| Subject: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/14/2008 2:41:51 PM |
| From: riix [Email Address Protection] |
Hi all, I'm totally confused and wondering if I got this wrong or, after 2 decades of NT its still microsoft that's got this wrong. - I figure that better than UAC would be to run as Power User, and use the "Run As Administrator" when needed - which is often - Visual Studio, Event Viewer, IIS, SQL Server, etc. - so I enabled the Administrator id, turn off UAC (after all, won't need it anymore and might speed up this doggy), downgraded my id to 'PU' and try it out. - Boots and I log on (so far so good). Go to run VS - what? "Run As Administrator" is grayed out ??? so I google this and find out you gotta have UAC running to get this to work .. DUH Microsoft ??? what's the connection between these two concepts ?? - But ok, log on as Administrator, turn UAC back on, reboot and log on again as a 'PU' . OK, let's try VS again - "Run As Administrator" works ! and voila a (big) box pops up (what ever happened to respect for screen real estate?) and I have to select an id - it lists my PU id even if its not an administrator (so why??) but, anyhow, I select "Administrator", enter password and .. .. sure bloody enough it works - I'm now running VS as the "Administrator" id .. .. err ... you gotta be kidding right? Because I'm running as "Administrator" .. like I have the Administrator's (My) Document and preferences etc .. .. Unbeliveable - what's wrong with this picture Microsoft? I didn't want to run as the Administrator ID - I just wanted to run with Administrator RIGHTS - i.e., to be ethereally in the Administrators Group for the life of this single process !!!!! Jumping heck, I can't believe we've been with this since NT3 and Microsoft still don't seem to get it. Wouldn't this solve so many darn problems? Even to the point of making UAC unnecessary???? SO .. I'm bitterly disappointed in MS, in Vista. Back to being Administrator and the ever constant UAC nag. Or back to XP .. (anyone have XP64 experiences?) Or just give up, and jump over to Eclipse, Java and Linux .. -- riix |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/14/2008 3:43:54 PM |
| From: "Mr. Arnold" [Email Address Protection] |
"riix" <guest@unknown-email.com> wrote in message news:916a34dd41239df1dc7665f27879e302@nntp-gateway.com... > > SO .. I'm bitterly disappointed in MS, in Vista. Back to being > Administrator and the ever constant UAC nag. > http://news.softpedia.com/news/Admin-Approval-Mode-in-Windows-Vista-45312.shtml <http://www.computerperformance.co.uk/vista/vista_administrator_activate.htm#Summary_of_Vista_Administrator_-_Super_User_(Hidden_Account)> |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/14/2008 4:06:24 PM |
| From: "Steve Thackery" [Email Address Protection] |
Here's what to do: just make your normal user account an Administrator account, and re-enable UAC. You still run as a normal user, except that when elevation is required you just get a confirmation box, rather than the whole "Administrator's username and password" prompt. It takes one click of the mouse, or two key presses. And to be honest you give nothing away in terms of security, unless other people can get unauthorised access to your machine. Like you, I run a few programs that need elevation, and this is how I run my machine. It's great: whenever something that might affect the integrity or security of the OS is about to happen, UAC gives me a single "are you sure?" prompt. This should have been implemented years ago, to be honest. It's known as Administrator Approval mode, and is very low hassle. SteveT |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/15/2008 5:53:00 AM |
| From: riix [Email Address Protection] |
To all that replied - thanks for your comments and no disrespect intended please, but seems we missed the issues: 1) when attempting to run as a Power User, the "RunAs Administrator" seems to be completely wrong in concept, yet has been around since .. NT3? Can this really be? Or am I totally not understanding how its supposed to work? 2) Why does disabling UAC also disable "RunAs.." - again: these are totally different concepts, why are they coupled? 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for members of a development shop. Its not just a click. Its the constant jarring effect of the screen going dim (or even black) for a second or two, the box, the click, the blink back to reality, then a few seconds later .. Event Viewer, IIS Admin, SQL studio, etc. Doing this, maybe 30-40 times a day? When XP just worked? And all this because the Vista product, and Microsoft narrow-mindness, won't allow me to work in a more intelligent fashion - which is: as a Power User and *not* as an Administrator? 