Win7 UAC: Default or Max?

Default: Prevents programs from elevating to admin. Does not prevent the user.

Highest: Prevents programs and the user from elevating to admin.

What are the security benefits of highest vs default? Can malware pretend to be the user or something?

 

Off...unless your a Ree-Ree...then default.

 

I recommend switching it to highest. Highest makes UAC work like it did under the default in Windows Vista. (which wasn't as horrible as everyone makes out)

Don't turn off UAC, as you lose Protected Mode and other security features.

 

Mine is set to default and haven't encountered a virus.

 

I'm just curious as to what exactly it protects me from.

 

^in a nutshell, with UAC, Windows will not let a program make system changes without user interaction.

 

Yes I realize that. I know what UAC does. I'm just curious as to what putting it to the highest does that the second highest doesn't in terms of malware security. It seems the only difference is that it guesses what I do as opposed to just programs, but I'm wondering if that makes me any safer.

 

I have UAC disabled but I have antivirus and HIPS taking care of all of that. I have always found UAC to alert on too many perfectly legit occurances as opposed to actually spotting suspicious ones.

 

I have it on max and I very rarely see it. Only when running ccleaner, otherwise no.

 

Off for me, it can prevent certain program from running properly via not having admin access and its just annoying.

You will get so used to clicking the dialogs that the one time in 5 million that you are opening a file that is a virus instead of safe, you will hit the "ok" just out of muscle memory and get the virus anyways.

 

TweakUAC, or a registry tweak, to keep UAC on but elevating w/o prompting. I've got that set up and I only get prompted on certain, rare things. I won't get desensitized to constant prompting.

 

Notebookreview seems to have eaten the reply I had given to this. TweakUAC's creator doesn't seem to understand UAC or is just a moron. But it would possibly do what I want, I personally don't want a 3rd party program for this.

A registry tweak would work.

 

Yeah, reg tweak will be just fine. I was too lazy to do it that way.

 

not true, all doable. even win3.1 apps still run.

i'll be at my 5 millionth click in about 10000 years, so the chance of getting a virus is not that high for me. i'll die too soon to care.


to the op: i use the default settings. why? because a) i'm not paranoid and b) i want to use the os the same way the ordinary user, the one that calls me for help if he messes up, uses it. that way i'm prepared and know how the stuff works for him/her, and used to it.

 

btw, silent uac (aswell as uac without secure desktop) is absolutely useless and stupid except for one case: where an application might crash while you switch to the secure desktop (the actual dialog box that asks you is not on YOUR desktop. it's on an own one). this is true for one app my dad uses often (some tv recording software for DVB-C, that renders the video on the desktop window, and crashes when the desktop gets disabled due to uac).
so it's mostly there for a fix. if you don't want uac, just disable it and enjoy your viruses. don't pretend anything by having it enabled but in a castrated mode.

 

That's nonsense, of course. None of these is a substitute for proper system security, and anti-virus, in particular, as a general rule takes care of pretty much nothing at all.

 

Pirx, do you have any input on the differences between the two settings? Is it possible for malware to somehow get through the default setting but not the max? And, of course, by "get through" I mean elevate.

 

To answer the actual question in this thread: There are ways to inject malware into the system such that the user will initiate the start of malicious code. With UAC at its Win7 default setting (note that, in Vista, the default is the highest setting), whatever happens then will go unnoticed. In my opinion, there is no reason to not set UAC at its highest level. As Dave has pointed out, if you know what you are doing, you will just about never see a UAC prompt. I never do unless I want to acquire higher privileges, in which case UAC is a great convenience. Which is exactly what it was designed as: UAC is a convenience, not a protective measure by itself. Protection is afforded by running the system as a Standard User. Those people who turn off UAC, by running as administrators all the time, with UAC turned off, deserve whatever hits them. They have, as far as security is concerned, turned their system into a 1980s DOS machine. Real smart...

