Windows Vista Forums

Vista - RE: UAC whitelist

Old 03-09-2008   #1 (permalink)
Jeff Smith [MSFT]


 
 

RE: UAC whitelist

Unfortunately, there is no way to have a specific app silently elevate while
leaving UAC enabled for all other administrative apps. I do feel your pain
here -- I bounce off the elevation prompt many times a day. I just learned
to quick hit ALT+C whenever it's coming up. There's plenty of websites that
give instructions on how to turn UAC off, if it's really ruining your day.

Although it doesn't seem like that's a security hole, it actually can be.
Security is a 'weakest link' game. If a program has a "golden ticket" to run
elevated, then the system's security is only as strong as that app is -- and
most apps aren't written in such a way as to be strong against subversion by
other apps. Suppose mmc.exe (the Microsoft Management Console - open the
Start menu, right-click on 'Computer' and choose 'Manage') were automatically
quietly elevated every time. Then a bad guy would just have to figure out
how to run it from the command line; or to ask it to open a malformed .mmc
file that causes it to crash exploitably.


"anySmarterIdrunLinux" wrote:
> Is there a way to grant an application the right to execute now and forever
> more? An app that I use 3,4,10,15 times a day triggers a UAC prompt. I
> understand that the app should be written in a different manner so that it
> does not need Admin rights. Until it is re-written, I do not want to be
> prompted __EVERY__ time I launch it. Is this possible?
>
> Since I think I already know the answer (but I am wrong far more than I
> would like to admit which is why I am posting), Why not???
>
> and to answer the first 3 arguments against: 1) I don't care that the app
> should be written differently. It is not written differently now, and I need
> to run it now. 2) It's not really a security hole to whitelist an app(s) -
> UAC is still running. Firewall is still running. User is still a least
> privilege account, etc. 3) I haven't thought far enough to have 3 counter
> arguments.
>
> Can someone explain to MS the value in granular configuration? 'Configure
> UAC' should have a few more options than Turn On / Off.
>
> Thanks for all of your help and feedback.
>
> Matt

Old 03-09-2008   #2 (permalink)
Olivier


 
 

Re: UAC whitelist

> If a program has a "golden ticket" to run elevated,
> then the system's security is only as strong as that app is
> and most apps aren't written in such a way as to be strong against
> subversion by other apps. Suppose mmc.exe (the Microsoft Management
> Console - open the Start menu, right-click on 'Computer' and choose
> 'Manage') were automatically quietly elevated every time. Then a bad guy
> would just have to figure out how to run it from the command line; or to
> ask it to open a malformed .mmc file that causes it to crash exploitably.

Do you think that the prompt for elevation is a more secure way to avoid a
bad guy program running?
What prevents a "bad guy" program from patching a "normal" program, then asking
to run the "normal" program in an elevated mode?
If an integrity check was done and failed, then prompting the user to
require a specific action would be meaningful.
I don't see UAC doing a CRC check or whatever mechanism to be assured that
the "normal" program had not been patched by a bad guy. Actually, a user can
accept to run in an elevated mode a program that is supposed to be a "safe"
one?
A white list, associated with a CRC check (or whatever mechanism to check
integrity) is, in my mind, the way to achieve this goal without endlessly
prompting the user for anything.

Regards

--
Olivier
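
Added example, not part of either post and not how UAC works: a sketch of the digest-pinned allowlist proposed in the second reply, using SHA-256 in place of a CRC because a CRC is not collision-resistant. The `decide` function, the allowlist layout and the file names are assumptions made for illustration; the demo also shows the case from the first reply, where an unmodified program is handed an untrusted document and still passes the check.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def decide(allowlist, exe_path, argv):
    """Return 'silent' only if exe_path is listed and its digest still matches.

    argv is accepted but deliberately unused: a digest pin covers the bytes of
    the executable, not the arguments or documents it is asked to process.
    """
    key = os.path.normcase(os.path.realpath(exe_path))
    pinned = allowlist.get(key)
    if pinned is None:
        return "prompt"   # not on the allowlist: normal consent prompt
    if sha256_of(key) != pinned:
        return "prompt"   # listed, but the file changed since it was pinned
    return "silent"       # listed and unmodified

def demo():
    """Run the check against a constructed stand-in executable."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "tool.exe")            # hypothetical program
        with open(exe, "wb") as f:
            f.write(b"MZ constructed sample bytes")
        allowlist = {os.path.normcase(os.path.realpath(exe)): sha256_of(exe)}
        results = {
            "unmodified": decide(allowlist, exe, []),
            # Same binary, untrusted input file: the pin cannot see this.
            "untrusted_input": decide(allowlist, exe, ["untrusted.msc"]),
            "unlisted": decide(allowlist, os.path.join(d, "other.exe"), []),
        }
        with open(exe, "ab") as f:                   # simulate a patched file
            f.write(b"patch")
        results["patched"] = decide(allowlist, exe, [])
        return results

if __name__ == "__main__":
    print(demo())
```

The digest check catches the patched file but not the untrusted input, so the allowlisted program's own handling of arguments and files remains part of the trust boundary. A real implementation would also have to keep the file from changing between the check and the launch.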
