It killed me previously and will kill many home users because:When authenticating to remote resources:
•If system is non-domain joined, user authenticates as standard user
•If domain-joined and an administrator of the remote resource, user authenticates as administrator
1. If you computer dies, you have no remote access to it unless RDP works, and RDP is disabled in Home Editions (2).
2. Shares need to be explicit to users and not just administrators.
I see the reason behind this; it is to protect from attacks that redirect to \\localhost\c$\. It creates a problem though; when you are unable to access your computer, let's say a filter driver that didn't uninstall correctly screwed your keyboard, like in the good old SoftIce days, you need some expensive recovery tools like ERD because you CAN'T use remote registry anymore. Well you can still use Safe Mode but I like to remotely fix dead computers. In addition, sharing is now a little more complex to set correctly.
Therefore, the only way to recover from this problem is to disable UAC and use a standard account, like everyone in the security field always recommended to. Adding to the fact that they improved the RunAs command in the shell, it shouldn't be a problem at all to run as a standard user.
Reference
#1 "Windows Vista User Account Control Internals", Mark Russinovich, powerpoint, page 46
http://microsofttech.fr.edgesuite.net/msexp/download/0370/0370_pres.zip
#2 Windows Vista Product Editions
http://www.winsupersite.com/showcase/winvista_editions_final.asp
No comments:
Post a Comment