I couldn’t tell you how many times I have either had the question “how do I turn off User Account Control” or heard the statement “boy, I sure hate all those annoying user account control popups in Vista.”
Yeah, security sucks, it gets in the way of doing things, some bad, some good, but that’s a fact of life. The other fact is that User Account Control (UAC) is one of the most important ways that we hope to protect people in Windows Vista. I have many times told the story about how Steve (Riley) and I were at an event when he gets a call from his wife asking for help with her computer. Apparently it was getting all sorts of popups, ads, and other weirdness; clear signs of spyware. He stated that he’d fix it when he got home. When he did he downloaded and ran all kinds of cleaners, and then called me with the astonishing results. The computer had about 168 separate pieces of spyware. So I went and ran the same cleaners on the computer in our kitchen, the one most of the family uses. On that one we found exactly zero problems. The difference? Steve is a nice guy, so he gives his wife administrative access to her computer and everything installed nicely, including the spyware. I am, well, there is a term for it, but it is not suitable for electrons, so none of my users ran as an administrator. The result, nothing installed, including the spyware. This experience obviously does not guarantee that just by running as a normal user you will not get spyware, but it will make it more difficult to get it, and it will make it easier to clean off.
The problem is that without considerable savvy, or lots of time spent in Aaron Margosis’ blog, the vast majority of people today can’t run as a non-admin user. The reason is all the apps that require administrative privileges. To solve that problem, we can do a couple of things. We can try to plead with the app vendors to fix their stuff, and you know how well that has worked in the past. We can stop buying these defective apps, and you know how well that has worked in the past. And, we can build a technology that allows most people to do most of the things they need to do to run the computer on a daily basis as a non-administrator. That technology is called User Account Control.
Windows Vista includes a number of features that work as part of, or in conjunction with, UAC to meet three important goals. The first is that these features allow a lot of applications that did not previously run as a non-administrator to do so. This is done by virtualizing key operating system locations, such as the Windows directory and Program Files. UAC also changes the privileges required for many common tasks, such as changing the time zone, power settings and even installing approved devices and ActiveX controls, so those tasks can be performed by ordinary users. This allows users to run as non-privileged users while allowing many scenarios and applications that did not work that way under Windows XP to still work. The second promise is to create an easy elevation path for applications that really do require administrative privileges, while still allowing even users who are administrators to run as non-administrators most of the time. This means that even for users who are in the administrators group, applications like Internet Explorer and the mail client do not actually have administrative privileges all the time, reducing the damage attacks against those applications can inflict. Finally, UAC allows us to quickly spot all the broken apps out there so that we can either shim them to run as non-admins or get them fixed. This latter is at the same time the most subtle and arguably most important of the things UAC does. It is also in many cases the most obvious, and the reason many people want to turn UAC off. By doing so, they allow applications with fundamental design flaws to still work, reducing the pressure to actually fix those applications so they work as non-privileged users, as most of them should.
None of that will work unless people use the feature. To do all those things we need your help, yes, yours, as a beta tester of Windows Vista. Unless we get feedback on what works and what does not we can’t fix it. If you disable critical technologies that we are trying to get to work, we can’t fix them. That means that, yes, some things will be annoying and not work quite right in the final release, unless people work with us to fix them. Going out with statements like “this is the worst feature ever and I already disabled it and will never re-enable it” based on unfinished beta code is simply silly. Why not instead realize that allowing people to run as a non-admin is one of the most important things that can be done when it comes to protecting your system, and that it won’t happen if the only people trying to get it done are a few program managers at Microsoft. Work with us on this one and help us build a great, usable, and useful UAC. If you find prompts that are absolutely egregious and need to go, send us feedback on that. We need to know. If you can’t find any other way to submit it, send me a comment on the blog and I will get it filed.
Disabling UAC also removes many other protections. For instance, if you set the “User Account Control: Run all administrators in Admin Approval Mode” security policy item to disabled you actually remove all of the benefits of the integrity controls and the restricted security tokens from your administrative account. That means that Internet Explorer, for instance, will run as a full administrator, just like it does under Windows XP. By extension, it means that any missed click or accidental navigation could completely compromise your system, just like under Windows XP. If you have to disable UAC temporarily, for example while you are building out the system and you can’t stand all the prompts, do not turn off Admin Approval mode. Instead, change the behavior of the elevation prompt for administrators in Admin Approval mode to not prompt. That way you at least leave Internet Explorer protected with a low integrity token.
Once the OS is released, if you absolutely can’t stand a security feature that is designed to protect you, by all means, turn it off. For now though, realize that this is beta code. It is not quite done yet, and it won’t be quite right unless we get help from the people entrusted with pre-release copies of the operating system.
To learn more about UAC, check out the UAC team blog. A lot of questions and concerns about UAC are probably already addressed there.