4) and maybe that's a bottom line - why does Vista install and create its users as Administrators? A while ago my son bought a new Acer computer with Vista Home Exceptional (or whatever its called). First thing I did was create an Adminstrator id, write the password on his monitor, then downgraded his ID to Normal User. He's now been using it for over a month and HAS NOT EVEN NOTICED he's not an Administrator, that is, it hasn't affected him at all. Why doesn't Vista do this by default ? 5) I've just found references to "UAC Manifest" files - does anyone have real, honest, practical experience with this as a way of calming UAC? Cheers. -- riix |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/15/2008 6:39:12 AM |
| From: Kayman [Email Address Protection] |
On Fri, 15 Aug 2008 07:53:00 -0500, riix wrote: > To all that replied - thanks for your comments and no disrespect > intended please, but seems we missed the issues: > > 1) when attempting to run as a Power User, the "RunAs Administrator" > seems to be completely wrong in concept, yet has been around since .. > NT3? Can this really be? Or am I totally not understanding how its > supposed to work? > > 2) Why does disabling UAC also disable "RunAs.." - again: these are > totally different concepts, why are they coupled? > > 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for > members of a development shop. Its not just a click. Its the constant > jarring effect of the screen going dim (or even black) for a second or > two, the box, the click, the blink back to reality, then a few seconds > later .. Event Viewer, IIS Admin, SQL studio, etc. > > Doing this, maybe 30-40 times a day? When XP just worked? TweakUAC for Windows Vista. http://www.tweak-uac.com/home/ > And all this because the Vista product, and Microsoft narrow-mindness, > won't allow me to work in a more intelligent fashion - which is: as a > Power User and *not* as an Administrator? Windows Vista Secret #4: Disabling UAC "...you probably consider yourself a power user. You pride yourself in the responsibility of having full and absolute control over your machine environment..." http://blogs.msdn.com/tims/archive/2006/09/20/763275.aspx > 4) and maybe that's a bottom line - why does Vista install and create > its users as Administrators? A while ago my son bought a new Acer > computer with Vista Home Exceptional (or whatever its called). First > thing I did was create an Adminstrator id, write the password on his > monitor, then downgraded his ID to Normal User. He's now been using it > for over a month and HAS NOT EVEN NOTICED he's not an Administrator, > that is, it hasn't affected him at all. > > Why doesn't Vista do this by default ? Speed Vista: Turn off UAC, or at least make it less annoying http://www.pctipsbox.com/speed-vista-turn-off-uac-or-at-least-make-it-less-annoying/ > 5) I've just found references to "UAC Manifest" files - does anyone > have real, honest, practical experience with this as a way of calming > UAC? Understanding and Configuring User Account Control in Windows Vista. http://technet.microsoft.com/en-us/library/cc709628.aspx User Account Control Step-by-Step Guide. http://technet.microsoft.com/en-us/library/cc709691.aspx How to disable UAC http://www.vista4beginners.com/How-to-disable-UAC |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/15/2008 7:03:16 AM |
| From: "Beoweolf" [Email Address Protection] |
Your question, seems more an indictment than a genuine question. My comment, much as yours, is offered as an opinion or view, except from an administration point of view, no disrespect intended or hidden agenda. The fact that development is hindered by having to respect secure calls should be a warning to development that your intended audience will similarly be affected. Business as usual, shortcuts and all is not acceptable in Vista. Just as users are having to deal with a more secure environment, seems development is going to have to learn a new way building code. As I'm sure you already know, Vista Home(?) is built with the intent of servicing less knowledgeable consumers/users. Further it is intended to run, seamlessly without use of administrator, due to its limited target user. Back on topic, I continue to find it strange when the biggest historical complaint against Microsoft client OS's has been lack of security, yet when it finally assumes a much more secure posture, the reward is more complaints about it being "too" secure. I would expect, that if developers complain enough, Microsoft may take a step toward making a developers version Vista with all the