I had some interesting questions today from customers about the level of customization an IT guy can do regarding which areas of functionality are protected by UAC. I.e. if I don't want the Firewall protected by UAC can I change a setting in Group Policy? The answer is unfortunately no, you can't customize the individual bits of functionality protected by UAC.
I guess the reason for this is that we've done some pretty extensive user testing, beta feedback analysis and security threat modeling and found the right amount of features that require protection and those that don't. I guess what I'm saying is "trust us - we've done it right", which judging from customer and user feedback was the right thing to do - it works well and we've struck a good balance that allows the user to carry out their day to day tasks free from UAC interruption whilst maintaining security on important areas like firewall et al.
There are however some settings in Group Policy that enable to tweak your UAC experience:
1) User Account Control: Behavior of the elevation prompt for administrators2) User Account Control: Behavior of the elevation prompt for standard users3) User Account Control: Elevate on application installs4) User Account Control: Run all users, including administrators, as standard users5) User Account Control: Validate signatures of executables that require elevation6) User Account Control: Virtualize file and registry write failures to per-user locations
These are described in great detail on the UAC Team blog over here, so I won't try and paraphrase I'll just recommend you take a look.
Other things I would read are the TechNet resources on UAC: Understanding and Configuring User Account Control in Windows Vista
While I'll generally agree that UAC works pretty well, there are a few areas in which improvements may be in order.
For example, the creation of a new folder in a restricted location and emptying the Recycle Bin of certain protected files.
In the first instance, the creation of a new folder (with something other than a "New Folder" name) requires no less than 4 mouse clicks (two sets of UAC prompts), one set for the folder creation and yet another for the folder rename operation.
On rare occasions, emptying the Recycle Bin of certain files generates a UAC prompt. Seems akin to your garbage man ringing your doorbell and asking your permission to throw away one of your items of trash. :)
James gave me some hassle the other day for not referencing his blog (which is a valid thing to do),
I have to disagree significantly with this post. While the UAC presents a much needed change to keeping users hands out of the O/S and making my life easier, it has thusfar not done so, and Microsoft is part of that reason. A prime example are the ActiveX control settings in IE7. While our users are attempting a Webinar with clients present, the ActiveX pops up and now they need it gone immediately leaves me with no choice but to give them the passwords and then remote in and change it. Other factors, such as software which requires certain permission levels to operate (such as Autocad, Fishbowl and other LOB's), now require me to make the user an admin, or I get to be at their side 8 hours a day watching over them for every prompt.
As I said, the UAC is awesome in its initial form. What's missing? The UAC's customization based on software/security permissions. And, it should not take Microsoft a lot to modify this. The UAC does not have to be completely re-written, but it can be adapted to work closely with the other built-in options. For instance, if it was designed to use the exception list available in Windows Firewall, or apply its security settings based on the Windows Trusted zone and not pop up when an internal network ActiveX control request pops up.
I am amongst the first to congratulate Microsoft and the whole team for a great job on Vista. I can spend a year tearing it apart, but all things considered - I've spent my time breaking and fixing and am already implementing it across entire networks for our clients. However, the UAC is one area where Microsoft needs to not toot its own horn, but look at the fact there are areas outside of the single 'focus group' that should be given consideration. Keep the UAC as it is for those who like it - but don't destroy an administrator's ability to customize, lest you take away the tools they need to do their job right.
Thanks for you comment. UAC is primarily there to protect against apps that are writing to places on disk or accessing resources they shouldn't be doing. Take your autocad or fishbowl apps, I think you'll agree that you shouldn't need to be an admin to use these applications, so ask why are they triggering UAC consent boxes? They're not playing with Windows in the right way. We've done a lot to accomodate these kinds of apps like Virtualized Registry and Folders but there are some things that we cannot cover.
Check out this page for resources on how apps *should* be built:
http://mtpgcluster05.dns.microsoft.com:8082/en-us/windowsvista/aa904985.aspx Of particular interest to software developers is the standard user account analyser tool and how to build UAC compliant apps here:http://msdn2.microsoft.com/en-us/library/aa480150.aspx
I think at the end of the day it's about compromise and we won't compromise on security any more at Microsoft.
Your webinar example seems like an interesting example thought and I'd like to dicuss that offline with you... could you email me with more details?