Managing Security Features on Windows Vista

Posted on
Share on Google+Share on LinkedInShare on FacebookShare on RedditTweet about this on TwitterEmail this to someone

Q: I have Windows Vista Business on my desktop. It seems that every time I try to modify my date and time settings or other features, I get a barrage of security dialogue boxes. Is there any way I can give myself super permissions privileges so I do not have go through this every time I want to change something?

– Mark

A: This is usually a symptom related to a new mechanism that Windows Vista introduced called User Account Control (UAC). The problem also can take another form, in which, instead of “continue” and “cancel” buttons, UAC displays a password prompt. Usually it happens when the logged-in user is not a local administrator on the workstation.

Before disabling this mechanism entirely, it’s important to understand why it was included in Vista in the first place. To do that, we need to look at Vista’s predecessor, Windows XP. When XP is initially installed, the Setup Wizard by default designates all user accounts as local administrators. This type of account enables users to install, run and update software on the machine. This “permission-less” environment can pose a problem, as malware and viruses can leverage it. If, on the other hand, an employee is made a standard user on his workstation, he will not be able to do many of his daily tasks, and help desks around the world likely would suffer as requests for assistance would skyrocket.

So UAC addresses this issue by prompting for consent or credentials when an activity is identified to be administration-related, even if the user is an administrator. This helps prevent many of the malware applications from spreading. For example, an attempt to overwrite a system file will bring up a UAC prompt that can only be approved by the logged-in user.

What you are being asked to confirm in those pop-up windows is the elevation of the current activity to a privileged level that allows it to execute. You can tell if an application requires elevation or not based on the color shield that appears next to it in the Control Panel (for UAC compatible applications).

That said, UAC can be totally disabled — which I don’t recommend, as the side effects are more painful than the need to approve a box every now and then — or programmed to not prompt. I recommend the second option.

To do that, go to the Start menu and run “secpol.msc”. Under Local Policies, select Security Options and then scroll down to the lines that begin with “User Account Control.” Double-click the “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” and select “Elevate without prompting.” That way, you are still keeping the UAC features running, but you will not be prompted for approval anymore.

If you want or need to completely disable UAC — again, this is not recommended — go to the Control Panel and search for the keyword “user.” This should bring up a list of related activities; one of them will be “Turn User Account Control (UAC) on or off.” Uncheck the box to disable UAC altogether. Your machine will need to restart for the changes to take effect.

For the future, Microsoft is educating its partners to design applications that will adhere to the UAC model and would require user consent only when it is really needed and not for every application install. 

Avner Izhar, CCIE, CCVP, CCSI, is a consulting system engineer at World Wide Technology Inc., a leading systems integrator providing technology and supply chain solutions. He can be reached at editor (at) certmag (dot) com.

Share on Google+Share on LinkedInShare on FacebookShare on RedditTweet about this on TwitterEmail this to someone


Posted in Archive|