offending safeguards removed. However, I would expect it would lengthen the test cycle, since at some point the code must run in the real world of the ultimate consumer. Bottom line - You can turn UAC off. If you are the administrator, why would you need "run as"? It does not seem logical to want the rights and not want to accept the responsibility. Power user had been inactivated/removed, since W2K/XP/XP-Pro, when client is installed on a domain...hasn't it? "riix" <guest@unknown-email.com> wrote in message news:e100bf9a5d61a24164a35762cccd0b06@nntp-gateway.com... > > To all that replied - thanks for your comments and no disrespect > intended please, but seems we missed the issues: > > 1) when attempting to run as a Power User, the "RunAs Administrator" > seems to be completely wrong in concept, yet has been around since .. > NT3? Can this really be? Or am I totally not understanding how its > supposed to work? > > 2) Why does disabling UAC also disable "RunAs.." - again: these are > totally different concepts, why are they coupled? > > 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for > members of a development shop. Its not just a click. Its the constant > jarring effect of the screen going dim (or even black) for a second or > two, the box, the click, the blink back to reality, then a few seconds > later .. Event Viewer, IIS Admin, SQL studio, etc. > > Doing this, maybe 30-40 times a day? When XP just worked? > > And all this because the Vista product, and Microsoft narrow-mindness, > won't allow me to work in a more intelligent fashion - which is: as a > Power User and *not* as an Administrator? > > 4) and maybe that's a bottom line - why does Vista install and create > its users as Administrators? A while ago my son bought a new Acer > computer with Vista Home Exceptional (or whatever its called). First > thing I did was create an Adminstrator id, write the password on his > monitor, then downgraded his ID to Normal User. He's now been using it > for over a month and HAS NOT EVEN NOTICED he's not an Administrator, > that is, it hasn't affected him at all. > > Why doesn't Vista do this by default ? > > 5) I've just found references to "UAC Manifest" files - does anyone > have real, honest, practical experience with this as a way of calming > UAC? > > Cheers. > > > -- > riix |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/15/2008 9:09:51 AM |
| From: riix [Email Address Protection] |
Beoweolf;805441 Wrote: > Your question, seems more an indictment than a genuine question. Others can say it more succinctly that me: 'Am I at risk if I disable UAC?' (http://www.tweak-uac.com/am-i-at-risk-if-i-disable-uac/) Beoweolf;805441 Wrote: > The fact that development is hindered by having to respect secure calls > should be a warning to development that your intended audience will > similarly be affected. I'm not sure what you're referring to; certainly I don't anticipate our product buyers ("intended audience") to have to use Event Viewer, IIS Admin, or SQL Server Studio (at least not to use our product). Beoweolf;805441 Wrote: > seems development is going to have to learn a new way building code. Yes a tedious, non-productive and irritating way .. Beoweolf;805441 Wrote: > As I'm sure you already know, Vista Home(?) is built with the intent of > servicing less knowledgeable consumers/users. Further it is intended to > run, seamlessly without use of administrator, due to its limited target > user. I don't disagree. This is why I wonder that Vista Home doesn't 'promote' creation of basic accounts but instead creates Administrator accounts? Beoweolf;805441 Wrote: > Back on topic, I continue to find it strange when the biggest > historical complaint against Microsoft client OS's has been lack of > security, yet when it finally assumes a much more secure posture, the > reward is more complaints about it being "too" secure. Are you referring to my post or to comments 'out there' in general? My issue is not about it being "too" secure (refer again to above link for a better stating of facts than I could ever do), my issue instead is how intrusive and irritating this supposed 'safeguard' is. Beoweolf;805441 Wrote: > Bottom line - You can turn UAC off. If you are the administrator, why > would you need "run as"? It does not seem logical to want the rights and > not want to accept the responsibility. > > Power user had been inactivated/removed, since W2K/XP/XP-Pro, when > client is > installed on a domain...hasn't it? You missed the point. I do not want to run as administrator. I don't think I should need such lofty privileges just to write programs. And if I turn off UAC then RunAs doesn't work. However .. to end this thread - thank yous Kayman for pointing out Tweak-UAC; I think its an acceptable compromise. "riix" <guest@xxxxxx-email.com> wrote in message news:e100bf9a5d61a24164a35762cccd0b06@xxxxxx-gateway.com... -- riix |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/15/2008 12:14:34 PM |
