Wed, Oct 28 2009 23:41
UAC on a Server
Sometimes (okay a lot of times) I have this annoying streak where I want people to ask themselves if there is a true risk to what they are doing. Too many times in security we turn knobs and do things just because some tool said so or some article said we all must do it. And I'm guilty of it too. The "best practices" mantra.
Sometimes the best practice of all is to patch yourself... as in patch your own stupidity.
Some people may freak out about what I'm about to post. Some people may question why I feel this way, but from day one I've cringed at that UAC on SBS 2008 and felt that if it annoyed me a little bit when I was working on the server, it certainly would be annoying to others. So today when I got this email....
With SBS 2008 deployments we are finding UAC to be a pain whenever you need to change ini or script files etc. from inside a folder that is secured by administrator group permissions rather than explicitly applied to the user account. Now I can accept this is UAC doing its thing and that's OK, but the only way I have found to get around this is running Notepad as administrator and then I can change the files as I need; the problem is that having to navigate through folders in this manner when trying to make changes to several config files is pretty clunky (in a recent SBS 08 deployment we had to disable UAC and restart it to do all the changes to 30-odd ini files for an app that is used). I’m overly interested in changing folder permissions explicitly to get around this; have you got any thoughts of how we might get around this?
Thanks for your time.
It reminded me of that cringing I personally do and it made me once again question the sanity of this setting. UAC first and foremost is a tool to beat vendors over the head to write code better. That's its basic goal in life. It's not to annoy you (even though for many of you in Vista it does a darn fine job of that), it's not there as a security boundary, it's there as a virtual 2x4 to hit some sense into coders that DEMANDED admin rights.
When you are on a server and ESPECIALLY as you set it up, what are you? You are an admin. You are god. You need to be in your "patched for stupid" mode. UAC is there more for the desktop, right? Initially I said that I wasn't going to beat anyone up if they adjusted UAC down to silently elevate, as I said I liked protected mode on. But there was a flaw in my thinking. There are times when apps on a server may not behave with UAC in silently elevate mode, and it may end up that it won't tell you if it needs RunAs or true admin rights, and you'll be banging your head against a wall.
So fasten your seat belt because here I go more into a religious security position. I won't kill you if you turn UAC off on an SBS box.
On two conditions of course:
First you have to promise me you won't be surfing on that server. No Facebook. No farm game on Facebook while setting up the SBS box. The only sites that I'll allow you to go to are Microsoft.com and HP or Dell for drivers.
Secondly, before you work on that box, you patch your stupid. That means you do your adminy stuff and then get off the box when you aren't doing adminy stuff.
My 64-bit vendors on the desktop tell me to turn off UAC while installing now.
So there you have it. Patch for stupid. Do only adminy stuff and I won't yell at you. Understand that when you are on that server you are God. Act accordingly.