Tales from the Evil Empire

Bertrand Le Roy's blog

News

Ads Via DevMavens

ASP.NET AJAX UpdatePanel Control: Add Ajax interactivity to your ASP.NET 2.0 web pages


follow bleroy at http://twitter.com

Bertrand Le Roy




Add to Technorati Favorites

Blogs I read

My other stuff

How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

A lot has been written about UAC. Some choose to disable it. I chose not to and I'm doing just fine. At least, I don't have to type in my password on every prompt like on some other OS that likes to mock us on TV ;)

Anyway, the one place where UAC has been really annoying to me as a web developer is that any file manipulation in Inetpub requires validation by default (and that's legitimate, it's not a directory that you want rogue processes to be able to easily modify). I tend to be in that directory a lot.

So I was talking about that with Nikhil yesterday and we were wondering if running the Windows Explorer as administrator would fix the problem. At first, it looks like it doesn't, but Nikhil then mentioned that Explorer was probably not actually running as admin because all Explorer windows run under a single process by default. So I went to the folder options (press alt while in Explorer, choose tools/folder options) and activated "launch folder windows in a separate process" in the "view" tab. An Explorer launched as an administrator from this moment on will enable you to do all file manipulations without UAC prompts.

Hope this helps.

UPDATE: Dean suggested in the comments giving rights to your user acount on the directory. That works too, but it means that you're permanently disabling UAC on that directory for *all* applications that run under your identity. That may be fine depending on the value you attach to Inetpub contents. For example, don't do that on a production, public-facing machine (but the above method should probably not be used either in this situation). The method I expose above also exposes the system to shell extensions that you may have installed on the machine, so check those and only use trusted ones I suppose, or don't do this if unsure.

Posted: Mar 14 2007, 04:51 PM by Bertrand Le Roy | with 12 comment(s)
Filed under:

Comments

Dean Harding said:

Wouldn't just giving your account explicit read/write access to the folder do the same thing? Then you wouldn't need to run explorer as an administrator!

# March 14, 2007 8:27 PM

Bertrand Le Roy said:

Dean: that's a good point, but it doesn't do exactly the same thing.

If you just give permissions, it means that any process that runs under your identity can do whatever it wants on the folder. If you just run the explorer as admin, then only that explorer process has the rights.

In other words, giving permissions basically disables UAC on that folder (permanently), whereas running as admin disables UAC for this process (temporarily).

# March 14, 2007 8:40 PM

Dean Harding said:

Yes, but running explorer as an administrator also means all your explorer extensions and so on are running as administrator.

I guess it just depends on where you think the threats are coming from :-)

# March 14, 2007 9:24 PM

Bertrand Le Roy said:

Yes, you're absolutely right, but giving rights on the folder presents the same risks as far as shell extensions are concerned.

If you have shell extensions that you're unsure about, I guess it's just better to leave UAC on, not give additional permissions and not run as admin...

Ultimately, I see people disabling UAC as a whole and while it would be best to leave it on and bear with the alerts, such tricks can help in that it's better to have it partially on (and know the risks) than have it completely off.

As always, the best protection is skeptical computing.

# March 14, 2007 9:34 PM

rbuckton said:

There are times where I wish there was a way to "pre-authorize" certain applications for UAC.  I always run Visual Studio elevated and the prompt seems a bit cumbersome in those cases.  I think you should be able to authorize certain applications as approved without the need to accept a UAC prompt.  You could define the trusted startup parameters for the application (e.g. what are the valid commad line options that can be supplied).  Pre-authorized applications would then just need some type of bubble tip after launch that appears above the icon in the taskbar, or differentiate the window with slightly different window chrome (say a red or orangeish cast to the aero glass style) for applications running elevated.

Beyond that I am a big fan of UAC. Vista makes large-scale operations affecting a protected folder efficient by determining up front everything that will need elevation when beginning a copy, move, delete, etc. operation.  It's the one-by-one changes that become cumbersome.  

One of the more difficult to understand features of UAC is attempting to write a file to a protected location by an application that doesnt understand UAC.  Instead of denying the operation, a special folder structure under your profile folders that matches the protected directory structure is created for those files.  Vista needs a way to track and merge these changes easily after the fact, rather than having to do it manually.

# March 14, 2007 10:03 PM

David Taylor said:

Bertrand, like you I have left UAC enabled for the last few months of running Vista.

However I am not that worried if many technical people turn it off as they know how to fix their machine if it gets trashed.  

What I care about is that my mother, father and other non-technical people leave it on.  We should remember that 95% of people are not very technical, and if that 95% have UAC enabled Vista is a huge win.

# March 14, 2007 10:08 PM

Dean Harding said:

> Yes, you're absolutely right, but giving rights on the folder presents the

> same risks as far as shell extensions are concerned.

Except that they WOULDN'T have those rights on every OTHER folder marked Admin-only (System32, Program Files, etc).

I guess it depends on how "valuable" your InetPub folder is compared to those other folders. Either way, I think there are risks doing it both ways... but that's the nature of security; you've got to take risks in the interest of actually being able to DO stuff :)

# March 14, 2007 11:13 PM

Speednet said:

rbuckton, your comments are right on target!

I have been thinking exactly the same thing.  What malware is going to try and run the VS2005 IDE?

UAC desperately needs fine-tuning controls, which an advanced user can manipulate.  It can be changed to work exactly like a learning firewall, giving the user the ability to remember a rule or ask every time.  Wouldn't that be the best approach?

# March 15, 2007 1:49 AM

Bertrand Le Roy said:

Dean: you're absolutely right, so for a dev machine, the inetpub folder may be dependable and just giving access may be acceptable but on a production server, well, in this case just leave everything on I suppose.

# March 15, 2007 3:38 AM

victor said:

I am an IT auditor. I find that there were developers who had modify rights on inetpub directory in the production environment. How risky or dangerous it is? please help

# March 11, 2009 4:26 AM

Bertrand Le Roy said:

@Victor: please don't take my advice as the official Microsoft recommendation but only as my opinion. If those developers must publish the development site to the production server, this seems quite normal. I'm not sure what to do if that is not acceptable. One thing you might want to do is turn on write audits on that directory. That won't prevent attacks from insiders but it would enable you to find who's responsible for it.

# March 11, 2009 1:30 PM

victor said:

Thanks very much. Bertrand Le Roy. I will also do some reading from the best parctice.

# March 12, 2009 4:01 AM
Leave a Comment

(required) 

(required) 

(optional)

(required)