9 comments
.NET 
On www.windows-now.com Robert McLaws writes about an Idea Symantec has on disabling UAC. I must say I cannot agree more with him. UAC is a very good feature in Vista. OK, it can be annoying sometimes, but on the whole I do think it will help people understand at least WHEN they are doing something that has impact on the security and integrity of the system they are using.
People will say: I did not know that, but they did approve something. It will not stop them doing stupid things, but at least they are confronted with the warning, although they will see it like the screenshot show here.
I do hope Symantec will find other ways to run their antivirus software (like Kaspersky and Sophos have done) other than kernel hooking and disabling UAC.
It sounds like let’s start to make your system unsecure first so we can secure it again for you…
9 comments
The image you posted immediatelly came to my mind when we discussed UAC 2 weeks ago during the ISKA. The fact remains that the normal user will get used to the popup box and will click ALLOW to see the dancing pigs.
Maybe I know too little of the OS to understand, but why do I get a security warning popup when I change the DPI of my screen ? Also by default when I moved my ‘Downloads’ ‘Music’ etc. folders to my D: drive I had to click allow on every download, at this point I was already looking for the fastest way to get rid of UAC 10 minutes after installing Vista.
I think one of the main problems is that the people who really need this kind of protection will click allow on everything to see the pigs dance because they don’t understand what it implies. The people who are more security aware probably don’t need this kind of protection on their workstations.
What Symantec is proposing is a system that is a little more intelligent so that clicking allow doesn’t become a habit, but the boxes do pop up if you really want to do something that compromises the security of your system (like changing your monitors DPI ?).
Bertrand
I know about the image, (that’s why I created the screen, (Yes, I did create it in Visual Studio)) A lot of things do not seem logical when asking for permission to elevate, like changing DPI (although I do not experience this myself). Moving folders is another thing. you change lnks in the registry, and therefore it will ask you for elevation. This is not particularly related to heavy security stuff, but still.
The problem I am having with the Symantec system is, why can they decide better what has impact on the system than Microsoft. When they have to do kernelhooks for checking for virusses when there is another way to do this. Furthermore, if Symantec wants to do kernel hooking, and are granted this right by patches from Microsoft, who guarantees me, no rootkit will be allowed to do the same. I’d rather have no kernelhooks on my system and have these UAC pop-ups than the risks…
AFAIK users WILL click yes buttons without reading (Hence my dancing pigs dialog). But there is no such thing as a dummyproof system, (well, maybe the Miffy laptop my three-year old son has.. it has an on/off switch and is preprogrammed to do just a couple of things.)
EricD
I find it more than logical to be asked for permission to change my Download etc. folders, but I got prompted for every download I did after that, it's a folder option to Move the Downloads folder, so I find it only logical that from that time on I approve of every download from the big bad internet to that destination. It's probally file security related and fixable, but the turn of UAC 'fix' was the quick and dirty way (I installed Vista on the 31st and had to jet to a party ;)). Regarding kernel hooking I agree, I don't want anything messing with that, but after reading the firewall article you posted a while ago where the example with the flying pigs comes from I can only agree with Symantec that users should not see such a security related dialog box unless it's absolutely needed (and then they probably don't have enough knowledge about it to make a proper choice).
Bertrand
I fully agree with Eric on this one. Until we get dummyproof, get me UAC, or get me a XP box running under normal user accounts (something I do on every fresh install of XP, do you? )
wouterv
I do agree with you, someone should decide what is good for a user, and I think Microsoft should do a better job that they did now, by being more verbose in the popups, and restricting the pop-ups to the most needed and not everything, but when i work lika a normal user I do not see pop-ups apear, exept for when downloading stuff from the internet. And I do feel that this is a good thing. Too many people still do not realise the insecurity of that “place”.
What you are experiencing has to do with the “filesystem virtualization” vs “real filesystem” the Downloads folder in your profile is only accessible by you and no other user, Vista is aware of this, once you set it to a location EVERY user on your system can reach it is a hazard, so you have to confirm every download.
there is another feature that you will run into: download a CHM file from the internet, and try to read it. You’ll see you have to go to the properties of the file and “unblock” it first… Vista does this for several filetypes.
Furthermore: Dl-ing from the internet requires write permissions on places on your filesystem outside the temporary internet files. For this you have to elevate your permissions to do this, I do not think it has anything to do with you moving yourdownloads folder. it has to do with the “low-rights IE” vs writing to another location than Temporary internet files.
EricD
This is typical for most virusscanners. Mcafee for example causes all kinds of unrecoverable errors in my system. I had to remove it by hand to fix errors like “The application stopped working” when trying to start a game.
WMeints
This is what I was talking about earlier (don’t have Vista at the office): http://img387.imageshack.us/img387/4342/adjustdpiru5.jpg
Bertrand Rohrbock
This whole UAC thing to me is for idiots. I know a lot of people who use computers that are in this category or close to it, so I guess this is who Microsoft is apparently concerned with and wants to lead around by the hand. It’s been taken too far (moving folders, changing DPI a security deal, give me a break here). I am not in the idiot class, know full well how to run a lean, efficient, security safe machine. I didn’t need it (UAC) in XP and I sure don’t need it in Vista. Whenever I do go with Vista (and from the looks of things, it won’t be any time soon), the UAC will be the very first thing I turn off (and leave it off).
Mike
A follow-up since this subject really has me irritated. A computer is supposed to be useful and user friendly to operate. Or else why use the dam thing! I don’t need to be constantly told by Microsoft that I don’t know how to operate my own computer. Microsoft should have a “Idiot” section with controls to use for the people who have no business operating a computer in the first place (heh heh). Put the UAC in there for the ones who can’t think on their feet. I operate a single computer (not on a network) and no one touches it (with a penalty of being shot) but me period. I am solely responsible for the content, performance, individuality, security, of my own machine. Leave my machine alone Bill!
Mike