ChristopherNls
asked on
How useful is User Account Control
Hello: I'm looking for some informed opinions, (more informed than mine, to be sure,) on the usefulness and even the necessity of User Account Control in Windows 7 Ultimate. 1: has it really be shown to stop malware attacks, or maybe by its presence make them more difficult to create and spread? 2: Couldn't some malware program disguise itself somehow with a counterfeit identity, so that the program name that appears at the UAC prompt is falsely displayed as some other well-known program that is considered safe, leading the user to click "allow"? And finally, 3: in the very least, it slows the boot time of my machine and requires that I sit there waiting to acknowledge the prompts one by one for some of my startup programs- (a minor inconvenience if UAC actually DOES something, a waste of time if it doesn't.) At worst, some users report huge problems with it- something I've never experienced. It always seems to work OK, other than being a little tedious. I do remember once having to fix some permissions in the registry that had become screwed up, and that were making it impossible to apply an update to QuickBooks 2009. In Googling for the solution, I noticed that the issue not only affected QuickBooks, but other apps as well. The solution that worked for me said to disable UAC to make the registry changes. I didn't try the fix without disabling UAC, so I don't know if that was really necessary, or a "just-in-case" kind of suggestion. Bottom line: I'd disable the damn thing and do without it, if it really didn't do much, and gladly keep it on if it did. Thanks for your help.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Re: QuickBooks. You need to be admin to update QuickBooks and UAC facilitates this by requesting permission and then asking for the admin userid and passwords. I do not let clients update their own QuickBooks for this reason. They hold off until the support person can authorize the updates. It goes quickly.
... Thinkpads_User
... Thinkpads_User
ASKER
ThinkPads_User: I am the only user of my machine, with the very occasional exception of my wife borrowing it for a very short time if her machine is unavailable at that particular moment. I, being the machine owner, am also the sole administrator. My account is naturally therefor set up as such. The only loose nut behind the keyboard theoretically would be me! :-} I'm not likely to do any serious damage, because I've had computers since late 1997, am knowledgeable for a home user, and cautious.
BTW: I am also the sole user and admin for QuickBooks, but I was getting the following error when trying to accept an update:
Error 1402. Could not open key: "UNKNOWN\Components\6F949E
In Googling for this error msg, I saw many other similar ones for QB, as well as for other applications unrelated to QB. The data in the keys cited in those other error messages wasn't identical to mine, but the error #1402 and "UNKNOWN\Components" part was. The solution was related to permissions for a large number of registry entries- I don't recall the precise details.
Expert rindi mentions not approving a UAC prompt if the user didn't specifically invoke anything, I guess at that particular moment. To me that sounds like what might happen if malware was attempting to install, run or otherwise make some undesirable change to your computer. I've never seen this myself, or heard about it elsewhere- but I don't see it as impossible. What are your thoughts on that?
BTW: I am also the sole user and admin for QuickBooks, but I was getting the following error when trying to accept an update:
Error 1402. Could not open key: "UNKNOWN\Components\6F949E
In Googling for this error msg, I saw many other similar ones for QB, as well as for other applications unrelated to QB. The data in the keys cited in those other error messages wasn't identical to mine, but the error #1402 and "UNKNOWN\Components" part was. The solution was related to permissions for a large number of registry entries- I don't recall the precise details.
Expert rindi mentions not approving a UAC prompt if the user didn't specifically invoke anything, I guess at that particular moment. To me that sounds like what might happen if malware was attempting to install, run or otherwise make some undesirable change to your computer. I've never seen this myself, or heard about it elsewhere- but I don't see it as impossible. What are your thoughts on that?
Even if you are the only regular user and the admin and owner of the PC, never, ever, do your day to day work in an account with administrator's rights. Only use that account for purely administrator purposes. For normal day-to-day work ONLY use standard accounts. The admin accounts are dedicated o admin tasks only!
It's one of the worst mistakes one can make, and it is mainly caused by the very insecure previous m$ OS's. People got used to be allowed everything and now don't want to learn or use the more secure new features. You have admitted yourself that you have used PC's since 1997, so that makes you a candidate of using those old bad habits.
It's one of the worst mistakes one can make, and it is mainly caused by the very insecure previous m$ OS's. People got used to be allowed everything and now don't want to learn or use the more secure new features. You have admitted yourself that you have used PC's since 1997, so that makes you a candidate of using those old bad habits.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
it slows the boot time of my machine and requires that I sit there waiting to acknowledge the prompts one by one for some of my startup programs-
None of my startup programs do this (I have well over 100 processes running on my laptop when fully started), so you might consider isolating these processes requiring UAC and only start them if needed.
.... Thinkpads_User
None of my startup programs do this (I have well over 100 processes running on my laptop when fully started), so you might consider isolating these processes requiring UAC and only start them if needed.
