In wildly heterogeneous research environments with a history of researchers being able to do what they need to do on whatever hardware they need to do it on (everything from supercomputers to embedded controllers), and no formal end-user IT support to speak of, things don't always go the way they "should" when it comes to IT practices. Sometimes new requirements take effect with very little lead time as a result of mistakes and poor practices in another (unrelated) part of the "organization" that get press visibility. Adequate resources to implement those new requirements don't suddenly appear along with them.
Aircraft carriers can't turn on a dime, so to speak.
Thanks for the link.
I don't run IE so that vector is not available.
The answer is to not let malware get on the PC in the first place. The standard user response of Click OK when a popup appears on installing software doesn't protect users any more than not having the Click OK dialog in any situation I've come across on my machines. YMMV.
To be honest, this new laptop is the first one that I've turned the UAC all the way down on - I usually put it on the next to last setting. Maybe I should do that now. ;-)
Again, the settings for UAC and the rest are going to be out of my hands on the new laptop soon. So don't have heartburn over this. ;-)
Thanks.
Cheers,
Scott.
(Who isn't saying that all users should do what I do. And who isn't saying he's never broken his Windows install - that's happened a few times, but had nothing to do with UAC (e.g. breaking partitions on a stretched clone drive).)
Aircraft carriers can't turn on a dime, so to speak.
Thanks for the link.
Finally, the bottom slider position turns off UAC technologies altogether, so that all software running in a PA account runs with full administrative rights, file system and registry virtualization are disabled, and Protected Mode IE is disabled. While there are no prompts at this setting, the loss of Protected Mode IE is a significant disadvantage of this mode.
I don't run IE so that vector is not available.
Several people have observed that it's possible for third-party software running in a PA account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. Since the code is executing in Explorer, which is a Windows executable, it can leverage the COM objects that auto-elevate, like the Copy/Move/Rename/Delete/Link Object, to modify system registry keys or directories and give the software administrative rights. While true, these steps require deliberate intent, aren't trivial, and therefore are not something we believe legitimate developers would opt for versus fixing their software to run with standard user rights. In fact, we recommend against any application developer taking a dependency on the elevation behavior in the system and that application developers test their software running in standard user mode.
The follow-up observation is that malware could gain administrative rights using the same techniques. Again, this is true, but as I pointed out earlier, malware can compromise the system via prompted elevations as well. From the perspective of malware, Windows 7's default mode is no more or less secure than the Always Notify mode ("Vista mode"), and malware that assumes administrative rights will still break when run in Windows 7's default mode.
The answer is to not let malware get on the PC in the first place. The standard user response of Click OK when a popup appears on installing software doesn't protect users any more than not having the Click OK dialog in any situation I've come across on my machines. YMMV.
To be honest, this new laptop is the first one that I've turned the UAC all the way down on - I usually put it on the next to last setting. Maybe I should do that now. ;-)
Again, the settings for UAC and the rest are going to be out of my hands on the new laptop soon. So don't have heartburn over this. ;-)
Thanks.
Cheers,
Scott.
(Who isn't saying that all users should do what I do. And who isn't saying he's never broken his Windows install - that's happened a few times, but had nothing to do with UAC (e.g. breaking partitions on a stretched clone drive).)