Does enabling UAC control really make a difference in security?

[Arkitech]

I'm thinking it does'nt but maybe I'm wrong

 

[blackangst1]

It absolutely does. Without it activated, changes can be made without the user's knowledge to the registry, system folder, and others. Most who are somewhat tech savvy are confident these things would never happen to them, which, IMHO, is fallacy. Just because it hasnt, doesnt mean it wont or cant.

 

[MrChad]

It depends.

The intent is good. It makes you, the end user, aware when a program is trying to access system resources, as blackangst1 mentioned. This means that malicious programs cannot access these resources without you explicitly giving them permission to do so.

The problem, of course, is that too many UAC prompts leads to users clicking "Yes" automatically without actually reading the prompt or understanding what it's trying to say. This is a problem that Windows 7 tries to address, as Vista (at least earlier versions) overwhelmed users with way too many prompts.

 

[nerp]

In short, yes.

IE sandboxing is a significant advantage and that isn't related to prompts or user stupidity.

 

[corkyg]

Win 7 RTM has two intermediate levels of UAC between On and Off. That is useful. A lot depends on use. If you are the only person with access to your PC and you are not on line, and you have a good AV and firewall, then UAC is more of a PITA than an asset. On line, it is a different story.

 

[Tom]

Originally posted by: blackangst1
It absolutely does. Without it activated, changes can be made without the user's knowledge to the registry, system folder, and others. Most who are somewhat tech savvy are confident these things would never happen to them, which, IMHO, is fallacy. Just because it hasnt, doesnt mean it wont or cant.

Why did Microsoft make Windows so obscure and complex in the first place ?

example-Why is the registry necessary?

 

[blackangst1]

Originally posted by: Tom

Originally posted by: blackangst1
It absolutely does. Without it activated, changes can be made without the user's knowledge to the registry, system folder, and others. Most who are somewhat tech savvy are confident these things would never happen to them, which, IMHO, is fallacy. Just because it hasnt, doesnt mean it wont or cant.

Why did Microsoft make Windows so obscure and complex in the first place ?

example-Why is the registry necessary?

Well...Im not a coder so probably not the one to answer specifically; however, we have to remember we're talking about the most widely used OS on the planet. Now think about allll the possible hardware configurations that OS has to be installed on and it will give you an appreciation of 1. why it is the size it is, and 2. how well Windows works. Sure there are times when it gripes about some piece of hardware or another, but overall it covers the majority of what you throw at it.

 

[Crusty]

Originally posted by: Tom

Originally posted by: blackangst1
It absolutely does. Without it activated, changes can be made without the user's knowledge to the registry, system folder, and others. Most who are somewhat tech savvy are confident these things would never happen to them, which, IMHO, is fallacy. Just because it hasnt, doesnt mean it wont or cant.

Why did Microsoft make Windows so obscure and complex in the first place ?

example-Why is the registry necessary?

That's like arguing why cars have to be so complex in the first place. It's because it's a freaking Operating System. Do you think Linux or Mac OSX are any less complicated? Not at all, you need OS this complex to manage the even more complex hardware in order for users to accomplish simple tasks.

 

[sourceninja]

The registry is a great idea, just poorly implemented. Not that I would know how to handle it better. The INI situation before that was just hell.

 

[Nothinman]

example-Why is the registry necessary?

A central database is required for things like COM interfaces and filetype associations.

Is MS' implementation the best? That's debatable. It's pretty fragile because they used some special, proprietary, binary format and if the file holding HKLM gets corrupted the machine just BSOD's and there's no easy way to recover it.

Do you think Linux or Mac OSX are any less complicated? Not at all, you need OS this complex to manage the even more complex hardware in order for users to accomplish simple tasks.

Actually I'd say Linux is less complicated, I'm not sure about OS X since I don't own a Mac.

Sadly Gnome has their own registry implementation with gconf, but it's spread out into many files and they're all XML instead of some mysterious binary blob. The chances of you losing all of those XML files at once is pretty small and recovery is a lot simpler because they're just XML and the core parts of the system aren't dependent on them.

 

[iCyborg]

Originally posted by: Tom
example-Why is the registry necessary?

