Jump to content


Photo
Issue

[Suggestion] Recommend always disabling UAC



  • Please log in to reply
8 replies to this topic

#1 Drakonas

Drakonas

    Citizen

  • Citizen
  • 11 posts

Posted 04 July 2014 - 07:06 PM

Before you all assume I am simply making an unprepared statement, please read this post.

 

I am suggesting that the third bullet underneath the "Setup DDSOpt" header (found on this Wiki page) be changed to recommend disabling UAC. I shall explain why.

 

User Account Control (UAC) is a Windows feature built to, in layman's terms, request users to allow a program Administrative access. It was first seen in Windows Vista, in which it was at its most annoying form. Every time a program asked for Admin access, UAC would prompt the user.

 

This changed when the Windows 7 beta rolled out. Microsoft made UAC a little less annoying, allowing most Microsoft-signed programs to run without asking the user for Admin rights, but still requiring a UAC prompt for anything else. UAC was now less annoying, however this change set the path for the majority of the world's malware to obtain access to every Windows computer's system.

 

In 2009, a UAC bypass proof-of-concept was announced. This bypass only worked for Windows 7 at the time, but newer UAC bypass concepts have been created for Windows 8 and even Windows 8.1. You can see an example video of this flaw in UAC being used to remotely obtain access to a fully-updated Windows 8.1 system with enabled antivirus, and UAC set to default settings, here.

 

Microsoft refuses to fix this issue. In fact, they very well shouldn't, because fixing the issue would most likely require a complete rewrite of how programs obtain access from UAC, and thus breaking compatibility with nearly every program available, requiring every developer to change their code to reflect Microsoft's changes.

 

The only way to prevent the bypass from working is to set UAC to the highest security level (which prompts for every program's initial access to admin rights, meaning every time a new program is called (Even when that program starts another process), it prompts for access. If you have ever tried using Windows with that security setting, you will agree that it gets annoying...fast.

 

This flaw in UAC is real, and renders UAC pretty much useless. More than that, UAC by itself is quite intensive on resources, especially for low-end systems. 

 

I personally recommend everyone disable UAC. Considering that performance will increase and security will be essentially no different than when UAC is enabled (because every real hacker knows of this flaw), there isn't a reason not to!

 

In any case, even if UAC prompted a user for giving Admin rights to a piece of malware, most malware are designed to look like real software. They even hide in other legit program's locations to make you think they are not malware! My point is that most end-users won't know the difference between a real process or malware. In fact, I have met many people that just hit "Yes" on any popup without even reading what the popup said. UAC doesn't know the difference between a virus and a legit program. It just asks the user whether to allow it or not, so if the user always clicks "Yes", why are they leaving the UAC feature enabled? It's called User Account Control for a reason.

 

I can say I'd expect that a lot of people playing around with Skyrim mods don't know when to say yes or no to a UAC prompt. I, personally, prefer to have it turned off because I get better performance and a good Antivirus generally blocks malware anyways, so UAC is pointless... for me at least.

 

 

The main reason I initially decided to suggest this is because of the ending phrase on that Wiki page that states you can disable UAC, "but it is also a security risk".

 

I'll respond, and conclude, with the following statement. Based on the information I've provided above, the statement on the STEP wiki, that states "disabling UAC is a security risk", is quite false, and gives an idea to users to leave UAC enabled (usually at the default, flawed setting), which in turn decreases overall system performance and provides virtually no extra security. I recommend changing the way that bullet is written.

 

 

You can find more information regarding the UAC flaws and bypass attacks on an originating page found here; and you can find a more recent article explaining in layman's terms how the attacks work, as well as information regarding Windows 8.1 vulnerability, on the article found here.

 

Thank you for your time. In any case, I hope I have educated some people.


Edited by Drakonas, 04 July 2014 - 07:22 PM.

  • 0

#2 DoubleYou

DoubleYou

    Wiki Stepper

  • Step Admin
  • PipPipPipPipPipPipPipPipPipPipPip
  • 4,868 posts

Posted 04 July 2014 - 08:43 PM

The problem with your suggestion is that for Windows 8 users, disabling UAC does not have the same effect that it had on Windows 7 and earlier. You would still need to edit security settings or Run as Administrator. And if you disable UAC at its core in Windows 8, you cannot use any start menu apps. Therefore, disabling UAC is not a feasible suggestion for STEP.