Oh, and all of the people complaining about UAC being annoying fall into one or both of exactly two classes:

• People who don't know what they are doing, and don't understand how to use a modern computer
• People trying to run cr@ppy software that was written by dilettantes and that is not compatible with Windows

 

Alright. I have it on highest because it never pops up anyways. I was just curious as to the benefits of moving up a step.

Thanks.

 

what i would have loved in win7 is to have the option, to chose another aero color for administrative processes. so you'd see a window that is administrative directly. say, they would be in red, instead of what ever you chose (and if you chose red, they would be .. dunno.. yellowblack diagonally striped? what ever warns you that they're dangerous processes, anyways).

and a process that has no window gets a window (simple informational window that the process is running, and the ability to instantly cancel it, or scan it by the installed antivirus, etc), except if it's a service (the proper way to get system level access for an application: have an own service).

that, imho, would have been awesome.

 

My UAC is on maximum to prevent potential punks from messing with my computer when it is on and I am not looking.

 

Oh yes, I fully agree, these are two awesome suggestions. You should give Microsoft a call. No, I am really at least half serious about that; maybe send an email to Russinovich, who knows, he might read it. If he does, these ideas are so good that he might actually push for implementing them.

 

hehe.. i could. while i'm pissing on the leg of paul thurroth, who is quite involved with microsoft (but his cloud dreams are absolute ridiculous), i could contact russinovich (again!). he's at least not way above reality, lost up there in the clouds

 

You seem a bit bias about cloud lol what did cloud do to you exactly? >_> Must have been something bad!

 

the cloud is not a technical term (that would be the internet, servers, etc.. meaning all the tech we already have since years). there's nothing that is "the cloud" that wasn't yet there before. it got invented out of a joke (the cloudy thing in the powerpoint presentations representing "everything else"), and managers liked it. why? because it's so simple. no technical term. no details to care about. just "it's in the cloud" and then, all is solved.

problem is, what does the cloud provide you? nothing. it provides you with dependency (realtime dependency even) on the provider, and everything inbetween.

so f.e. dropbox. you have to rely on dropbox as a company to exist. their server farm to be stable and perfect (both secure against hackers, against failures, against data corruption, etc). you have to rely on their isp. you have to rely on all the countries that the internet goes trough till it gets to your home (dropbox in the usa, me in switzerland). you have to rely on your own isp (you know they aren't 100% as well). and last but not least, you have to rely on your own systems.

i have the same as dropbox, but here at home. my windows home server has all my data, and shares it "to the cloud, iehk" so i can in need access it from everywhere. but it's only me and my hw i have to care about, no one else.

imagine living in egypt, and suddenly the whole internet gets shut down (it just happened, as you might have heard). what if all your data is on google docs. how can you do your school/workstuff, then? hint: you can't.

no provider has proven to be 100% secure against hacking, against own failures, against "being human", in general. none. not google. not microsoft. not amazon. not apple. not even lastpass, which wants to sell you a safe place for your passwords.

there's simply no guarantees in the web. we all know that. that's why there came that new term, the cloud. it has nothing of the bad memorys we have about viruses, about networks going down, etc. but it's still all the same.


so in short: why do you want to give your stuff that you rely on out of your hands so you can't control it anymore? if you could have it with you, rely on it, AND control it?

the answer from the typical user: but it's so simple, and i don't have to do anything (giving a feel of not being the one with the problem if something goes wrong, which is a false belief. i could sue google all i want for my lost job because i couldn't access google docs. i still lost my job (hypothetical)).

and, much more important:

the answer from the typical company: we can bind the customers to our environment, force them to stay with us as they have their data only in our system. by this, we can make sure they will have to pay over time, f.e. monthly payments. that will make is not have to do anything and get money for free, every month. we don't have to improve our stuff to re-sell it to them. we can just sell the same stuff every month again and again.

so, in short, it's the perfect way to make money with stuff you had for free (or fixed price) before. and, you lose all control while paying for it.

so what good is the cloud, again? it does not provide anything i did not have the last 10 years. it's just a beautified pig, thanks to some lipstick.