| From: "Mr. Arnold" [Email Address Protection] |
"riix" <guest@unknown-email.com> wrote in message news:e100bf9a5d61a24164a35762cccd0b06@nntp-gateway.com... > > To all that replied - thanks for your comments and no disrespect > intended please, but seems we missed the issues: > > 1) when attempting to run as a Power User, the "RunAs Administrator" > seems to be completely wrong in concept, yet has been around since .. > NT3? Can this really be? Or am I totally not understanding how its > supposed to work? There is no more Power User on Vista, as stated in the article. <http://technet.microsoft.com/en-us/magazine/cc160882.aspx> > > 2) Why does disabling UAC also disable "RunAs.." - again: these are > totally different concepts, why are they coupled? UAC and Run As Administrator are tied together on Vista and are the new security profile for the Admin and Standard user accounts. Even Admin on Vista is locked down to Standard User and must have its rights escalated, as stated in the link. <http://technet.microsoft.com/en-us/library/cc709691.aspx> > > 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for > members of a development shop. Its not just a click. Its the constant > jarring effect of the screen going dim (or even black) for a second or > two, the box, the click, the blink back to reality, then a few seconds > later .. Event Viewer, IIS Admin, SQL studio, etc. > > Doing this, maybe 30-40 times a day? When XP just worked? > > And all this because the Vista product, and Microsoft narrow-mindness, > won't allow me to work in a more intelligent fashion - which is: as a > Power User and *not* as an Administrator? 1) You disable UAC. 2) You use something like TweakUac. 3) You set your account to be Super Admin so that you still have UAC enabled because some applications will not work correctly with UAC off, those applications using the Vista UAC manifest as an example, and by being Super Admin, UAC will not prompt you as Super Admin, as stated in the link. <http://www.computerperformance.co.uk/vista/vista_administrator_activate.htm#Summary_of_Vista_Administrator_-_Super_User_(Hidden_Account)> > > 4) and maybe that's a bottom line - why does Vista install and create > its users as Administrators? A while ago my son bought a new Acer > computer with Vista Home Exceptional (or whatever its called). First > thing I did was create an Adminstrator id, write the password on his > monitor, then downgraded his ID to Normal User. He's now been using it > for over a month and HAS NOT EVEN NOTICED he's not an Administrator, > that is, it hasn't affected him at all. That's because Standard user on Vista has more rights than Limited user on XP as an example, which was preventing a Limited user on XP from doing things. This as been corrected on Vista. However, if the user your son was running a solution as Standard user or as Admin, because Admin on Vista is locked down to a Standard user, and UAC is enabled, the user is going to be prompted for credentials for privilege escalation. > > Why doesn't Vista do this by default ? > Ask MS. > 5) I've just found references to "UAC Manifest" files - does anyone > have real, honest, practical experience with this as a way of calming > UAC? > A programs running on Vista with UAC enabled, the developer can present the UAC credentials to Vista for privilege escalation by using the manifest. That UAC challenge box is still going to pop in the user's face, to allow or disallow as Admin or if Standard user give user-id and psw for an Admin account. <http://community.bartdesmet.net/blogs/bart/archive/2006/10/28/Windows-Vista-_2D00_-Demand-UAC-elevation-for-an-application-by-adding-a-manifest-using-mt.exe.aspx> |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/15/2008 5:44:28 PM |
| From: "Kerry Brown" [Email Address Protection] |