.... Thinkpads_User
ASKER
Rindi: So I am going to hazard a guess and say that, even though I use a good and reputable anti-malware/firewall program, (Norton Internet Security 2013,) and even though I am well-informed, knowledgeable and cautious, ( at least for a home user,) then working primarily through a standard account adds yet another layer of safety- more always being better. I am assuming that by "standard account" you mean the common "user" account that works without elevated admin privileges in Windows 7. If I do this, is there a way to do something requiring elevated privileges using the "run as" function, like there was in XP ? In other words, "run as" me in my administrator account for that one thing at that particular time, as needed. That wouldn't be very much trouble at all in return for additional security.
McKnife and thinkpads_user: I only have three startup programs that require UAC permission- so I'm really only waiting on three prompts for each time I start the computer. They are all well-known and have been around for years, and were written by reputable software publishers- aren't just silly widgets- but serve useful purposes. So McKnife, I will take your advice regarding setting them up as scheduled tasks.
Thanks all for your very informed comments. Let me know about the "run as" idea.
McKnife and thinkpads_user: I only have three startup programs that require UAC permission- so I'm really only waiting on three prompts for each time I start the computer. They are all well-known and have been around for years, and were written by reputable software publishers- aren't just silly widgets- but serve useful purposes. So McKnife, I will take your advice regarding setting them up as scheduled tasks.
Thanks all for your very informed comments. Let me know about the "run as" idea.
Actually Norton stuff isn't what i'd call reputable at all. I regard those products as some of the most bloated and crappy software available, and they are the first things I remove from a new PC (for me it is "malware"). Actually their only good utility is the one that completely removes their software!
Yes, you should only use the common user account to work with. Whenever something needs higher credentials, UAC comes into the picture and you get a menu of the accounts that are setup, where you can then select the admin account and his password to run the program under.
Yes, you should only use the common user account to work with. Whenever something needs higher credentials, UAC comes into the picture and you get a menu of the accounts that are setup, where you can then select the admin account and his password to run the program under.
ASKER
I've seen people disparage Norton and other anti-virus/anti-malware apps before, and I've never understood why. I know none of them are 100% effective- not possible, I suppose. But in allegedly independent tests Norton consistently ranks at or near the top for effectiveness. I doubt the testing firms are lying. I've also seen Norton on my own machine announce a couple of times, (it is big on announcing things,) how it caught and halted "such-and-such attack" before it could harm my machine. Why wouldn't I want something working in the background intercepting bad stuff on the way in? If not Norton, them what else? I certainly wouldn't run naked on the Internet. I once had Zone Alarm, but the GD thing wouldn't leave me alone. All it ever wanted were decisions on allowing or disallowing things described in nearly incomprehensible gobbledegook language that only someone with a Masters in Computer Science would have any hope of understanding quickly enough to continue what they were doing So, what to do?
I use Symantec Endpoint Protection and so long as I allow it to start hidden, it does not set off UAC.
.... Thinkpads_User
.... Thinkpads_User
> If I do this, is there a way to do something requiring elevated privileges using the "run as" function, like there was in XP ?
Yes, sure: UAC does that automatically. It detects the need for higher permissions, fires the process "consent.exe" that shows you a credential dialogue and there you have your runas.
Yes, sure: UAC does that automatically. It detects the need for higher permissions, fires the process "consent.exe" that shows you a credential dialogue and there you have your runas.
Let us know (if you can) what the 3 programs are. None of what I start needs UAC permission. Either they just done need it, or start via the Task Scheduler.
.... Thinkpads_User
.... Thinkpads_User
ASKER
Thank you everyone for your useful and informative insights into UAC.. I've increased the points for this question, in order to adequately reward more than one Expert, as several have been very helpful. McKnife: thank you for your detailed, insightful and referenced explanation of that UAC is, (besides being just the thing that I have to click allow for a few times when I boot up, or occasionally run some programs,) -plus, what it does and its usefulness. Rindi and Thinkpads_User: you both provided some additional detail, and a view from the perspective of the admin/ and/or consultant. Good job.
ASKER
Just a follow up: I will be changing my account to that of a standard user. I wonder if I should make the built-in Administrator account in Windows 7 visible, just in case something happens to my user profile. I wouldn't want to be locked out of my own computer. Thanks.
I will be changing my account to that of a standard user. I wonder if I should make the built-in Administrator account in Windows 7 visible
Yes, by all means make an account (not administrator which is hidden) that is a member of the admin group. That is, have Chris_admin as an account that you can log into. But do not unhide the administrator account. I do this and the special admin account can do all you need.
Cheers, .... Thinkpads_User
Yes, by all means make an account (not administrator which is hidden) that is a member of the admin group. That is, have Chris_admin as an account that you can log into. But do not unhide the administrator account. I do this and the special admin account can do all you need.
Cheers, .... Thinkpads_User
Just add another admin account, don't enable the built-in administrator's account.
