Microsoft Caves, Will Change UAC In Windows 7

CWmike writes "Reacting to intense criticism of an important security feature in Windows 7 (which we discussed a few days back), Microsoft today said it will change the behavior of User Account Control in Windows 7's release candidate. In a blog post, two Microsoft executives responsible for Windows development, John DeVaan and Steven Sinofsky, said 'We are going to deliver two changes to the Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. Second, changing the level of the UAC will also prompt for confirmation.' They said the changes were prompted by feedback from users, including comments on an earlier post Thursday by DeVaan in which he defended the modifications Microsoft made to UAC in Windows 7."

I had a little glimmer of hope

[kcbanner]

When I read the headline...that they were going to implement proper user account permissions (a la UNIX) so UAC wouldn't be needed. Alas, I was disappointed.

Re:I had a little glimmer of hope

Um. You're aware the access controls of the Windows NT line is MORE fine grained than UNIX, right? The entire reason SELinux was created was to give Linux the same granularity of Windows, so the NSA could use it internally. So, I would say Windows has proper account permissions. Even if 99.95% of all users misuse them.

Re:I had a little glimmer of hope

[NeverVotedBush]

I quit hoping a long time ago. Windows gets hit over and over with security problems that are exposed to the outside world. As the stakes keep going up because compromising computers is now a business, it's that much more important for people to protect themselves.

Windows has become the AOL of operating systems.

Re:I had a little glimmer of hope

[Toreo+asesino]

When I read the headline...that they were going to implement proper user account permissions (a la UNIX) so UAC wouldn't be needed. Alas, I was disappointed.

By that you mean "put password in everytime you need to elevate?". UAC does that if you're not an admin. If you are, because you're not really an admin, it just confirms you want to...if the app is digitally signed; if not, it give you a big scary warning box you actually have to read.

Re:I had a little glimmer of hope

[gad_zuki!]

What? Windows' ACL much more complex than the "proper" user, group, and world method in unix. The NSA built SELinux to address this. In other words, Linux needs to catch up to windows.

The UAC wont ask for a password if you are already an admin. if you want to input a password you can run as non-admin, as you should be doing.

Re:I had a little glimmer of hope

No... SELinux goes way beyond the access controls Windows NT has.

What you're thinking of is basically the POSIX ACLs. They've been in Linux for years. They don't see much use, because in the vast majority of cases, the old Unix permissions are good enough, and much easier to manage.

You have the standard owner, group, and everybody permissions on each file. If a file also has an ACL, it takes precedence.

Both Unix permissions and POSIX ACLs, as well as Windows's permissions, are a form of user access control.

SELinux is something else entirely - it's a form of mandatory access control, and it's applied to applications instead of users. A SELinux profile defines what an application is allowed to do - which system calls it may use, what files it has access to, and so on. This runs alongside the Unix permissions.

The closest analog in Windows is IE7's Protected Mode, where IE7 (and only IE7) is sandboxed and is unable to access anything but it's own configuration files. It's not really the same thing though - it's a sandbox, not a MAC implementation. A MAC implementation can be used to build a sandbox, but it can also be used to do far more.

It's not there to prevent users from doing something stupid. It's there to prevent applications from doing something they aren't allowed to, so that in the event of a security breach, an attacker is prevented from doing anything the application wouldn't normally do.

Re:I had a little glimmer of hope

[gzipped_tar]

SELinux is not about account permissions. It is based on security contexts which may or may not involve user accounts. For example, the idea of "root" means nothing in SELinux. A process with uid root can't get out of its confined security context and go rampant just because of its root privilege.

Regarding Windows' filesystem access control, it is similar to POSIX ACLs found in almost all Linux distros. These ACLs define the fine-tuned relationship between users and filesystem objects. However, filesystem access control is only a part (albeit important) of OS security, and I think neither SELinux nor Windows UAC is meant to work only in the realm of filesystem control.

Anyway the above description is based on my vague memory of these stuff and I could be wrong.

Re:I had a little glimmer of hope

[aarmenaa]

Proper user account permissions? Like the ACL system that Windows has had for more than a decade? The one that's more granular than what you can get on Linux? I guess Linux needs to ditch sudo and get real "user account permissions" too?

I don't see what you're getting at here: UAC fills almost the same role as sudo on a Linux system. Okay, I admit - it's a little different "under the hood" from the way sudo works under Ubuntu, but it legitimately works, and Microsoft actually did sit down and think this one through. For example, instead of asking to elevate for every piece of software that does terrible crap like writing into the Program Files directory, it just virtualizes that file system operation into a folder in your user account. Doesn't even ask to elevate. It does kinda cause problems when files don't end up where you expected them to, but most users never notice and it's actually a very nice way to deal with developers who refuse to follow the rules. Thanks to nice things like that, I generally only get prompted for elevation when I install new software or legitimately need access to a restricted directory, which is exactly the way it should be.

Don't misunderstand me here - there's plenty of things wrong with Vista. UAC and the NT security model weren't one of them, though. UAC was a step towards a sane default of limited users instead of having everyone run as an administrator. Defaulting everyone to admin is one of those bad decisions Microsoft made and we've been paying for ever since. Windows needs UAC, and it's the main reason I use Vista on my home box.

Try this: enable Vista's Administrator account (it's disabled by default), give it a password, then make your user account a "Limited User." What happens when it asks to elevate? Yep, a password prompt instead of the regular UAC. It's not technically sudo but it's the same effect and it works extremely well.

Re:I had a little glimmer of hope

[AndrewNeo]

That's funny.. what does the registry have to do with the security in NTFS?

Re:I had a little glimmer of hope

[gzipped_tar]

As I put it in another post (http://it.slashdot.org/comments.pl?sid=1118669&cid=26751749), SELinux is not just a user access control (UAC) system. The NSA didn't build it "to address this" as you said. Instead, they built it to implement a much wider range of ideas e.g. role-based access control and security context/type management.

I'm not familiar with the Windows Vista UAC so I can't make reasonable comparison between it and SELinux. However, if they are designed for different jobs, then we are really comparing apples and oranges.

Re:I had a little glimmer of hope

[ClosedEyesSeeing]

SELinux is something else entirely - it's a form of mandatory access control, and it's applied to applications instead of users. A SELinux profile defines what an application is allowed to do - which system calls it may use, what files it has access to, and so on. This runs alongside the Unix permissions.

Sounds like Group Policy Objects in Windows (running in a Domain).

Re:I had a little glimmer of hope

[sgtrock]

Read this post. NT's POSIX ACLs came from the same place that Linux's did; Unix.

Re:I had a little glimmer of hope

[thethibs]

proper user account permissions (a la UNIX)

You mean "me, us, anybody" permissions? Windows account security is both more sophisticated and more granular. The problem is not with user account permissions, but with the out-of-the-box defaults. On this one, Microsoft can't win. If they do something that's appropriate for the average home user (a breed of cat most of /. can't even imagine), power users and tech writers get all over their case.

In the enterprise environment, the degree of user lockdown is easily adjusted on a per-user basis and runas (Windows' sudo -u) is available for exceptions.

Re:I had a little glimmer of hope

[Cowmonaut]

Here is some info on SELinux. Some people apparently don't Google things they don't know about before posting (still, its only been a few years) and others like to not explain things so they appear to know what they are talking about.

The patches for SELinux have the same goal as UAC (and vice versa). That is, they provide a means of controlling what various applications can actually access on a PC. With UAC, MS makes it pretty intrusive and seems to punish the user but overall it is a good thing. If they can make it not so annoying it'll go a long way in making Windows more secure (for about a week).

By the way, the patches for SELinux are built in to the 2.6 kernel now so every Linux distro can or does do this.

Anyways, all they've done here is make it harder for UAC to be disabled without the user being aware. This is important since they've changed the default behavior of UAC so you won't see it as much since they found people only hate UAC when they see more than 2 prompts in a session.

I imagine in a week and a half someone will have figured out how to still disable UAC without the user being aware or just take the shortcut already suggested and have the programs piggy back on ones that already have admin rights.

It must suck being a large target that didn't start out secure. Securing Windows must be a right pain.

Re:I had a little glimmer of hope

[NatasRevol]

I think I'm changing my sig:
"Windows has become the AOL of operating systems."

Re:I had a little glimmer of hope

[jonadab]

Unless you work for a vendor that sells Linux-based solutions, and have a job title something along the lines of "Deployment Options Specialist", there really isn't any reason to *try* to think about all of the various configuration and deployment options. What would be the point? You're Doing It Wrong.

The right approach is to ask, "In our situation, what do we need the software to do?"

Re:I had a little glimmer of hope

[benjymouse]

What is generally discussed (and ridiculed) on /. is what is termed UAC prompts UAC prompts are merely the visible part of UAC. It's no surprise that the most important parts are hidden beneath the surface (and why it is so stupid to turn it off). UAC introduces a concept called process integrity. One can consider it a subdivision of user accounts as it works by modifying the security token associated with the process. If a process is running in "low integrity" it has virtually no rights to file system, registry database, IPC etc. It may render on the designated desktop and may also use an isolated storage. It is important to point out that because this sits in the security token, it is an intrinsic protection. IE7 and Chrome leverages low integrity mode, so even if an "exploitable" bug is found in IE7/Chrome or in an addin, this presents a formidable barrier to compromising the machine or even to get to sensitive or personal data.

Because a low integrity process is so limited, the browsers cannot even download files, except to their local, isolated storage. Therefore UAC calls for a separate broker process which drives the familar "save" dialog and reaches into the isolated storage and marshals the downloaded files out to userland.

Aside: When Vista was compromised at last years pwn2own it was through a custom broker process which Adobe had bundled with Flash. In their wisdom they had allowed the broker process to launch external programs. They needed at to perform updates or something. Go figure. Other integrity level are normal and elevated. In normal integrity level you cannot perform any actions which requires administrative privileges. In that case you need to elevate your privileges. That is where the UAC prompt comes in. To summarize, while UAC addresses some of the same concerns as SELinux, it does so by reigning in the process as opposed to SELinux/AppArmour which reigns in applications by defining profiles with allowable actions per app. I suppose you could build something like UAC by using SELinux and inspecting the process, but I'm not aware that this is what SELinux does.

One obvious difference - an advantage to UAC if you will - is apparent in the case of browsers. If a browser needs to be able to upload and download files, it must have a policy defined for that under SELinux. Hence, a compromised browser can also read/write files from/to those same locations without the users' knowledge or consent. That's not possible with UAC and IE7/Chrome. There is only one way (if UAC is not buggy) to have files transferred, and that's through the broker process. Assuming that process is not buggy (looking at you, Adobe) the user *will* know when a file is being downloaded and saved.

Re:I had a little glimmer of hope

Sounds like Group Policy Objects in Windows (running in a Domain).

If it sounds like it, I hope you haven't done much administrating Domains recently.

But maybe you're right, so... how can I create a GPO object that gives the following MAC profile to any instance of Firefox, started by any user:

- disallow connecting to ports other than 80 and 443
- disallow reading files in the User's home directory
- allow reading and writing files in %AppData%\Firefox, but not reading anything else in %AppData%
- allow writing files to %TEMP%, but allow reading only of the files created by Firefox itself

Re:I had a little glimmer of hope

You couldn't be any more vague or any more wrong with a text of comparable length.

UAC isn't needed if you just stop using administrator accounts.
What are you missing from UNIX account permissions?

Re:I had a little glimmer of hope

[mweather]

More granular? You mean like Posix ACLs and NFS ACLs?

Re:I had a little glimmer of hope

[Nursie]

UAC is nothing like sudo.

Sure, the prompts are, but it also restricts what can be run at startup (regardless of permissions) and messes around with various directories that MS have decided are sacred, silently redirecting write operations to other places.

It's annoying and broken.

Re:I had a little glimmer of hope

[flyingfsck]

Yup, SELinux is designed to allow government computers to process data of different classification levels, without causing all data to adopt the highest level.

For example, if you copy a confidential file onto an ordinary secret machine, that file then becomes secret. If SELinux is implemented, then a machine can be designed to process both confidential and secret data, without all confidential data becoming secret. However, setting something like this up and getting it certified by the NSA is a friggen huge PITA.

Re:I had a little glimmer of hope

[MooUK]

But to continue on from that question, you need to find out which of the particular options available to you can do what you need it to. That does require knowledge, to an extent, of the options.

Re:I had a little glimmer of hope

[the_B0fh]

OP said:

You're aware the access controls of the Windows NT line is MORE fine grained than UNIX, right?

indicating that more fine grained controls via ACLs etc is better than the ugo model that standard unix uses.

I'm merely pointing out that this is a beyond stupid argument, since Microsoft often claims that the registry is far better than /etc config files, and we all know how fucked up the registry can be. Here's an article on why Microsoft thinks the registry is better than /etc config files: http://www.theregister.co.uk/2002/11/21/ms_paper_touts_unix/

And for the morons who keep harping on SELinux, you either have not implemented this in production, so, stfu, or you're paid too much to screw around on slashdot, so go troll somewhere else. For the rest of us, selinux is a damned pain in the ass, and no sane person touches it.

