Friday, July 06, 2007

Vista Security Configuration

In the last few weeks Sony Ericsson have realeased Vista software for their mobile phone range. Philips webcam drivers are now available. I believe also that Apple iTunes is at long last Vista compatible. So now more hardware is supported is it time to upgrade yet?

If you are a computer guru and can still do what you need to on your PC under Windows XP then I don't see much need to upgrade, other than curiousity. It is no more stable than XP. I had to pull the power plug out to reset mine which has now caused serious damage to my user environment. All I was doing was watching a video full screen while running a slow installer in the background. The installer asked a question meaning I couldn't minimise my video or bring the installer to the front to allow it to continue. I should be able to multi-task perfectly in windows by now, but it is still not right. Also why Mr Gates have you taken out the ability for me to choose the colour of my taskbar?? XP Blue is nicer than Vista Grey - Grrr

If you have young kids who's internet usage needs monitoring or controlling, or you struggle with the multimedia interfaces of XP then maybe Vista would help you. Parental controls and digital photo handling are much enhanced in Vista. It is also true that it is harder for viruses to propagate through the internet under Vista - so long as you keep UAC (User Account Control) enabled.

What is User Account Control (UAC) you ask?

If you have installed Vista you will know - even if you didn't know it's name! By default this is enabled. It prevents any major changes to your computer without your permission. Whenever you use the control panel, or run an installation program you will be bombarded with windows telling you that you are about to change the system or install the program. After an hour you will be so fed up with all these prompts you will just be clicking Yes and Accept to them all without reading them or thinking about them. If you have searched help about how to turn the problems off the only option listed is to disable UAC completely. Don't do this!

This problem, technically called 'User Fatigue' makes the new protection virtually useless. In fact I will go one step further and call it damned annoying. The level of user it is meant to protect is the level of user that will become most vulnerable.

There is a very little publicised way of fixing this, while still making use of all the advantages of it. That is the purpose of this post. The instructions below will allow you to create one account that will be able to alter anything without receiving the new security warning windows.

Background

In Windows XP each account was either a standard user that could not change the system configuration, or an administrator that could change anything. Because everyone needs to tweak things at some point everyone used the administrator setting for all their work under XP. Hence the terrible situation with viruses, malware and configuration problems.

In Vista this has been modified. An administrator level account is a normal user that must say yes to a security warning before it can change the system. Perfect you shout! Except when setting up a new system you will be constantly changing things and will get so many of these security prompts you will be pulling your hair out. Standard user accounts now have to supply the password to an administrator account before they can change things. Isn't that pretty similar to a new-type administrator account?? In a domestic situation yes!

Follow the steps below and you can have a proper administrator account that can do anything without being prompted. I recommend for normal use you use a new-type administrator account (created by default when you install your computer). If you have people using your computer who should never be able to install or change your computer create a non-administrator account for them.

Configuring UAC in Vista

Please note these changes are made at your own risk. If you change anything else make notes so you can repeat the process to reverse the changes.

1. Click on the Windows icon to open what would be the old start menu.
2. In the search box type 'mmc'
3. It should be found and listed as a program.
4. Click on it or press enter to run it.
5. You will be prompted with one of the security warnings asking for permission to run the Microsoft Management Console (now you know what mmc stands for).
6. Click Continue. The console will load.
7. Open the File menu and select Add/Remove Snap In.
8. From the list of available snap-ins, double-click on Group Policy Object Editor.
9. Simply click Finish in the Group Policy Wizard.
10. Click OK to dismiss the Add/Remove Snap In window.
11. Navigate the tree in the left hand pane of MMC to the following item.
"Local Computer Policy" ->
"Computer Configuration" ->
"Windows Settings" ->
"Security Settings" ->
"Local Policies".
12. Click on the policy titled "Security Options".

In the right pane are about 50 different policies that can be configured.

I recommend you change the following:

  • "Accounts: Administrator Account Status" = Enabled
  • Optionally edit "Accounts: Rename administrator account" to set the name of the super administrator account we are setting up.
  • "User Account Control: Admin Approval Mode for the Built-in Administrator account" = Disable.
  • "User Account Control: Behaviour of the elevation prompt for standard users" = "Automatically Deny Requests"

To exit the management console choose Exit from File menu. Say no when asked if you want to save. Your changes were saved instantly.

To login to the new administrator account open the start menu. Point at the arrow to the right of the padlock. In the menu that pops up select either "Log off" or "Switch User". I recommend the latter.

You should now be able to login to the new account. First thing to do is press (alt) - (ctrl) & (delete) and use the Change Password option.

For completeness, you can create, change or delete user accounts in the Windows Control Panel. The option you will require is in the "User Accounts and Family Safety" section and is called "Add or remove user accounts".

The more I use Vista the more I cringe at how it has such serious shortcomings in user friendliness. If a company of mine launched software this bad as a Beta I would be very concerned. I think a few people at Microsoft have been sitting on their arse eating donuts! (Picture homer simpson!). According to this report 10,000 people have been working for 5 years on this!

Chris

Update: This option is not available on the basic versions of Vista

No comments: