Keith Combs' Blahg

Ramblings from another nerd on the grid


Windows Vista User Account Control (UAC) - love it?


There has been a raging debate inside and outside of Microsoft about the new security feature in Windows Vista called UAC.  UAC stands for User Account Control.  The debate has raged mostly about the effectiveness of the feature.  Do a search on www.live.com for vista uac and you’ll see what I mean.  The mainstream press has even decided this topic is worthy of “debate”.

By effectiveness, I mean that most of the negative articles mention that you are prompted so often for elevation consent that you become a drone hitting the Enter key without really looking closely at why you are being prompted.

Let’s get one thing straight about the feature set… you can control this.  In the snip I have posted, you can see the policies that are available that control the behavior of this feature.

[Screenshot: UAC policy]

The policies can be set and controlled locally via secpol.msc, or via a Windows Active Directory Group Policy.  In the snip above, you can see I took a harsh stance on the policies for my machine.  I’m currently running a Windows Vista Beta 2 release candidate and have been running with these policies for over three weeks.
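One way to check these policies on a machine after the fact, as an added example that is not from the original post: it parses the `[Registry Values]` section of a `secedit /export /cfg <file>` export and flags UAC values that disable or silence prompting. The value names and meanings are assumed from the documentation for released Windows versions (the Beta 2 build described here may differ), and the sample export is constructed.

```python
import re

UAC_KEY = r"machine\software\microsoft\windows\currentversion\policies\system"

# Assumed baseline (released Windows docs): weak DWORD value -> why it is flagged.
WEAK = {
    "enablelua": {0: "Admin Approval Mode (UAC) is turned off"},
    "consentpromptbehavioradmin": {0: "administrators elevate without any prompt"},
    "promptonsecuredesktop": {0: "elevation prompt is not shown on the secure desktop"},
}

# Constructed sample of a secedit export (not taken from the post).
SAMPLE_EXPORT = r"""
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
[Version]
signature="$CHICAGO$"
"""

def parse_uac_values(text):
    """Return {lowercased value name: int} for REG_DWORD entries under the UAC key."""
    values, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, data = line.partition("=")
        key, _, name = path.lower().rpartition("\\")
        reg_type, _, raw = data.partition(",")
        if key == UAC_KEY and reg_type == "4" and raw.strip().isdigit():  # 4 = REG_DWORD
            values[name] = int(raw)
    return values

def audit(text):
    """Return sorted findings; a value missing from the export is reported, not assumed safe."""
    found, out = parse_uac_values(text), []
    for name, weak in WEAK.items():
        if name not in found:
            out.append(f"{name}: not set in export")
        elif found[name] in weak:
            out.append(f"{name}={found[name]}: {weak[found[name]]}")
    return sorted(out)
```

Real exports are typically written as UTF-16, so decode the file accordingly before passing its text to `audit`.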

Keep in mind Windows Vista is in development.  You get to tell us what is the right balance of security and control.  Windows Vista Beta 2 is almost ready.  Install it and try it for yourself.  Post feedback to the UAC blog at http://blogs.msdn.com/uac/archive/2006/01/22/516066.aspx where they’ve outlined the settings and their meanings.

See the Step-By-Step at http://www.microsoft.com/technet/windowsvista/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d9.mspx

See http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx for more information.

See the Application Compatibility article at http://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx.  This is a very nice resource and you should devote some time to reading that article (recently updated).

 

  • Honestly...I really don't know.  It will all depend upon how much an average user can do without administrator rights.  I can't have 1500 students coming down to the Help Desk because they can't install software.  My team would die.

    As it is, in education, nothing *major* happens during the school year.  Sure, we can do minor changes and we can test all we want, but if it involves touching 2000 computers then it's a summer-time only project.  Thus, I think we will spend the 2007-2008 school year testing Vista...learning how to best use Vista's capabilities...but won't deploy Vista on a grand scale until our next notebook lease.

    On a personal level...well...it would be easier to answer if I could "touch" it.  I know I already need Ultimate and with a Child(TM), I need control over what she can and - more importantly - cannot do.  Between UAC and the Parental Controls, I think I'm set.

    In my opinion, UAC is just something we all need to learn to work with.  The days of running as an Administrator are rapidly coming to a close.  Most people running a Linux distro (I think Linspire runs most users as a root-equivalent) or OS X already deal with something like UAC yet they get the job done.  This is something Windows users can love too.

  • I love the concept, just hate the implementation.  As explained on my blog, on my two dev boxes I've turned it off and will be unlikely to turn it back on till we get a less obtrusive implementation.

  • Yeah, for a developer box, it's probably overkill.  However, I think you all should install Beta 2 and run with default settings for a week or so and provide feedback.

    Beta 2 is getting closer so you'll be able to get your hands on it soon.