Re:I had a little glimmer of hope

[wastedlife]

Could you explain how Group Policy in Active Directory is at all similar? For the most part, Group Policy is a way to push registry, system, and application settings out to members of the domain. While it is forced on user accounts, applications can ignore the settings if they so choose, meaning it is nothing like SELinux.

Re:I had a little glimmer of hope

[wastedlife]

They are both bloated and broken paradigms that are often used inappropriately? Or maybe it was just a misplaced attempt at sarcasm from "the B0fh".

Re:I had a little glimmer of hope

[Crazy+Taco]

that they were going to implement proper user account permissions (a la UNIX) so UAC wouldn't be needed.

Most Linux distributions I've used, including Fedora and Ubuntu, prompt me for my password whenever I try to go into some system menu or app, like the networking configuration. That's very similar to UAC popping up and asking for permission. My other option in *nix is to log in as root to make all those changes, but that requires knowledge and taking the time to switch users. Either one of these options is arguably just as intrusive as UAC, so I really don't know what all you people are talking about.

Re:I had a little glimmer of hope

[nabsltd]

For example, the idea of "root" means nothing in SELinux. A process with uid root can't get out of its confined security context and go rampant just because of its root privilege.

First, there are specific SELinux user contexts that refer to root (as opposed to a regular user), so, yeah, SELinux does have the idea of "root".

Second, you have to be able to administer the system somehow, and SELinux is part of the system. And, you really don't want SELinux being the part that restricts what can configure SELinux, because then one screwup and the system is hosed.

For a truly secure system, it might not be the case, but with every SELinux-enabled distribution I have seen, "setenforce 0" as root will let you do anything you want.

Re:I had a little glimmer of hope

[plague3106]

The patches for SELinux have the same goal as UAC (and vice versa). That is, they provide a means of controlling what various applications can actually access on a PC.

No, that's not what UAC does at all. UAC has nothing to do what that applications can access, it has everything to do with USERS can access. It's exactly the same as trying to do something in Gnome that requires administrator access when you're only a normal user and prompting you. The difference is that if you're a normal user in Windows, you need an admin username / password. If you're user account is already a member of Adminstrators, you just need to click a confirmation dialog. But it's the same concept and doesn't doing anything based on what the application is or wants to do.

Re:I had a little glimmer of hope

[nabsltd]

The patches for SELinux have the same goal as UAC (and vice versa). That is, they provide a means of controlling what various applications can actually access on a PC.

They may have the same goal, but UAC is completely different in that it works within the existing security token and ACL framework.

UAC can't do things like stopping "cmd.exe" from writing to a file in C:\, while SELinux can do the equivalent. In Windows, the process runs with the security token of the user, and that completely controls what the process can do.

UAC just alters the security token so that processes aren't always as powerful as the user really is. Although you could implement some form of the same control that SELinux offers by having users like "cmd.exe" and assigning "deny" permissions to that user for objects it should not access, this would add a lot of bloat in the filesystem security descriptors. It would also be very difficult to set up the correct permissions so that all this worked across a network, and wasn't avoided by merely renaming the executable.

Re:I had a little glimmer of hope

[RightSaidFred99]

Bullshit. Try using your POSIX ACL's on NFS. Good luck with that.

Re:I had a little glimmer of hope

[RightSaidFred99]

No. Nobody but single-OS shops use NFS ACLs. And POSIX ACL's are pointless as they only work on the local FS.

Re:I had a little glimmer of hope

[Tom]

How I love it when good info is mixed well with bullshit. :-)

SELinux and NT permissions are not the same thing. SELinux isn't about ACLs, it's about MAC and RBAC and (incompletely when it was released) also about MLS. If you don't know what any of that means, you shouldn't be talking about how it is "like NT".

Re:I had a little glimmer of hope

[Ralish]

Windows Vista introduced Mandatory Integrity Control which is a form of Mandatory Access Control.

Re:I had a little glimmer of hope

[gzipped_tar]

One obvious difference - an advantage to UAC if you will - is apparent in the case of browsers. If a browser needs to be able to upload and download files, it must have a policy defined for that under SELinux. Hence, a compromised browser can also read/write files from/to those same locations without the users' knowledge or consent. That's not possible with UAC and IE7/Chrome. There is only one way (if UAC is not buggy) to have files transferred, and that's through the broker process. Assuming that process is not buggy (looking at you, Adobe) the user *will* know when a file is being downloaded and saved.

I believe in SELinux you can do something similar via "domain transition". If the rule is set properly a browser can have no read/write rights to the files. When it absolutely needs to do so, it must be done by a "helper" process whose security type is transited into the corresponding type capable of doing the requested operations. There are many ways I can think of to do this. Examples would be the browser sending a request to a local authorization daemon, and let it take care of the rest. The daemon then asks the user for authorization. It continues to process the request and run the "helper" in the transited context only when password and confirmation from the user are given. Well this doesn't sound like an optimal solution (the authorizer daemon becomes a single point of failure just like the Adobe one) but that's quite close to what the Windows UAC can do in a similar scenario. By this made-up example I'm merely stating the possibility of implementing this through SELinux mechanism.

And I may be wrong.. I'm no expert in this area. I just happen to be interested enough to get myself into it a bit.

Re:I had a little glimmer of hope

[Simetrical]

Sure, the prompts are, but it also ... messes around with various directories that MS have decided are sacred, silently redirecting write operations to other places.

And on your Linux box, can you write to /usr or /etc as an unprivileged user? It's a security trainwreck if you permit unprivileged users to write to program files. Windows is saddled with the legacy of allowing this, all the way back from its single-user non-networked heritage.

In Vista, MS did the right thing and made Program Files non-writable except as admin. To make sure legacy programs still worked, however, they had to allow programs to think that they were writing to the shared files, without actually affecting other users. The only logical way to do this is to allow the change to go through, but only let the user who made the change see it.

It's also worth noting that this is likely to be a transient issue. New programs should be writing per-user customizations (e.g., runtime configuration) into the user's home directory, as Unix has always done. But old programs still have to be supported somehow.

What would you propose that MS do instead of this rewriting? Let all users write to programs in system directories that other users run, or break huge numbers of legacy programs?

Re:I had a little glimmer of hope

[afidel]

- disallow connecting to ports other than 80 and 443
Proxy server

- disallow reading files in the User's home directory
ACL

- allow reading and writing files in %AppData%\Firefox, but not reading anything else in %AppData%
ACL

- allow writing files to %TEMP%, but allow reading only of the files created by Firefox itself
Hmm, the only way I could do that is have Firefox running under alternate credentials of a user setup just to run Firefox.

Re:I had a little glimmer of hope

[benjymouse]

UAC will only redirect read/write operations for files and registry for virtualized processes. Apps compiled with a proper manifest are assumed to be well-behaved. Only older apps without a proper manifest is assumed to be "broken" and to keep them running the write operations will be redirected per user. It is by no means a perfect solution, but it does allow some apps to run which would otherwise have failed badly.

Re:I had a little glimmer of hope

[Allador]

The closest analog in Windows is IE7's Protected Mode, where IE7 (and only IE7) is sandboxed and is unable to access anything but it's own configuration files.

No, the closest thing in windows is the Mandatory Access Controls used in services.

Services are given specific abilities to read/write only specific things, and nothing else.

Of course, you could always do this with windows just by making each service run as a separate user, and give that user specific access controls. It's just a bit easier with the new system. And no easy way to do it with desktop apps.

There's also integrity levels, which prevents communications (rpc, window messaging, etc) from a lower integrity process to a higher integrity process.

Re:I had a little glimmer of hope

[drsmithy]

indicating that more fine grained controls via ACLs etc is better than the ugo model that standard unix uses.

They are. Provably and demonstrably so. ACLs are a superset of the UNIX security model.

Re:I had a little glimmer of hope

[ClosedEyesSeeing]

Look, I agree. After I posted, I had looked up SELinux (I have no experience with it) and it's very different. Granted in a Windows environment I could achieve a similar effect to what you wanted - but it wouldn't be all Windows' utilities. It would require scripting for most of the work (if not all). As I look more into SELinux I'm very impressed with the application restrictions/allowances and the granularity in which you can control them.

Re:I had a little glimmer of hope

[drsmithy]

When I read the headline...that they were going to implement proper user account permissions (a la UNIX) so UAC wouldn't be needed.

You mean like sudo isn't needed in UNIX ?

Re:I had a little glimmer of hope

[drsmithy]

Sounds like Group Policy Objects in Windows (running in a Domain).

No. It's not even vaguely the same.

SELinux is an implementation of Mandatory Access Controls.

Group Policy is a form of centralised configuration management (a decent implementation of which is something sorely lacking in the OSS world, but that's another discussion).

Re:I had a little glimmer of hope

[Allador]

Why are you conflating utterly unrelated things?

The argument is that windows ACL system is superior because its more fine-grained than UGO type security on unix systems.

Your response is that its not true because you dont like the registry???

Talk about fail-whale.

Re:I had a little glimmer of hope

Ummm...why is a statement of fact considered "Troll"?

I guess the moderation by a windows user pretty well proves the statement, "Its surprising how often Windows users truly believe Windows is ahead of Linux - at everything."

Re:I had a little glimmer of hope

[Allador]

Sure, the prompts are, but it also restricts what can be run at startup (regardless of permissions)

No, it doesnt.

You have 20-30 services (maybe more or less) that run quite well on startup and dont have anything to do with UAC.

messes around with various directories that MS have decided are sacred, silently redirecting write operations to other places.

No, it doesnt.

That is program file virtualization, not UAC. And its not on by default.

Re:I had a little glimmer of hope

[GooberToo]

Exactly. And to be in the position where the "Deployment Options Specialist" has nothing but boilerplate means someone has already gone through the dizzying set of options and configuration possibilities. Many without a moniker such as, "Deployment Options Specialist", are often left with a large set of possibilities to choose from.

Since my original post was moded troll, to be absolutely clear, I was not being snide with that statement either. For many, having a very large set of options is simply too many options, creating confusion. It has frequently been a complaint levelled against Linux. Some consider it an advantage - others a disadvantage.

Re:I had a little glimmer of hope

[MooUK]

However true, you said something anti-linux. With such a low uid, you really should expect to be modded down by now... ;)

Re:I had a little glimmer of hope

[Anpheus]

And you're not supposed to be running as root, EVER, and in a proper installation, only God has that authorization.

Simply put, I highly doubt the NSA gives anyone root access to their machines.

Re:I had a little glimmer of hope

[lgw]

Of course, you can buy expensive software packages that claim to do this for Windows. Look at what the bug AV vendors sell for non-signature AV (for appliances and such). But those packages don't really work - because you need this protection built into the OS, not added on. The packages hijack the Win32 APIs - all well and good, but programs don't *have* to use the Win32 APIs to make system calls, so if you can e.g. launch a 16-bit app, or a Posix app, all bets are off.

The SE Linux thing is impressive because of the dilligance applied against such work-arounds. Dissociating permissions from users really is the way to go for this kind of security (and dead-simple unix permissions are enough for user-based file access control in practice, once you're only using them in a simnple way).

Re:I had a little glimmer of hope

[nabsltd]

At some point, some program has to run as root, or else many things (like starting services, updating software, etc.) can't get done.

Re:I had a little glimmer of hope

[Splintax]

That is program file virtualization, not UAC. And its not on by default.

It's active on my Vista install, and as far as I can remember I never chose to turn it on.

Re:I had a little glimmer of hope

And all that great non-visible UAC stuff is thwarted when grandma clicks OK at the elevation prompt.

Re:I had a little glimmer of hope

[the_B0fh]

Obviously you're unable to relate two separate concepts together.

I'm showing an example where you have shitloads of finegrained stuff, and how it is a failure.

The OP's point here is that a fine grained ACL system (that was copied from VMS) is superior to UGO on unix. My point is that it is not. And I used an example from another part of the system showing that it is a pain to do it properly.

And actually, I took it a lot further than it should have been - ACLs are useful too. But really, implementing on UGO or ACL requires a lot of planning and thought up front.

Re:I had a little glimmer of hope

[GooberToo]

Huh? I said something anti-Windows and marginal at that. It was a fairly pro-Linux posting.

Intense?

[jamesl]

Intense criticism? Define "intense."

Isn't this how it's supposed to work? Release pre-production code to the community. Listen to comments. Respond to comments as appropriate.

Now define "over the top."

Re:Intense?

[Winckle]

You take your logic and you get out of here!

Re:Intense?

[tb3]

That's fine for the colors of a window frame, or the number of items on a pull-down menu, but OS security should not be driven by marketing and 'community feedback'. Microsoft's development methodology is fundamentally broken, and they don't seem to realize it.

Re:Intense?

