Its funny how you get a whole bunch of similar questions at the same time. A couple of weeks ago Ian from a city council in Melbourne was asking me how he could verify whether an application was developed according to Microsoft guidelines so that he could pick which application would deploy and operate the best and thus reduce the amount of post deployment frustration and maintenance. At the time I didnt have a great answer for him...sorry Ian...I do now!
Then this week I was presenting at the Novell User group in Perth and Ashley comes up and asks the same question! Though he got me thinking about whether we already have this stuff and he mentioned the logo program...of course! Doh!
I was talking to the Novell User group about the reasons behind User Account Control and how that it now enforces system integrity. See for ages we've told app developers:
1. Don't write dynamic user data to HKLM, c:\Windows, c:\windows\system32 or any other protected system area
2. Don't overwrite core system files with your dodgy ones...
Unfortunately they ignored it - though the problem was we never properly enforced it and when people tried to run those apps with least privilege, many of them broke as they assumed that the user was running as Local Administrator as really that's what the dev guy who wrote the app was running under when he wrote it and hey it compiled ok on his machine right so it must work???
Now Vista enforces it. The only time you should see a user account control consent box is when you do something that will affect system integrity like install an app or change a core system setting.
The problem is that now some apps are breaking despite some of the virtualisation steps we have taken to virtualise out some of the bad system writes back into the user profile areas...
Enter Ian's and Ashley's question. So how can we know this before we buy the app?
Enter the Innovate on Windows Vista logo program.
The top end of this program is the "Designed for Windows Vista" logo. There are specific requirements to pass this level that are specific to full compatibility and best experience with Windows Vista. Bear in mind too for those of you that don't have Vista yet, if it works on Vista then it will definitely work on XP and in least privilege access most likely too. There's some more resources to help you build a test pass:
1. The Application Verifier is a tool that helps you to assess where the app is writing to, what its doing and whether it will pass user account control.
2. The Application Development requirements for User Account Control online documentation
3. Specifically the initial app testing documentation.
You really do want the app to pass the top end of the logo program to ensure that it deploys well without unnecessary reboots, allows you to patch it without reboots and runs well in multi user environments.
Otherwise if today you have a deployment of Windows XP machines all running in Local Administrator privilege and want to know if the apps youre running will work with Vista deploy the Application Compatibility Toolkit 5.0. It can installs agents on selected machines, monitor the apps and where they are writing to and then deliver you a report on whether the app with run with Vista and thus least privilege.
I read this article from Angus today with much amusement. Apparently Vista is more insecure than Windows