User Account Control in Vista
A lot of my students ask me how to disable UAC and it takes some convincing to persuade them not to do it. UAC is a great security feature, but it isn’t a magic bullet. Unfortunately there’s a perception that UAC is at best, just an annoyance, and at worst that it will secure your PC against malware.
I recently read a great blog posting by Jesper Johansson that cleared a lot of the issues up for me. I won’t steal his thunder (well I’m too lazy to copy and paste it all) but the highlights are…
- UAC is meant to help more people log in as standard users. That’s right, you can now perform more configuration tasks than previously possible. For example, non-admins can now change the time zone, without changing the time. Previously the whole group of settings was inaccessible, but it’s more granular now.
- Software developers need to write their programs to operate in standard mode, and not require admin privileges.
- UAC does not offer total protection against malware. It will just alert you that a process, which may be malware, is attempting to run with elevated privileges. By the same token, malware doesn’t need to run with elevated privileges to be harmful.
- There are many ways to attack a machine that UAC will not alert the user about, so UAC should be part of your defense-in-depth strategy, not your only line of defense.
Be sure to read Jesper’s blog for all the details