[benjymouse]

Yeah - but apparently some of the less-technical MS brass preempted the engineers with a knee-jerk reaction something in the line of: "There's nothing wrong; it is as it is by design; you asked for it; move along!"

What's significant here is that they actually did an about face very shortly thereafter. Presumably when the real engineers and UX experts had told the brass what they thought.

Which is actually pretty significant as it hints that the actual MS engineers powers are growing.

Re:Intense?

[aj50]

User: Ummm, this seems wrong...

MS: Nah, that's by design

Lots of users: WTF? No, it's wrong you idiots!

That last bit was somewhat intense but was only brought about my MS's initial attempt to wave away the problem.

Re:Intense?

[thethibs]

Dilbert?! Is that you?

Re:Intense?

[JCSoRocks]

Personally I'm just baffled by Microsoft listening to the community. I think that guy that got a job to spy on them also must have started putting something in the coffee. They're obviously in an altered state of mind at the moment. They'll go back to normal in a week or two and realize this was all a mistake. At that point we can look forward to our usual dose of, "we're microsoft and you're not" when we complain.

Re:Intense?

[recoiledsnake]

That's fine for the colors of a window frame, or the number of items on a pull-down menu, but OS security should not be driven by marketing and 'community feedback'.

Why not? Security levels in many cases(especially UAC) is a tradeoff between usability and security. People have spoken on the Microsoft blogs that they are okay with some inconvenience of elevation prompts for UAC changes and are not willing to sacrifice the security. Microsoft listened to them. This actually looks like a sound development methodology to take into account user feedback.

Re:Intense?

[TheVelvetFlamebait]

Yeah, don't let the door hit you on the brain on the way out!

Re:Intense?

[plague3106]

Really? So my grandmom should have to muddle through sys admin tasks that make it as difficult as possible just so she can use her computer? I don't buy your argument; normal people should be able to use their computer with minimal hassle. So we need to find the right balance of usabilty and security.

Re:Intense?

[thePowerOfGrayskull]

Because... the people using your product clearly don't know what their security needs are? You realize that this fix was a good thing, preventing bypass of UAC by malicious applications - plugging a potential security hole on the basis of what the "community feedback" revealed.

Re:Intense?

yes, because logic did nothing for the entire world, much less the human race, right? yeah...

Re:Intense?

That last bit was somewhat intense but was only brought about my MS's initial attempt to wave away the problem.

Excuse me... your MS?

The entire concept is broken

[landimal_adurotune]

With the initial Vista UAC people were trained to just click yes to everything or they would turn off the function entirely. With Windows 7 it is far less frustrating but the User part of the UAC is what is broken, there is no substitution for actually educating users. That is something that is far out of MS's reach IMHO.

Re:The entire concept is broken

[xtracto]

You might think (as well as I do) that the UAC screens are really annoying.

But just last December a friend (computer illiterate) asked to help him installing a camera on his computer running Vista. While helping him I said something bad about the moronic UAC "cancel or allow" messages and my friend told me the following:

"Although you may find the warnings cumbersome, they are good for me because it warns me if I am sure to do something. Sometimes I press somewhere without knowing and if not because of the warnings I may run programs I do not want"

His logic made me think twice about UAC... of course, people that do not need it (i.e., those of use who know what we are doing) can simply deactivate it, however it may be useful for people who do not know what they are doing.

On the other hand, I still believe that the actual messages that appear could be more explanatory... however, there comes another problem, and it is that most of the people do not care to actually READ what the system is telling them and they just see an alert message with a warning sign.

But that comes from the times of MSDOS... I remember when I was a kid and started programming computers that my father told me it would be a good Idea to make a program that would read the instructions of the programs to the users (his university students) because even when the instructions were there in the screen, they would not care to read them... people are lazy.

Re:The entire concept is broken

[TJamieson]

Here's the secret: UAC has nothing to do with protecting users. Instead, it exists (at least in Vista) to reveal old programming problems lazy developers often made (such as writing within Program Files).

Of course the argument can be made that MS should've locked down Program Files from the beginning, but that's another discussion.

Re:The entire concept is broken

[darkmeridian]

The concept is also out of anyone's reach. As computers become more and more ubiquitous, a smaller percentage of computer users are specialized. The typical user nowadays expects a computer to just work like a TV or microwave. They just want to use the wonderful computer and do not have time to read instruction manuals or even prompts. But when computers do not work, they freak out and blame the computer.

No one is immune once you reach out to average users. As Apple starts to penetrate the market, you will see more and more trojans and spybots for OS X as well. I mean, even Linux users fall for phishing scams through the computer. It will only get worse as Linux gets onto netbooks and low cost computers.

I do not envy Microsoft's problem, but we ought to realize their problem will soon be ours.

Re:The entire concept is broken

[Nursie]

The argument also exists that they should tell the user what's going on rather than silently redirect stuff.

Tell me the program's broken, tell me there's a problem, block writes to PFs, whatever. Don't just silently squirrel stuff away somewhere else and then show different users different versions of the same file...

Just wrong.

Re:The entire concept is broken

[Allador]

Of course the argument can be made that MS should've locked down Program Files from the beginning, but that's another discussion.

Program Files have always been locked down.

The only thing that's changed is that the default user doesnt run with admin security privs in Vista and later, even if they're an admin account.

windows users are STILL more tolerant than ME

[v1]

The pain threshold, it turned out, was just two prompts in a session, which DeVaan defined as the time from turning the PC on to turning it off, or a day, whichever is shorter. "If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer," DeVaan said.

I get asked for my password when I do something in terminal that requires sudo, but other than that, I don't get a security prompt more than once a day on the average. Again depending on what I'm doing. I can go an entire day and not see one sometime.

I suppose I'd like to spend a day watching a windows7 user and see WHY they are getting all these UAC popups. I can't believe that if the OS is engineered properly if there would be any reason for it with ANY frequency unless you're doing things that *I* might find common, which is not Joe User.

I have my mother's main account on her machine as a limited user, and she knows the admin l/p when needed. I bet she gets asked for it once every 2 weeks at most. (like when a firefox update wants to install, and then it's behaving exactly as expected and desired) THAT'S how I'd expect ALL "typical" computer users to want to see. I'm absolutely certain I'd be getting a phonecall after she got prompt number two (for no good reason) in the same day. Why does it keep doing that? Fix it!

Re:windows users are STILL more tolerant than ME

[0123456]

"I can't believe that if the OS is engineered properly if there would be any reason for it with ANY frequency"

Yes, but this is Windows, which has been so poorly engineered for so long that roughly 97% of applications expect to be run as Admin; and thanks to the delights of 'backwards compatibility', Joe Sixpack will be running many of those applications for many years to come (heck, I have a copy of Word from the Windows 3.1 era on my Windows PC because I had to open old Word files and current versions wouldn't read the old format).

Re:windows users are STILL more tolerant than ME

[v1]

but this is Windows, which has been so poorly engineered for so long that roughly 97% of applications expect to be run as Admin; and thanks to the delights of 'backwards compatibility'

ya, but wasn't that what Vista was all about? Causing 80% of the existing windows apps to spontaneously combust and force the developers once and for all to fix their crap? What happened to that? (guessing... public outcry from the users and lazy devs pointing at MS as the blame) I thought that was the reason that Windows7 was going to make an even more solid, committed attempt to force the developers to adopt good coding practice. MS can't just continue to roll over on this issue.

Re:windows users are STILL more tolerant than ME

[0123456]

"ya, but wasn't that what Vista was all about? Causing 80% of the existing windows apps to spontaneously combust and force the developers once and for all to fix their crap?"

Well, that was kind of my point: even if they get developers to fix their broken applications that expect to run as Admin for generic tasks that shouldn't need it, the old versions of those applications will still be around for years to come, and people using those applications will complain until Microsoft have to do something to make them less painful to use.

Microsoft grew big and fat on 'backwards compatibility', and now it's turning from a huge advantage into a huge problem.

Re:windows users are STILL more tolerant than ME

[clodney]

I've been running Vista on my home/gaming rig for over a year now. It runs Steam, Fallout, Oblivion, Half-Life, Office, DevStudio, Firefox, Thunderbird, KeePass, Paint Shop Pro, Python, AV, iTunes - lots of stuff, some old, some new, some MS, lots of ISV.

I probably encounter a UAC prompt every week or two. Going into the control panel is pretty much guaranteed to trigger it, ad does updating a device driver, or installing/updating software.

That's pretty much it. I have at least one app that writes settings into its program files directory, but Vista silently redirects that to somewhere in the profile directory without requiring UAC.

The reality is that MS has been pushing ISVs for years to stop relying on admin access. Look at the requirements for getting the Windows logo on your app - one of the reqs is that it has to run as a normal user.

Between that pressure and the fact that Vista does trap and redirect some of the most common accesses to HKLM and Program Files, most shrinkwrap userland apps work fine in Vista.

When you start talking about things that a guy in the IT group whipped up in a few days back in 1998 thinks aren't nearly as rosy, but most home systems don't have to deal with that crap.

Re:windows users are STILL more tolerant than ME

[Rycross]

What happened to it? UAC was panned by Slashdot, panned by the press, panned by Apple, panned by developers, and hated by users. Everyone blamed Microsoft for "breaking things" and "annoying prompts" when it was the crappy application developers' fault in the first place.

The moral of the story is that people don't care what's technically correct. They just want their apps to work. Microsoft absolutely can roll over on this issue, because their customers want them to.

Re:windows users are STILL more tolerant than ME

[Aladrin]

The problem is that Window isn't doing uncommon things, the programs are. They are designed with WindowsXP-do-anything-you-like-as-admin philosophy, instead of restricting their business to their own areas.

In my experience, Vista seems to Admin Popups than Linux because the apps are doing stupid things, not because Vista was designed wrong. When I think about when Vista pops things up, it's the same times I'd be required to sudo in Linux: Installing/changing/deleting stuff globally for all users.

I don't use many apps now that haven't been updated for Vista, so I don't see the annoying behavior on Vista any more than on Linux.

Re:windows users are STILL more tolerant than ME

[nine-times]

I can't believe that if the OS is engineered properly if there would be any reason for it with ANY frequency unless you're doing things that *I* might find common, which is not Joe User.

I can believe that a properly engineered OS would prompt that frequently, assuming enough improperly engineered applications. And there are plenty of crappy Windows apps floating out there to make this thing believable.

Re:windows users are STILL more tolerant than ME

[benjymouse]

My wife stole my old cool acer ferrari 3400 when I got a new dell. It wasn't that it was faster than what she had, but she really liked the color of that thing (all shiny Ferreri red).

Anyways - she runs Vista Business. She's on a user account and she does not know my admin pw. She went a good 6 months using it every day before she experienced the UAC prompt. She had to install a new homebanking app.

I'd say it works as intended. For everyday work - even with Visual Studio 2008 - I don't get UAC prompts. (I did with VS2005, though)

Re:windows users are STILL more tolerant than ME

[Colonel+Korn]

Current versions all read the old formats, you just need to select the obsolete formats you want to be able to open on install. Not realizing this cost you your computer literacy card. Tear it up or burn it within 24 hours, please.

Re:windows users are STILL more tolerant than ME

[Yunzil]

I suppose I'd like to spend a day watching a windows7 user and see WHY they are getting all these UAC popups.

Hell, I'm running Vista and I'd like to know what people are doing to get all these popups. Pretty much the only time I see one is when I'm installing a new game. And for some reason when I start Steam.

Re:windows users are STILL more tolerant than ME

[denobug]

heck, I have a copy of Word from the Windows 3.1 era on my Windows PC because I had to open old Word files and current versions wouldn't read the old format

I think if you install all of the options for the new Word you will be able to open old Word document as old as version 2.1 in Windows. It's been there for years. You just need to modify the installation or at least pay more attention to the custom settings when installing Word.

Re:windows users are STILL more tolerant than ME

[Touvan]

They only panned UAC, because of it's incredibly flawed implementation. All of it was justified.

Before SP1 (which did quiet it down a bit) it came up way more frequently than it should have, and even after SP1 usually you had to click two dialog boxes with no password (and sometimes 3 or 4), instead of just one with a password, like on Ubuntu and Mac OS X.

On report (with a quote) even suggested that MS made it annoying on purpose, to get devs to fix it. That's a horribly disrespectful way to treat people who are developing on your platform - as well as your paying users.

It's even easy to deal with legacy apps - put old apps in a sandbox, and new apps must implement the new security APIs to get out. Other companies have done this masterfully, why is it so hard for the billion dollar Microsoft? It's easy for anyone (including those stubborn people in Redmond) to see how flawed UAC is, by simply using Mac OS X or Ubuntu. This really should not be that hard.

Re:windows users are STILL more tolerant than ME

Can't they virtualize this to accommodate old programs? In sort of the same way Apple did OS9 and 'classic' os programs? There must be a way of keeping all of the old programs useful while pushing a new system that people can program for. I don't get why this is not possible, and possible to do it securely without administrator level in Vista itself. Can anyone clarify this for me?

Re:windows users are STILL more tolerant than ME

[SdnSeraphim]

I work with Vista, develop software on it, and run in standard user mode (not administrator). I seldom get asked for elevation. The times that I do are when I am installing software, and changing a system setting. Other than that I never get prompts. My wife uses Vista also and she has never gotten a prompt.

I think the complaints about UAC revolve around the unfortunate set of users that think they are "administrators" or power users and run that way and then complain that every time they install the latest malware they get a prompt.

No amount of training will hinder these people. Why do we not see this as much in Linux? The bar to entry is much higher than Windows. This class of user base is smaller on Linux than on Windows.

Re:windows users are STILL more tolerant than ME

[geekoid]

I'm running Vista premium, and I was getting UAC prompts many times a day, sometimes interrupting a process.
I finally had to just turn it off.

Re:windows users are STILL more tolerant than ME

Slow file copying/moving, lower frame rates, bad driver support, a general unexplainable and overall deep feeling of regret/disappointment/irritation on a constant basis; beyond the problems I just listed which is why it is unexplainable. There is more to the annoyance than just UAC, but it contributes.

Speaking from my painful experience using Vista which led to me "upgrading" to XP, it asks you every time you do any of the following:

* Launch a video game that requires use of higher privileges for performance, this is all of them.

* Launch an unknown unsigned third party process or installer; no one, not even Nvidia or Creative sign their drivers. I'd say 98% of software installers don't sign themselves, their applications/drivers aren't signed.

* It asks you two times every time you compile a program with Visual Studio, and then it asks you again when you run it because it is an unsigned executable. This is making developers shut UAC off completely to get any work done.

* I'm certain there are more cases I haven't listed here.

Keep in mind in addition to UAC asking you all this crap, Microsoft never got rid of the "do you really want to run this application" dialog, which isn't part of UAC. So, the problem is compounded every time you run anything.

Re:windows users are STILL more tolerant than ME

[Rycross]

I have a Macbook and a Linux box. I also used Vista. UAC was never, ever as bad for me as the detractors claimed, and I am still left feeling that the hate was completely unjustified. I've never seen it pop up two UAC boxes. Every time I saw it, it was because I was accessing an admin-only area of the system, with the one exception of Visual Studio (one click on startup).

No, I don't think Vista is significantly worse than either Linux or Mac OSX. In fact, I don't really prefer one of these systems over the other. From my point of view, there is not enough of a difference between them for me to care.

Re:windows users are STILL more tolerant than ME

[0123456]

"Not realizing this cost you your computer literacy card."

If I remember correctly, the original problem was that they were Mac documents, and while the old Windows Word would open Mac files, the new ones just turned them into garbage.

However, even if that wasn't the case, how many people do you really expect to know that they need to REINSTALL THEIR SOFTWARE to open old Word files? It's nearly a decade since I've installed a new version of Word on anything, and most people get it pre-installed and expect it to open anything with a .doc extension.

Re:windows users are STILL more tolerant than ME

[man_of_mr_e]

. I'm absolutely certain I'd be getting a phonecall after she got prompt number two (for no good reason) in the same day. Why does it keep doing that? Fix it!

It's not the OS, it's a number of factors.

First, many apps think they can write anywhere they want, and many of them try to write to the programs own directory, which is protected. Some don't try to write, but still open some file with read/write permissions, which again will fail.

Second, Many USERS think they can write anywhere they want. So, they go creating folders at weird places, and again get prompts. It would be like a user trying to save their files to /mystuff on linux, rather than ~/mystuff

Third, some users don't understand the way certain things work in Windows. For instance, Windows has the concept of an "All Users" profile, in which data is shared between all users, but it's not writeable by normal users. So, when you install a program for "all users" to access, it puts the icons in the "All Users" startup menu or the "All Users" desktop. Then, individual users try and move or delete those icons and they get a prompt.

Finally, some actions SHOULD require elevation, but users think they should be able to change them under a normal user, such as system date/time or network settings.
 

Re:windows users are STILL more tolerant than ME

[drsmithy]

I suppose I'd like to spend a day watching a windows7 user and see WHY they are getting all these UAC popups. I can't believe that if the OS is engineered properly if there would be any reason for it with ANY frequency unless you're doing things that *I* might find common, which is not Joe User.

The problem isn't with the OS - never has been - it's with the applications.

Re:windows users are STILL more tolerant than ME

[drsmithy]

Yes, but this is Windows, which has been so poorly engineered for so long that roughly 97% of applications expect to be run as Admin;

It has nothing to do with how Windows was engineered (which is fine), it's completely due to broken applications.

Re:windows users are STILL more tolerant than ME

[fast+turtle]

MS needs to dump the "All Users" concept and switch to the *nix .skel concept. Hell drive space is not a concern anymore so there is no longer any reason not to copy icons into each user profile instead of a shared profile. I suspect that if MS switched to this and used proper folders in the profile directories under Vista/Win7 folks would not see any UAC prompts unless they actually needed to.

Re:windows users are STILL more tolerant than ME

[theurge14]

They rolled over on it because there are a significant amount of businesses running customized apps that are years old and won't be changed (or won't be paid to be updated). Not listening to businesses meant Vista wasn't going to be considered for those businesses. Now that Vista didn't get adopted up by businesses as the rate they had hoped (for other reasons), now they can revisit this issue without that burden.

On another note, not only have I seen custom enterprise apps that expected to be run with Admin privileges, but also did many other ridiculous things like expect hardcoded file and directory locations on C: and such.

Re:windows users are STILL more tolerant than ME

[man_of_mr_e]

Windows already has something similar to Skel, it's called the Default User profile, and it's copied into new profiles when new accounts are created. However, there are some gotchas. For instance, if a computer is connected to a domain and an existing user logs into a new computer, then it's not a "new account", so Default User doesn't come into play (and remember, different computers can have different software installed, so it's not something youc an just copy to all users profiles on the domain).

All Users gets around that problem, because even domain accounts will then share icons and start menu entries. So the Skel approach doesn't really work. I would suspect there are similar problems on Linux when using LDAP.

Caves?

[ukyoCE]

This is hardly "caving". Microsoft was alerted to a security issue, and they're fixing it. How did this get spun into an anti-microsoft story?

Did I miss some story where Microsoft said they absolutely refused to fix the problem, but now a few days later they're giving in and fixing it?

Re:Caves?

[Lostlander]

I agree, I hate Microsoft as much as the next Linux user but seriously agreeing to change something in a beta isn't caving it's feature adjustment. The tittle of the summary is just flamebait. Windows 7 seems to be a functional Microsoft operating system for a change and people are freaking out looking for something to hate about it.

Re:Caves?

[Cro+Magnon]

This is hardly "caving". Microsoft was alerted to a security issue, and they're fixing it. How did this get spun into an anti-microsoft story?

This is slashdot. Nuff said.

Re:Caves?

[the_humeister]

You want to know why? Microsoft eats babies and worships the devil! That makes them EVIL! Ergo, whatever they and anyone else associated with them does anything, it must be spun negatively no matter what.

Re:Caves?

A security issue?

Then it was a security issue being publicly advocated by the senior vice president responsible for Windows' architecture and core components.

Re:Caves?

[DavidR1991]

"This is hardly "caving". Microsoft was alerted to a security issue, and they're fixing it. How did this get spun into an anti-microsoft story?"

They stated it was by design a few days ago, immediately after the issue was posted, that's why

Re:Caves?

[Rary]

Not only that, but this very forum is overrun with people complaining about how many times UAC prompts appear in Vista, and this story is about Microsoft responding to users' complaints and reducing the number of prompts, only to then be told that now it had too few prompts. So, they're listening to users' complaints again and rolling things back.

But apparently that's "caving".

Re:Caves?

Erm, why is this modded troll? Every time I come on /. it's HURR DURR MICROSOFT PRIVACY FUCK THE SYSTEM HURR DURR. A few arrogant fucktards in their basements decide to base their world philosophy on their distro - that's their loss.

Re:Caves?

For all I prefer using a *nix system I want to complain about systems because there is a problem.

If MS go down I want to think that it was because they made a bad product. At the minute I'm worried that if they go down I'll just end up thinking it was because people THOUGHT they made a worse product than they do.

Re:Caves?

[NeverVotedBush]

And of course you know that if you draw lines between the windows in the Windows logo, you can draw a swastika!

Re:Caves?

[BRSQUIRRL]

Yes, that is exactly what happened. Microsoft's previous comments on the matter basically boiled down to "What problem? This works exactly the way we intended it to."

Re:Caves?

[Hal_Porter]

A true slashdot user believes all these things

1) The flaw in XP was that everyone run as admin. Unix's system of running as a limited user and doing a privilege escalation via sudo each time you do something that requires admin rights.
2) The flaw in Vista was UAC, where you do a privilege escalation each time you do something that requires admin rights.
3) The first Windows 7 beta had a flaw where it was possible for malware to disable UAC programatically and thus bypass it.
4) Microsoft have 'caved' and changed UAC in the Windows 7 release candidate.

and he believes them simultaneously too.

Re:Caves?

[Hal_Porter]

This is the good thing about commercial software. The technical people can be overruled by the marketing/management people if their decisions are unpopular with a majority of users. Non commercial software doesn't have this ability.

Re:Caves?

I agree, I hate Microsoft as much as the next Linux user...

Not enough hate.

Re:Caves?

[Touvan]

I thought the criticism was that the way they are reducing the popup frequency, is by "auto-escalating" applications to higher access levels. From and engineering standpoint, that sounds like a huge glaring security hole. I would think that's why this is getting "spun".

Think of it this way. I install some app that accesses a file in program files. In order to do that I have to grand access privs, so it's now been escalated. Now that program has a browser component, that can be exploited. The exploit can take advantage of parent app's auto-escalation to gain access to the program files directory.

That is not a secure design. And it should be pointed out more often, that Unix, Linux, Mac OS X, these have all had better models for decades. MS really has no excuse for not having this fixed by now.

Re:Caves?

Users: "I think I have a bug here"
MS: "No, it is not a bug, it is intendet to work that way."
Users: "But I don't want it to work that way, because <insert reasoning>."
MS: "Ok, we change that."

What horrible mistake did Microsoft make?

That Microsoft stated the truth by saying that this is not a bug, but intended behaviour?
Or that Microsoft changed the intended behaviour to match the expectations of the users?

Re:Caves?

[plague3106]

Ya, you're point? It WAS by design. People complained, apparently enough that they responded by CHANGING THE DESIGN. Yes, that's valid to do.

Of course had they done nothing, I'm sure you'd be posting "see, M$ doesn't listen to their customers!"

Re:Caves?

I hate Microsoft as much as the next Linux user

OK, it's time to grow up and stop looking to a cause to get your identity. Not all Linux users hate Microsoft, k?

It's about time the non-losers started tamping this down.

Re:Caves?

[msimm]

Correction:

kdawson. Nuff said.

Re:Caves?

Every time I come on /. it's HURR DURR MICROSOFT PRIVACY FUCK THE SYSTEM HURR DURR.

Your answer is implicit in your question: Those same people get mod points.

Re:Caves?

[drsmithy]

And it should be pointed out more often, that Unix, Linux, Mac OS X, these have all had better models for decades. MS really has no excuse for not having this fixed by now.

In actual fact all those OSes (and more) have an even more flawed feature to provide equivalent functionality.

Re:Caves?

[ukyoCE]

Thanks for the link! Even if this comes down to bad marketing/PR commentary while the engineers are doing "what's right" (fixing the problem after being notified), it's still Bad.

Re:Caves?

[Allador]

I thought the criticism was that the way they are reducing the popup frequency, is by "auto-escalating" applications to higher access levels.

What you thought was incorrect.

In the default Win7 UAC mode, certain system components that are signed by Microsoft get elevated without a prompt.

Think of it this way. I install some app that accesses a file in program files. In order to do that I have to grand access privs, so it's now been escalated. Now that program has a browser component, that can be exploited. The exploit can take advantage of parent app's auto-escalation to gain access to the program files directory.

So you're saying that the installer that you escalated has escalated rights? Thats correct. If the installer has an exploit, then yes, it will get owned. Same as if apt-get had an exploit, it could get owned while you're doing sudo apt-get.

If you're trying to suggest that by escalating the installER that the installED program gets auto-escalated, then you are not understanding the system.

That is not a secure design. And it should be pointed out more often, that Unix, Linux, Mac OS X, these have all had better models for decades. MS really has no excuse for not having this fixed by now.

The 'that' which you're referring to here is not representative of anything in reality. It's your inaccurate internal model of how you think it works based on some things you read here on slashdot.

Need more windoze 7 articles!

Seriously.

Re:Need more windoze 7 articles!

[the_B0fh]

Please check with the editor for current rates for astroturf articles.

I thought it was a new product

[Hognoxious]

Look like you try hunt mammoth!

