M-A's

technology blog

Sunday 18 February 2007

Vista Recommendations

My recommendations are:

- You can't really disable UAC without problems until a nice way exists to add back the RunAs command and to run IE7 in protected mode.

- Disabling UAC was my main point, because otherwise there is no way for an administrator to remotely access sensitive resources on the computer. One thing to note is that the built-in administrator account is exempted from UAC by default (configurable through group policy). So my main recommendation is not to disable UAC; it is instead to re-enable the built-in administrator account and set a strong password on it. Since the built-in administrator account is exempted from UAC, you don't get the dual-token scheme and you start at level 4000, but only for this account. You can use this account when you need to do administrative tasks, and keep running as a standard user the rest of the time. In case of emergency, or anytime you want to browse c$, you can now remotely access the machine with this account. Otherwise, you're out of luck. Trust me.
To enable the built-in administrator account, start gpedit.msc and go to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. Set "Accounts: Administrator account status" to enabled. Restart the computer, log in with the Administrator account (it will now be shown) and set a strong password. If you don't set a password, you won't have remote administrative access to the computer unless it's part of a domain.

- Disable virtualization. (See previous post.) It causes more trouble than it solves. Do a RunAs instead when needed.

- Learn what the integrity level stuff and the dual-token trick are.

- If you don't care about transparency, turn Aero (desktop composition) off. You'll save a heck of a lot of memory. It's already automatically disabled in VMs and on low-end laptops.
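To check a machine against the recommendations above, here is a read-only audit script, added as an example and not part of the original post. It assumes Windows PowerShell 3.0 or later in an elevated prompt; the registry value names are the standard ones backing these UAC policies and are not named in the post, and the function and variable names are made up for the example.

```powershell
# Added example: read-only audit of the UAC settings this post recommends.
# Nothing is changed on the machine; the script only reports.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # Fall back to the documented default when the value is not present.
    $prop = $policy.PSObject.Properties[$Name]
    if ($prop) { [int]$prop.Value } else { $Default }
}

# The built-in Administrator is identified by RID 500, whatever it is named.
$admin = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
$adminEnabled = if ($admin) { [int](-not $admin.Disabled) } else { 0 }

# "Wanted" encodes the post's advice: keep UAC on, enable the built-in
# Administrator, leave it exempt from UAC, and turn virtualization off.
$rows = @(
    @{ Setting = 'UAC enabled (EnableLUA)'
       Current = (Get-UacValue 'EnableLUA' 1); Wanted = 1 },
    @{ Setting = 'Built-in Administrator account enabled'
       Current = $adminEnabled; Wanted = 1 },
    @{ Setting = 'Built-in Administrator under UAC (FilterAdministratorToken)'
       Current = (Get-UacValue 'FilterAdministratorToken' 0); Wanted = 0 },
    @{ Setting = 'File/registry virtualization (EnableVirtualization)'
       Current = (Get-UacValue 'EnableVirtualization' 1); Wanted = 0 }
)

$rows | ForEach-Object {
    [pscustomobject]@{
        Setting = $_.Setting
        Current = $_.Current
        Wanted  = $_.Wanted
        OK      = ($_.Current -eq $_.Wanted)
    }
} | Format-Table -AutoSize
```

The script cannot tell whether the Administrator password is strong or even set, so that part of the recommendation still has to be verified by hand.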

As Mark Russinovich (a new marketing guy at Microsoft) said, UAC is mainly a temporary measure to make ISVs write applications that run correctly as a standard user. I don't think it'll stay as is for more than a few years.