 

a) From what I skimmed you don't know what cloud computer actually is, you're limiting yourself to cloud storage.

b) You got the cloud storage stuff wrong.

c) I didn't sleep last night so I'm going to nap. I'll respond more seriously tonight.

 

i used storage as an example. apps are even worse. why do you want an app over the internet (the internet is unstable and not reliable) while you could have it at home?

i got the cloud storage stuff completely right (as i always do, young padawan).

yeah, get some sleep.

 

I think his analysis is more accurate than not. The one thing you have to understand is, the reason that cloud stuff is being promoted is that people hope to make money with it, and that's all there is to it. One of the ideas is similar to Apple's iTunes goldmine: Drag people's money out of their pockets in small amounts at a time, and they won't notice how, whoopsie, at the end of the year they have transferred hundreds of dollars to the provider's account, much more than they would have been willing to, or able to justify, if they had seen the total bill in advance. In summary, the cloud is probably an awesome business idea, but whether there is any benefit to the consumer is at least doubtful.

 

the cloud computing model is really just a nondescript variation on the Software as a Service (SaaS) model. in a traditional SaaS application, a client would have to connect to an application running on a discrete server, with a discrete IP address, running at a discrete data center. the real change with "Cloud Computing" is that you don't know or care what, how, or where the application is being delivered to you - your GMail account could be on a virtual server, stored across multiple servers, hosted in multiple locations, etc. physical transparency does not matter.

the first key advantage to cloud computing is risk mitigation. large datacenters are able to utilize economies of scale to implement large, robust physical and logical security. they are also able to take advantage of clustered/virtual computing to spread data across multiple physical servers to prevent downtime in cases of hardware failure. the concept that "i control it, therefore it is safer" is 100% incorrect. this shouldn't need any explanation.

the second key advantage to cloud computing is availability of data. storing data locally is a slow and "dumb" process. if your files are on a hard drive, you need physical access to that hard drive to utilize them. if your files are hosted remotely but still located on a single physical hard drive, then your availability depends entirely on your ability to access that system (if his sweet server goes down, he's ed). when stored "in the cloud" you are ensured that your data will be available and secure, and you can access it from any number of internet-connected devices. also, a multi-tenent cloud-based system can offer data sharing and collaboration tools (improving efficiency and overall value) whereas a one-off file server in your dorm offers no such features.

cloud computing is NOT a money making scam. you might pay a hefty monthly subscription fee for a service like Dropbox or Salesforce, but you are spending FAR LESS than if you tried to purchase hardware and implement such a system yourself. the idea is basically that, instead of everyone going out and designing their own proprietary systems which live on islands and can't talk to each other, we create one unified system that meets the goals of many different businesses and charge them a subscription fee. in the end, you get a cheaper AND more effective system.

also, the crux of his argument seems to be "if the Internet goes down, you're SOL!" well, duh. if the internet goes down, you won't be able to access your server back in the dorm either. and guess what? your little server has it's own unreliable internet connection, whereas Google has backups upon backups of fiber network capacity going into their hosting sites. your risk of not being able to access data has just doubled.

On top of that, cloud computing is not limited to online-only. Yes, to get the benefits of the cloud you do need internet, but look at dropbox. My internet goes out and I still have access to my "local server" where I've got the original files stored. No one has me trapped into a service, I can leave any time because all of that data is right there.

Google docs (back when it had offline mode, it will again soon) can be used as a stand alone non-text-editor. That means YOU still get the service without internet.

Yes, if google's gigantic server farm somehow crashes I'm SOL but what are the chances of thousands of servers going down + their backups compared to my computer/server's single hard drive.

Again, not to mention that cloud COMPUTING is not limited to storage. I can offload processes to a server farm. If it takes my netbook 5 hours to figure out "10x10" and I can offload that huge calculation to a server it's only a matter of sending the question and recieving the answer. Yes, this is limited by significant overhead but the possibilities are tried AND PROVEN. We can see a netbook playiang serious video games because of cloud computer.

 

No one said anything about a substitute for proper system security and Antivirus is useful as part of a layered defense. HIPS and Antivirus are barely the tip of the iceberg but they have their uses.

 

I did not say nor imply that it's a scam. What I did say is that the motivation is not to improve the consumers' computing, but to make more money for the providers.

Read any newspapers lately? Google's gigantic server farms did go down recently. Even more recently, Amazon's servers went down.

As a matter of fact, I did.

 

You said "I have UAC disabled but I have antivirus and HIPS taking care of all of that." With "all of that", you were presumably referring to system security as a whole. I repeat, this is complete and utter nonsense. By "disabling UAC" you have, as a matter of fact, just turned off all of your OS' built-in system security, and thus eliminated "proper system security". "Antivirus and HIPS" cannot "take care of that", at all.

 

Pirx, the scam bit was to david

Nothing was lost when google's server farm went down. Within 24 hours everything was back up and .02% of th gmail population was initially effected to begin with. I'd say a .02% failure rate is pretty good. Compare that to buying a hard drive.

 

I see where you are coming from now and I agree, Previously I did not know what you were referring to because after dismissing it as nonsense, you provided no further explanation.

However, I find UAC inflexible, it does not remember any settings and asks me whether I want to start a trusted program in my start up folder on every single boot, it prevents some trusted 3rd party CPU temp monitoring programs from starting up with no warning and decreases the overall usability of the system. For UAC to be useful it needs to be more configurable.

 

Ah yes, sorry for being unclear.

Well, UAC was not designed or intended to do any of this. In addition, the issue with the kind of whitelisting you suggest is that this opens up a substantial attack vector. See, the rule is that user-mode programs should never cause a UAC prompt to appear. If they do, they are poorly coded. Those hardware monitoring programs you are referring to, in particular, are simply poorly coded pieces of kiddie software that are not compatible with modern operating systems (any modern operating systems, mind you). The way to code something like that is to have a portion of the code run as a service with appropriate privileges. If this is done, you could have your monitor, without requiring privilege elevation.

So, the real issue, in my opinion, is not with the way UAC works, but in the way some poorly coded hardware requires privilege elevation for no good reason.

 

Some programs do need admin privileges. CCleaner is an example. It accesses hidden/ system folders.

 

Yes, and if that is the case you shouldn't complain about them throwing up a UAC prompt. I know you don't, but others shouldn't, either. Having said that, I don't get prompts from CCleaner, unless I ask it to delete files I don't own or have modify access to as the user that is initiating the CCleaner process. This is the way it should be, I would argue. Personally, I have CCleaner only delete my own files if I am logged in as a standard user. Otherwise, I log in as the admin, and have it delete system files this way. Actually, I hardly ever use CCleaner anyway; I can delete my temp files myself. It's only to delete the browser cache and history where I find CCleaner handy sometimes. Even that is, of course, unnecessary, as I'm sure Dave would argue...

I should say that, coming from good old Unix tradition, I use my systems slightly differently, in that I log in as the (Windows built-in) Admin for all system level work. Note that the built-in Admin account has admin-approval mode turned off by default, so I will never see a UAC prompt for anything while logged in in that role. Of course, along with that goes the discipline to not do anything but system maintenance work. In particular, no web-browsing, email-reading, or any other spurious or otherwise frivolous activities. :wink:

 

That's probably because you've had UAC installed since before you installed ccleaner. I activated it afterwards.

Ccleaner is a very rarely used program, so it's not a big deal. Same goes for coretemp, only when playing games.

 

...well, that means you DID download it onto your computer in the first place.

honestly, the real use i've found for it was when the process tries to make an admin call and a prompt comes out out of NOWHERE.

 

about the cloud:

all the google 100% uptime will not save you if your isp goes down. or your government decides the internet has to be shut down. or some natural disaster wipes out the connection between google and you at any point. it all happened, more than once by now, each of them.

i know the benefits of cloud computing. they all existed way before that term existed. but i do know the losses of cloud computing, too. giving away control to foreign servers in some not-known places controlled by companies who only have one main goal: making loads of money (google does, microsoft does, apple does, amazon does). i don't want my data in such hands. i don't want my apps in such hands. i want them here with me, in my control.

about chance of hardware failure locally? yes, that can happen. but when my local system fails, i have to replace it, too, to access the cloud.

btw, all my storage is in the cloud, but here at home. my desktop died last night, so i just move to my laptop and continue as before, nothing lost. all without having to rely on any form of uptime of ANY company, isp, internet, etc.

i like having access to my stuff from everywhere. i like having everything in sync on different clients. i like having my data redundant and distributed. i like all that. but you know what? i HAVE all that. without ever having to rely on any active server outside of what i can trust: myself, family, friends.

i have backups of my home server synching to a friends home server, a families home server, and even a friends home server in another country on another island. my data is save, my data is always there. and every company in this world can collapse in some economic crysis. every cloud system can be hacked by anonymous. every data corruption can replicate and kill all backups (yes, this happened, too), every country can go to war with everyone else and block internet and more.

and i can still, 100% of the time, access all my data. without any chance of loss, even if the house here burns down completely.


so what gain does the cloud have? none. it is only there to make money with users that have everything in some company-hosted form.


to pirx:

my only use for ccleaner nowadays is when i get hands on a system that was not a clean installation. uninstall all the crap, then clean. so yes, everything else is unnecessary. system-cleaning-free and happy since about one year.

well, that's exactly the concept of the ordinary user with administrator rights and uac. when ever you do system level work, you elevate. other than that, you're a standard user.
so it's just an old habit that has no gain anymore, and got replaced by a more convenient solution.

i personally still have to get used to being always admin on windows home server 2011 again. i'm missing the savety of uac there.

 

I just don't see your point. If my electricity goes out I'm screwed too. No system is perfect... You're literally saying "this isn't good because [insert random act of god/natural disaster]"

Everyone wants to make money. There's always an "Are you willing to trust them?" situation, whether you're using cloud computing or getting your internet from a service provider. I assume you use an ISP? I assume you trust them?

Yes, one time I had forgotten an assignment and I got it from google docs. Both systems have their pros and cons.

No. You don't. Even if you carry around an external hard drive with you everywhere (kind of ridiculous) there's simply no way you can have information as accessible and redundant as the cloud. Barring some natural disaster/ government being overthrown of course.

Wrong. You have a weird bias that makes no sense. Dropbox is free. Google docs is free. You CAN pay for extra storage... this is not some mindblowing idea. Did you get all of your external hard drives for free?

The idea that the cloud doesn't provide anything that you couldn't already do is ridiculous.

Can you use your external hard drive to speed up a computer 5 miles away?

 

No, they're not free. Nothing is free. None of these companies can justify giving stuff away for free. There's always a catch, even though that catch may lie in the future. I, and we all should, dread the day when Google figures out that everybody is using their crappy Google Docs the way people now use Office. When people depend on this stuff, the time will be ripe to cash in. God help us all if that ever happens...

 

Pretty sure that's a baseless opinion Pirx.

At the moment they make their money through advertising and, quite frankly, have no reason to move on to anything else and risk their advertising revenue. 99.9% of Google's revenue is through advertising... if they gave up their "we're not evil" crap they could lose a lot of that revenue.

And dropbox is "free" but the fact is they give you 2GB free and then have you invite more people to earn more MB. So it's free, but they assume that you'll advertise for them and you might even buy from them eventually.

So there's a mutual exchange of services. The fact is they're already profiting off of us, we just aren't paying them. I'm ok with that.

edit: And let's take your worst-case-scenario into account. Then what? They start charging? Oh no... we're right where we started, except now M$ is forced to start pumping out cloud options to compete. It's like I really live in a capitalist society lol

 

Why would they have to give that up? It is, and always was, just what you said: Crap.

