Because elevations aren’t security boundaries, there’s no guarantee that malware running on a system with standard user rights can’t compromise an elevated process to gain administrative rights. For example, elevation dialogs only identify the executable that will be elevated; they say nothing about what it will do when it executes. The executable will process command-line arguments, load DLLs, open data files, and communicate with other processes. Any of those operations could conceivably allow malware to compromise the elevated process and thus gain administrative rights.
To summarize, UAC is a set of technologies that has one overall goal: to make it possible for users to run as standard users. The combination of changes to Windows that enable standard users to perform more operations that previously required administrative rights, file and registry virtualization, and prompts all work together to realize this goal. The bottom line is that the default Windows 7 UAC mode makes a PA user’s experience smoother by reducing prompts, allows them to control what legitimate software can modify their system, and still accomplishes UAC’s goals of enabling more software to run without administrative rights and continuing to shift the software ecosystem to write software that works with standard user rights.
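Translation: To sum up, the purpose of UAC as a set of technologies is to make it possible for users to run Windows as a standard user. It achieves this by 1. allowing standard users to perform more operations that previously required admin rights, 2. file and registry virtualization, and 3. explicitly prompting the user. The bottom line is that, by default, Windows 7 UAC makes the Protected Admin experience smoother, lets admins control which programs may legitimately modify the system, and still meets UAC's ultimate goals: letting more applications run without admin rights, and thereby continuing to change the Windows software ecosystem.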
UAC's real purpose is quite simple: it's meant to trip whenever a routine attempts to elevate security privileges, and get in your face. As we have reported before, this has two goals: a) it gives users a chance to approve of the elevation in the off chance that something wrong is happening, and b) it encourages developers to design their software such that privilege elevations aren't needed in the first place. The latter is really the point of UAC, since users have absolutely zero control over the privilege requests their applications make (other than to choose not to install said apps).
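As for whether UAC should be turned off: in any case, leaving it on is definitely safer than turning it off.
Whether UAC is well designed is a matter of opinion. Microsoft deliberately chose this path of going against user habits, and whether it works out remains to be seen. In any case, a lot of software has adapted to UAC by now, both legitimate software and malware.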
============================ Divider ==========================================
Could the technical people discussing UAC please read the relevant UAC documentation first? For example, this:
Security: Inside Windows Vista User Account Control
and
User Account Control: Inside Windows 7 User Account Control
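UAC is not a security boundary, because a low-privileged malicious program can perfectly well collude with a high-privileged program to do damage, and the user has no way of recognizing this, so UAC cannot replace antivirus software. A low-privileged malicious program also has full access to the user's data, so UAC cannot protect user privacy either.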
Vista’s UAC security prompt was designed to annoy you
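UAC was invented so that UAC would no longer be needed in the future. So UAC is not there to annoy users; UAC is there to annoy developers, to remind them: does your program really need admin rights?
Programs that are malicious to begin with, such as a great deal of Chinese domestic software, can simply install all kinds of services and drivers at install time to achieve their evil ends, with no need to trigger a UAC prompt at all.
So if you still run into programs today that constantly trigger UAC prompts, there is only one explanation: the developers are so incompetent that they can't even do bad things properly.
PS: on Win8 you really can't turn UAC off; once it is off, Metro apps no longer run properly.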