As I am focusing more and more on Windows 7, I find that blogging now begins with web searching, to make sure that what I’m talking about is already publicly disclosed and, as such, I’m not putting my job at risk.
I want to go into a bit of detail on UAC configuration, what’s changing in Windows 7, and what’s available today. Because, in my experience, there are a lot of people who don’t fully understand how to configure UAC as it exists in Windows Vista – probably because we haven’t spent enough time talking about it.
PC Magazine (oh, how I’m going to miss the dead tree edition of that magazine) was kind enough to already show you what I want to talk about in it’s article here: http://www.pcmag.com/article2/0,2817,2335122,00.asp. So, let’s have a second look at the new UI for UAC in Windows 7, as it exists today (this is not a commitment that it will never change, that it’s a good idea, or that you won’t experience premature hair loss from viewing the picture – all the regular disclaimers for pre-release software apply):
Now, my friend Crispin would prefer a different UI metaphor than a slider – he’d like to see a pair of pants – the further down you pull the slider, the further down your pants are while you’re computing. I actually think that’s a really good analogy. Let’s look at each of these settings, talk about what you can (and can’t) do on Windows Vista today, and then add some commentary on the consequences of making that choice.
Always Notify Me
This is UAC configured the way you get it on Windows Vista today. This one should be very familiar.
Notify me only when programs try to make changes to my computer
This one is genuinely new for Windows 7, and essentially will auto-approve elevation when performing some actions to modify system state. I won’t get into the mechanics of exactly what we’re doing, because it’s neither final nor am I currently authoritative on all of the details behind the logic here. My goal here is to explain what you could do today, anyway.
Notify me only when programs try to make changes to my computer (do not dim my desktop)
Well, half of this (as discussed above) is new stuff, but the other half (the half in parentheses) is available for you on Windows Vista: not dimming the desktop. That’s something you can configure today. In group policy, under Windows Settings \ Security Settings \ Local Policies \ Security Options, you’ll find an entry called User Account Control: Switch to the secure desktop when prompting for elevation. Change that policy to disabled, and you have that half of the configuration.
Why do we default to switching to the secure desktop? Defense in depth. Message queues don’t have security descriptors. Of course, User Interface Privilege Isolation should help keep less trusted messages from getting to the approval dialog (consent.exe runs with System IL), but it’s even better to get to a separate desktop since the boundary of a window message is the desktop.
You see, today Windows doesn’t have what some call “Authentic User Gestures” – the ability to differentiate between a real user clicking a mouse button which gets translated into a window message to click the button, and an application sending a window message to pretend that somebody clicked it. To the receiving application, they both look exactly the same. So we build up mechanisms like this. While elevation is not technically a security boundary, it should at least do a reasonably good job of looking after you.
When do I see people configuring this policy? Well, there were some drivers early on that had a really hard time with the transition to the secure desktop (I haven’t seen this in a while). And otherwise, I see people configure this temporarily to make it easier to grab a screenshot of the dialog box. (Of course, if you want to make it look more realistic, you should change the theme to the basic theme first, since the secure desktop doesn’t have glass.
Never notify me
This is the off switch that you have in Windows Vista. This is bad for all the same reasons that it’s bad in Windows Vista.
So, what’s really new is the “windows settings” categorization. But wait, there’s more! This slider still doesn’t expose two settings which are very interesting to know about!
In the “Behavior of the elevation prompt for …” settings you have:
(For local administrators) Elevate without prompting
This is the setting for people who never, ever want to see a prompt, but don’t want to lose out on the value of UAC. You keep things like Internet Explorer in Protected Mode, AXIS for your standard users, UAC file and registry virtualization, and all kinds of other useful stuff – and, oh yeah, the fact that the overwhelming majority of software testing is done in the default configuration (enabled). If you’re hell-bent on disabling UAC, could I talk you into giving this setting a try?
(For standard users) Automatically deny elevation requests
This is the setting for people who disable UAC for their standard users because they don’t want them seeing a credential prompt, since their users won’t have credentials and, in the enterprise, that just means it’s going to cost more to run the helpdesk. You don’t have to disable UAC and lose all of its benefits, you just need to tweak this policy.
Personally, I’d like to see an additional notch in the slider that uses these settings – leaving UAC on but getting rid of all notifications. Perhaps even hiding to “off” switch a bit, because in my travels, this is the setting that gives the best overall experience for people who hate prompts passionately. But alas, it’s not my decision to make.
By the way, here is the e7 post on UAC: http://blogs.msdn.com/e7/archive/2008/10/08/user-account-control.aspx