generated by a malicious application. This question is addressed in a post on the UAC blog:
      http://blogs.msdn.com/uac/archive/2006/05/03/589561.aspx

    3. Re:It's worse than that actually by apankrat · · Score: 2, Insightful

      Here's what they say (it's a bit long, but it's worth reading) -

      The Secure Desktop's primary difference from the User Desktop is that only trusted processes running as SYSTEM are allowed to run here (i.e. nothing running as the User's privilege level) and the path to get to the Secure Desktop from the User Desktop must also be trusted through the entire chain.

      So what does this experience look like? When you click on a UAC shielded control, your user desktop will appear to dim and the window that caused the elevation request - typically the window you were most recently using - and the elevation UI will be made more prominent. This is to provide you with the highest level of context possible when interacting with the elevation dialog.....


      So - again - how exactly are they planning to prevent arbitrary application from mimicking this behaviour?

      It will not need to bother with "Secure Desktop", but rather just make a copy of a screen, dim it, show in a topmost window covering entire screen and then superimposing fake, but otherwise OK looking UAC dialog.

      --
      3.243F6A8885A308D313
    4. Re:It's worse than that actually by RzUpAnmsCwrds · · Score: 1

      So - again - how exactly are they planning to prevent arbitrary application from mimicking this behaviour?

      They aren't. That's not the risk - an application "faking" the UAC dialog does absolutely nothing (you don't type your password into the UAC dialog, you just click a button).

      It will not need to bother with "Secure Desktop", but rather just make a copy of a screen, dim it, show in a topmost window covering entire screen and then superimposing fake, but otherwise OK looking UAC dialog.

      Which does absolutely nothing. If the UAC dialog asked for your password, we might be on to something - but it doesn't.

      The real reason for the "secure desktop" is to prevent attacks (e.g. using API to click continue, sending signals to the window, etc.) that would allow an app to bypass the UAC dialog.

    5. Re:It's worse than that actually by Anonymous Coward · · Score: 0
    6. Re:It's worse than that actually by dioscaido · · Score: 1

      If a user will enter their username and password into random dialogs, then there are deeper issues here. Ones that would exist no matter what OS you are running.

      At least w/ the secure desktop approach it will be slightly harder for, say, web page pop-ups to fool the user into submitting their data. But let's be honest here, a pop-up can barely resemble a windows dialog and probably some percentage of the users would still submit their info.

  55. Dialog Boxes by Zan+Lynx · · Score: 1

    What dialog boxes need is a quiz at the end instead of an OK button.

    Instead of:
    Format C:
    This will erase all data on this disk!
    OK?

    It would be:
    Format C:
    This will erase all data on this disk!

    Erasing means:
    1. My data will be copied to Microsoft for safety in case I miss it later.
    2. My data will be scanned for dangerous viruses.
    3. My data will be GONE and I will NEVER SEE it again.

    Enter the correct answer: ___

    And of course, the questions would be randomly selected from a list, so the user cannot memorize "3" as the correct answer.

  56. Re:Windows Expert? by Anonymous Coward · · Score: 0

    ha ha, u made the funnay ha ha!

    how refreshing to hear a joke about microsoft, don't see that often here.

    ha ha, thanks for sharing.

  57. Terrifying by bcmm · · Score: 2, Funny

    I really cannot think of a scarier idea than Microsoft working with the Union Aerospace Corporation.

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
    1. Re:Terrifying by kc32 · · Score: 1

      We'll be just fine as long as we have a shotgun.
       
      A BFG9000 couldn't hurt, either...

  58. Windows easy to use, HAH by mrraven · · Score: 0, Troll

    Jawtheshark sed:

    "Oh, and those that say that you can't run in Limited User on XP (as in the fine article is stated) are completely ignorant. I'm running Limited right now, and I have no problem. Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard. The only program I've never been able to run as non-admin is a game called "Children Of The Nile", and I still don't know how to run it as a Limited User. The user that needed it got the "Run As" option checked in the shortcut. Sure she has Admin access that way, but she's my sister and knows that she shouldn't run Admin."

    Jeezus that's as difficult as editing config files to get your mouse or sound to work on Linux. If you really think Joe Sixpack is going to edit their access control lists to enable their limited user account on XP you are really dreaming. Even if Joe Sixpack figures out how to use access control lists, they are going to be damn annoyed to go to all that work and STILL not have all their programs work, I know I'd be annoyed...

    At the risk of sounding like an utter Mac fan boy, OS X gets it exactly right, it creates a user level account and no root account by default and then has a slick gui that (sudos or sus???) and asks for a password ONCE when you install software that modifies system files. Cleanly implemented and secure what's not to like? That's the way a secure simple desktop OUGHT to work.

    Ubuntu Linux is set up in a similar fashion though I had to modify xorg conf files to get my mouse working and NEVER got sound working despite RTFM, Ubuntu forums, blah, blah. Linux/BSD makes a great server but isn't ready for the desktop and NEITHER is Windows.

    --
    Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
    1. Re:Windows easy to use, HAH by jawtheshark · · Score: 1
      Whoooha. I did not say that Linux was the answer. If you do not believe me read this.

      The problem is that most users do not understand that computers need a competent person to manage them.

      I had an iBook once.... I was the happiest user ever. It died. I'd still recommend Macs to anyone who asked, but most people do not ask me.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    2. Re:Windows easy to use, HAH by mrraven · · Score: 1

      I know you didn't say Linux was the answer I could tell in fact you were being an M$ b.s. apologist. MY point was that those who complain that Linux is hard to use compared to Windows are only fooling themselves. In order to use Windows as a stable secure platform is just as difficult as using Linux. Only OS X more or less works for a casual user desktop out of the box. Yes perhaps using chat or whatever requires tweaking the firewall, but by default the firewall is on, users run at user level, and application installs are password and drag to the application folder which most average people CAN handle unlike editing ACLs, or editing config files to get the sound or xorg to work right.

      --
      Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
    3. Re:Windows easy to use, HAH by SparkEE · · Score: 1

      So, what happens when a malware program copies that "slick gui that (sudos or sus???) and asks for a password"? That malware program can now go ahead and do anything it wants. I've used both RedHat and Ubuntu and they both have a similar concept. While I'm a fan of Ubuntu, I think this slick gui concept is a timebomb.

      For now, I think the best practice is to open the command line and use the sudo command manually. That way, you know exactly what program is asking for your password.

      Windows users would say they can do this by shift-right-clicking and using Run-As. But, a new dialog box is invoked to ask for your password, which introduces a possible hole IMHO.

      The command line is good. Learn, use it, love it.

    4. Re:Windows easy to use, HAH by mrraven · · Score: 1

      That's all well and good advice for those of us on slashdot. It doesn't fly for a DESKTOP for 99.99% (literally) of the population who use computers. Will no one think of the users?

      --
      Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
    5. Re:Windows easy to use, HAH by SparkEE · · Score: 1

      Okay, since I know that slashdotters are such big fans of the Trusted Computing Platform concept....

      Let's have a trusted peripheral, say a fingerprint sensor, that can return a password or print directly to the platform, encrypted by a session key based on a previously established root of trust from boot. Then, the dialog box simply needs to instruct the user to authenticate itself to the system, without that dialog ever getting to see the authentication data.

      All this leaves is the possibility that some malware will get the user to authenticate and run it, but at least it won't be able to capture the authentication data and its authorized session would eventually expire.

      This could also work with a trusted keyboard that has an indicator light to show the user when it is in trust mode. This indicator light would be controllable only by the hardware TPM and thus the user couldn't be fooled into giving his password to a piece of software.

      Note: I'm not trying to pass this off as my original idea. Just illustrating that the Trusted Computing Platform concepts do make some sense.

    6. Re:Windows easy to use, HAH by FKnight · · Score: 0

      Let's not forget that it's Bill Gates' Fault that developers intentionally ignore the reams of documentation Microsoft has published on writing applications that run properly under a limited user account, while at the same time, those same vendors seem to have no problem following the instructions for doing the same under *IX.

  59. Now attackers will use social engineering or by Beryllium+Sphere(tm) · · Score: 1

    privilege escalation attacks.

    What's the likely outcome when $USER hits a web site that says "download this and type in your administrator password to get DANCING WEATHER REPORTS!"?

  60. runas /user:administrator cmd by dillee1 · · Score: 1

    runas /user:administrator cmd

    This will give you a root shell. Just spawn whatever applic that need admin rights there. Only thing that can't run that way on winxp is the file manager(explorer), which is already running as the current user's desktop manager. One can spawn IE and use it as file manager though.

    I usually have cygwin installed and use Bash root shell instead. cmd sucks cock.

  61. idiot by toadlife · · Score: 1
    ...Dear Microsoft "experts": You just permanently lost the user privilege security argument, and you probably don't even know why."


    You are one to talk. Giving the "BUILTIN\users" security principal full control is all that's necessary. Taking ownership of the files would be at best redundant, and at worst, completely useless.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    1. Re:idiot by stinky+wizzleteats · · Score: 1

      Giving the "BUILTIN\users" security principal full control is all that's necessary.

      I was right. You don't know why.

  62. Quick question by martinultima · · Score: 2, Insightful
    “and the obvious fix”


    If it's so obvious, why can't they just make it a built-in part of the operating system anyway? I'm sure that there's got to be some sort of secure way of doing so. I know that if I were Microsoft, I'd want to provide all the "obvious fixes" as part of the default install, no stupid tweaking involved.
    --
    Creative misinterpretation is your friend.
    1. Re:Quick question by Sigma+7 · · Score: 1
      If it's so obvious, why can't they just make it a built-in part of the operating system anyway?


      It already is - it involves either taking ownership of the folder in question or making sure that your account can read/write to that folder. This is the exact same thing that I did when I was using a hard drive caddy - if I couldn't access the folder, I adjusted the permissions. This is not done by default - there is no way that Windows can tell if it was an archaic configuration or an intended configuration.

      If you instead believe the obvious fix is to grant read/write permissions to users on an external drive, then that means anyone can access it. Just remember that Windows XP and later are capable of supporting Remote Desktops, and with a special patch, allows remote desktops to run while a user is logged into the system. If you have an immature sibling, you can guess what happens next.

      BTW, the word "obvious" was written by a journalist that is experienced with computers. Most people aren't - and even if they are, they cannot make the change using Windows XP Home (which comes with most OEM computers and laptops.)
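
The trade-off argued in comments 61 and 62 (full control for "BUILTIN\Users" versus access for one account) can be checked on a real folder. The PowerShell below is an added example, not code from the thread or the article; `E:\Data`, the default account and the function names are assumptions, and the group names are the English-locale ones. It lists broad write grants and, only when asked, adds a Modify entry for a single account instead.

```powershell
# Added example (not from the thread). Path, account and function names are hypothetical.
# Run from an elevated prompt: changing an ACL needs permission to write the DACL.
param(
    [string]$Path    = 'E:\Data',
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME",
    [switch]$Grant
)

function Get-BroadWriteAce {
    # Returns Allow entries that let a broad group write to $Path.
    param([Parameter(Mandatory)][string]$Path)
    # English-locale names; on other locales these groups are named differently.
    $broad   = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $write   = [int][System.Security.AccessControl.FileSystemRights]::Write
    $generic = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored raw in some ACEs
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band ($write -bor $generic)) -ne 0
    }
}

function Grant-AccountModify {
    # Adds an inheritable Modify entry for one account; existing entries are kept.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$findings = @(Get-BroadWriteAce -Path $Path)
if ($findings.Count -gt 0) {
    Write-Output "Broad write access on ${Path}:"
    $findings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "No broad write grants found on $Path."
}

if ($Grant) {
    Grant-AccountModify -Path $Path -Account $Account
    Write-Output "Granted Modify on $Path to $Account only."
}
```

Without `-Grant` the script only reports, so it can be run first to see which entries would let every local user write to the folder.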
    2. Re:Quick question by martinultima · · Score: 1

      Either way, I'm pretty sure that with all the money those Microsoft guys have, they should be able to find a solution that works by now. Although by now, I honestly couldn't care less, because I'm a full-time Linux hacker and have more important things to worry about (like my own operating system ;-)

      --
      Creative misinterpretation is your friend.
  63. Ultimate irony by Anonymous Coward · · Score: 0

    "My wife's computer was a spyware ridden machine until she met me. I'm the mechanic."

    So what you're saying is that PCs are so frustrating to use that women will actually marry losers just to keep Windows working properly?

    Wow.

  64. Thank Hector J. Rodriguez by Barlo_Mung_42 · · Score: 1
  65. Mod parent up by SamNmaX · · Score: 1

    This feature, file system and registry virtualization, is something I'm very glad to see in Vista. It will act as a stop-gap until programs are written properly so they don't require admin level access just to run them.

  66. clue by stinky+wizzleteats · · Score: 1

    It's called sarcasm, jackass. My point is that it is most certainly not simple.

    1. Re:clue by toadlife · · Score: 1

      "It's called sarcasm, jackass. My point is that it is most certainly not simple."

      Classic. Get called on your lack of a clue and then defend it by claiming you were making a joke.

      You can go back to your corner and play with your USE flags now.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:clue by stinky+wizzleteats · · Score: 0

      I don't think I've ever seen anyone troll another conversation because theirs isn't going well. That's actually quite fascinating, in a morbid sort of way.

  67. Saved game: document or application data? by tepples · · Score: 1

    Because it is data not intended to be viewed or manipulated by the user directly.

    Define "manipulated directly". Most people do not hex-edit Microsoft Word documents, yet they're still documents.

    While a save file may "document" my progress in a game, it isn't a document in any common sense of the word.

    Which "common sense of the word" are you talking about? Unless you state otherwise, I'll use the computer science related definitions in American Heritage Dictionary:

    A piece of work created with an application, as by a word processor. [or] A computer file that is not an executable file and contains data for use by applications.
    And the same dictionary defines an "application" as "A computer program with a user interface." Going by the strictest application of this definition, even a spreadsheet isn't a "document" in the common sense of the word, as each cell may contain a declarative program written in the spreadsheet app's formula language and executable in the spreadsheet app's built-in interpreter.

    It isn't like I am using Windows for much more than playing games.

    Perhaps an argument by analogy might help: Where should a Linux game's saved states go?

    ObTopic: Unless this dilemma between Application Data and My Documents is solved, Windows game developers will just not bother changing the saving code that currently writes to Program Files, Windows games will continue to require administrator privileges, and Windows games will continue to pop up the sudo style dialog boxes described by The Article.

    1. Re:Saved game: document or application data? by misleb · · Score: 1

      And the same dictionary defines an "application" as "A computer program with a user interface." Going by the strictest application of this definition, even a spreadsheet isn't a "document" in the common sense of the word, as each cell may contain a declarative program written in the spreadsheet app's formula language and executable in the spreadsheet app's built-in interpreter.

      Oh give me a f**kin' break. I'm not going to play these semantic games. When you write a game, put the save files wherever you please. You can put them in C:\ for all I care.

      A good rule of thumb for me would be: If the program presents the user with a save file dialog (either once or every time), it is appropriate to default to My Documents. If it is an automated file write operation and the files are not intended for the average user to manipulate (move, rename, delete, email), then they belong in an Application Data directory. The point being that the user should not see anything in My Documents that he or she did not explicitly put there.

      Perhaps an argument by analogy might help: Where should a Linux game's saved states go?

      Usually they go in a "hidden" folder inside the home directory for the user. I've also seen them in a global game data directory such that special process permissions are required to write the files. Not a good idea IMO, because it poses security problems. The point being that, in linux, saved game data is usually not treated as user documents.

      ObTopic: Unless this dilemma between Application Data and My Documents is solved, Windows game developers will just not bother changing the saving code that currently writes to Program Files, Windows games will continue to require administrator privileges, and Windows games will continue to pop up the sudo style dialog boxes described by The Article.

      Then they're idiots.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    2. Re:Saved game: document or application data? by tepples · · Score: 1

      If the program presents the user with a save file dialog (either once or every time), it is appropriate to default to My Documents.

      Quite a few games and emulators for Windows use this method. Now we're in violent agreement.

    3. Re:Saved game: document or application data? by misleb · · Score: 1

      Quite a few games and emulators for Windows use this method. Now we're in violent agreement.

      *shrug*

      Most games I play on Windows simply have save slots with no file selection.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  68. Games that use common file dialog boxes by tepples · · Score: 1

    My Documents is intended for documents that the user will manipulate directly. That includes renaming and moving to subfolders. If you do either one of those things to saved games, the game will have problems.

    A lot of games for Windows and Mac OS that I've played use either the operating system's common open and save-as dialog boxes, or an appropriately themed workalike, for loading and saving games. If you move or rename a saved game, nothing will happen except that you have to navigate through the file system to find it. Quicksave is just Ctrl+S in a word processor, and quickload is just revert.

  69. You're lucky you didn't try and print it... by Anonymous Coward · · Score: 0

    I thought maybe if I printed it, and previewed as a pdf, I'd have a reasonably easy version to read. I was wrong. It created a pdf of the current page (10% content/90% banner, ads & other garbage), then my browser froze with a stupid 'Processing page:2' dialog box.

    I stopped viewing zdnet a long time ago, now I remember why.

  70. Can we auto-censor the "V" word? by Anonymous Coward · · Score: 0

    I find everything about MS V**** offensive.

  71. 2007? Yeah right by AaronLawrence · · Score: 1

    This looks like early stages of fooling around with new security models. Interesting, but extremely irritating in implementation. To their credit, they seem to have finally accepted a decent security approach, but somehow I doubt they will try to force this on people or get it working manageably by 2007.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  72. chmod -R 777 / by Vandil+X · · Score: 1

    So, in essence, he's saying you can get around Vista's UAC nag screens by making yourself have Full Control permissions on everything.

    "Duh."

    Not that I recommend doing such a thing.

    What'll be more interesting is seeing how OEMs preconfigure Vista PCs. Joe Sixpacks most assuredly don't want to know of or care about Administrator credentials. They just want Deer Hunter 5 to install. Now. If it works on their old XP computer without raising dialogs, but raised dialogs on their new Vista PC, they'll return it as defective and/or flood the phone lines of third world country call centers.

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  73. k, im prolly just being stupid but ... by Anonymous Coward · · Score: 0

    NTFS and win xp pro are great. why?
    first i can surf the web as a limited user and
    click any damn link i want. if i get infested with
    spyware, virus etc. i just delete the user account
    and make a new one. problem gone!
    (mind you if i get hit by a buffer overrun
    or such NTFS file permissions aren't going to
    save me, but that's a problem for all OSes).

    second i can install a "trial" version of
    any program, in my case 3ivx codec. they work for
    30 days. BUT if i access the codecs as limited user
    only, after 30 days, it pops-up a "yadda yadda" 30 days
    expire, BUT WILL STILL WORK, because since i'm
    accessing the codec as limited user, the codec (or install
    routine whatnot) CANT delete or block me from accessing
    the codec. (of course once im stupid enough to use
    the codec after 30 as admin it'll be gone ... t-hehehe).

    third: bragging rights. :))

    please MS: for VISTA, if i'm admin i'm FREAKING admin, k?!
    (looks over to suse box)

  74. sudo done wrong by l3v1 · · Score: 1

    Basically, as I see it, Vista UAC is sudo done the wrong way. Nobody will tolerate dozens of popups asking for permissions, and sometimes you can't even know what they ask for (e.g. when doing something with lots of files they might popup for every file asking permission for some file operation). If a spyware/trojan/etc. wants to do something and you get a file-operation-permission-asking popup, people will probably just automatically click on allow-and-go-the-f*-away button. Well, if they don't disable the whole UAC from the beginning.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  75. Nethack by noims · · Score: 1

    Is it just me, or does reading this feel like playing nethack, only less rewarding? -- more --

    --
    This is not the greatest sig in the world. This is just a tribute.
  76. Your Rug by SuperKendall · · Score: 1

    Your mommy has a Mac.... That's fine... but how Microsoft has handled security, there is no way to go to the "Mac Way". My Mommy has a WinXP machine and she doesn't need any intervention either. Go figure... (Of course, that's partially because of the OpenBSD firewall and the obligation of using Firefox)

    Your rug you are sweeping the issue under is the OpenBSD firewall and Firefox. My "Mommy" has just an OS X box directly connected to the internet, with no further need of external security devices to confuse her (and support people she might need to talk to for her ISP). Because there are no open ports I do not need to worry about external intrusion, only spyware/viruses coming via the web or email - your solution really doesn't address that any better than mine does as vulnerabilities can exist in any browser (though of course it's a better choice than IE).

    Fundamentally though the Mac security model lets any exploit through the web embed itself to a lesser degree than on a Windows system, such that a software update would likely be able to remove it and thus require no intervention on my part.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley