UAC Keeps You Safe While Using Vista
Introduction
With the release of Vista there have been many new security aspects in the operating system. One of the most talked about features is User Access Control or UAC. UAC has gotten a lot of bad press, but I disagree with them. Here is a quick run down on UAC and why it is a good thing. In the not to distant past, users of Windows would find themselves logged on automatically as an administrator when setting up Windows XP. If you install XP and do not join a domain, the default user you create has full administrative privileges and can access all aspects of the computer operating system.What’s the big deal you ask?
Many computer users found it convenient to never have to elicit the help of the IT team to install a new software application or reconfigure the Windows registry or change the system clock. While convenient for the computer user, in a small company the effects can be devastating for two reasons.
1. Inadvertent Experimentation
Many users consider themselves Power Users and editing the registry or installing new drivers is old hat to them. However, problems arise when the latest drivers for that new video card are in beta only and have known issues with the accounting software you are also running. This causes the system to crash repeatedly. The user now loses productivity as hi system has to be rebuilt. In a smaller organization, this might actually mean installing from scratch as opposed to an imaging process. That equates to lost time and productivity.2. Personal Use of Corporate Computers
This second reason is a little more ominous. Many users tend to use their work computers as their own private portals to the Internet. Surfing inappropriate sites, checking stocks and downloading bit torrents at work is fast becoming a major security issue. When a user downloads executable code such as a script or even a screen saver and then runs the code they are doing so as the administrator of the computer. If the code is nefarious, it get’s a bump start on its road to destruction as it does not even need to try to escalate its privileges as it is running as administrator already. The potential for loss and breach of security is huge. Microsoft has long touted the benefits of running as a non administrative user on a system. Until now it was impractical for many users and cumbersome. UAC was defined to address these shortcomings.UAC Explained
User Access Control (UAC) which is enabled by default in Vista allows standard users (non administrators) to complete both standard and administrative tasks (if they have the administrative credentials on hand) without having to log off. Very similar to the ‘su’ command in Linux. The process works by assigning two security tokens to a logon. One token contains group membership information and the second controls the authorization and access data. Until Vista there was only a single token which stated what a user could do. It was all or nothing. With User Access Control (UAC) even administrators must provide acceptance for various tasks. For example, the user of a computer wants to add a file to the Startup Menu to begin a chat application at start up. This function is trying to write to the registry and will cause UAC to request access even if the user is the administrator. When the user attempts to create the shortcut they are presented with a similar screen. The only difference between a standard user and administrative user is that the latter will not be prompted for credentials.While it may seem cumbersome at first, UAC prevents applications from writing to the registry inadvertently with out the user’s knowledge. It also prevents applications from installing without a user’s knowledge.
Some articles have said that UAC is in fact security vulnerability because by default users are still by default administrators when their account is created. True. But they will still need to use UAC to install program, perform system maintenance or run some applications. However, the onus is still on the owner to be using the correct account. Microsoft can’t do that for you. At the end of the day operating system and software application vendors can only do so much, computer users need to be aware of proper secure practices.
Some users complain that it is annoying having a popup extended every time they open the control panel. But let’s think for one moment. Let’s take the majority of users of systems. Standard everyday computer users. How many times a day to most users have to open MMCs, adjust video settings or monkey with the registry? The fact is, once the system has been configured, most users will probably not have to even see the popups. Even when I run my system in Admin mode I leave the UAC turned on as a secondary measure of security. This way I am notified when when operating system or a software application is doing a task that should have my approval to proceed.
Aucun commentaire:
Enregistrer un commentaire