Guy’s Ezine 168 – Attitudes to UAC (User Account Control)
The advent of a more subtle UAC (User Account Control) in Windows 7 has rekindled my interest in these dialog boxes, which are also found in Vista and Windows Server 2008. This week I offer an insight into the two sides of the argument for disabling the UAC.
The Young Gung-ho Guy
His deep-seated hatred for anything to do with the establishment means that gung-ho Guy will turn off the UAC immediately. He regards the security dialog box as a personal affront, and disables the UAC as a matter of principle. The only question in his mind is whether it’s better to make the configuration change via the Local Policy snap-in, or call for regedit.
Old Senile? Guy
‘Old’ Guy thoughtfully reflects that Microsoft must have implemented the UAC system for a good reason. He undertakes background reading on elevated rights and the PA (Protected Administrator) account. When each UAC dialog box appears he dutifully checks the ‘Program name’ and the ‘Publisher’. Old Guy has no intention of turning off UAC, or curtailing its scope.
Incidentally, it might amuse you to identify these gung-ho or senile traits in your colleagues!
Barking Eddie’s Research
Barking Eddie has been gazing into his crystal ball in an attempt to anticipate what techies will do with the new UAC in Windows 7. His conclusion is quite startling. ‘There will be no happy medium,’ says Eddie. ‘The majority of techies simply will not accept the default middle-of-the road setting.’
Eddie claims the default Windows 7 setting represents the worst of both worlds; the UAC dialog box is still annoying, yet does not offer strong protection against insecure or rogue processes. The only good news about the Windows 7 version is that you can change the settings more easily, this is because Microsoft has produced a new interface in the User Accounts section of the control panel. Eddie predicts that most of the techies he knows will swing the UAC slider to ‘Never Notify’. While a few boot-licking ‘Jobsworths’ will go for the ‘Always Notify’, which is actually the same UAC setting as in Vista.
Eddie also spells out the unpalatable truth that the UAC never has, and probably never will, protect against malware. On its best day the UAC may give a clue to an alert user that something is not quite right. But as you analyze the problem, so you realize that virus writers will soon learn methods to circumnavigate the UAC, for example DLL injection. Even if the UAC was able to block malware, you still need superior anti-virus and anti-malware utilities to control the infection that caused the UAC reaction.
UAC’s Original Mission
To be fair to Microsoft we should return to the UAC’s mission statement, in a nutshell, this was to encourage users to logon with ordinary accounts, and not as administrators. Legitimate developers were then supposed to design their programs to use elevated rights sparingly, and then prompt users when ever genuine administrative rights were needed to complete an operation.
What followed was a marriage between the desire to minimize people logging on as administrator, with the quest for a magic security bullet that protected us from rogue software. The result of this uneasy union was the UAC. Microsoft should have realized that techies don’t like aggravation, especially where they cannot see any benefits, consequently right from the earliest Vista betas techies gave the UAC the thumbs down, and delighted in finding ways to bypass the UAC. Furthermore, over the last 3 years word from the server room is if you disable the UAC then nothing bad ever happened, at least nothing that could legitimately blamed on neutering the UAC. Disable UAC Windows Server 2012
While the UAC theory is a mess, and the goals are still muddled in Windows 7, fortunately, the practicalities remain simple, either we leave the UAC as it is, or disable the nagging dialog box. My friend Barking Eddie wonders if the UAC will eventually go the way of that other, ‘Most hated feature’, namely the MS Office paperclip helper, and be consigned to the great recycle bin in the sky.
Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.
It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.
Will and Guy’s Humour
In addition to jokes and funny pictures Will and Guy sometimes feature special occasions, for example, today is St Swithin’s day. Are we going to get 40 days of rain, at least in the UK?
Windows 8 Features: