proposed changes to UAC mechanism, RunAs, and documentation

Posted: 08-26-2008, 03:27 AM
Hello -

Someone please forward the comments below to people working on Vista Service
Pack 2:

The "Run as Administrator" option that appears when you right-click on a
shortcut or program should be changed in Vista to say "Run Elevated as
Current User". The Run As Administrator doesn't prompt for credentials in
instances where a Local Admin is already logged in, breaking the
functionality of "Run As" as it was previously created and used in XP/2000.
If anything, Vista should have "Run Elevated as Current User", "Run Elevated
as Different User", and "Run Standard as Different User" options instead of
the current Run as Administrator. What if you are a power user - the "Run as
Administrator" option may need to be used by that user - that is very
confusing to the user since they are not an administrator.

Vista's UAC implementation does not take into account or allow
administrative scripts to operate as they have in the past. I do not like any
of the current options for getting around UAC controls/prompts that stop or
break administrative scripts based on batch/vbs/wsh/AutoIT/KiXtart/etc. There
needs to be a straightforward method for people to execute administrative
scripts without turning off UAC. These scripts need to be able to run
administrative functions with elevated privileges without UAC prompts. Most
SMB organizations will not buy add-on (think MS SMS) or third party tools to
repackage, rewrite, sign, or execute their current administrative automation
under Vista. Only allowing signed content to run/install is not a fix of any
sort - malware writers will just start digitally signing their stuff. Also,
for most organizations only allowing installs/scripts to happen from certain
locations is just not possible.

How about a new default user group in Windows like this: Local group with
automatic, silent UAC elevation? This way UAC is left intact and
administrators can choose which accounts can silently elevate their
privileges. This group should also have some security event log auditing
turned on by default.

We need two classes of accounts - those that silently elevate their
privileges and those that do not. Accounts with the silent elevation
privilege may not even be Local Admins or Domain Admins, but with special,
custom privileges instead. Just silently elevating all Local Admins is a bad
practice that diminishes the usefulness of UAC greatly. Unfortunately that is
the best option for most admins right now.

I notice several deficiencies in Microsoft documentation about UAC posted
online:

There appears to be no differentiation between Local Administrator and
Domain Administrator. There is clearly different behavior with MMC tools and
similar for users who are not Domain Admins and Local Administrators at the
same time. If you are logged in as a Local Admin but not a Domain Admin you
have to revert to things like invoking RUNAS from the CMD prompt to properly
run your MMC tools.

There is very little info about users who have rights more than a standard
user but less than a Local Admin, like power user. The document does not note
the fact that any user who logged in with privileges higher than standard
user appears to receive two tokens too and UAC applies in that instance as
well.

Thanks for listening,

James
MCSE +Security Server 2003, XP
CompTIA Security+

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://www.microsoft.com/communities...vista.security
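The behaviour this post is about can be checked on a machine rather than argued from documentation. The script below is an added example, not code from the post or from Microsoft. It assumes PowerShell 3.0 or later on Windows Vista or a newer release, plus the in-box whoami.exe. The registry values it reads (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) are Microsoft's documented UAC policy values; the function names and the $FilteredGroups table are this example's own. It is read-only: it reports which elevation policy is in effect, flags the "every local admin elevates silently" setting the post calls bad practice, and shows whether the current shell is the standard-user half of the split token the post describes.

```powershell
# Added example, not taken from the post or from Microsoft: a read-only
# review of the UAC behaviour the post discusses. Assumes PowerShell 3.0 or
# later on Windows Vista or newer, plus the in-box whoami.exe.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (values 0-5).
$AdminPromptText = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

# Well-known SIDs of groups whose membership makes UAC hand the logon a
# filtered token (the "two tokens" the post mentions). The table is this
# example's own; the SIDs themselves are fixed in Windows.
$FilteredGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-551' = 'Backup Operators'
}

function Get-UacPolicy {
    # Reads the policy values; a value absent from the key is reported as 'not set'.
    $p = Get-ItemProperty -Path $PolicyKey
    $read = { param($name) if ($null -ne $p.$name) { [int]$p.$name } else { 'not set' } }

    $enableLua   = & $read 'EnableLUA'
    $adminPrompt = & $read 'ConsentPromptBehaviorAdmin'
    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is off: every administrator process gets the full token.'
    } elseif ($adminPrompt -eq 0) {
        $findings += 'All local administrators elevate silently (ConsentPromptBehaviorAdmin = 0).'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        AdminPromptMeaning         = $AdminPromptText[$adminPrompt]
        ConsentPromptBehaviorUser  = & $read 'ConsentPromptBehaviorUser'
        PromptOnSecureDesktop      = & $read 'PromptOnSecureDesktop'
        Findings                   = $findings
    }
}

function Get-TokenState {
    # whoami lists every group in this process's token. In a filtered token
    # the privileged groups are still present but marked "deny only", which
    # is why an administrator's ordinary shell cannot use them.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $denyOnly = @($groups |
        Where-Object { $FilteredGroups.ContainsKey($_.SID) -and $_.Attributes -match 'deny only' } |
        ForEach-Object { $FilteredGroups[$_.SID] })

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    [pscustomobject]@{
        User             = $identity.Name
        # True only when the full token is in use (elevated process, or UAC off).
        Elevated         = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        DenyOnlyGroups   = $denyOnly
        HasFilteredToken = ($denyOnly.Count -gt 0)
    }
}

$policy = Get-UacPolicy
$token  = Get-TokenState
$policy | Format-List
$token  | Format-List

if ($token.HasFilteredToken -and -not $token.Elevated) {
    "This shell holds the standard-user half of a split token (" +
    ($token.DenyOnlyGroups -join ', ') + "); 'Run as administrator' on this account " +
    "would elevate according to ConsentPromptBehaviorAdmin = $($policy.ConsentPromptBehaviorAdmin)."
}
```

Run it once from a normal window and once from an elevated one to see both halves of a split token: the first run shows Administrators (or Power Users, as the post notes) as deny-only with Elevated = False, the second shows Elevated = True. The combination the post argues against, every local administrator elevating without any prompt, appears as EnableLUA = 1 with ConsentPromptBehaviorAdmin = 0; values 1 and 3 are what make "Run as administrator" ask for credentials instead of a consent click, which is the closest Vista comes to the XP-era Run As behaviour for an already-logged-in administrator. For the auditing the post asks for, the Security log's process-creation event (4688, once Audit Process Creation is enabled) records a Token Elevation Type field that separates elevated launches from ordinary ones.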

Responses to "proposed changes to UAC mechanism, RunAs, and documentation"

Mark H
Guest
Posts: n/a
 
Re: proposed changes to UAC mechanism, RunAs, and documentation
Posted: 08-26-2008, 11:44 AM
You're barking up the wrong tree. Try here:
https://feedback.windowsvista.micros..._master&scrx=1


"stumppc" <stumppc@discussions.microsoft.com> wrote in message
news:40809FED-17C0-4EB9-A304-68D6F74733B1@microsoft.com...
> Hello -
>
> Someone please forward the comments below to people working on Vista
> Service Pack 2:
>
> The "Run as Administrator" option that appears when you right-click on a
> shortcut or program should be changed in Vista to say "Run Elevated as
> Current User". The Run As Administrator doesn't prompt for credentials in
> instances where a Local Admin is already logged in, breaking the
> functionality of "Run As" as it was previously created and used in
> XP/2000. If anything, Vista should have "Run Elevated as Current User",
> "Run Elevated as Different User", and "Run Standard as Different User"
> options instead of the current Run as Administrator. What if you are a
> power user - the "Run as Administrator" option may need to be used by that
> user - that is very confusing to the user since they are not an
> administrator.
>
> Vista's UAC implementation does not take into account or allow
> administrative scripts to operate as they have in the past. I do not like
> any of the current options for getting around UAC controls/prompts that
> stop or break administrative scripts based on
> batch/vbs/wsh/AutoIT/KiXtart/etc. There needs to be a straightforward
> method for people to execute administrative scripts without turning off
> UAC. These scripts need to be able to run administrative functions with
> elevated privileges without UAC prompts. Most SMB organizations will not
> buy add-on (think MS SMS) or third party tools to repackage, rewrite,
> sign, or execute their current administrative automation under Vista. Only
> allowing signed content to run/install is not a fix of any sort - malware
> writers will just start digitally signing their stuff. Also, for most
> organizations only allowing installs/scripts to happen from certain
> locations is just not possible.
>
> How about a new default user group in Windows like this: Local group with
> automatic, silent UAC elevation? This way UAC is left intact and
> administrators can choose which accounts can silently elevate their
> privileges. This group should also have some security event log auditing
> turned on by default.
>
> We need two classes of accounts - those that silently elevate their
> privileges and those that do not. Accounts with the silent elevation
> privilege may not even be Local Admins or Domain Admins, but with special,
> custom privileges instead. Just silently elevating all Local Admins is a
> bad practice that diminishes the usefulness of UAC greatly. Unfortunately
> that is the best option for most admins right now.
>
> I notice several deficiencies in Microsoft documentation about UAC posted
> online:
>
> There appears to be no differentiation between Local Administrator and
> Domain Administrator. There is clearly different behavior with MMC tools
> and similar for users who are not Domain Admins and Local Administrators
> at the same time. If you are logged in as a Local Admin but not a Domain
> Admin you have to revert to things like invoking RUNAS from the CMD prompt
> to properly run your MMC tools.
>
> There is very little info about users who have rights more than a standard
> user but less than a Local Admin, like power user. The document does not
> note the fact that any user who logged in with privileges higher than
> standard user appears to receive two tokens too and UAC applies in that
> instance as well.
>
> Thanks for listening,
>
> James
> MCSE +Security Server 2003, XP
> CompTIA Security+
>
> ----------------
> This post is a suggestion for Microsoft, and Microsoft responds to the
> suggestions with the most votes. To vote for this suggestion, click the "I
> Agree" button in the message pane. If you do not see the button, follow
> this link to open the suggestion in the Microsoft Web-based Newsreader and
> then click "I Agree" in the message pane.
>
> http://www.microsoft.com/communities...ws.vista.security


stumppc
Guest
Posts: n/a
 
Re: proposed changes to UAC mechanism, RunAs, and documentation
Posted: 08-26-2008, 12:45 PM
Thanks - I looked all over for that link and could not find it for some
reason. Would you believe it only allows for a 1000 character submission?
Whoever made that feedback submission page makes MS look like they don't
really want to hear from users...

"Mark H" wrote:
> You're barking up the wrong tree. Try here:
> https://feedback.windowsvista.micros..._master&scrx=1
>
>
> "stumppc" <stumppc@discussions.microsoft.com> wrote in message
> news:40809FED-17C0-4EB9-A304-68D6F74733B1@microsoft.com...
> > Hello -
> >
> > Someone please forward the comments below to people working on Vista
> > Service Pack 2:
> >
> > The "Run as Administrator" option that appears when you right-click on a
> > shortcut or program should be changed in Vista to say "Run Elevated as
> > Current User". The Run As Administrator doesn't prompt for credentials in
> > instances where a Local Admin is already logged in, breaking the
> > functionality of "Run As" as it was previously created and used in
> > XP/2000. If anything, Vista should have "Run Elevated as Current User",
> > "Run Elevated as Different User", and "Run Standard as Different User"
> > options instead of the current Run as Administrator. What if you are a
> > power user - the "Run as Administrator" option may need to be used by that
> > user - that is very confusing to the user since they are not an
> > administrator.
> >
> > Vista's UAC implementation does not take into account or allow
> > administrative scripts to operate as they have in the past. I do not like
> > any of the current options for getting around UAC controls/prompts that
> > stop or break administrative scripts based on
> > batch/vbs/wsh/AutoIT/KiXtart/etc. There needs to be a straightforward
> > method for people to execute administrative scripts without turning off
> > UAC. These scripts need to be able to run administrative functions with
> > elevated privileges without UAC prompts. Most SMB organizations will not
> > buy add-on (think MS SMS) or third party tools to repackage, rewrite,
> > sign, or execute their current administrative automation under Vista. Only
> > allowing signed content to run/install is not a fix of any sort - malware
> > writers will just start digitally signing their stuff. Also, for most
> > organizations only allowing installs/scripts to happen from certain
> > locations is just not possible.
> >
> > How about a new default user group in Windows like this: Local group with
> > automatic, silent UAC elevation? This way UAC is left intact and
> > administrators can choose which accounts can silently elevate their
> > privileges. This group should also have some security event log auditing
> > turned on by default.
> >
> > We need two classes of accounts - those that silently elevate their
> > privileges and those that do not. Accounts with the silent elevation
> > privilege may not even be Local Admins or Domain Admins, but with special,
> > custom privileges instead. Just silently elevating all Local Admins is a
> > bad practice that diminishes the usefulness of UAC greatly. Unfortunately
> > that is the best option for most admins right now.
> >
> > I notice several deficiencies in Microsoft documentation about UAC posted
> > online:
> >
> > There appears to be no differentiation between Local Administrator and
> > Domain Administrator. There is clearly different behavior with MMC tools
> > and similar for users who are not Domain Admins and Local Administrators
> > at the same time. If you are logged in as a Local Admin but not a Domain
> > Admin you have to revert to things like invoking RUNAS from the CMD prompt
> > to properly run your MMC tools.
> >
> > There is very little info about users who have rights more than a standard
> > user but less than a Local Admin, like power user. The document does not
> > note the fact that any user who logged in with privileges higher than
> > standard user appears to receive two tokens too and UAC applies in that
> > instance as well.
> >
> > Thanks for listening,
> >
> > James
> > MCSE +Security Server 2003, XP
> > CompTIA Security+
> >
> > ----------------
> > This post is a suggestion for Microsoft, and Microsoft responds to the
> > suggestions with the most votes. To vote for this suggestion, click the "I
> > Agree" button in the message pane. If you do not see the button, follow
> > this link to open the suggestion in the Microsoft Web-based Newsreader and
> > then click "I Agree" in the message pane.
> >
> > http://www.microsoft.com/communities...ws.vista.security
>
>
>
Paul Montgomery
Guest
Posts: n/a
 
Re: proposed changes to UAC mechanism, RunAs, and documentation
Posted: 08-26-2008, 01:45 PM
On Tue, 26 Aug 2008 05:45:13 -0700, stumppc
<stumppc@discussions.microsoft.com> wrote:
>Thanks - I looked all over for that link and could not find it for some
>reason. Would you believe it only allows for a 1000 character submission?
>Whoever made that feedback submission page makes MS look like they don't
>really want to hear from users...
Split your submission into smaller bits... like only one suggestion
per submission.

DUH!
 