Do you want:

* Use pointy stick
* Use big rock
* Install bow and arrows plus pack?

At least they're trying

[javacowboy]

First of all, Microsoft screwed up initially because DOS and the non-NT versions of Windows didn't implement the concept of a multi-user, networked operating system like Unix and NT did. This means that when the internet took off, Microsoft was selling an operating system for the masses that was not architected to be used securely over the internet.

The consequences were disastrous. Malware, including viruses, warms, trojans, adware and spyware spread like wildfire over Windows systems over the internet. Zombie machines became common. Software was written to require admin privileges to install and run correctly.

By the time Microsoft realized they needed to fix the problem (between XP and XP SP2, depending on how you look at it), there were too many legacy dependencies for Microsoft to switch whole-hog to a Unix style multi-user, restricted user by default system.

Still, they did try to do something about it. They merged NT and 9.x into a single operating system and kernel, namely, Windows XP. It was now possible to create multiple users, including admin and non-admin users. They implement the Run As functionality, to allow non-admin users to temporarily escalate their permissions.

I know Run As mostly worked, because I spent a few hours setting up my dad's XP and Vista computers with regular user accounts. There's the odd program that doesn't run correctly (or at all) as a regular user, but they all run correctly with Run As. I think there was only one program he had that used to run correctly under his old account that didn't work at all under the new setup.

Still, there are third party software developers that perpetuate use of the old system, and force Microsoft to enable admin users by default. Among those are game developers, that require users to run as admin *AND* stay connected to the internet (I believe Half-Life 2 requires this, but I'm not sure). This is grossly irresponsible, and Microsoft needs to do more to discourage this practise.

Still, as awkward as it initially was, UAC was a step in the right direction. It was too obtrusive in Vista, so they toned it down in Windows 7. Now, they realize they need to go partway back in the opposite direction again.

I'll give Microsoft credit for trying really hard to fix their past mistakes. However, some third party developers need to be smacked down hard for forcing Microsoft to maintain its past mistakes.

Re:At least they're trying

[plague3106]

First of all, Microsoft screwed up initially because DOS and the non-NT versions of Windows didn't implement the concept of a multi-user, networked operating system like Unix and NT did. This means that when the internet took off, Microsoft was selling an operating system for the masses that was not architected to be used securely over the internet.

I don't even see it as a screw up. They were at the time targeting computers used by one person that wasn't on a network. The problem was the internet blew up and they HAD to add internet features, but they couldn't also do the whole multi-user, network thing all in one shot. It would have immediately failed.

If they saw the internet coming years ahead, they may have been able to add the needed features before... but that's not how it happened. They (and I think most people) were suprised, and reacted. When they reacted I'm guessing many of their developers were still in the single user no-network mindset. Not a shift you can make overnight.

Sandboxing?

[Seth+Kriticos]

I still don't understand why they don't just sandbox any application that wants to be installed and only when it tries to access user data there should be a prompt.

You know, something like "Market watch X wants to inspect your porn collection [allow] [yes]" instead of "blah blah privileges blah [allow] [maybe]"

Re:Sandboxing?

performance?

Re:Sandboxing?

[geekoid]

Becasue that would take proper micro kernel design. M doesn't seem to really want that instead of going for the everything depend on everything else approach to OS design.

Brilliant!

[Saija]

Second, changing the level of the UAC will also prompt for confirmation.

Oh great!
a confirmation for the confirmation dialog...

Re:Brilliant!

[quickOnTheUptake]

One of the recent issues discussed on /. was that it was a huge security threat to have scripts able to turn off UAC without any notification. This is exactly what MS needed to do.

"Do not alert me again." Checkbox

[FathomIT]

Couldn't they set it up with all the crazy user restrictions in place and then just add that nice little checkbox that says: "Do not alert me again."

Most of the computer users on the planet will think twice if the alert is made simple and clear.

Re:"Do not alert me again." Checkbox

[AndrewNeo]

The UAC dialogs on Windows 7 have a 'change how often this dialog appears' text link in them.

Application for Windows

[jgtg32a]

There was an article a while back about some application programmer complaining about the security model in Vista and what a pain it was to develop for.

What it actually came down to was the programmer was complaining about having to separate privileged code from non-privileged code.

Just about every app made for Windows run in admin mode and UAC will complain about it.

In *nix it would be like requiring root to run the tar or ls commands.

Re:Application for Windows

[NSIM]

"just about every app runs in admin mode" is the most utter rubbish I've seen for a while. I have a wide selection of apps installed on my system, the only ones that trip UAC are:
DVDdecrypt (runs without admin, but bitches about it)
Core Temp (has to run as admin)
Handbrake (can't update profiles unless it's running as admin)
Everything else runs just fine. (Office, Paintshop Pro,Firefox, Thunderbird,utorrent, Omea RSS reader, and dozen or more other applications that I'm too lazy to list)

Re:Application for Windows

[Anpheus]

Since the launch of Vista, the number of UAC prompts triggered by programs has fallen a staggering amount. People who opt in to the customer experience improvement thinger will report which executables caused UAC prompts and other generic information. Vista has reduced this amount by approximately half. Half of the applications no longer require Admin.

So it would be absolutely insane to say that apps aren't needlessly running with excessive privileges. Almost all applications are running with excessive privileges.

Re:Application for Windows

[adolf]

DVD Decryptor hasn't been updated in ages.

It works fine without admin rights. It just that it tries (and fails) to write data to protected (system) directories, apparently to save user preferences at exit. This is bad design -- user preferences should only go into user directories, and these have been pretty well defined since Windows 95.

I don't know what Core Temp is, but if its name is descriptive, it's a gadget that looks at core temps. I don't want users on my systems to be running things which access hardware at the level of directness which it sounds like it wants. So for me, this looks like correct behavior.

Handbrake's profile issue is, again, the same as DVD Decryptor. It's obviously trying to put data in places it shouldn't: Again, user files go into user directories. The rest of the filesystem is for the system.

Rightmark's rmclock program also cannot run without admin under Vista, again for very good reasons: This is a program which can directly manipulate CPU clocks and voltage. I REALLY don't want users doing that.

FWIW.

Still missing...

[Mascot]

the one thing that will make me consider not turning it off. A "do not ask again for this application" checkbox.

Come on. Every firewall/HIPS system I can remember trying the past decade or so has an option to remember the answer.

This obviously won't work for settings, but for when starting an application? God, it's so needed.

Re:Still missing...

[MBCook]

Why should any application need that checkbox?

No application should be asking for privileges that much, unless it accesses special hardware (easy example: something akin to WireShark). A normal application (like FireFox) shouldn't need to ask for permission all the time. If it does, it probably has a design flaw.

If you grant full permissions in the way you are suggesting be made possible, then if a new version of the application alters it's functionality (or some time-bomb kicks in) then it can do things you didn't authorize (like erase other programs) because it was given blanket authorization by you so you wouldn't be nagged about some stupid thing it was doing (like changing your wallpaper).

You want the "always" button to be more granular? So now I have to check 5 different "always" boxes on 5 different prompts so some poorly written application won't bug me... until I use some new function and it asks for a 6th time. Having the "always" box not mean "always for everything" will confuse a great many users.

Well written programs don't have this problem. I've been using OS X for years and the only two applications that prompt me on any kind of regular basis are Software Update (which has to touch all sorts of software and the system software, I'm going to include MS's Office Update in here too) and the Installer used by some applications (because they may need to install libraries or check for other installed software). User space applications almost never trigger these questions. They don't NEED to.

Re:Still missing...

[SuiteSisterMary]

You're almost there!

UAC was never about the user; it was about the developers. For ten bloody years now, everything necessary to write apps without admin requirements, without needing to write to places like program files, and so on, have been in Windows.

You could do it in WinME, you could do it in Win2000, you could do it in XP. Developers didn't bother. I *still* find programs that want to write user data to program files. Hell, I just about fell over when I discovered,installing the 'network' version of Quickbook 2008, that it sticks a file on a network share with a lockfile. Like dBase and Foxpro and what not for WfWg 3.11 did.

UAC is a big FU to those developers. It just didn't work as intended. People bitched at Microsoft for all of the 'unnecessary' prompts, rather than bitching at the developers for writing software that expected crazy access to the computer.

Re:Still missing...

And what if the application you always allow is infected with a virus or what if the hacker is running as that application or using it in their session as you? No, it doesn't need an always allow check box, it needs to go the opposite direction and require a password and log the transaction. To have an always allow check box would completely defeat the purpose of UAC, it is neither a firewall nor a traditional HIPS. It is a "User" access control system and makes the user responsible for access control decisions. It does not and should not manage the access control, it makes the user manage it so that the user is aware of what is happening, or trying to happen on their system. If, as a user, you don't want that control you can disable it completely.
I am a consultant and on my home and office computers I run Debian Linux and when a client needs windows I only install Vista because of its security features including, and especially, UAC.

Re:Still missing...

[OneSmartFellow]

This issue is exacerbated by the stupid security policies that Microsoft introduced (I think they came with the UAC) which prevent developers from debugging stuff unless they're an administrator. So you see, it's not all the developers fault after all.

Re:Still missing...

[somenickname]

There are valid reasons to do something like this. In Linux you have /etc/sudoers where you can define that certain applications can be run as root by certain users. It's actually a very useful feature. Though, it's not exactly the same as, "Don't ask again for this application" because you still have to proceed the command by sudo so, you are still aware that you are escalating your privileges.

Re:Still missing...

[Mascot]

At some point you have to trust something. I've installed and ran thousands of applications over the past few decades, never has one included a time bomb that suddenly turned it into an evil machine-destroying demon.

If this by some miracle became a common thing to do for application developers, well, that's what we have anti-malware software for.

Point is, it _is_ an issue. It wouldn't be if UAC would let me tell it I trust the application I'm about to run, and accept that I won't be changing my mind about that between now and the next time I choose to start it.

I don't have a computer for the OS it runs, I have it for the applications. I'm not going to stop using an application because its developer can't wrap their heads around how to not trigger UAC. I'll disable UAC. Which defeats the purpose completely, as opposed to allowing me to selectively defeat its purpose for the applications I choose. If UAC is finely grained enough, there should be no problem with it alerting me if the application tries to elevate to do something it has never attempted before. So it won't alert me cause of some updater triggering the UAC, cause I told it not to, but it will when it tries to format my drives.

Bottom line, I know better than UAC. If not, it'd never need ask me anything at all. All I'm asking is for it to stop asking me again and again about the same thing. If it won't, I'll turn it off and either use a third party HIPS, or nothing at all.

Re:Still missing...

[Mascot]

I should add that I'm fine with all of this being UAC settings and keeping it working like now by default.

That way UAC specifying _what_ the application is trying to elevate in order to do won't confuse the average user, while giving me the information I need to make a judgement.

Re:Still missing...

You shouldn't even get a UAC prompt when starting an application. That means the application developer did something wrong, this isn't a problem with UAC.

Re:Still missing...

[DavidD_CA]

But what happens if an application that you previously trusted is then discovered to have a fault that can be taken advantage of?

Suppose you trust Firefox, and then a few months later someone finds a vulnerability that allows some script to be run or whatever.

With the way people like to "set it and forget it", I don't think that would be a very good idea. I would rather know whenever an application is trying to do something critical. And for how rare that is, I'm happy to confirm that with a UAC prompt.

Re:Still missing...

[Mascot]

If we were to play devil's advocate, none of us would ever be able to turn on our computers. Who knows what kind of bugs could be lurking just waiting for the magical combination of things to manifest itself.

Back on point. I've not needed UAC before, I don't _need_ it now. But I'm all for an extra layer of security as long as it stays out of my way as much as at all possible.

If it's going to keep nagging me whenever I start some application I use several times a day, UAC will lose the battle between whether to kill UAC or stop using the application. It doesn't matter to me whether it's UAC being stupid or the application requesting elevation it doesn't really need.

So, the options here in my case are: Lower security a bit by allowing users that claim they know what they're doing to white-list some applications (by all means, make it a manual registry tweak to enable for all I care) - or get turned off completely.

Re:Still missing...

[DavidD_CA]

If it's going to keep nagging me whenever I start some application I use several times a day,

But that's just it. It doesn't.

It earned its reputation pre-SP1 when it would prompt you 2-3 times whenever you moved a system file or change something in your start menu, a control panel setting, something like that.

I have never seen any of that behaviour since SP1.

There might very well be certain applications that are doing that, but I would consider that to be the app's fault for requesting an operation that would require admin access. Quickbooks, for example, does not need to run as admin. And I'd hesitate to check "Always let this program do whatever it wants" in the event that it becomes compromised.

Re:Still missing...

[Mascot]

But that's just it. It doesn't.

But that's just it, in my Win7 beta, they do. That doesn't mean the applications won't behave differently on release, but currently I have at least three applications that do it (and I've probably used Win7 less than five hours total, so god knows how many of my daily applications do it that I haven't even tried there yet).

