Guy's Ezine 168 - Attitudes to UAC (User Account Control)
The advent of a more subtle UAC (User Account Control)
in Windows 7 has rekindled my interest in these dialog boxes, which are also found in Vista and Windows Server 2008.
This week I offer an insight into the two sides of the argument
for disabling the UAC.
Young Gung-ho Guy
His deep-seated hatred for anything to do with the establishment means that gung-ho Guy
will turn off the UAC immediately. He regards the security dialog box
as a personal affront, and disables the UAC as a matter of principle. The
only question in his mind is whether it's better to make the configuration
change via the Local Policy
snap-in, or call for regedit.
Old Senile? Guy
'Old' Guy thoughtfully reflects that Microsoft must have implemented the UAC
system for a good reason. He undertakes background reading on elevated
rights and the PA (Protected Administrator) account. When each UAC
dialog box appears he dutifully checks the 'Program name' and the 'Publisher'.
Old Guy has no intention of turning off UAC, or curtailing its scope.
Incidentally, it might amuse you to identify these
gung-ho or senile traits in your colleagues!
Barking Eddie's Research
Barking Eddie has been gazing into his crystal ball in an attempt to
anticipate what techies will do with the new UAC in Windows 7. His
conclusion is quite startling. 'There will be no happy medium,' says
Eddie. 'The majority of techies simply will not accept the default
middle-of-the-road setting.'
Eddie claims the default Windows 7 setting represents the worst of both worlds; the
UAC dialog box is
still annoying, yet does not offer strong protection against insecure or
rogue processes. The only good news about the Windows 7 version is that
you can change the settings more easily, because Microsoft has produced a new interface in the User Accounts
section of the Control Panel. Eddie predicts that most of the techies
he knows will swing the UAC slider to 'Never Notify', while a few
boot-licking 'Jobsworths' will go for 'Always Notify', which is actually
the same UAC setting as in Vista.
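For anyone who has to audit which camp each machine has ended up in, here is an added example (not part of the original ezine) that reads the UAC policy values from the registry and names the slider position they correspond to. The registry value names and the value-to-slider mapping do not appear in the ezine and are assumptions based on the commonly documented UAC policy settings; the host names and sample values are constructed.

```powershell
# Added example (not from the original ezine): classify the UAC policy values
# a machine is running with, so 'Never Notify' hosts stand out in an audit.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA=0 switches Admin Approval Mode off entirely: no prompts at all.
    if ($EnableLUA -eq 0) { return 'UAC disabled' }
    # Assumed mapping of (admin prompt behaviour / secure desktop) to the slider.
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always Notify' }
        '5/1'   { return 'Default' }
        '5/0'   { return 'Default, no secure desktop' }
        '0/0'   { return 'Never Notify' }
        default { return "Custom ($_)" }
    }
}

function Get-LocalUacLevel {
    # Read the live values; a missing value is reported rather than guessed.
    $p = Get-ItemProperty -Path $UacKey
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -eq $p.$name) { return "Unknown ($name not set)" }
    }
    Get-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}

# Constructed sample values, so the classifier can be exercised offline.
$samples = @(
    @{ PC = 'PC-A'; LUA = 1; Admin = 2; Desktop = 1 },
    @{ PC = 'PC-B'; LUA = 1; Admin = 5; Desktop = 1 },
    @{ PC = 'PC-C'; LUA = 1; Admin = 0; Desktop = 0 },
    @{ PC = 'PC-D'; LUA = 0; Admin = 5; Desktop = 1 }
)
foreach ($s in $samples) {
    '{0}: {1}' -f $s.PC, (Get-UacSliderLevel $s.LUA $s.Admin $s.Desktop)
}

# Live check on the local Windows machine.
Get-LocalUacLevel
```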
Eddie also spells out the unpalatable truth that the UAC never has, and
probably never will, protect against malware. On its best day the UAC
may give a clue to an alert user that something is not quite right.
But as you analyze the problem, so you realize that virus writers will soon
learn methods to circumvent the UAC, for example DLL injection.
Even if the UAC were able to block malware, you still need superior
anti-virus and anti-malware utilities to control the infection that caused
the UAC reaction.
UAC's Original Mission
To be fair to Microsoft we should return to the UAC's mission
statement. In a nutshell, this was to encourage users to log on with
ordinary accounts, and not as administrators. Legitimate developers
were then supposed to design their programs to use elevated rights
sparingly, and then prompt users whenever genuine administrative rights
were needed to complete an operation.
What followed was a marriage between the desire to minimize people logging
on as administrator and the quest for a magic security bullet that protected us from rogue software.
The result of this uneasy union was the UAC. Microsoft should have
realized that techies don't
like aggravation, especially where they cannot see any benefits.
Consequently, right from the earliest
Vista betas, techies gave the UAC the thumbs down, and delighted in finding ways
to bypass the UAC. Furthermore, over the last 3 years the word from the
server room is that if you disable the UAC then nothing bad ever happens, at
least nothing that could legitimately be blamed on neutering the UAC.
Windows Server 2012
While the UAC theory is a mess, and the goals are still muddled in Windows 7, fortunately
the practicalities remain simple: either we leave the UAC as it is, or disable the nagging dialog box.
My friend Barking Eddie wonders if the UAC will eventually go the way of
that other 'Most hated feature', namely the MS Office paperclip helper, and
be consigned to the great recycle bin in the sky.