Re: "What's the deal with UAC (Windows Needs Your Permission scree
"Alan Simpson" wrote:
> Well said Jimmy. But just a couple minor additions. Using a computer in a
> limited account for day-to-day stuff has been a security "best practice" for
> many years, and totally ignored outside the corporate environment for just
> as many years. Basically Vista makes that practice security best practice
> automatic and as painless as possible by letting you temporarily elevate
> on-the-fly on an as-needed basis.
> Also, for home users, there's a tie-in to parental controls here. From a
> password-protected administrative account you can set parental controls on
> children's standard accounts and monitor their computer and Internet use.
> The kids can't get to any of that from their standard accounts (without an
> administrative password). So they can't tamper with any of that.
> "Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
> > Hello,
> > I've noticed that a lot of the questions in these newsgroups are either
> > directly or indirectly related to UAC (User Account Control). In this
> > post, I will go over what UAC does, how it works, the reasoning behind it,
> > how to use your computer with UAC on, why you shouldn't turn UAC off, and
> > answer some common questions and respond to common complaints about it.
> > * What is UAC and what does it do?
> > UAC mode (also known as Admin Approval Mode) is a mode of operation that
> > (primarily) affects the way administrator accounts work.
> > When UAC is turned on (which it is by default), you must explicitly give
> > permission to any program that wants to use "administrator" powers. Any
> > program that tries to use admin powers without your permission will be
> > denied access.
> > * How does UAC work
> > When UAC mode is enabled, every program that you run will be given only
> > "standard user" access to the system, even when you are logged in as an
> > administrator. There are only 2 ways that a program can be "elevated" to
> > get full admin access to the system:
> > - If it automatically asks you for permission when it starts up, and you
> > click Continue
> > - If you start the program with permission by right-clicking it, then
> > clicking Run As Administrator
> > A program either starts with STANDARD rights or, if you give permission,
> > ADMINISTRATOR rights, and once the program is running it cannot change
> > from one to the other.
> > If a program that you have already started with admin powers starts
> > another program, that program will automatically be given admin powers
> > without needing your permission. For example, if you start Windows
> > Explorer as administrator, and then double-click on a text file, notepad
> > will open and display the contents of the text file. Since notepad was
> > opened from the admin explorer window, notepad WILL ALSO automatically run
> > WITH admin powers, and will not ask for permission.
> > * What's the point of UAC?
> > UAC is designed to put control of your computer back into your hands,
> > instead of at the mercy of the programs running on your computer.
> > When logged in as an administrator in Windows XP, any program that could
> > somehow get itself started could take control of the entire computer
> > without you even knowing about it.
> > With UAC turned on, you must know about and authorize a program in order
> > for it to gain admin access to the system, REGARDLESS of how the program
> > got there or how it is started.
> > This is important to all levels of users - from home users to enterprise
> > administrators. Being alerted when any program tries to use admin powers
> > and being able to unilaterally disallow a program from having such power
> > is a VERY powerful ability. No longer is the security of the system
> > tantamount to "crossing one's fingers and hoping for the best" - YOU now
> > control your system.
> > * How do I effectively use my computer with UAC turned on?
> > It's easy. Just keep in mind that programs don't have admin access to your
> > computer unless you give them permission. Microsoft programs that come
> > with Windows Vista that need admin access will always ask for admin
> > permissions when you start them. However, most other programs will not.
> > This will change after Windows Vista is released - all Windows Vista-era
> > programs that need admin power will always ask you for it. Until then, you
> > will need to run programs that need administrative powers that were not
> > designed for Windows Vista "as administrator".
> > Command-line programs do not automatically ask for permission. Not even
> > the built-in ones. You will need to run the command prompt "as
> > administrator" in order to run administrative command-line utilities.
> > Working with files and folders from Windows Explorer can be a real pain
> > when you are not working with your own files. When you are needing to work
> > with system files, files that you didn't create, or files from another
> > operating system, run Windows Explorer "as administrator". In the same
> > vein, ANY program that you run that needs access to system files or files
> > that you didn't create will need to be ran "as administrator".
> > If you are going to be working with the control panel for a long time,
> > running control.exe "as administrator" will make things less painful - you
> > will only be asked for permission once, instead of every time you try to
> > change a system-wide setting.
