Greets all:

It's Friday, and I haven't had a good rant in a while, so... Recent misconceptions about Vista and UAC posted to the Focus-Apple group, as well as the following article by John Leyden at The Register, have prompted me to submit what I consider to be clarifications and corrections on the issue:

http://www.theregister.co.uk/2007/02/19/vista_uac/

I thought about emailing John and Ms. Rutkowska directly, but figured this forum was a far better place to discuss this.

Vista's UAC is a huge leap forward in allowing people to move away from interactively logging in as administrator, and combined with the many configuration options Vista supports, is a "Good Thing." When I read stuff like this article, I can't help but think that people are just going WAY out of their way to make mountains out of molehills. Simply put, I think the security model of Vista is the best yet. But if one rushes to judgment regarding a particular aspect of a process or procedure in Vista without performing one's due diligence in research, it is easy to arrive at misconceptions.

Let's start with this snip from John's article:

<snip>
White hat hacker Joanna Rutkowska discovered that users attempting to run an installation file need to do so in admin mode. That means users are confronted with the all-or-nothing choice of granting an installed program complete system privileges or abandoning an installation altogether. "That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry," Rutkowska writes, adding that Win XP gave her the ability to add permissions to her normal (restricted) user account that isn't possible with Vista.
</snip>

There are several points in those two paragraphs that are simply wrong. First off, the account you create that has administrator privileges does NOT have "complete system privileges." One great distinction is that Vista's WRP protects SystemRoot from write access to all but the SYSTEM service. And even if one chooses to run interactively as the admin account (which you simply do not have to do), the "default" security context is tokenized as a "standard user." Operations requiring escalated privileges require specific allowance to do so.
Note that on my system, I have changed the default UAC prompt for administrators from "prompt for consent" to "prompt for credentials" so you can't be lazy and hit "allow." Even if you do allow escalation for a process, spawned processes requiring escalation will also require explicit permissions. For example, if you go to change the permissions on a folder, even if in as admin, you'll have to explicitly pass the admin credentials on to change them. If you then go to change the owner, though you're already in "Advanced Settings," you'll have to approve again.

The example of "installing some freeware Tetris game" is a perfect testament to the exact reason for UAC. Don't let stupid people run as administrator, and you won't have to worry about stupid people installing untrusted, freeware Tetris games. If you have an administrator that will download and install executables from untrusted sites that are unsigned and unverified, then THAT is your problem, not the UAC. But, even if you are smoking crack and give your users the admin password, and after sharing the pipe with them they go to install the freeware Tetris game, you can still prevent it by simply enabling "Only elevate executables that are signed and validated" and be done with it. Or use Software Restriction Policies and be done with it.

Further, the bit about "the ability to add permissions to her normal (restricted) user account [that] isn't possible with Vista" is wrong as well. This from the blog site:

<snip>
I see the above limitation as a very severe hole in the design of UAC. After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing (unless I'm missing some secret option to change that behavior).
</snip>

It's no "secret option."
Simply change the permissions of Program Files and the software hive in the registry... When you log in as administrator, and go to Program Files permissions and tell it to change them, after you enter your credentials (or just hit allow if still on the default prompt), some will obviously be thrown off by the fact that they can't immediately edit them. That's because the admin user (or "true" administrator account) doesn't own the object: the "TrustedInstaller" does. But it's simple permissions management... Just take ownership of the directory, and feel free to muck up the permissions all you want. Done. Then muck up the registry permissions and get 'er done again. Done, done.

Of course, you can re-enable PowerUsers if you really want to by extending the security templates to the UI and go nuts applying whatever security template you want to further muddy the configuration waters. But calling it a "severe hole" is FUD. So is writing an article about it.

People on the Apple list criticize the "allow" behavior because they say stupid people running as administrator will just hit "allow" and malware will run rampant and we'll all end up standing in the Microsoft Cheese Line. Then change the default prompt to "prompt for credentials" as I mentioned earlier. Others say the fact that you can't do anything else when the UAC comes up will further train people to just hit "allow." Then turn off "secure desktop UAC." That's not a smart thing to do, but you can do it.

My main point is that we're obviously going to be hit by numerous "Vista sucks" reports by talking heads all over the place, and we should be prepared to provide some thought leadership for those who are prone to swallowing it. Just like the speech recognition "vulnerability" where you turn on speech recognition, leave your microphone on, go to a malicious web site, and play an MPG where they tell your computer to Shut Down. Oh, the horror. It's ludicrous. Stupid, really.
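The settings argued over above (prompt for consent vs. prompt for credentials, "Only elevate executables that are signed and validated", secure desktop UAC, and TrustedInstaller owning Program Files) all live in places an administrator can inspect without touching anything. The following PowerShell audit is an added example, not part of the original post or of Microsoft's tooling; it reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, compares them against the hardened values the post recommends, and reports who owns Program Files. The "wanted" values and the REVIEW/OK labelling are this example's own choices.

```powershell
# Added example (not from the original post): audit the UAC policy values the
# post discusses and report the owner of Program Files. Reading these values
# does not require elevation.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened values, following the post's recommendations:
#   EnableLUA                   1 = UAC enabled at all
#   ConsentPromptBehaviorAdmin  1 = prompt for credentials on the secure desktop
#                               2 = prompt for consent on the secure desktop (Vista default)
#   ValidateAdminCodeSignatures 1 = only elevate executables that are signed and validated
#   PromptOnSecureDesktop       1 = UAC prompts switch to the secure desktop
$checks = @(
    @{ Name = 'EnableLUA';                   Want = 1; Why = 'UAC must be enabled' },
    @{ Name = 'ConsentPromptBehaviorAdmin';  Want = 1; Why = 'admins should enter credentials, not just click Allow' },
    @{ Name = 'ValidateAdminCodeSignatures'; Want = 1; Why = 'only signed and validated executables should elevate' },
    @{ Name = 'PromptOnSecureDesktop';       Want = 1; Why = 'UAC prompts should run on the secure desktop' }
)

function Get-UacSetting {
    param([string]$Name)
    $props = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    # A missing value means the OS default applies rather than an explicit policy.
    if ($null -eq $props.$Name) { return $null }
    return [int]$props.$Name
}

$results = foreach ($c in $checks) {
    $actual = Get-UacSetting -Name $c.Name
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
        Wanted  = $c.Want
        Status  = if ($actual -eq $c.Want) { 'OK' } else { 'REVIEW' }
        Note    = $c.Why
    }
}
$results | Format-Table -AutoSize

# Ownership check: by default Program Files is owned by TrustedInstaller, which
# is why an administrator must take ownership before editing its ACL. A changed
# owner is worth a look, since it means someone has already "mucked up" the tree.
$owner = (Get-Acl -Path $env:ProgramFiles).Owner
if ($owner -eq 'NT SERVICE\TrustedInstaller') {
    Write-Output "Program Files owner: $owner (default, unchanged)"
} else {
    Write-Output "Program Files owner: $owner (ownership changed; review the ACL)"
}
```

A value reported as "(not set)" is not the same as a value of 0: it means no policy has been written and the OS default applies, which on Vista is consent-only prompting for administrators. The same four values are what the Local Security Policy UI writes when you flip the settings the post describes, so the script doubles as a way to confirm that a change actually landed.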
Why not just call your users and ask to be put on speaker phone? That way it could be a "remote" attack. Besides, that stuff won't work on my system anyway because instead of saying "Shut Down, please" when training it, I say "Ecky- ecky- ecky- ecky- pikang- zoop- boing- goodem- zoo- owli- zhiv" for a little security in depth. Of course, when I watch Monty Python, my system shuts down, but it's worth it.

Anyway, it looks like it's time to set up a rebuttal blog on the ole Hammer of God website. I could use some new content anyway. If you guys come across "real" reports that need stomping on, please forward them to me.

And that's the skinny on that.

T