Sure, of course. Which does not fit the definition of "free". Mind you, I am not criticizing anybody for not giving stuff away for free. Why would they? What I am criticizing is the starry-eyed idiots blabbering about all the "free" stuff in this brave new world...

Yep, which is at the very basis of the quite serious problems this country is facing. But that's an entirely different topic, and completely unsuitable for a forum such as this.

 

Free as in I'm not paying money. Not free as in I provide a mutual service that takes close to 0 energy from me.

And I agree. Talking about what caused the problems we see today definitely is not relevant to whether cloud computing is a scam or not.

 

This may be subject to debate (in general, but possibly not in your specific case), but, again, that's a debate that does not belong here, as does a debate on the naive belief in the miracles of capitalism...

 

UAC @ Default

Cheers
3Fees

 

microsoft never charges me to allow me to start an app. they charge me to get the license, then i can do what i want with it.

web apps are not apps, they are services. you never OWN them, you RENT them. and you have no reliability guarantees except THEIR WORD. you 100% depend on them not cheating on you, them not failing themselves, etc.

what if dropbox's plan does not work out? i've seen so many great startups going out of business over the years, i don't want to depend on any of them. for some services, i obviously have to, and do so.

when you start to rely on webapps, you give up on owning functionality.
when you start to rely on webstorage, you give up on owning that data.

as i want my computers to own functionality, webapps are not the way to go there.
as i want my data to be mine, webstorage is not the way to go.

 

If you don't trust a service don't use the service =p it's not "either use the cloud or don't" you can use both.

 

the problem is, there is nothing that guarantees you anything. that's different to stuff you have in your own control in your own environment. office does not simply dissapear on my system. and in worst case, i could reinstall it again from the medium i got it. this guarantee is not given on any online office tool.

that has nothing to do with who creates the app. it's just plain logic.

do you want to have your data be gone because a company goes bankrupt? or because of some natural disaster? or war? or a bug in their software that "imploded their data" (happened before, the bug essentially erased everything including the backups).

what do you win from it, compared to have it available on your disk, where it never goes away except you delete it?

the problem is, you give away control, but not the need to rely on it. that is a huge issue. if you can't understand that, then you have a big problem. it's really easy.

my typical example is dropbox. they recently got proven to lie about the way they store their data. trust them? do you think they're the only one?

still waiting for your cloud-only online playing with ps3? sorry, you can't just connect to a friend directly p2p, cloud is better, as we guarantee the service will always be there, and we have your data save under control. nothing can happen.
heard that before?

it's not about who, or how. it's about giving away stuff you, till now, owned yourself. a webapp is not a replacement for an ordinary app, as it's not in your hands. it can update, change, go offline, get hacked, etc without your control.

i see the pros of that stuff btw, but most of it is just laziness. DEVELOPER laziness. it's harder to write that stuff with the same functionality without relying on a main server. and the company loves that need for that server as a middle man. why? because it forces the client to come back to them.

i can use office without ever caring about microsoft again. after i bought it, i'm done with them. i can use it for a lifetime without ever caring anything about that company, ever again.
every single moment you use google office, you need them available and serving you. that is a HUGE massive dependency. and they love that.


i use the cloud, daily. this here is the cloud, too. it's an online communication and information sharing service, in the cloud. namely, in the internet. and i have no problem using it that way. but i know, if nbr goes down one day, all that knowledge stored on here will be lost. which is sad.

but using such tools with your personal data and stuff and tools, that is not only sad, but an actual problem.

anyways. we'll learn how stupid the cloud-idea is during the next years. stuff like the psn will happen more and more frequently, and with bigger and bigger consumer impact.

one cloud system that exists since years is any card payment system. connection down, no way to pay. happened about two weeks ago for over a day. quite a problem if you for example need to fill your car, but can't pay as you don't have "local storage money".

enjoy the weekend, i'm out.