  • 0

#3 Drakonas

Drakonas

    Citizen

  • Citizen
  • 11 posts

Posted 04 July 2014 - 10:01 PM

The problem with your suggestion is that for Windows 8 users, disabling UAC does not have the same effect that it had on Windows 7 and earlier. You would still need to edit security settings or Run as Administrator. And if you disable UAC at its core in Windows 8, you cannot use any start menu apps. Therefore, disabling UAC is not a feasible suggestion for STEP.

I did not realize this. However, my main point was the incorrect statement that disabling UAC is a security risk. Could that at least be changed? A lot of people seem to think it helps with security, but in my experience it never does. (The fact that UAC in 8.1 can still be exploited proves it)

 

EDIT 2: Granted, a lot of malware seem to not take advantage of the exploit. However, I've only seen a handful of malware produce a prompt for UAC.

 

UAC really only protects the system if the slider is at its max setting (Always notify).

 

Edit: Lol, I have 0 posts. XD


Edited by Drakonas, 04 July 2014 - 10:07 PM.

  • 0

#4 TechAngel85

TechAngel85

    Akatosh

  • Administrator
  • PipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPip
  • 13,040 posts

Posted 05 July 2014 - 07:49 AM

This is really a non-issue (and this coming from myself who is trained in the IT field) and I see no reason to change it. We're not going to be instructing users to change anything on their computer systems that has nothing to do with modding. That is outside the scope of STEP.



#5 phazer11

phazer11

    High King

  • VIP-Supporter
  • PipPipPipPipPipPip
  • 3,110 posts

Posted 05 July 2014 - 12:14 PM

Plus, most computer users are bad enough with safety that they'd make even worse decisions about what they download and run on their systems. Heck some of the friends I've known for a while don't scan executables or archives, etc before they run or do anything with it; this is not Linux people (though even then be cautious)! I've gone in and tweaked everything but I've also built Linux from the ground up and compile some of my own programs so I can do the more complex edits required to do things properly.


  • 0

#6 TechAngel85

TechAngel85

    Akatosh

  • Administrator
  • PipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPip
  • 13,040 posts

Posted 05 July 2014 - 09:34 PM

I decided to and removed that line from the DDSopt Guide entirely as it has nothing to do with the Guide and the information needed in provided in the bullet point above it.



#7 Drakonas

Drakonas

    Citizen

  • Citizen
  • 11 posts

Posted 05 July 2014 - 10:14 PM

Plus, most computer users are bad enough with safety that they'd make even worse decisions about what they download and run on their systems. Heck some of the friends I've known for a while don't scan executables or archives, etc before they run or do anything with it; this is not Linux people (though even then be cautious)! I've gone in and tweaked everything but I've also built Linux from the ground up and compile some of my own programs so I can do the more complex edits required to do things properly.

 

 

This is really a non-issue (and this coming from myself who is trained in the IT field) and I see no reason to change it. We're not going to be instructing users to change anything on their computer systems that has nothing to do with modding. That is outside the scope of STEP.

I agree with both of you. I guess I just got ahead of myself. UAC is more of a n00b prevention tool than a security tool, in my opinion though, as this flaw is easily exploitable... and pretty much renders UAC useless for security for a lot of malware. I prefer my Antivirus and understanding of where to go on the internet (plus an adblock) than having UAC, but I guess that's just my preference.

 

I decided to and removed that line from the DDSopt Guide entirely as it has nothing to do with the Guide and the information needed in provided in the bullet point above it.

 

Well I guess that's a better reason.. :/ lol.

 

Edit: Still 0 posts... yay I'm totally not providing good input here. XD


Edited by Drakonas, 05 July 2014 - 10:16 PM.

  • 0

#8 TechAngel85

TechAngel85

    Akatosh

  • Administrator
  • PipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPip
  • 13,040 posts

Posted 05 July 2014 - 10:36 PM

I use an ad blocker and Windows Defender. Seriously, that's it. I never have any malware/spyware issues. It's all about knowing and following best practices.

 

As for your post count...I have not idea what is going on there but it seems to be affecting the entire site or at least a group of users. Mine isn't increasing either. :O_o:

 

EDIT:

Sent a PM to Z and S4N about the post count issue.



#9 TechAngel85

TechAngel85

    Akatosh

  • Administrator
  • PipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPipPip
  • 13,040 posts

Posted 06 July 2014 - 08:25 AM

Okay, got an answer. Post counts are disable in some forums (this happens to be one of them). I don't know why the admins decided this, but there you go.





Also tagged with one or more of these keywords: issue

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users