One of Microsoft's goals in creating Windows Vista was to make it far more secure than its predecessor. At the heart of this new security model is a feature called User Account Control. Although User Account Control (UAC) does a good job of protecting users against malicious code (not to mention themselves), this feature has received a tremendous amount of backlash from the IT community.
Let's take a look at how User Account Control works in Windows Vista, and why it's been surrounded by so much negativity.
For as long as I can remember, Microsoft has been recommending that network administrators log on as standard users with standard privileges, and only use the administrator account for performing administrative actions. This is because in the vast majority of cases, any code you execute has the same level of privileges as you do. Therefore, if you were to become infected by a virus -- and you are logged on as an administrator -- the virus would have full, administrative access to the system for as long as you are logged on.
For that reason, working as a standard user unless administrative access is required is a good practice. Still, you have to admit that it's a pain to switch back and forth between accounts every time you need to perform an administrative action. To make this process easier on us, Microsoft created the RunAs command.
RunAs allows you to perform an action as a different user. For example, if you needed to perform an administrative action, you could stay logged in as a standard user, but use the RunAs command to perform the administrative task as a user with administrative privileges. RunAs is not unique to Windows Vista. It is also included in Windows XP and Windows Server 2003 (possibly earlier versions as well).
So why not just use RunAs? To be completely frank, RunAs works really well, but administrators are busy, and human beings in general (myself included) are lazy. Using the RunAs command creates one extra step for an overworked Windows administrator. Besides, I have talked to some administrators who say, "I am the administrator of my network, so why shouldn't I log on with the Administrator account?"
User Account Control
I mentioned earlier that User Account Control is a mechanism for protecting users from themselves, but it might be more accurately described as a mechanism for protecting administrators from themselves (it does both). To put it simply, User Account Control in Windows Vista warns the user (or administrator) whenever an unexpected or potentially threatening action is about to occur. That way, if the user or administrator initiated the action, then they can just approve it and go on. If the action occurred unexpectedly though, then it might be a sign of a malware infection, and the user or administrator has the ability to block the action.
If you have spent much time using Windows XP, you have no doubt seen malicious code display dialog boxes that pose as legitimate Windows messages. This is typically done as a way of tricking a user into clicking on a button that unleashes the code's wrath upon the system. The first time I heard about User Account Control, I envisioned malicious applications displaying phony UAC dialog boxes in an effort to trick users into clicking a button. However, Microsoft did something rather clever to keep this from happening.
When User Account Control is invoked, Windows Vista goes into Secure Desktop Mode. This means that everything on the entire screen is grayed out except for the UAC dialog box. This is Vista's way of proving to the end user that the dialog box is legitimate. It is also a way of preventing any further action from occurring until the person using the computer has made a decision. In fact, I tried to get a screen capture of the User Account Control dialog box, and it seems that Microsoft has even disabled the Print Screen button when Windows is running in Secure Desktop Mode.
So what does all of this have to do with administrators? Well, in Windows Vista, admins are treated as standard users with standard permissions. If an administrator attempts to perform an administrative action, then User Account Control asks for the administrator's permission prior to performing it. If a regular user tries to perform an administrative action, then Windows Vista does the equivalent of invoking the RunAs command. This means that Vista not only asks for permission to perform the action, but it also requires the user to enter a set of administrative credentials.
So why the backlash?
There are a number of reasons why users have had so many issues with User Account Control. One is that some people think that UAC bothers you too often. I have to admit that during some of the early Windows Vista betas, User Account Control would pester you to death. Today, though, the average user rarely even sees a UAC screen, as it is only invoked if a user attempts to take an administrative action or if something unexpected happens (such as a Web page trying to interact with Windows). Administrators see User Account Control screens far more often than standard users because of the nature of the tasks they are performing.
Another reason why User Account Control has drawn criticism is because some people view it as an ineffective security mechanism. Someone once told me that displaying a UAC screen for an end user is the equivalent of displaying a dialog box that says "Do you want to see the dancing monkey?", and having buttons that say "Duh," "Of Course" and "No." In other words, users will always click the option that gives them instant gratification, regardless of the consequences.
Sadly I have found this to be true in most cases. In the past three weeks I've received phone calls from two different people who wanted to "see the dancing monkey" and chose to perform an action that infected their systems, even though User Account Control tried to stop them.
The other reason for the backlash against UAC is that it is the mechanism responsible for the majority of Windows Vista's compatibility issues with legacy applications. Fortunately, most applications now have newer versions that are compatible with Vista. Furthermore, you also have the ability to disable User Account Control (although I wouldn't advise it).
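The PowerShell below is an added example, not part of the original article. It reads the registry policy values behind the behaviour described above (whether UAC is on, whether prompts use the secure desktop, and whether administrators and standard users are asked for consent or for credentials) and flags settings that switch that protection off. The function name Get-UacPolicyReport is an assumption made for this example.

```powershell
# Added example: read-only audit of the UAC policy values on the local machine.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of each documented value, keyed by registry value name.
$meaning = @{
    EnableLUA             = @{ 0 = 'UAC disabled'; 1 = 'UAC enabled' }
    PromptOnSecureDesktop = @{ 0 = 'Prompt on the interactive desktop'; 1 = 'Prompt on the secure desktop' }
    ConsentPromptBehaviorAdmin = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    ConsentPromptBehaviorUser = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
}

# Values that remove the prompt or the secure desktop the article describes.
$weak = @{ EnableLUA = 0; PromptOnSecureDesktop = 0; ConsentPromptBehaviorAdmin = 0 }

# Get-UacPolicyReport is an illustrative name, not a built-in cmdlet.
function Get-UacPolicyReport {
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($name in 'EnableLUA', 'PromptOnSecureDesktop', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
        $value = $props.$name
        if ($null -eq $value) {
            $text = 'Value not set (system default applies)'
        } else {
            $text = $meaning[$name][[int]$value]
            if (-not $text) { $text = 'Unrecognized value' }
        }
        [pscustomobject]@{
            Setting = $name
            Value   = $value
            Meaning = $text
            Weak    = ($null -ne $value -and $weak.ContainsKey($name) -and $weak[$name] -eq $value)
        }
    }
}

Get-UacPolicyReport | Format-Table -AutoSize
```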
Personally, I don't think User Account Control is as bad as people make it out to be. Granted, a lot of users are going to just click the option to allow an action to happen regardless of what it is. At the same time, though, standard users run with standard permissions, which limit the amount of damage that can be done. Therefore, I tend to think of User Account Control as being more of a mechanism for protecting the administrator, who should be smart enough to avoid the "dancing monkey."
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox. You can visit his personal Web site at www.brienposey.com.
This was first published in July 2008