> > You missed the point. I do not want to run as administrator. I don't > think I should need such lofty privileges just to write programs. And if > I turn off UAC then RunAs doesn't work. > The whole point of UAC is to allow you to run with an administrator account when needed (as in a development environment) but still maintain better security than previous versions of Windows. With UAC enabled when you logon with an administrator account you get two tokens, a standard user token, and an administrator token. The administrator token is never used unless UAC steps in and allows it. In effect you are running as a standard user until you see a UAC prompt. When you see a UAC prompt if you respond in the affirmative the admin token is unhidden and the process will run with the admin token. The key point is only that process has the admin token. Everything else is still running as a standard user. For development either turn UAC off or leave it on and run with an administrator account. With UAC off you will need a different computer (possibly virtual) for testing. -- Kerry Brown MS-MVP - Windows Desktop Experience: Systems Administration http://www.vistahelp.ca/phpBB2/ http://vistahelpca.blogspot.com/ |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/16/2008 5:41:53 PM |
| From: DevilsPGD [Email Address Protection] |
In message <10878302a19c380ba0d55200d531a8a9@nntp-gateway.com> riix <guest@unknown-email.com> wrote: >I don't disagree. This is why I wonder that Vista Home doesn't >'promote' creation of basic accounts but instead creates Administrator >accounts? This is *exactly* what UAC does. Users are using a basic "user" level token at all times, until a program requests administrator privileges. |
| Back |
| Subject: Re: Run As Adminstrator - why hasn't it saved us? |
| Group: microsoft.public.windows.vista.security |
| Date: 8/16/2008 5:41:53 PM |
| From: DevilsPGD [Email Address Protection] |
In message <e100bf9a5d61a24164a35762cccd0b06@nntp-gateway.com> riix <guest@unknown-email.com> wrote: >To all that replied - thanks for your comments and no disrespect >intended please, but seems we missed the issues: > >1) when attempting to run as a Power User, the "RunAs Administrator" >seems to be completely wrong in concept, yet has been around since .. >NT3? Can this really be? Or am I totally not understanding how its >supposed to work? First, there is no such thing as a power user in Vista. If the group exists from an AD context, it has no particular rights on the desktop. Second, if you're running as a standard user, "Run As Administrator" hasn't changed, it still allows the user to run a program under a different security context. If you're running as an administrator already, then the UAC popup by default doesn't require credentials (it already knows who you are, and that you are authorized), so this is technically a regression as you used to be able to run programs as any user. Luckily you can use group policies to change this, if you need to be able to launch programs in a different user context. >2) Why does disabling UAC also disable "RunAs.." - again: these are >totally different concepts, why are they coupled? UAC controls the elevation process, and is largely what allows processes from two different security contexts to interact on the same console. >3) UAC is _not_ a minor inconvenience, it is a *major* hassle for >members of a development shop. Its not just a click. Its the constant >jarring effect of the screen going dim (or even black) for a second or >two, the box, the click, the blink back to reality, then a few seconds >later .. Event Viewer, IIS Admin, SQL studio, etc. > >Doing this, maybe 30-40 times a day? When XP just worked? If XP "just worked" then you were running with administrative access already, or you're using a program that requests administrative access but doesn't need it. >And all this because the Vista product, and Microsoft narrow-mindness, >won't allow me to work in a more intelligent fashion - which is: as a >Power User and *not* as an Administrator? A Power User is just an administrator who hasn't promoted themselves yet. >4) and maybe that's a bottom line - why does Vista install and create >its users as Administrators? A while ago my son bought a new Acer >computer with Vista Home Exceptional (or whatever its called). First >thing I did was create an Adminstrator id, write the password on his >monitor, then downgraded his ID to Normal User. He's now been using it >for over a month and HAS NOT EVEN NOTICED he's not an Administrator, >that is, it hasn't affected him at all. > >Why doesn't Vista do this by default ? Because the majority of users actually use their computers. They install software (Flash come to mind anyone?), upgrade software, stuff like that. iTunes, Adobe Reader, Adobe Flash have all had security updates recently, so either your son is horribly insecure, or uses the administrator password. If he users the administrator password when doing these activities then he's doing what UAC would have done for him. UAC doesn't pop up randomly, it only happens when Vista detects an activity happening that requires administrative privileges, or an application or user specifically requests administrative privileges. |
| Back |