Stuff like which device drivers to load at boot, which services to autostart, licensing info, or per-user info like what desktop resolution, or which icons and what wallpapers to load for each user, etc. All this has to be kept in some configuration database and the need for it should be self-obvious. Windows' config database is called the Registry. Control Panel is pretty much a GUI for various registry entries, and a normal user shouldn't need to work with the keys directly, but Windows exposes it via regedit if someone wants to.

 

[Nothinman]

The registry is a great idea, just poorly implemented. Not that I would know how to handle it better. The INI situation before that was just hell.

Actually ini files are fine, I much prefer editing a human-readable txt file than searching for some random key in regedit.

 

[Crusty]

Originally posted by: Nothinman

Do you think Linux or Mac OSX are any less complicated? Not at all, you need OS this complex to manage the even more complex hardware in order for users to accomplish simple tasks.

Actually I'd say Linux is less complicated, I'm not sure about OS X since I don't own a Mac.

Hehe of course, I was only alluding to the fact that it's an OS and that it has to be complex if the user wants to be able to get anything useful done

 

[Nothinman]

Hehe of course, I was only alluding to the fact that it's an OS and that it has to be complex if the user wants to be able to get anything useful done

To and extent, yea, but I do think MS makes things more complicated than necessary for no good reason sometimes.

 

[Crusty]

Originally posted by: Nothinman

Hehe of course, I was only alluding to the fact that it's an OS and that it has to be complex if the user wants to be able to get anything useful done

To and extent, yea, but I do think MS makes things more complicated than necessary for no good reason sometimes.

I tend to agree, like AD and it's non-standard LDAP layout. It makes for a fun time trying to integrate into open source LDAP authentication plugins.

Not that I could tell you a better way though

 

[Nothinman]

I tend to agree, like AD and it's non-standard LDAP layout. It makes for a fun time trying to integrate into open source LDAP authentication plugins.

The only thing non-standard that I know of about AD's LDAP is the vendor-specific group information, which is in an area intended to be vendor-specific, and the fact that you can't have 2 users/groups with the same name in different OUs. LDAP itself is ugly because of all the different schema extensions, MS isn't alone in that.

 

[Crusty]

I had issues getting LDAP auth plugins to recognize the correct DN for a member in a group. Authentication would happen on the sAMAccountName attribute of the User so Group membership searching would look for that attribute instead of by CN='First and Last Name' in the group member attribute. So it would look for CN=bsmith, OU=,DN=,DN= instead of CN='Bob Smith', OU=,DN=,DN=... in the Group container.

I'm new to LDAP though so I'm sure I could have figured a way around it that didn't involve a cron job to update the auth database that I was trying to replace with direct LDAP auth, but I needed something that worked sooner rather then later.

 

[mechBgon]

Originally posted by: Arkitech
Does enabling UAC control really make a difference in security?

Yes, it does make a difference, in ways you cannot duplicate by your own "street smarts" or other alternatives. If you want to take full advantage of the built-in security features of Windows Vista or 7, one step is to leave UAC enabled.

 

[RebateMonger]

I do miss the old days when you could migrate a Windows application to a new installation of Windows by just copying the program folder to the new PC. Post-Registry, that convenience went away. It's sad that MS hasn't developed a way to migrate applications.

 

[Crusty]

Originally posted by: RebateMonger
I do miss the old days when you could migrate a Windows application to a new installation of Windows by just copying the program folder to the new PC. Post-Registry, that convenience went away. It's sad that MS hasn't developed a way to migrate applications.

win-get update windows-7.0

 

[KeypoX]

Originally posted by: RebateMonger
I do miss the old days when you could migrate a Windows application to a new installation of Windows by just copying the program folder to the new PC. Post-Registry, that convenience went away. It's sad that MS hasn't developed a way to migrate applications.

yeah... but some programs still work. And games.

They do need to fix this, maybe with the next windows, how about a more complicated proprietary registry that will do it lol

 

[Crusty]

Originally posted by: KeypoX

Originally posted by: RebateMonger
I do miss the old days when you could migrate a Windows application to a new installation of Windows by just copying the program folder to the new PC. Post-Registry, that convenience went away. It's sad that MS hasn't developed a way to migrate applications.

yeah... but some programs still work. And games.

They do need to fix this, maybe with the next windows, how about a more complicated proprietary registry that will do it lol

That's one thing I like about steam. All you have to do is reinstall the client and then copy all your game files back into your new steam directory.

 

[Tom]

Originally posted by: Nothinman

The registry is a great idea, just poorly implemented. Not that I would know how to handle it better. The INI situation before that was just hell.

Actually ini files are fine, I much prefer editing a human-readable txt file than searching for some random key in regedit.

thats more or less what I was thinking when I asked about the registry. I'd like to know if there's any reason for the registry other than hiding the complexity, which also makes it harder to fix problems.

I also think the "complexity" of a pc is being overstated. I suspect that the complexity comes more from the way operating systems are created than from the complexity of the hardware and the tasks computers are used for. My understanding is that the work of creating the operating system is divided up, and each group creates their own piece, then it's all glommed together into a giant program. I assume there's a group that integrates the stuff together, but that group probably gets rushed everytime and has to throw stuff together any way it can, rather than having time to come with a more sensible, easier to work with concept.

 

[Nothinman]

thats more or less what I was thinking when I asked about the registry. I'd like to know if there's any reason for the registry other than hiding the complexity, which also makes it harder to fix problems.

Well the registry dates back to NT31 so you've got to think about what was going on in the 1990-1993 timeframe. People screaming about open standards weren't nearly as prevelant and interoperability between systems was an afterthought at best. So it makes sense that when someone said "A central configuration database would be a good idea." the developers were left to go off and create their own completely new, closed database. As long as the API was available for 3rd party devs they were happy for the most part. If they were to create it fresh today one would hope they would start with something more open like XML.

I also think the "complexity" of a pc is being overstated.

Generally, yes. The combinations of hardware is almost infinite, however as long as devices follow specs it shouldn't really matter. However, lots of problems stem from hardware that doesn't follow the specs properly and drivers that just suck. ACPI is a great example of this, lots of manufacturers only tested their hardware with Windows and Windows didn't have complete ACPI support up until Vista. This let manufacturers release with partial implementations that made ugly assumptions based on how the Windows ACPI drivers worked. Now that Linux devs have been forcing the issue there's an ACPI test suite released on a Linux LiveCD and now Vista/W7 have more complete ACPI support this is getting better.

Just take a look at some of the Linux device drivers, there's tons of work arounds for hardware bugs. Hell, hardware bugs are the primary reason that "chipset drivers" even exist for Windows.

My understanding is that the work of creating the operating system is divided up, and each group creates their own piece, then it's all glommed together into a giant program.

It depends on how far you're stretching that. For the kernel itself, that's pretty much true because all of the drivers get loaded into the kernel directly and essentially become part of it.

For userland stuff each application is a separate binary and runs as a normal process. So explorerer, IE, paint, etc are all unique entities but they all use facilities presented by the kernel and libraries such as MFC, .Net, etc. As long as the exported APIs are maintained and work as described there shouldn't be any problems. But once again, those APIs are created by people so there's going to be bugs and things that aren't designed as well as they could've been.

I assume there's a group that integrates the stuff together, but that group probably gets rushed everytime and has to throw stuff together any way it can, rather than having time to come with a more sensible, easier to work with concept.

From that perspective, Windows and OS X have the higest levels of integration with the core system because they develop the whole thing from Explorer/Finder down to the kernel. Linux is different in that Gnome, KDE, XFCE, etc are developed separately from the kernel, C library, etc and then distributions like Debian, Ubuntu, Fedora, etc package them all up and do QA on the system as a whole.

As with every program, how well it works is going to depend on the developers skills and priorities. But IMO the more separated systems like Linux tend to work better because it forces the people working on exported APIs to be conservative with changes and think more about the design because they know they'll be stuck with that API for a while after it starts getting used.

 

[Rangoric]

Yes it does help. In many of the Security Issues that come up, if you read them they actually mention that the issue only appears when not using UAC.