Experience UAC protection to ensure Vista system security

Source: Internet
Author: User

User Account Control (UAC) is one of the most significant improvements in Vista compared with the previous generation. The introduction of UAC is Microsoft's X operating system. This security model requires the user to have administrator permissions to carry out certain tasks, such as installing software, while the user's permissions are lower the rest of the time.
Why does Microsoft do this? It protects users from hackers. If a hacker uses an unpatched vulnerability to hijack a user's browser, he also hijacks the user's permissions. Because that user can install software, so can the hacker. What happens then? The attacker can take control of the computer and place Trojans, worms, malware, and spyware on it.

 



In the face of more frequent and increasingly clever attacks, developers have launched Vista as a solution. But why? Use the following five solutions to let your XP (or even earlier operating system) experience the UAC protection of Vista.

Solution 1: Use a restricted account

It is easy to create a non-Administrator account in Windows. You may wonder what protection Vista and UAC provide.

Yes. You can easily create a restricted account. Just click Start > Settings > Control Panel > User Accounts. Select "create new user", give the user a name, and select "Restricted User" before clicking "create account". Set a password and you are done.

But it is not that simple. Using a restricted account in XP works when you set it up as you start using a new computer (or at least after reinstalling Windows XP); if you do this on a system that has been in use for a period of time, your nightmare is about to begin.

You will not be able to access the files in your previous "My Documents" because the folder is locked under the administrator account. Some previously installed programs will disappear.

In addition, even if a program is still available, all your custom settings will be lost and the program will go back to its initial settings. Taking Firefox as an example, all its extensions will be lost, and Microsoft Word goes back to its standard settings. It takes some time to set XP up again.

Some programs can only be installed in administrator mode, and even once the installation is complete, do not expect to run them without administrator permissions. (You can work around this problem temporarily: right-click a program file, select "running mode", select an account with administrator permissions, and enter the password. But there is no guarantee that this works.)

Summary: this is not feasible because there are too many problems.

Solution 2: Running Mode

Windows XP has a function called "running mode" (the "Run as..." command) that allows you to temporarily use another user account. It is usually used to give users with lower permissions temporary administrator permissions to install programs.

But you can also use it to simulate some protection provided by Vista UAC.

The method is as follows: when you run the most vulnerable programs (your browser and your email program are two of them), use a low-privilege user. That way, even if malware hijacks these programs, the damage is limited.

This method works by running your browser (such as IE or Firefox) and your email program with low permissions, while using the Administrator account for everything else. This avoids the program installation and startup problems that come with working as a restricted user. At the same time, you keep the custom settings of your current programs, the locations of your data files, and so on.

For example, right-click the IE shortcut on the desktop, in Windows Explorer or in the Quick Launch bar. Select "running mode" from the menu. Select "following users". Then enter or select a restricted user account, enter the password, and click "OK".

You can make this happen automatically, without having to right-click the program icon. Right-click the shortcut, select "properties", click the "shortcut" tab, and then click the "advanced" button. Select "Run as another user" and click "OK". From then on, when you start the program with this shortcut, you immediately see a dialog box asking whether to run the program as an administrator or as another identity; here, you use the restricted user account.

Summary: this solution is not flexible because a restricted user account is required.

Solution 3: Use Process Manager

Although Sysinternals is now a small part of Microsoft, its famous free tools will, according to Microsoft's public statements, remain free.

Download the Process Manager (Sysinternals calls it Process Explorer) from the Sysinternals website. This website is run by Winternals, which was founded by two partners. One of them is Mark Russinovich, who is famous for discovering Trojans in Sony music CDs.

Although the Process Manager is mainly used to display information about the processes currently running in Windows, much like Task Manager, it also helps add some of the protection of UAC to Windows XP. The "run as a restricted user" function is in the Process Manager's File menu.

As with the Windows "running mode" command, you can run a program, such as a browser or email program, without administrator permissions. Unlike running mode, you are not required to enter a restricted account or password. Instead, it uses the CreateRestrictedToken API of Windows to create a security context called a token, with the administrator privileges removed.

All you need to do is select File, then Run, and then "run as a restricted user". Then enter the program you want to run, such as outlook.exe, to run it with fewer permissions. This is very good.
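
What that restricted token changes in practice, as a simplified model added here (not code from Sysinternals or from the original article): the Administrators group stays in the token but only matches deny entries, and every privilege except SeChangeNotifyPrivilege is dropped. The `Token`, `restrict` and `access_check` names, the permission bits and the sample access lists are constructed for illustration; owner rights and restricting SIDs are left out.

```python
from dataclasses import dataclass

# Constructed permission bits and names for illustration, not real Windows masks.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ADMINS, USERS = "BUILTIN\\Administrators", "BUILTIN\\Users"

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset      # enabled group SIDs
    deny_only: frozenset   # SIDs that only ever match deny ACEs
    privileges: frozenset

def restrict(token, sids_to_disable, keep=("SeChangeNotifyPrivilege",)):
    """Model of CreateRestrictedToken(SidsToDisable, DISABLE_MAX_PRIVILEGE)."""
    disabled = token.groups & frozenset(sids_to_disable)
    return Token(token.user, token.groups - disabled,
                 token.deny_only | disabled,
                 token.privileges & frozenset(keep))

def access_check(token, dacl, desired):
    """Walk ACEs in order; True only if every desired bit ends up granted."""
    enabled = token.groups | {token.user}
    granted = 0
    for kind, sid, mask in dacl:
        if kind == "deny" and sid in (enabled | token.deny_only):
            if mask & desired & ~granted:
                return False          # a still-needed bit is explicitly denied
        elif kind == "allow" and sid in enabled:
            granted |= mask           # deny-only SIDs never reach this branch
        if granted & desired == desired:
            return True
    return False

# Constructed sample data: an administrator's token and two access lists.
admin = Token("PC\\alice", frozenset({ADMINS, USERS}), frozenset(),
              frozenset({"SeChangeNotifyPrivilege", "SeDebugPrivilege",
                         "SeLoadDriverPrivilege"}))
limited = restrict(admin, [ADMINS])
PROGRAM_FILES = [("allow", ADMINS, READ | WRITE | EXECUTE),
                 ("allow", USERS, READ | EXECUTE)]
LOCKED = [("deny", ADMINS, READ), ("allow", USERS, READ)]

if __name__ == "__main__":
    for name, tok in (("admin", admin), ("limited", limited)):
        print(name, "write Program Files:", access_check(tok, PROGRAM_FILES, WRITE),
              "| read LOCKED:", access_check(tok, LOCKED, READ),
              "| privileges:", sorted(tok.privileges))
```

The restricted process can still read and execute what ordinary users can, and it still owns the same user profile, which is one reason this approach does not cover every threat.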

Overview: This is very flexible. However, as Russinovich admitted, this does not guarantee that it can deal with all possible security threats.

Solution 4: Reduce "my" Permissions

One problem with solution 3 is that you have to use another program, the Process Manager, to run the program with low permissions. It is not very convenient.

Of course, Vista hides account protection behind a selection box; you only need to click an icon.

To copy this process, and automatically run the programs you select with low permissions, download the software "lower my permissions", a program with two years of history. With it you can cleverly set up shortcuts that run various programs with just one click.

This software was written by Michael Howard, a Microsoft security developer. It does what its name indicates: it lowers the permissions of a program. Set up a shortcut to start a restricted browser or email program. Howard clearly explains (and also shows in screenshots) the steps you need to take. We recommend that you place the executable program "dropmyrights.exe" in the C root directory, so that you do not need to enter a long path name in the target of the shortcut.

Sysinternals also provides a similar tool named PsExec. You can download it from here. You can think of it as a kind of command-line version of the Process Manager. Need to know