> > In short:
> > - Run command prompt as admin when you need to run admin utilities
> > - Run setup programs as admin
> > - Run programs not designed for Vista as admin if (and only if) they need
> > admin access
> > - Run Windows Explorer as admin when you need access to files that aren't
> > yours or system files
> > - Run programs that need access to files that aren't yours or system files
> > as admin
> > - Run control.exe as admin when changing many settings in the control
> > panel
> > * UAC is annoying, I want to turn it off
> > Having to go through an extra step (clicking Continue) when opening
> > administrative programs is annoying. And it is also very frustrating to
> > run a program that needs admin power but doesn't automatically ask you for
> > it (you have to right-click these programs and click Run As Administrator
> > for them to run correctly).
> > But, keep in mind that these small inconveniences are insignificant when
> > weighed against the benefit: NO PROGRAM can get full access to your system
> > without you being informed. The first time the permission dialog pops up
> > and it is from some program that you know nothing about or that you do not
> > want to have access to your system, you will be very glad that the Cancel
> > button was available to you.
> > * Answers to common questions and responses to common criticism
> > Q: I have anti-virus, a firewall, a spyware-detector, or something
> > similar. Why do I need UAC?
> > A: Detectors can only see known threats. And of all the known threats in
> > existence, they only detect the most common of those threats. With UAC
> > turned on, *you* control what programs have access to your computer - you
> > can stop ALL threats. Detectors are nice, but they're not enough. How many
> > people do you know that have detectors of all kinds and yet are still
> > infested with programs that they don't want on their computer? Everyone
> > that I have ever helped falls into this category.
> > Q: Does UAC replace anti-virus, a firewall, a spyware-detector, or similar
> > programs?
> > A: No. Microsoft recommends that you use a virus scanner and/or other
> > types of security software. These types of programs compliment UAC: They
> > will get rid of known threats for you. UAC will allow you to stop unknown
> > threats, as well as prevent any program that you do not trust from gaining
> > access to your computer.
> > Q: I am a system administrator - I have no use for UAC.
> > A: Really? You don't NEED to know when a program on your computer runs
> > with admin powers? You are a system administrator and you really could
> > care less when a program runs that has full control of your system, and
> > possibly your entire domain? You're joking, right?
> > Q: UAC keeps me from accessing files and folders
> > A: No, it doesn't - UAC protects you from programs that would try to
> > delete or modify system files and folders without your knowledge. If you
> > want a program to have full access to the files on your computer, you will
> > need to run it as admin. Or as an alternative, if possible, put the files
> > it needs access to in a place that all programs have access to - such as
> > your documents folder, or any folder under your user folder.
> > Q: UAC stops programs from working correctly
> > A: If a program needs admin power and it doesn't ask you for permission
> > when it starts, you have to give it admin powers by right-clicking it and
> > clicking Run As Administrator. Programs should work like they did in XP
> > when you use Run As Administrator. If they don't, then this is a bug.
> > Q: UAC keeps me from doing things that I could do in XP
> > A: This is not the case. Just remember that programs that do not ask for
> > permission when they start do not get admin access to your computer. If
> > you are using a tool that needs admin access, right-click it and click Run
> > As Administrator. It should work exactly as it did in XP. If it does not,
> > then this is a bug.
> > Q: UAC is Microsoft's way of controlling my computer and preventing me
> > from using it!
> > A: This is 100% UNTRUE. UAC puts control of your computer IN YOUR HANDS by
> > allowing you to prevent unwanted programs from accessing your computer.
> > *Everything* that you can do with UAC turned off, you can do with it
> > turned on. If this is not the case, then that is a bug.
> > Q: I don't need Windows to hold my freaking hand! I *know* what I've got
> > on my computer, and I *know* when programs run! I am logged on as an
> > ADMINISTRATOR for a dang reason!
> > A: I accept the way that you think, and can see the logic, but I don't
> > agree with this idea. UAC is putting POWER in your hands by letting you
> > CONTROL what runs on your system. But you want to give up this control and
> > allow all programs to run willy-nilly. Look, if you want to do this go
> > right ahead, you can turn UAC off and things will return to how they
> > worked in XP. But, don't be surprised when either 1) You run something by
> > mistake that messes up your computer and/or domain, or 2) A program
> > somehow gets on your computer that you know nothing about that takes over
> > your computer and/or domain, and UAC would have allowed you to have
> > stopped it.
> > - JB
> > Vista Support FAQ
> > http://www.jimmah.com/vista/