ASKER
Thanks, guys. I've heard elsewhere that it is more secure not to make the built-in administrator account visible. This confirms what I've read. Thanks again for your help.
About the built-in admin and why it is better/not better to keep it disabled:
Any windows system has this account, so attackers will try to use it in scripts in order to elevate their privileges. That special account is not even governed by UAC! What does that mean?
That means, that if you have the account enabled, and set the password "admin", a script like this:
psexec -u administrator -p admin meanexecutable.exe
guessing the correct password would ruin your computer in seconds. No UAC prompt to stop that script!
BUT: what if you set a complex password like HGiuez93zrexx##sw3! ? Yes, this would be save against scripts that simply guess passwords or use other dictionary attacks. But would you like to type (and remember) "HGiuez93zrexx##sw3!"? Not really.
So let's have a look at the option of setting a blank password.
By default, blank passwords can not be used in any kind of scripts! They cannot be used with psexec/ runas, neither can they be used for rogue network connections in (for example) your not-so-trusted WLAN: net use x: \\yourpc\c$ will ask for a password and won't accept a blank although the pw IS blank!
Blank passwords are indeed not so bad as many people think. Problem with those are the local logons. If you fear that someone could login to your computer, then a blank admin pw is of course an invitation.
I hope you now will understand why using an extra admin is different but not necessarily safer than the built-in admin with blank password.
Any windows system has this account, so attackers will try to use it in scripts in order to elevate their privileges. That special account is not even governed by UAC! What does that mean?
That means, that if you have the account enabled, and set the password "admin", a script like this:
psexec -u administrator -p admin meanexecutable.exe
guessing the correct password would ruin your computer in seconds. No UAC prompt to stop that script!
BUT: what if you set a complex password like HGiuez93zrexx##sw3! ? Yes, this would be save against scripts that simply guess passwords or use other dictionary attacks. But would you like to type (and remember) "HGiuez93zrexx##sw3!"? Not really.
So let's have a look at the option of setting a blank password.
By default, blank passwords can not be used in any kind of scripts! They cannot be used with psexec/ runas, neither can they be used for rogue network connections in (for example) your not-so-trusted WLAN: net use x: \\yourpc\c$ will ask for a password and won't accept a blank although the pw IS blank!
Blank passwords are indeed not so bad as many people think. Problem with those are the local logons. If you fear that someone could login to your computer, then a blank admin pw is of course an invitation.
I hope you now will understand why using an extra admin is different but not necessarily safer than the built-in admin with blank password.
ASKER
McKnife: Then is it safe to say that the built-in admin account with a blank password is no more vulnerable than any other accounts that use passwords from a remote attack? I have two different boot passwords on both my machines. Granted, they aren't difficult-to-remember complicated gobbledygook, rather they are a couple of words from a language that relatively few people speak - especially on this side of the Atlantic - not English. So they might as well be random letters, from the perspective of an English-speaker. Now if I go out and leave the machines on without locking the screens, then someone could theoretically logon while ransacking my house looking for valuables. --- An amusing example of this happening and back-firing on the dumb crook who accessed his own Face Book page, and then left it open when he split the premises is here: http://huff.to/15GHMUL. Instant Karma, or room-temperature IQ? - you decide! :-} --- Is there any other reason that having the built-in admin account visible on the welcome screen is unsafe? When I hear it referred to as not-enabled, I take that to mean just not visible, as I am guessing that this is the same admin account that is available through safe-mode. I could use some clarifications on this- not that you are unclear- I just get the feeling that my own understanding of the subject is incomplete. Once again, thanks for your help.
ChristopherNls
ChristopherNls
I see no way to remotely exploit a blank-pw-account at all. All possible attacks need interaction. There is no reason to hide it apart from local logins.
About visibility: you only need to remember that disabled accounts cannot be used in any mode, so if you want a fallback admin account, no matter if builtin or self-made, don't disable it. [Given the fact that it is very easy to use boot media to enable and pw-reset that account, this won't really matter, anyway, unless you encrypt the computer, but that's a whole new story]
Having it visible does not introduce security concerns.
About visibility: you only need to remember that disabled accounts cannot be used in any mode, so if you want a fallback admin account, no matter if builtin or self-made, don't disable it. [Given the fact that it is very easy to use boot media to enable and pw-reset that account, this won't really matter, anyway, unless you encrypt the computer, but that's a whole new story]
Having it visible does not introduce security concerns.
What it does is prevent a loose nut behind the keyboard from installing software. It does that quite well. Users in a business or like organization should not be allowed to install software because they can easily wreck a machine.
It was improved in Windows 7 from its first appearance in Vista and works well in Windows 7 and 8.
You should leave it enabled on all machines including those machines where the user is a standard user. It should not be disabled (no need to) and in Windows 8, disabling UAC prevents Windows Store from working.
... Thinkpads_User