So I want to take a second to vent. First, I recognize that I work for Microsoft and before the whole Trustworthy Computing thing (which hit it’s 5 year anniversary this week) the concept of security and Microsoft was the brunt of several jokes. Not hurting my feelings….we needed those of you in the field to really open our eyes as to what we should have been doing from Square 1….so for that I thank you. I also think we’re moving in the right direction, as do many of you.
What makes me angry is when we do what is “right” for the security field as a whole and then get some self-serving “security expert” who gets quoted saying that specific security features are just a “burden to users”. Know what else is a burden? Seat belts. Would this same guy be quick to recommend that his kids drive without them? What about airport security checkpoints? I know they’re a real drag for me. Maybe we should just have two lines at the airport…one for people who don’t mind being screened and an express line for those who do. Of course, I bet if I choose to run this vendor’s “security solution”, my experience as a user would be near perfect. Funny how that works.
Here’s the facts: The User Access Control feature in Windows Vista is absolutely the right thing to do keep users from being their own worst enemies, by running with administrative rights, when it’s not required by the task. Of course, you need to determine if the risk of turning the UAC off is less of a hassle than rebuilding a corrupted network. Totally up to you. Don’t forget (like this gentleman failed to mention) you do have the ability to set the level of user interaction with UAC through nine separate options in Group Policy. The Windows Vista Security Guide explains where to make that change.
The screen shot on the left shows the option for someone with admin rights. The other is for those who run as standard users without admin rights:
If you got any more questions about UAC please check out the UAC team blog….and always wear your seat belt.