(Msg. 9) Posted: Fri Aug 15, 2008 3:14 pm
Post subject: Re: Run As Adminstrator - why hasn't it saved us? [Login to view extended thread Info.] Archived from groups: microsoft>public>windows>vista>security (more info?)
"riix" <guest RemoveThis @unknown-email.com> wrote in message
news:e100bf9a5d61a24164a35762cccd0b06@nntp-gateway.com...
>
> To all that replied - thanks for your comments and no disrespect
> intended please, but seems we missed the issues:
>
> 1) when attempting to run as a Power User, the "RunAs Administrator"
> seems to be completely wrong in concept, yet has been around since ..
> NT3? Can this really be? Or am I totally not understanding how its
> supposed to work?
There is no more Power User on Vista, as stated in the article.
>
> 2) Why does disabling UAC also disable "RunAs.." - again: these are
> totally different concepts, why are they coupled?
UAC and Run As Administrator are tied together on Vista and are the new
security profile for the Admin and Standard user accounts. Even Admin on
Vista is locked down to Standard User and must have its rights escalated, as
stated in the link.
>
> 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
> members of a development shop. Its not just a click. Its the constant
> jarring effect of the screen going dim (or even black) for a second or
> two, the box, the click, the blink back to reality, then a few seconds
> later .. Event Viewer, IIS Admin, SQL studio, etc.
>
> Doing this, maybe 30-40 times a day? When XP just worked?
>
> And all this because the Vista product, and Microsoft narrow-mindness,
> won't allow me to work in a more intelligent fashion - which is: as a
> Power User and *not* as an Administrator?
1) You disable UAC.
2) You use something like TweakUac.
3) You set your account to be Super Admin so that you still have UAC enabled
because some applications will not work correctly with UAC off, those
applications using the Vista UAC manifest as an example, and by being Super
Admin, UAC will not prompt you as Super Admin, as stated in the link.
>
> 4) and maybe that's a bottom line - why does Vista install and create
> its users as Administrators? A while ago my son bought a new Acer
> computer with Vista Home Exceptional (or whatever its called). First
> thing I did was create an Adminstrator id, write the password on his
> monitor, then downgraded his ID to Normal User. He's now been using it
> for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
> that is, it hasn't affected him at all.
That's because Standard user on Vista has more rights than Limited user on
XP as an example, which was preventing a Limited user on XP from doing
things. This as been corrected on Vista. However, if the user your son was
running a solution as Standard user or as Admin, because Admin on Vista is
locked down to a Standard user, and UAC is enabled, the user is going to be
prompted for credentials for privilege escalation.
>
> Why doesn't Vista do this by default ?
>
Ask MS.
> 5) I've just found references to "UAC Manifest" files - does anyone
> have real, honest, practical experience with this as a way of calming
> UAC?
>
A programs running on Vista with UAC enabled, the developer can present the
UAC credentials to Vista for privilege escalation by using the manifest.
That UAC challenge box is still going to pop in the user's face, to allow or
disallow as Admin or if Standard user give user-id and psw for an Admin
account.
(Msg. 10) Posted: Fri Aug 15, 2008 5:44 pm
Post subject: Re: Run As Adminstrator - why hasn't it saved us? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
>
> You missed the point. I do not want to run as administrator. I don't
> think I should need such lofty privileges just to write programs. And if
> I turn off UAC then RunAs doesn't work.
>
The whole point of UAC is to allow you to run with an administrator account
when needed (as in a development environment) but still maintain better
security than previous versions of Windows. With UAC enabled when you logon
with an administrator account you get two tokens, a standard user token, and
an administrator token. The administrator token is never used unless UAC
steps in and allows it. In effect you are running as a standard user until
you see a UAC prompt. When you see a UAC prompt if you respond in the
affirmative the admin token is unhidden and the process will run with the
admin token. The key point is only that process has the admin token.
Everything else is still running as a standard user.
For development either turn UAC off or leave it on and run with an
administrator account. With UAC off you will need a different computer
(possibly virtual) for testing.
(Msg. 11) Posted: Fri Aug 15, 2008 8:39 pm
Post subject: Re: Run As Adminstrator - why hasn't it saved us? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
On Fri, 15 Aug 2008 07:53:00 -0500, riix wrote:
> To all that replied - thanks for your comments and no disrespect
> intended please, but seems we missed the issues:
>
> 1) when attempting to run as a Power User, the "RunAs Administrator"
> seems to be completely wrong in concept, yet has been around since ..
> NT3? Can this really be? Or am I totally not understanding how its
> supposed to work?
>
> 2) Why does disabling UAC also disable "RunAs.." - again: these are
> totally different concepts, why are they coupled?
>
> 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
> members of a development shop. Its not just a click. Its the constant
> jarring effect of the screen going dim (or even black) for a second or
> two, the box, the click, the blink back to reality, then a few seconds
> later .. Event Viewer, IIS Admin, SQL studio, etc.
>
> Doing this, maybe 30-40 times a day? When XP just worked?
> And all this because the Vista product, and Microsoft narrow-mindness,
> won't allow me to work in a more intelligent fashion - which is: as a
> Power User and *not* as an Administrator?
Windows Vista Secret #4: Disabling UAC
"...you probably consider yourself a power user. You pride yourself in the
responsibility of having full and absolute control over your machine
environment..."
http://blogs.msdn.com/tims/archive/2006/09/20/763275.aspx
> 4) and maybe that's a bottom line - why does Vista install and create
> its users as Administrators? A while ago my son bought a new Acer
> computer with Vista Home Exceptional (or whatever its called). First
> thing I did was create an Adminstrator id, write the password on his
> monitor, then downgraded his ID to Normal User. He's now been using it
> for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
> that is, it hasn't affected him at all.
>
> Why doesn't Vista do this by default ?
(Msg. 12) Posted: Sat Aug 16, 2008 6:41 pm
Post subject: Re: Run As Adminstrator - why hasn't it saved us? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
In message <10878302a19c380ba0d55200d531a8a9 RemoveThis @nntp-gateway.com> riix
<guest RemoveThis @unknown-email.com> wrote:
>I don't disagree. This is why I wonder that Vista Home doesn't
>'promote' creation of basic accounts but instead creates Administrator
>accounts?
This is *exactly* what UAC does. Users are using a basic "user" level
token at all times, until a program requests administrator privileges.
(Msg. 13) Posted: Sat Aug 16, 2008 6:41 pm
Post subject: Re: Run As Adminstrator - why hasn't it saved us? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
In message <e100bf9a5d61a24164a35762cccd0b06 RemoveThis @nntp-gateway.com> riix
<guest RemoveThis @unknown-email.com> wrote:
>To all that replied - thanks for your comments and no disrespect
>intended please, but seems we missed the issues:
>
>1) when attempting to run as a Power User, the "RunAs Administrator"
>seems to be completely wrong in concept, yet has been around since ..
>NT3? Can this really be? Or am I totally not understanding how its
>supposed to work?
First, there is no such thing as a power user in Vista. If the group
exists from an AD context, it has no particular rights on the desktop.
Second, if you're running as a standard user, "Run As Administrator"
hasn't changed, it still allows the user to run a program under a
different security context.
If you're running as an administrator already, then the UAC popup by
default doesn't require credentials (it already knows who you are, and
that you are authorized), so this is technically a regression as you
used to be able to run programs as any user. Luckily you can use group
policies to change this, if you need to be able to launch programs in a
different user context.
>2) Why does disabling UAC also disable "RunAs.." - again: these are
>totally different concepts, why are they coupled?
UAC controls the elevation process, and is largely what allows processes
from two different security contexts to interact on the same console.
>3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
>members of a development shop. Its not just a click. Its the constant
>jarring effect of the screen going dim (or even black) for a second or
>two, the box, the click, the blink back to reality, then a few seconds
>later .. Event Viewer, IIS Admin, SQL studio, etc.
>
>Doing this, maybe 30-40 times a day? When XP just worked?
If XP "just worked" then you were running with administrative access
already, or you're using a program that requests administrative access
but doesn't need it.
>And all this because the Vista product, and Microsoft narrow-mindness,
>won't allow me to work in a more intelligent fashion - which is: as a
>Power User and *not* as an Administrator?
A Power User is just an administrator who hasn't promoted themselves
yet.
>4) and maybe that's a bottom line - why does Vista install and create
>its users as Administrators? A while ago my son bought a new Acer
>computer with Vista Home Exceptional (or whatever its called). First
>thing I did was create an Adminstrator id, write the password on his
>monitor, then downgraded his ID to Normal User. He's now been using it
>for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
>that is, it hasn't affected him at all.
>
>Why doesn't Vista do this by default ?
Because the majority of users actually use their computers. They
install software (Flash come to mind anyone?), upgrade software, stuff
like that.
iTunes, Adobe Reader, Adobe Flash have all had security updates
recently, so either your son is horribly insecure, or uses the
administrator password. If he users the administrator password when
doing these activities then he's doing what UAC would have done for him.
UAC doesn't pop up randomly, it only happens when Vista detects an
activity happening that requires administrative privileges, or an
application or user specifically requests administrative privileges.
(Msg. 14) Posted: Mon Aug 18, 2008 7:28 am
Post subject: Re: Run As Adminstrator - why hasn't it saved us? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
thank you. please no more responses. i'm buying a mac for me and my son.
All times are: Eastern Time (US & Canada) (change) Goto page Previous1, 2
Page 2 of 2
You can post new topics in this forum You can reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Home
Forums
Home
FAQ
Profile
Private Messages
Log in
Windows Vista