Re:Still missing...

[DavidD_CA]

I'd be curious to know which applications are doing this. Could you list them?

Usually it's because the developer has ignored best-practice programming techniques which have been documented by Microsoft for almost a decade now.

I hope you've reported them to Microsoft using the Send Feedback tool.

Re:Still missing...

[Mascot]

The three I've noticed so far are O&O Defrag, Xfire and manually starting an Avast update check.

Re:Still missing...

[Allador]

Hell, I just about fell over when I discovered,installing the 'network' version of Quickbook 2008, that it sticks a file on a network share with a lockfile

Slightly off-topic from the main thread, but you need to make sure you are installing the server portion of quickbooks if you're running it that way.

It will run with a standard file-shared db (ie, old style) if you force it to, but the performance is pretty bad.

The standard way with quickbooks for the past few years is to install the server, which intercepts all requests and handles locking itself on the server.

Re:Still missing...

[Allador]

You dont have to be an admin to do debugging.

You just have to be part of the group that is setup when you install VS that has those rights.

Re:Still missing...

[DavidD_CA]

I read that Avast has an update they are working on to prevent the UAC from appearing.

As for XFire and O&O Defrag, I would hope that they're doing the same. They should have never designed these programs to run as administrator on every run. Upon installation, sure.

Re:Still missing...

[Mascot]

I'm not disagreeing, in principle. What I started out trying to say was that if it's between UAC, and an application, UAC will pretty much always lose.

With UAC like it is now I rely on people fixing their apps to prevent it from appearing. With whitelisting capabilities in UAC I could "fix" those apps myself and let UAC run. It doesn't do me much good if those apps get fixed a few months after release. Once UAC is off odds are it will remain that way.

Re:Still missing...

[SuiteSisterMary]

Oh, I did, but never the less, the fact that they can't be bothered to write a proper client-server architecture, what, twenty years later, is a prime example of the problem.

Re:Still missing...

[OneSmartFellow]

That has not been my experience. After hours of painful reading/research and attempts at ensuring my developer user has the correct permission, I give up fighting, and make that user a member of the admin group. If this is somehow not the same as being administrator, forgive me, I don't see the distinction. In *nix, this would simply not happen.

So in other words...

[PontifexMaximus]

to change anything in the UAC I'll get a 'confirmation' box that I'm running something with Admin privs, I'll need to authenticate, requiring another dialog, then when I change the level I will get ANOTHER dialog asking me to confirm my changes?

Man, that's brilliant, let's add yet another dialog asking 'Are you sure you want to do this? Really, really sure?'

Wow. I have to admit, this level of bureaucracy makes the Federal Government look lean and mean by comparison.

Re:So in other words...

[Tony+Hoyle]

Changing the UAC level is something you do maybe once (or maybe never, since in Win7 the UAC is a lot less annoying).. you'll never see it again.

However if an app manages to exploit a hole in one of MS' signed apps, run itself elevated silently and attempt to change the UAC level, you'll be warned (Of course if said app manages to do that changing UAC will be the least of your worries...).

UAC is useful

[DarthVain]

While many may scoff at UAC, it does do something very well. It foists responsibility on the user. While this may not be the nicest thing to do, it enforces perhaps the most difficult ideal. That being of awareness of security. User that have no idea, will not be aware of how to protect themselves. Perhaps I am being too forgiving but perhaps someone in Microsoft has actually come up with the philosophical crux of security argument in that no matter how well you design a system, no mater how many updates, patches, or how secure a system you make, someone at some point is going to break it. If DRM, or adware, malware, virus, or Trojans have taught us anything, is that no matter our perceived security we are all vulnerable at some level and all that it takes is someone willing to go the distance and break it. I think microsoft would be correct in its thinking that they will always be target #1, and for the foreseeable. That said, how do you protect yourself from all the bad guys in the world. Well you could create some wonderbar new technology that will secure your systems, and update it constantly to try and keep up with attacks, knowing that it will eventually fail. Or you can implement that and make your users aware of basic security issues, which would probably be about a thousand times more useful as most of the time these things happen when a stupid user opens a file he shouldn't or downloads something sketchy, etc...

I mean when you hose your box you have no one to blame but yourself. Usually it become apparent shortly after you tell UAC to go screw itself. Then you know. Now in the future when you download that mp3 and try to open it with media player, which doesn't reconize the file type, you might actually think. "Ok this may be a codec it doesn't know, or it is a very bad idea to get it to try and open it anyway, perhaps I will just update my codecs and see what happens".

Anyway I am sure some security professional (both IT and otherwise) will attest to having a user informed and aware of potential threats is far more useful than anything else.

Of course perhaps I am just giving Microsoft too much credit.

Re:UAC is useful

But windows even without UAC has so many dialog boxes that users have been essentially trained to click "OK" without reading them. (I don't have the link, but there was actually a study that showed this to be true.) So, especially because no password or other significant action is required of the user, UAC is just another set of dialog boxes to click through.

Re:UAC is useful

[Tom]

While many may scoff at UAC, it does do something very well. It foists responsibility on the user. While this may not be the nicest thing to do, it enforces perhaps the most difficult ideal. That being of awareness of security.

I challenge you with the claim that you understand neither users, nor security.

Or, to bring up a car analogy, UAC is like asking the user for tire pressure, the mixture rate of gas and air, and the precise timings of ignition in order to drive a car. Then telling drivers they're stupid fucks because most of the cars on the streets stutter around or burn up.

Security education is an utter and total failure and most serious security professionals have long moved away from it. Today we train security awareness, which is a lot simpler and more basic, or on the car anology: We teach people to call the garage when any red lights flash.

And no, UAC isn't a red light. It doesn't indicate that something is wrong, it asks the user if something is wrong, and most of the times while the user clicks on "no, go on" what he really means is "how should I know? shut the fuck up already and let me work.".

Re:UAC is useful

I'm with you on the utility of UAC.

I had some peripheral exposure to Vista on machines around me at work, and basically all I heard were people complaining about this and that about UAC.

Recently, I was sort of forced to take Vista with a new machine at work because of cost bundling issues, and to be honest, I like Vista a lot more than I thought I would, and UAC in particular.

Now, I'm not saying Vista is a great OS--I still think it's not worth upgrading from XP for, which I believe is the crux of the problem--but I think it's nicer than others would have you believe.

As for UAC in particular, I like being notified when programs are trying to do something without me being aware. UAC has helped me identify all sorts of crapware put on there by the supplier that I thought I had removed. It also has allowed me to identified processes that programs I installed are running (e.g., update processes, etc.). I really like having that control over things.

Coming from linux (KDE 4 most recently), where you're prompted to sudo with various functions, the UAC didn't seem that annoying to me at all.

To be honest, if/when Windows 7 comes around (and I will probably get it, because it sounds better than Vista), trying to make sure UAC is enabled at the same level as Vista is one of the first things I'm likely to do. There's a lot irritating about Vista, but the UAC-ish things aren't one of them for me at least.

Re:UAC is useful

It foists responsibility on the user.

Oh yeah, give 'em what they really want.

That is the last thing they want.

Re:UAC is useful

[DarthVain]

I challenge you with the claim that you understand neither English, nor analogies.

First of all, a car analogy? Really? Come on!

Second:
Me: "That being an awareness of security."
You: "Today we train security awareness..."

OMGWTFBBQ! :)

Re:UAC is useful

[Tom]

I challenge you with the claim that you understand neither English, nor analogies.

We can continue this discussion in my native language, if you insist. Or you can be thankful that foreign people take the pains to learn yours and stop being so self-absorbed. Your choice. :-)

Re:UAC is useful

[DarthVain]

Yes I am oh so thankful you learned English. Just thrilled really! :)

To be fair about Vista (can you do it, /.?)

[Dystopian+Rebel]

I agree about the flawed permissions architecture.

I use Ubuntu ("Canonical's Debian") and OS X. But not everything runs in WINE so I do have an occasional need to run MS for contract work. I have no more patience for WinXP's constant updates (many requiring a reboot) and it's growing harder to find Win2K drivers, so I tried Vista. It is availble for 64-bit (more addressable RAM) and it has outbound firewall blocking (that's good). Vista looks better than previous versions and the UAC is truly NOT so annoying as has been portrayed by Apple's advertising. I see the super-user password dialog in Ubuntu and OS X just as often.

I *have* run into problems with the Program Files folder in Vista. Some applications need to write in there and sometimes *I* want to write in there, but "for safety", Vista won't let me do it even if I accept the UAC dialog. It's inconsistent behaviour verging on buggy.

I would consider Vista a worthwhile upgrade. But the biggest problem with Vista -- the deal-breaker -- is the licensing model. It's my business where I install the OS. It will only be on one computer at a time, but if I pay the money, the OS goes where I decide when it suits me to reinstall, without a penalty to ME. I want a long-term investment in my favour. It looks as though Win7 licensing will be the same as for Vista.

Re:To be fair about Vista (can you do it, /.?)

[nine-times]

It's my business where I install the OS. It will only be on one computer at a time, but if I pay the money, the OS goes where I decide when it suits me to reinstall, without a penalty to ME.

I agree completely. I always get modded as a troll, but forced activation really is one of the things that keeps me from using Windows Vista. Every product that I've used that has activation has, at some point or another, made it needlessly difficult for me to do something legitimate. I just refuse to deal with that stuff anymore.

I have enough problems with software working properly without the developers embedding kill-switches in their software.

Re:To be fair about Vista (can you do it, /.?)

[benjymouse]

I *have* run into problems with the Program Files folder in Vista. Some applications need to write in there and sometimes *I* want to write in there,

NO you do not want to write into program files. UNLESS you are an installer. Period.

YES some programs do - buggy programs violating coding practices for years. For THOSE there is another part of UAC (it is not all about prompts) called file system virtualization. As the name gives away it virtualizes some of the file system, such as "program files" and "windows". When switched on it lets the program believe it writes to the folders, while in reality the files are being stores below the current users folder below "Users". This little trick cheats some older apps into running, even though they perform the stupid action of writing into the hand-off folders. This little feature can be configured in the app's manifest.

Re:To be fair about Vista (can you do it, /.?)

[Tibor+the+Hun]

Not to sound like an Apple apologoist (thoug I am a fan and a user) I think Window's UAC's annoyances go beyond 1 Apple commercial which hasn't ran in months.

Re:To be fair about Vista (can you do it, /.?)

[Vectronic]

"NO you do not want to write into program files. UNLESS you are an installer. Period."

Personally, I like to think of myself as a continuously modified script, running a bio-mechanical machine.

Far more often than not (nearly always) you do not want applications to write into the ./Program Files/. folder, however, I am not a program, and I need to write to various (program files) folders for many reasons, what if I need to install a plug-in that does not have an installer, perhaps a file got corrupted, and I need to edit it, or maybe I am just bored and/or curious and feel like poking around, it is "My Computer" which includes every file and folder contained on any of its hard drives, I am not renting it from the OS, or the applications on it.

Although, you generally do not want your average e-mail checking user to be able to do those things, not because it is some mysterious taboo, but because they will generally fuck it up and not know how to fix it, but even then, if it is their personal/home use computer, they should still be able to do so, given enough dialogs/warnings... trial, error, money spent, they'l learn, but never completely locked out.

Re:To be fair about Vista (can you do it, /.?)

[Nursie]

Why the hell not?

What about applications that have system-wide (NOT per-user) configuration that is changed very infrequently? What's the problem with me, the system administrator, editing those so that when the service next reads its config it can grab them?

Silently redirecting things to a secret, non-shared location is just wrong.

Re:To be fair about Vista (can you do it, /.?)

[benjymouse]

What about applications that have system-wide (NOT per-user) configuration that is changed very infrequently?

They go into "\Users\All Users\" which is a symlink to (usually) "\ProgramData".

Or they go into the registry (if it is not large binary data). Yeah, I know this is /. and everyone is supposed to hate the registry. But that's the standard, anyway.

What's the problem with me, the system administrator, editing those so that when the service next reads its config it can grab them?

What's wrong is that it is a *nix paradigm used on a non-nix platform. When in Rome...

Silently redirecting things to a secret, non-shared location is just wrong.

Perhaps. It was merely intended to help those app which had blatantly been ignoring coding-standard for years. Really, using "program files" for sharing users' data is pretty horrific, once you think about it. It was always an abuse.

Re:To be fair about Vista (can you do it, /.?)

[benjymouse]

Personally, I like to think of myself as a continuously modified script, running a bio-mechanical machine.

Ok, then open PowerShell (or cmd - but that sucks) with the "run as administrator".

Also, as an admin you *do* have the right to write/modify those files (when properly elevated), although you *may* want to remove the "read only" attribute from the files first ;-)

Re:To be fair about Vista (can you do it, /.?)

YES some programs do - buggy programs violating coding practices for years.

Unfortunately, that means I need to be able to write there, too. To fix what the other broken software broke.

