In recent weeks I’ve had the chance to chat with many Windows admins about the tech media’s unfair treatment of Windows Vista and Windows 7. These are well-known Windows experts such as Jeremy Moskowitz, creator of PolicyPak, and well-respected journalists such as Greg Shields, who is taking aim at InfoWorld’s “patently biased” Windows 7 compatibility calculator this week in his Realtime Community blog.
Now Derek Melber, a true legend in the field of Windows know-how and technical training, is fuming over ignorant comments regarding the UAC (User Account Control) technology in Vista and Windows 7.
For those of you who aren’t aware of Derek Melber, here is a mini-bio: Derek Melber, MVP, MCSE, and author of BrainCore.Net, is one of only a few Group Policy MVPs in the world. His most recent book, “Windows Group Policy Resource Kit: Windows Server 2008 and Windows Vista,” published by Microsoft Press, provides in-depth information on the new Group Policy Preferences that control all Windows desktops back to Windows XP SP2. He provides custom training and education on Windows AD, Group Policy, and security. You can reach him at firstname.lastname@example.org.
If anyone has the inside scoop on UAC, it would be Derek. And with this technology getting so much bad press, I asked Derek a few questions about its implementation in Vista and in Windows 7.
JPB: Derek, there’s no escaping the fact that users have plenty of complaints regarding UAC in Vista. What is your overall view of the problem and how do you think Microsoft is going to address it?
Derek Melber: Windows Vista has had a bad rap since the Beta phases due to the User Account Control prompts. Microsoft is fully aware of the industry view on the UAC prompts and is taking action to get a solution to the problem, sooner rather than later. As a Vista user for the past year, I have trained myself to click the Continue button without much thought when UAC prompts me to elevate an application, OS function, or installation that requires Administrative privileges. I do suggest the use of Windows Vista for all IT administrators, while the use of Vista for end-users is still a variable. For those of you who have successfully held out on moving to Windows Vista, you might want to keep an eye out for Windows 7, which is the next version of the Windows client.
JPB: Why do you feel IT Administrators should use Windows Vista today?
Derek Melber: The reason IT admins should use Windows Vista with UAC today is quite simple. When an administrator is logged on to perform routine “employee” tasks, the credentials of the logged-on user should be those of a “standard user.” Most administrators have a single user account, which has membership in the Domain Admins or, worse, Enterprise Admins group. When browsing the Internet, performing routine tasks, checking e-mail, etc., if the user has administrative privileges, so does the malware, virus, or other malicious code that is running without the administrator’s knowledge.
Windows Vista eliminates risk by forcing all users — administrators and end-users alike — to run as a “standard user.” Then, when a task, application, installation, etc. that requires elevation is run, the user is prompted for consent or credentials (if UAC is configured to prompt). It is this prompting that informs administrators of code that is trying to perform an action which only administrators should be able to do. This would include writing to the system files or Registry.
Another way that Vista with UAC helps administrators is by configuring IE 7 to run in Protected Mode. Protected Mode runs the user as a “standard user” and IE with low Integrity level. It also virtualizes user-specific files away from the system files. If you have ever been browsing a perceived “safe Web site” and had the UAC prompt come up, you should be very glad you had it running!
JPB: Which end-users should use Windows Vista?
Derek Melber: The issue of end-users running with UAC enabled is a bit more difficult to swallow. This is because you don’t want your end-users running as administrators, having administrative privileges, or being provided with the Administrator password. Therefore, if you have end-users that do not run applications or functions or perform installations that require administrative privileges, Vista is a perfect solution. All of the benefits that I mentioned above for IT admins will also benefit end-users.
However, if you have end-users that run applications or OS functions or perform installations that require administrative privileges, you might find that using UAC causes some issues, since the end-user will either need to have the credentials of an administrator-type account or be placed in the Administrators group to perform their tasks. Either way, end-users running with administrative privileges is a death wish for any company.
One alternative to fixing the end-user issue where they are required to run applications requiring administrative privileges is to use a tool that elevates the user when running these applications. Tools such as BeyondTrust Privilege Manager allow end-users to run as a standard user until they need to perform an administrative task. Note that Microsoft’s Standard User Analyzer, found in the Application Compatibility Toolkit, can assist with users performing administrative tasks.
[ BeyondTrust Privilege Manager received a 2008 InfoWorld Technology of the Year Award. See Test Center’s review. ]
JPB: OK, so now for the big question. What is changing in Windows 7 UAC?
Derek Melber: According to all of the public information coming from Redmond on Windows 7, Microsoft is taking aim at the most complained-about features in Windows Vista. Primarily, the UAC prompts are supposed to be reduced dramatically. According to Ben Fathi, Microsoft corporate vice president of development, Windows core operating system division, UAC in Windows 7 will “broaden the control you have over the UAC notifications” and “provide additional and more relevant information in the user interface” for UAC prompts. For example, when the administrator of the Windows Vista computer launches Active Directory Users and Computers for the 10th time before lunch, there should be some heuristic logic in the computer to realize that this activity is routine and should be allowed without a prompt for consent.
The overall protection that UAC provides will not be altered. Therefore, all users will run as “standard user” until a task needing elevation is launched, then UAC will kick in providing the elevation to administrators and either denying the standard user access or prompting them for credentials of an administrator account.
JPB: Last week I wrote that all Windows 7 articles are a waste of time. I also noted that Windows 7 coverage comes in only two flavors: either a Microsoft-hating rant or a glowing endorsement through rose-colored glasses. How do you see it?
Derek Melber: Windows Vista gets a bad rap due to UAC. There is no question that it could be better, but the security that UAC provides for both admins and end-users far outweighs the negatives that UAC prompts pose. However, there are other reasons to stay clear of Windows Vista, such as driver and application compatibility issues. If you can run Vista, you should! If you still are apprehensive, Microsoft hears you and is making the appropriate changes in Windows 7 to make UAC prompts less intrusive, but still provide the security benefits that Windows Vista provides today.