Paula Rojas Blog

With the User Account Control technology acting as a sentry, two security related benefits are immediately realized:

1. Malware cannot install silently in the background while a user is unaware. UAC doesn’t prevent malware from installing, mind you; it just stops the installation in its tracks before an administrator gives it the go ahead. What’s more, this safeguard is directly related to the second main benefit.
2. UAC requires either credentials or confirmation before performing any act that will affect all users of the computer. Individual users can still make changes to their own user environments because that won’t affect the computer as a whole. But more sweeping changes such as accidentally disabling a driver (or installing a piece of malware) will be prevented by UAC until administrator approval is given.

But before we get too far into the discussion, it’s important to stop for a moment to realize that Vista still includes the two basic kinds of user accounts that were available in Windows XP. Each one will be handled differently by User Account Control’s security mechanism. With Vista, new user accounts fall under these two categories:

• Administrator accounts These accounts can perform any and all administrative tasks on the machine, including application installation and system settings changes.
• Standard User accounts These are the equivalent of the Standard User accounts in previous Windows versions. Standard accounts can now install applications, but not those apps that install into the %systemroot% folder. Also, they cannot change system settings or perform other administrative tasks.

Disabling User Account Control

So now that you’ve learned all about UAC, there’s really only one real configuration question that needs to be addressed: how do you turn the thing off? Some folks find the User Account Control feature the absolute zenith of computer annoyance. Blogs abound filled with gripes and rants on UAC. You’re a smart person, after all, and don’t need some OS reminding you that you’re installing a new app. To stop those constant reminders that you’re about to install something, or make a configuration change, follow these steps:

1. Open the Control Panel. (There are lots of ways to do this use the Start Button and then choose Control Panel if you’re lost.)
2. Double-click User accounts, and then choose the Turn User Account Control On Or Off link. Since UAC is on, you’ll have to grant approval for your action before getting to the next screen.
3. Uncheck the Use User Account Control (UAC) check box to help protect your computer.
4. Click OK. You’ll then need to restart your computer. There are several other ways to do this, by the way. We’ll hit on most of them throughout the course of the book. For now, all that’s necessary is an understanding of UAC’s implications.

Once you’ve disabled the ability for Administrators to run in Admin Approval Mode, you have effectively turned UAC behavior off; you’ve made your brand-new operating systembehave more like the old one, where users logged in as local administrators carrying the full access tokenwith themat all times.(Note that you’re immediately warned about the utter stupidity of your action: the Security Center squawks a warning your way in the System Tray. Open the Security Center and Vista even gives you a chance to atone for your transgression with a single click. Since you’re disabling UAC you can ignore this warning, of course.) Before you take the step, however, Imust pass along this word of warning, directly from Microsoft:

While some non-UAC compliant applications may recommend turning UAC off, it is not necessary to do so sinceWindows Vista includes folder and Registry virtualization for pre-Windows Vista or non-UAC compliant applications by default. Turning UAC off opens your computer to systemwide malware installs.

In other words, Vista will make “virtual” allowances for applications that want to run in the context of an administrative account. You shouldn’t have to disable User Account Control to make things work. So there.