File system virtualization just means that I have to look in multiple places for the same friggin' data. Some apps leave it "here", others leave it "there", and all of it's multiple directory-levels deep in pathnames that can't be typed. Annoying doesn't even begin to describe it.

Re:To be fair about Vista (can you do it, /.?)

[nmg196]

> ...the Program Files folder in Vista.
> Some applications need to write in there
> and sometimes *I* want to write in there

So which part of "Program Files" don't you understand? Microsoft explicity says nothing and nobody should attempt to store any kind of data or user files under this folder.

Re:To be fair about Vista (can you do it, /.?)

[Nursie]

It's not sharing user's data, it's system-wide server/service configuration. It's not for all users, it's not even for any users!

I do understand it's the windows way, but it's not one myself or my (highly skilled, highly intelligent but admittedly mostly *nix focused) department knew about. Took aaaaages to figure out why the admin making changes to the server config didn't seem to have any effect on the service, which was running under a different system account.

I don't think it's an abuse, really.

Re:To be fair about Vista (can you do it, /.?)

[drsmithy]

I do understand it's the windows way, but it's not one myself or my (highly skilled, highly intelligent but admittedly mostly *nix focused) department knew about. Took aaaaages to figure out why the admin making changes to the server config didn't seem to have any effect on the service, which was running under a different system account.

Microsoft are optimising for the common case of 99.999% of ignorant users for whom their engineering decision is correct, not the 0.001% of ignorant users for whom it is not.

Find a better complaint.

Re:To be fair about Vista (can you do it, /.?)

Ever heard of /etc? The configuration files on *nix aren't stored with the programs either. And programs aren't generally supposed to write to /etc which is good.

If you want to write to /etc, su to root or sudo vi or something. Not very different.

Re:To be fair about Vista (can you do it, /.?)

[aix+tom]

Amen, brother.

In our company we achieved a pretty good uptime of our major systems last year.

We had only 3 major outages of something longer than a few hours. Two of them where because some kill-switch in the software was triggered.

One bug in a Citrix License server, one was this vmware problem.

The third outage was a backhoe cutting a cable.

Re:To be fair about Vista (can you do it, /.?)

[Nursie]

Then why is this "feature" present on win 2k8 too?

I can see your point with Vista, but a server operating system?

Its still broken and wrong,

Re:To be fair about Vista (can you do it, /.?)

[drsmithy]

Then why is this "feature" present on win 2k8 too?
I can see your point with Vista, but a server operating system?

Because there are plenty of broken server applications as well. NOTHING should be storing volatile data in %PROGRAMFILES%. Conceptually it's similar to /usr - it *should* be mountable read-only.

Its still broken and wrong,

No, it's an engineering decision. Annoy the vast, vast, vast majority of users very frequently, or a vanishingly small minority of users (who should know better anyway) extremely infrequently.

If your application is storing data there then it's doing the wrong thing. It's not Microsoft's responsibility to pander to every possible variation on "broken" - only the most common ones.

Re:To be fair about Vista (can you do it, /.?)

[Nursie]

I'm sorry, but you'll never convince me that overriding what users with admin privileges can do to their system, silently, is in any way a good thing. It's not.

Re:To be fair about Vista (can you do it, /.?)

[drsmithy]

I'm sorry, but you'll never convince me that overriding what users with admin privileges can do to their system, silently, is in any way a good thing. It's not.

It probably wasn't "silent". Did you look in the Event Log ?

Also, users with admin privileges *can* write to %PROGRAMFILES%, so the the redirection doesn't kick in for them. The "Virtual Store" (I think it's called) is only activated when a user who doesn't have privileges to write to a protected area (like %PROGRAMFILES%) tries to. In other cases (ie: a read, or a write by someone who has privileges to do so) the "real" file is accessed (unless a user has previously tried to write and had a 'virtual' file created - in which case reads will continue to redirect).

Wait, isn't it a beta?

[Nick+Fel]

Beta had something wrong with it, beta testers spotted it, company fixed it prior to release. How is this news? Next headline: release candidate close to final version!

Re:Wait, isn't it a beta?

[yakumo.unr]

Because at first MS declared it 'by design', and 'wont fix'. The 2 fixes they have implemented a great news, they claim at least one of them was planned anyway. I don't care how it happened, I'm just very glad it did.

ANOTHER new product tied to Windows?!?

[Astadar]

When _I_ read the headline, I thought it was an announcement of a new product called "Microsoft Caves", which would change security in Windows 7.

I figured that in order to improve security, they would put you in your own "cave" (figuratively or, perhaps, literally). Seemed like a terrible concept, but from the makers of "Bob", who knows...

"User switching now called 'visiting another person's cave'!"... uh... wait... maybe not.

Re:changing 6 with half-a-dozen

[recoiledsnake]

the uac model is inherently broken.

Citation needed. Along with suggestions on a better alternative.

From WhoCares to Astroturfing

[Dotren]

These Microsoft article responses are funny.

First it was tagged "whocares" which I thought was somewhat silly considering the related article ended up with 379 comments, many of which were condemning said UAC security hole. Obviously, a lot of people, even those who don't even use Windows, did care or at least found it interesting.

Of course thats all in the past since the tag seems to have been replaced by "astroturfing", which would be correct since the article was about a positive change. After all, we wouldn't want anyone to come under the false belief that anything positive from Microsoft is anything other than a PR scam to make you forget that they're evil.

Come to think of it, this article clearly needs the "itsatrap" tag!

Re:From WhoCares to Astroturfing

[SwedishPenguin]

The reason it's tagged astroturfing is because of the recent onslaught of Windows 7 articles about every little thing, from multiple articles about how many versions it will have to individual articles about every little feature improvement. Not a day has gone by without a new Windows 7 article recently, and we're still months away from release, they're still a few months off from RC.

If any other operating system release got this kind of publicity, that's all slashdot would be filled with, news about tiny improvements in that operating system and speculation as to how many different versions that other operating system will be released in.

There's certainly nothing wrong with positive news about Windows 7, but when every single piece of news gets it's own article, and with the amount of dupes this is getting, it's getting a bit annoying.

Re:From WhoCares to Astroturfing

[Dotren]

Valid point. Does /. have a filter option? Would be interesting if you could select which news you want to see on the front page and maybe have another page you can visit to browse the articles that got filtered out of your main view.

On the other hand, I think a lot of the Windows 7 links have definitely been relevant and news-worthy. Not all of them have been from Microsoft either (well, that we know of). The benchmark comparisons between Ubuntu, Windows 7, and Vista for example was interesting and I'm glad they posted the news about the UAC exploit as well as the fact that they're fixing it now (this article). I guess I could sign up for some Windows 7 RSS feeds from other sites but the beauty of /. is you get articles showing different perspectives as well as a range of issues and products.

Re:From WhoCares to Astroturfing

[drsmithy]

The reason it's tagged astroturfing is because of the recent onslaught of Windows 7 articles about every little thing, from multiple articles about how many versions it will have to individual articles about every little feature improvement. Not a day has gone by without a new Windows 7 article recently, and we're still months away from release, they're still a few months off from RC.

The typically negative spin on said postings kind of makes any claims of 'astroturfing' rather laughable, however.

If any other operating system release got this kind of publicity, that's all slashdot would be filled with, news about tiny improvements in that operating system and speculation as to how many different versions that other operating system will be released in.

At a _minimum_, every point release of the Linux kernel, or of FreeBSD, or of OS X, gets an article on Slashdot.

Re:From WhoCares to Astroturfing

[SwedishPenguin]

All publicity is good publicity. ;) Anyways I would say most posts have actually been generally favorable towards Windows 7.

Yes, the point *releases*, sometimes rc and in a few cases beta, and then usually one article per release, sometimes an article highlighting some particularly high profile feature in the latest release. Never the onslaught of articles like with Windows 7.

Re:Windows 7 Windows 7 Windows 7 Windows 7 Windows

[Terrasque]

Pepsi. Pepsi pepsi pepsi. Pepsi, pepsi pepsi. Pepsi. *boom*

Re:changing 6 with half-a-dozen

And explanation of how what Windows does is different from what KDE, Gnome or OSX do.

Blah blah blah

Cwmike, who links directly to computerworld, who have been sucking microsoft dick since the beginning. OH WOW another Microsoft Windows 7 ad. WE'RE NOT GOING TO BUY THAT ONE EITHER, REDMOND. Take your Microsoft tax and shove it.

Re:changing 6 with half-a-dozen

[benjymouse]

And explanation of how what Windows does is different from what KDE, Gnome or OSX do.

From the style of the statement I'd gather that it is not something Windows does or does not do. It's about something Windows is not: Linux. Very mature.

Microsoft Caves

[PinchDuck]

Home of Microsoft Trolls?

Re:Windows 7 Windows 7 Windows 7 Windows 7 Windows

[bunnyman]

6 seconds, Pepsuber!

blah blah blah ....

[yvesdandoy]

blah blah.

Again and again.

Integrity requires elevation?

"First, the UAC control panel will run in a high integrity process, which requires elevation."

So.. what happens if the user does not have enough rights to display the UAC prompt? Will the OS attempt to spawn an UAC prompt to acknowledge the display of the first prompt? Oh my, headaches have begun already...

Error...

Did anyone else see that "Error" on the screen, from 00:59 - 01:01? Fail! :)
It probably had to do with an Internet connection not being available, although I can't tell for sure, because I am a Gnome boy.
(And) I'm not perfect.

Re:changing 6 with half-a-dozen

[Tibor+the+Hun]

The super-shotgun? Or alternatively BFG? (Though you may need a red key for that one.)

Union Aerospace Corporation

[HisMother]

It's been years, and I still chuckle when I see a reference to Microsoft's UAC. They couldn't have chosen a more appropriate name for it!

Re:Windows 7 Windows 7 Windows 7 Windows 7 Windows

[Spatial]

Flamebait mod :(

The idea was to make a joke about how although Slashdot is pretty anti-Microsoft, there's a veritable advertising campaign here for their latest product iteration. Irony, you know? Clearly I bodged it though...

Security smurity

As a linux user the features that I like best about Vista, and upcoming Windows 7, are the security features including UAC. Consider a virus that is new and undetected by your antivirus software trying to run as the user currently logged in. Should it be allowed to do it's thing silently or should the user be prompted for every little step the virus wants to take? I, for one, would like to be warned and have the option of saying no multiple times before I lose data, time, productivity, money, etc one time. Personally, I think it should do what Debian does and require the admin password when it prompts for a UAC issue. It's a last line of defense. But if you don't want it it is very simple to disable, so why are you bitching bout it to Microsoft? Take some responsibility for your own user experience and just turn it off.

Misunderstand on SELinux

[EXTomar]

SELinux provides a consistent mechanism for runtime policy rules in terms of a execution context. That isn't to "provide the same granularity of Windows" so if you want that you need to look elsewhere.

The reason why SELinux is important is that it goes to the next step of control. For instance, assuming a system is configured correctly to access the Firefox binaries and necessary files, a problem still arises: The Firefox process, once launched, has access to everything the user that launched it has access too. There is no earthly reason why Firefox would load "libsmb.so" or any number of things in "common directories" by nefarious people may try. A way to protect that is start refining the system to "contexts" where it is recognize many processes shouldn't have such broad access. Under SELinux, one can create a policy for Samba enforcing only Samba tools can load Samba shared objects. Now it doesn't matter what user is running Firefox (even the all mighty "root"), the system won't allow Firefox to dynamically load "libsmb.so".

The trick is that creation of these polices takes time and a lot of tweaking and hard to keep generic. SELinux is very much a work in progress but I'm glad it is work being done. And importantly, this isn't done on Windows yet either. The analogous mechanism on Windows is an AV Scanner which isn't desirable due to be inconsistent (one AV vendor may handle Firefox loading "smb.dll" differently than another) and not as desirable since it is "watching and catching abuse" instead of preventing it by design.

Re:Windows 7 Windows 7 Windows 7 Windows 7 Windows

Google "micro$oft shill". There's your explanation. There cannot be too much astroturfing.

Re:changing 6 with half-a-dozen

KDE and Gnome do an awful lot diffrent than the Explorer shell. How does that have anything to do with security or user account architectures?

This change is not enough.

[Myria]

There is another feature that auto-elevates that can and will be used.

When you use Explorer to drag and drop files into a directory you don't have write access to, Explorer will ask whether you'd like to use your Administrator permissions to complete the task. If you say yes, it will launch a program as Administrator that does the actual copy.

The problem is, this program in Windows 7 is one of the special ones that self-elevates without the UAC dialog box. Because Explorer doesn't run with Administrator privileges, and because the confirmation dialog box is within Explorer, a malicious program can use the file copy program to do any file operation with Administrator privileges, and it will happen without any user input in the default installation.

Surely that will be abused...

Direct Link to the Flv

[phantomcircuit]

ZDNet's flash player sucks and didn't load so I found the actual flv.

http://media.cnetnetworks.com.au/video/2009/02/22470997/22470997.flv

This does NOT fix the issue

[jcupitt65]

It's good they've responded, but this change does not fix the fundamental problems with win7's UAC whitelist.

The problem is that 70 applications are on the whitelist and are allowed to silently elevate without the user's knowledge. You just have to inject code into one of these 70 applications and you have admin rights. There are multiple ways of doing this. You can use the debug API, you can get them to load a DLL, use your imagination.

Here's a page with a sample exploit and a lot more information:

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

Re:This does NOT fix the issue

[drsmithy]

The problem is that 70 applications are on the whitelist and are allowed to silently elevate without the user's knowledge.

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
$ sudo find / -type f -perm -4000 | wc -l
Password:
58

Re:This does NOT fix the issue

[jcupitt65]

True, but not the same. Those are chunks of the core OS, they are not common desktop programs. On the current win7 beta, by default calc.exe (!!!!!) effectively runs elevated.

Re:Haunted Moon: Linux or Windows?

Couldn't get your question on Ask Slashdot eh?

you can't fix UAC

[Tom]

It's simple, really. The concept of UAC is broken, not the implementa... ok, they're both broken, but you can only fix one of them.

The idea that the user can even make these decisions is fundamentally flawed and shows that MS is run by either geeks (who don't understand that human life is possibly with knowledge of stacks, heaps and pointers) or lawyers (who don't care about users at all and only want to see responsibility shifted to parties outside the company as much as possible).

90% of windos users can not decide security questions. You could probably put "process X wants to wipe your harddisk and anally rape your kids, Allow or Deny?" up and they'd click "Allow". Part by habbit, part by stupidity, and part because they've been asked questions they can not possibly know the answer to for years now and learnt that unless they click "Allow", they can't continue doing what they want to do.

Re:you can't fix UAC

How is this any different than a unix trojan asking the user to run it as root? The same security decision must be taken by the user. This has nothing to do with UAC "broken concept".

Re:you can't fix UAC

[Tom]

root is not a concept, it's a system user. UAC is not a user account, it's a concept. You can't compare the two.

So what exactly do you want to compare? Any Unix GUI that copies UAC is just as broken. I'm not saying "UAC on windos is a flawed concept", I'm pretty clearly saying "UAC is a flawed concept".

Re:you can't fix UAC

[drsmithy]

root is not a concept, it's a system user.

Actually root is a concept, it is the concept of a superuser. root is just the most common username given to UID 0.

So what exactly do you want to compare? Any Unix GUI that copies UAC is just as broken.

You may have heard of sudo. The concept is the same. There are numerous GUI implementations of same.

Re:you can't fix UAC

[Tom]

Actually root is a concept, it is the concept of a superuser. root is just the most common username given to UID 0.

Oh dear. If you want to step to that level, then root is a word. It even has several meanings. Thought we'd not be nitpicking here. :-)

You may have heard of sudo. The concept is the same. There are numerous GUI implementations of same.

Errr, no? sudo is absolutely not the same as UAC. I've yet to see sudo jump up and down, telling me that some other program wants to do something on my system, asking me for permission.

That's the core point. UAC is a disruptive excuse for security, sudo is a program that allows user-triggered priviledge escalation. Pretty much the only thing they have in common is that they both ask for a superuser password.
The fact that UAC is not triggered by the user is not a minor difference, but very important.

Re:you can't fix UAC

[drsmithy]

Errr, no? sudo is absolutely not the same as UAC. I've yet to see sudo jump up and down, telling me that some other program wants to do something on my system, asking me for permission.

So you've never used Ubuntu then ? Or OS X ? You know, the platforms Microsoft keep getting accused of copying ?

UAC and sudo do the same thing, and have remarkably similar implementations, given the fundamentally different underlying security models.

Re:you can't fix UAC

Pl0nker.

Re:you can't fix UAC

[Tom]

So you've never used Ubuntu then ? Or OS X ? You know, the platforms Microsoft keep getting accused of copying ?

UAC and sudo do the same thing, and have remarkably similar implementations, given the fundamentally different underlying security models.

I have, apparently you haven't or you would be aware that the windows they pop up are not "sudo", unless you're the one imprecise with words and what you're really trying to say is not "sudo" but "priviledge escalation".

Look, I already said that UAC by any other name is still crap.

When I've usedd Ubuntu, I saw nothing like UAC. There is a GUI-based sudo on Ubuntu, but it is always triggered by user action. I've never seen it pop up unexpectedly, say why I was reading mail. But it's been a year at least since I last used Ubuntu, so that might have changed.

On OS X, which I use daily, there are two things. One is like Ubuntu, when you do something that requires super-user rights, it asks you for a password. Nothing to see here, definitely not UAC. Then there's the other thing that is a bit like UAC, namely that OS X asks you for permission when a program wants to open a port or such things. That is probably what you have in mind, because it's somewhat close to UAC and yes, one could start discussing the pros and cons of that.

But frankly, I don't feel like discussing that with someone who insists on a precise definition of "root" while using "sudo" as a generic term.

Re:you can't fix UAC

[drsmithy]

I have, apparently you haven't or you would be aware that the windows they pop up are not "sudo", unless you're the one imprecise with words and what you're really trying to say is not "sudo" but "priviledge escalation".

The privilege escalation prompts in Ubuntu and OS X are done with sudo.

When I've usedd Ubuntu, I saw nothing like UAC. There is a GUI-based sudo on Ubuntu, but it is always triggered by user action.

Then you couldn't have used it much. Installing packages, applying updates, changing system settings, attempting to copy files into system areas. These are just a few things in both Ubuntu and OS X that will trigger a prompt just like they do in Windows.

I've never seen it pop up unexpectedly, say why I was reading mail. But it's been a year at least since I last used Ubuntu, so that might have changed.

I've never seen a UAC prompt appear unexpectedly either. Perhaps you can give an example of how it might be done ?

On OS X, which I use daily, there are two things. One is like Ubuntu, when you do something that requires super-user rights, it asks you for a password. Nothing to see here, definitely not UAC.

That is exactly the same as UAC.

Re:you can't fix UAC

[Tom]

Then you couldn't have used it much. Installing packages, applying updates, changing system settings, attempting to copy files into system areas. These are just a few things in both Ubuntu and OS X that will trigger a prompt just like they do in Windows.

I'll just address this, because it's the core argument and I'm getting too tired for the rest.

I run OS X, every day, for maybe 8 hours on average (because I use it both at work and at home). So that's what I'm going to talk about and if Ubuntu is considerably different, so be it.

I have, just today, changed some settings, installed a new program, applied three updates and done a bunch of other stuff. I was asked for my password once, for the updates. Yes, that means I can install a program without a password prompt, and change settings without one, either.

I can not recall the last time, or if ever, I was disturbed by a "do I have permission?" popup on OS X unexpectedly.

At home, I sometimes run XP for gaming on my MacBook Pro. The total use time is considerably less than the time I spend with OS X, and I spend probably 99% of the time inside one game or the other. Despite that, I've had several instances where some windos popup has forced me out of a fullscreen app/game unto the desktop to ask a stupid question. Now this being XP, that's not UAC, and not all of them would be UAC on Vista/7, but the majority would. Let's not even get to the point where the stupid thing reboots on its own if you didn't say "no" within a predetermined time, totally ignoring the fact that while running fullscreen you probably didn't even notice that it's waiting for a reply.

Now given that experience, please explain to me how I could even remotely not be upset about the claim that one thing would be just like the other.

Re:you can't fix UAC

[drsmithy]

I have, just today, changed some settings, installed a new program, applied three updates and done a bunch of other stuff. I was asked for my password once, for the updates. Yes, that means I can install a program without a password prompt, and change settings without one, either.

Wow. Just like I just did on a Vista machine.

Maybe you missed the part where I said *system* settings, and copying files to *system* areas, and the like. Obviously if you avoid these, on both platforms, then you will not have to elevate. (OS X does have somewhat lax file permissions on /Applications, though, which probably helps a bit in terms of how often you might need to elevate - at the expense, naturally, of some security).

Now given that experience, please explain to me how I could even remotely not be upset about the claim that one thing would be just like the other.

Holy crap, talk about non-sequiturs. You've not just moved the goalposts, you've completely changed games. After spending the last however many posts (just in this thread, probably more in others) asserting that UAC in Vista and its counterparts on other OSes aren't at all alike, you've now changed to talking about completely unrelated aspects of a different version of Windows.

Mod parent up

[SwedishPenguin]

I completely agree. This ad campaign is getting seriously annoying. Not a day goes by without a story about Windows 7, an operating systems months from even RC, and which from what I understand, is essentially to Windows Vista what Windows 98 was to Windows 95.

Do we really need 5 articles speculating about how many versions Windows 7 will be released in?
Do we really need separate articles about every little supposed improvement over Vista?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:problem, soon as you say "i have ben running vi

[SBrach]

4-5? Is the maths really that hard?

Re:Planned bleating

[geekoid]

Now if we could only replace UAC with DRM

Re:changing 6 with half-a-dozen

[geekoid]

It redirects to 'silent' directories, won't allow a user to delete a directory they create, becomes a nag.

Bases your security on application behavior, implement proper sandboxing, stop using shared dll's.
Just as a start.

Re:Haunted Moon: Linux or Windows?

What do the users of Slashdot think?

I think that these so-called moon ghosts are a plan by the nefarious Italians to distract attention from their plan to take over the world via some dire means involving Tutti Frutti ice cream.

Re:Planned bleating

[benjymouse]

Removing DRM from Vista would only result in users being unable to playback DVDs, BlueRay, and other DRMed media.

If you are unhappy with DRM (who isn't?) go bug your government, senator etc.

You are not still buying into that Peter Gutmanns BS are you? If so then I have some stocks left for a very popular tower in central Paris. I will let you have them really cheap, their high profile considered.

Re:Planned bleating

[benjymouse]

I didn't believe this was a marketing ploy. But, I have noticed that "news" about Windows 7 seems to hit the press almost every week, almost like clockwork. I myself have wondered whether there is a new marketing regime in Redmond who knows how to play the "open" game.

Re:changing 6 with half-a-dozen

Every single time that Windows pops up a UAC dialog, every other modern GUI would do the exact same thing. Installing a program? Windows: UAC dialog, Gnome: sudo dialog. Modifying system-level settings? same thing. Changing Program files, yup they all require the same thing.

Make up your mind

[icepick72]

First you wanted a more secure Windows and then you didn't like the way it was done, then wanted it removed or changed again. Kudos to you.

Want 'Uber Die Topp'? Hier die ist!

Here is 'over the top' for you! It doesn't matter what the user manager in XP, Veeeesta, or whatever says. Microsoft will always have a backdoor to sell to whoever has a buck and a plan to give you 'the business'! Microsoft in win2k had some user account control. It took it away in XP. In XP home the user has no control whatsoever. In XP Pro the user, as so called 'admin', has some limited control if he wants to live in a fool's paradise. This is because the user account control in XP and beyond is a facade; the real account control and user access list is maintained by the true root user in windows, microsoft corporate or its delegates. There exists in every on of these 'systems' a parallel user account control mechanism to which the so called 'purchaser' has neither access nor input yet is subject to none the less. These shadowy superusers can pass like wraiths into and out of your system at will and changing it however they like, and you, sucker, are stuck with the result! They can use your box to store whatever data they like, take whatever files they shop you for, grab your half written books and copyright them before you even have them written and then sue you for possessing the manuscript, etc. This on top of the 'windows default share' which is a whole 'nuther subject. Suffice to say that in windows all 'your' machine is 'shared' to the whole corporate world whether you like it or not due to the 'default share'. Try it. Go as admin to the 'sharing section of a drive that has not been shared only to find a default share of the form "$". If the drive was 'C', then the default share that you can delete only until it reappears on bootup will be 'C$'; and that's a fact Jack! That default share comes complete with a password, only the hapless sucker that paid for the machine and had to suffer the insults of the operating system 'licensor' will never have that. Some one does, rest assured! No windows average user will ever know this, but no linux user will ever need this. Linux users don't have to live with a grinning Steve Ballmer staring up at them from the inside of the legs every time they put on their underdrawers. Linux users don't have to live with the knowledge that the enemy at the gates, the Chinese, are roaming free inside of their window's boxes every moment of every day for every 'remote login by manufacturer's default enabled window's XP and above box. They are one that we know have the source code for windows and use it every day in every way to invade our country.

Fail

[benjymouse]

2 mistakes:

1) the prompt does not elevate to administrator, it elevates from "low integrity" to "normal integrity". UAC has more levels than sudo, you know.

2) The prompt comes from the Internet Explorer broker process. It is not under control of IE. IE can request (send a message) to the broker process requesting it to "marshal out". The broker process is not under control of the low integrity IE process running the rendering.

Will you allow this change?

[jwsmith00]

Will you allow this change?
ALLOW CANCEL

Allow

SANDBOXIE

XP + www.sandboxie.com (ftw)