James Bannan, 09 September 2006, 4:35 AM
If TweakVista can turn off Vista's User Account Protection with one click of a checkbox, just how much security does this major new feature of Vista really offer?
Recently we’ve been discovering some of the downsides of User Account Control (UAC) in Windows Vista. One of the things we found was how easy it is to turn off completely.
David Flynn mentioned in a previous article a tool called TweakVista, and one of its features is to modify the behaviour of UAC, or turn it off completely.
These tweaking tools generally just work through the system registry, changing strings and DWORDs on the fly. Most of these values are, in turn, set by options in local group and security system policies. So in other words, if you know where to look you can just get under the hood and tweak whatever you please.
What worried us with TweakVista was the tickbox to turn UAC off entirely. There was no protected desktop popping up to ask whether we REALLY wanted to do this - it was simply gone. End of story, goodbye.
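Because the setting lives in the registry, its state can be checked from the defender's side. The following is an added example, not code from this article or from TweakVista: it parses the text output of reg query for the UAC policy key and reports weakened settings. The value names EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the ones Windows documents for UAC policy and are an assumption here, since the article does not name them; the sample output is constructed.

```python
import re

# Assumption: documented UAC policy values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# (the article does not name them). Each maps to (weak value, meaning).
UAC_CHECKS = {
    "EnableLUA": (0, "UAC (Admin Approval Mode) is switched off"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate with no prompt"),
    "PromptOnSecureDesktop": (0, "prompt is not shown on the secure desktop"),
}

# One value line of `reg query` output: indent, name, type, data.
LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for the REG_DWORD lines of `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) == "REG_DWORD":
            values[m.group(1)] = int(m.group(3), 16)
    return values


def audit_uac(text):
    """List findings: weakened settings, plus values missing from the dump."""
    values = parse_reg_query(text)
    findings = []
    for name, (weak, meaning) in UAC_CHECKS.items():
        if name not in values:
            findings.append(f"{name}: not present in dump, cannot verify")
        elif values[name] == weak:
            findings.append(f"{name}={weak}: {meaning}")
    return findings


# Constructed sample: output from a machine after a "turn UAC off" tweak.
TWEAKED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x1
    legalnoticecaption    REG_SZ    Notice
"""

if __name__ == "__main__":
    for finding in audit_uac(TWEAKED):
        print(finding)
```

A missing value is reported rather than treated as safe, so a truncated or filtered dump does not pass the check silently.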
So the question I asked Microsoft was: if UAC is supposed to help protect people from malicious programs and their own bad choices, how effective can it really be if a benign app like TweakVista can jump straight in there and make whatever changes it likes while Vista slumbers, blissfully unaware of what’s happening?
What’s stopping a malicious app ... say, a downloaded "freeware game" ... from prompting the user for UAC authorisation during the install process and then getting into the registry and disabling UAC?
The response from Microsoft was thus:
"If an application requires administrative privilege, such as Tweak Vista, a prompt is generated through User Access Control (UAC). If consent is given by the user, this then elevates the application to a higher (administrative) integrity level and allows privileged access to occur within the context of that application only. Note that for this to occur, the UAC prompt requires that a user must provide consent before the application will be allowed to run. UAC is only one component of the defence in depth security capabilities of Vista. It is the sum of all Vista's security capabilities - UAC, IE7, Firewall, Defender, MIC, SID and CI - that protect users from inadvertently obtaining and then allowing malicious software to run. Microsoft recommends that users run with standard user privileges, and that they be very careful when running applications with administrative privileges."
This isn’t too surprising really. It confirms what we have come to suspect about UAC - it’s very useful for standard users and totally useless for power users/administrators. If you have to grant admin privileges to a setup process to allow installation, and from there it can do whatever it wants, UAC hasn’t actually protected you at all.
Standard users are in a different position, as when UAC prompts them for action approval, they have to enter an administrative username and password. In this case (assuming they don’t know the password), users ARE protected.
The only downside is that to get full admin rights (particularly at the filesystem level), UAC has to be disabled. This means that standard users aren’t protected. For home users this probably won’t ever be an issue, but for business machines with both admin and normal user accounts on each machine, it’s probably going to mean a bit more work to get things working properly. Hopefully the user benefits of UAC will outweigh this cost.