Re: What's George Ou smoking? Feb 16 2007 07:35PM
Thor (Hammer of God) (thor hammerofgod com)

On 2/16/07 7:53 AM, "Don Rhodes" <drhodes (at) mail.colgate (dot) edu> spoketh to all:

> However Vista UAC does not behave just like *nix based OSes. To make
> matters worse there are programs out that do not handle running in
> unprivileged mode very well. Firefox for one defaults to downloading
> files to the desktop of the admin account that installed it - I am sure
> that the FF team will fix this. WinAgents free RouterTweak program (a
> Cisco configuration utility) must be run as an administrator otherwise
> you receive an error about not being able to access a key in the
> registry. At this point I have no wish or desire to see how games work
> under Vista, but I am sure that 90% of them will require they be run
> under an admin account.

If you have no wish or desire to see, then you probably should not be so sure about
it... Vista's UAC and security model offers excellent choices if you just
exert a tiny bit of effort to configure it properly. Even if you do have
games that require admin (which is not Vista's fault, of course) all you
have to do is use RunAs from the non-privileged user account, even if the
program is not UAC aware (does not prompt for admin creds, rather, errors
out). You still don't have to run the interactive user as admin.

> On top of programs not being programmed correctly for the new UAC, if you
> are using an admin account you do not have to retype your password but
> simply click OK. Granted it is very annoying since many programs prompt
> you for this at different times the average user will just know if they
> want it to work to click OK; what a great security model. Hopefully
> software developers will figure out how to make the UAC work for them,
> not against; we all know that the malware creators will.

If you are still running interactively as admin, that is YOUR problem, not
Vista's. But even so, the prompting is better than not, and if you really
think it is such a pain, then disable it. I've not been running
interactively as admin for years on my Windows boxes. Vista makes that even
easier with UAC. And for those things that don't support UAC, I just use
RunAs and be done with it. It is trivially simple and much safer than
running as admin all the time. You can even join the box to a domain and
still use "Switch User" functionality to separate user contexts between
domain users and local users simultaneously.

If the real concern is what malware users will do, then don't run as admin.

