When Microsoft released Windows Vista one of the features that I was more amazed from the architecture perspective was UAC. As during that time I was working at Microsoft CSS Enterprise Support I also heard the other side of the coin and heard many complaints from customers about the amount of authentication prompt. It was indeed a shift on user’s mind about stopping to have everything to have less and even worst, ask for authorization in order to have what they used to have. With Windows 7 the amount of prompts were reduced, the core architecture principle was preserved and enhanced in some areas. But beyond the implementations details and the improvements that we had on Windows 7, there is a core goal of using UAC – keep administrative rights away from end users.
Today I was reading an article from Info Security Magazine that was entitled “Report recommends removing admin rights from end users”. While I was reading this article my mind put me back to year 2007 when I was delivering a presentation about new security features in Windows Vista. The report mentioned in this from BeyondTrust brings again the discussion about reducing attack surface by limiting user rights and avoid using administrative accounts for regular tasks. What’s interesting about this subject is that four years ago Mark Russinovich emphasized the need to do that at TechED and the slide below (from that presentation) summarizes that:
The reason I particularly like this slide is because it covers the three core points of this discussion. As I previously mention, my goal here is not go to the implementations improvements on Windows 7 from the UAC perspective, but really to emphasize how important it is to keep end users running as standard users. This can dramatically assist you to enhance the security of your environment by mitigating potential threats that are trying to exploit vulnerabilities that require administrative privileges in order to succeed.
You can watch Mark’s presentation here to really see the value of UAC:
More about UAC on Windows 7 see: