Vista file security mechanisms

1) I noticed that there is quite a bit of restrictions in the file system,
almost like a *nix file system since you cannot change/delete etc certain
files in certain directories (...permissions). This is awesome and only a
small example, I'm wondering though if the system asks for the admin password
to install a program ONLY if it is an install routine or ONLY if a program
tried to create directories/files in certain directories (like program
files), or both, basically how is Vista realizing that it's an install
routine and that admin is needed?

2) In Vista there is a difference between "Administrator" and an account
with administrator priveledges...or am I confused? From my experience I
needed to log into safe mode and change the Administrator password, couldn't
do it from the Admin account I created in XP before the Upgrade...NICE!!

3) Updating the Hosts file was a PITA!!! But IS possible!

Hello,

Quote:

> 1) I noticed that there is quite a bit of restrictions in the file system,
> almost like a *nix file system since you cannot change/delete etc certain
> files in certain directories (...permissions). This is awesome and only a
> small example,

Actually, these permissions have been in Windows NT-based operating systems
since conception... however, running as Administrator ("root") by default
negates all the nice security features of this, since administrators have
access to pretty much everything, so I'm sure a lot of people have never
noticed this

In Windows Vista, accounts with administrator privileges run like a user in
the 'wheel' group ... every program they open runs as a standard user. Then,
when they want to run a program with admin privileges, they have to 'sudo'
the program. The program can either request to be sudo'd (Windows needs your
permission to run this program), or you can explicitly run the program with
admin power by right-clicking it and clicking Run As Administrator.

Quote:

> I'm wondering though if the system asks for the admin password
> to install a program ONLY if it is an install routine or ONLY if a program
> tried to create directories/files in certain directories (like program
> files), or both, basically how is Vista realizing that it's an install
> routine and that admin is needed?

Applications have to be explicitly configured to ask for admin permission by
the developer of the application.

Alternatively, Windows may "know" that a legacy application will need admin
powers via the application compatibility database, so Windows may prompt on
behalf of a legacy application if it knows it will need admin powers.

If a program is not configured to ask for admin permission, when in fact it
DOES, this program will fail to work correctly, even if you are logged in as
an administrator. To use these programs, right-click on it, and click Run As
Administrator. You can manually configure a program to always ask for
administrator permission from the compatability tab of its properties
screen.

Also, Windows Vista automatically recognizes the most common types of setup
programs and asks for admin permission for these programs when they run.

As for accessing restricted files and registry keys ... Windows Vista uses a
new concept called "virtualization" to allow old programs to run. Basically
how this works, is if a program that was not designed for Windows Vista
tries to write data to certain restricted folders or registry keys, Windows
makes the program THINK that it is writing to these places, but actually
puts the files/registry keys into a folder inside the user's folder.

In this way, these older programs can still work, but they cannot change
other user's data or affect the system state.

Quote:

> 2) In Vista there is a difference between "Administrator" and an account
> with administrator priveledges...or am I confused? From my experience I
> needed to log into safe mode and change the Administrator password,
> couldn't
> do it from the Admin account I created in XP before the Upgrade...NICE!!

Yes, there is a difference.

When logged in as an account with admin permissions, you run all programs as
a standard user, and only programs that you give permission to will run with
your administrator powers.

On the other hand, the Administrator account is like the 'root' account in
linux ... it ALWAYS runs everything with full privileges. By default in
Windows Vista, you can only access this account from safe mode.

Quote:

> 3) Updating the Hosts file was a PITA!!! But IS possible!

An easy way to do file management is to right-click the link to Windows
Explorer and click Run As Administrator. This will prompt for admin
permission FIRST, and then allow you to do any other admin-task without
needing to be prompted again (from within that window).

For more info, check out these Microsoft websites:

http://www.microsoft.com/technet/win...ty/uacppr.mspx
http://www.microsoft.com/technet/Win...9e4e5c10f.mspx
http://www.microsoft.com/technet/Win...ff918c281.mspx
http://www.microsoft.com/technet/win...1f5c6c2d9.mspx
http://blogs.msdn.com/uac/

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

test
"Jimmy Brush" <JimmyBrush@discussions.microsoft.com> дÈëÏûÏ¢ÐÂÎÅ:FBBE957E-67D1-4EFE-A896-43191C31EFD4@microsoft.com...

Quote:

> Hello,
>

Quote:

>
> Actually, these permissions have been in Windows NT-based operating
> systems since conception... however, running as Administrator ("root") by
> default negates all the nice security features of this, since
> administrators have access to pretty much everything, so I'm sure a lot of
> people have never noticed this
>
> In Windows Vista, accounts with administrator privileges run like a user
> in the 'wheel' group ... every program they open runs as a standard user.
> Then, when they want to run a program with admin privileges, they have to
> 'sudo' the program. The program can either request to be sudo'd (Windows
> needs your permission to run this program), or you can explicitly run the
> program with admin power by right-clicking it and clicking Run As
> Administrator.
>

Quote:

>
> Applications have to be explicitly configured to ask for admin permission
> by the developer of the application.
>
> Alternatively, Windows may "know" that a legacy application will need
> admin powers via the application compatibility database, so Windows may
> prompt on behalf of a legacy application if it knows it will need admin
> powers.
>
> If a program is not configured to ask for admin permission, when in fact
> it DOES, this program will fail to work correctly, even if you are logged
> in as an administrator. To use these programs, right-click on it, and
> click Run As Administrator. You can manually configure a program to always
> ask for administrator permission from the compatability tab of its
> properties screen.
>
> Also, Windows Vista automatically recognizes the most common types of
> setup programs and asks for admin permission for these programs when they
> run.
>
> As for accessing restricted files and registry keys ... Windows Vista uses
> a new concept called "virtualization" to allow old programs to run.
> Basically how this works, is if a program that was not designed for
> Windows Vista tries to write data to certain restricted folders or
> registry keys, Windows makes the program THINK that it is writing to these
> places, but actually puts the files/registry keys into a folder inside the
> user's folder.
>
> In this way, these older programs can still work, but they cannot change
> other user's data or affect the system state.
>

Quote:

>
> Yes, there is a difference.
>
> When logged in as an account with admin permissions, you run all programs
> as a standard user, and only programs that you give permission to will run
> with your administrator powers.
>
> On the other hand, the Administrator account is like the 'root' account in
> linux ... it ALWAYS runs everything with full privileges. By default in
> Windows Vista, you can only access this account from safe mode.
>

Quote:

>
> An easy way to do file management is to right-click the link to Windows
> Explorer and click Run As Administrator. This will prompt for admin
> permission FIRST, and then allow you to do any other admin-task without
> needing to be prompted again (from within that window).
>
> For more info, check out these Microsoft websites:
>
> http://www.microsoft.com/technet/win...ty/uacppr.mspx
> http://www.microsoft.com/technet/Win...9e4e5c10f.mspx
> http://www.microsoft.com/technet/Win...ff918c281.mspx
> http://www.microsoft.com/technet/win...1f5c6c2d9.mspx
> http://blogs.msdn.com/uac/
>
> - JB
>
> Vista Support FAQ
> http://www.jimmah.com/vista/
>
>
>