How often have you been cajoled into troubleshooting a performance issue on an older version of Windows, brought up Task Manager, and been bewildered by the list of processes running? Did you suggest a reformat and sheepishly walk away with your engineering credentials slightly tarnished? Windows Vista brings order to this chaos through its new User Account Control (UAC) feature, which promises to put system administrators, programmers, and end users back in control. This article gives you the process you'll need to develop UAC-aware applications.
Imagine that you operate a factory and that all employees have an access card. Regularly, someone at the factory shuts down the assembly line, but you cannot determine who is doing so. Not only is someone stopping your production, but they are also letting their friends into the factory. Those friends, too, can stop the assembly line and invite their own friends into the factory.
Pre-Vista Windows operating systems suffered from this same security model. If you logged in as an Administrator (and most people, particularly home users, did so), you, and any piece of code you installed or started, had carte blanche to access or alter the file system, services, and registry. The solution to the factory's (and Windows') woes is one and the same: split the credentials required for different operations. For the factory, require managers to carry an additional security card when stopping the assembly line. For Vista, issue a separate administrative token that is used only for selected tasks.
Figure 1. Disabling UAC from the Control Panel: Although you can disable UAC from the Control Panel, as this figure shows, you shouldn't.
By default, Vista users run as standard users, and that includes administrative accounts migrated from Windows XP: an administrator logs on with a filtered standard-user token, and the full administrative token is held back until a task needs it. Tasks that require elevated permissions, such as installations, edits to machine-wide registry keys, and firewall configuration, prompt the user to confirm the action and then run with the administrative token. A number of users have complained about the frequent confirmations required to carry out their day-to-day tasks on Vista. Some find it tedious, but I personally find it reassuring. On Vista, I know with better granularity what processes are doing what and how it might impact my operating system.
Before getting into the details of programming for UAC, I must stress that while UAC is the best-practice security model for Vista, it is not required to run Vista. In fact, you can disable UAC completely via Control Panel > User Accounts (see Figure 1).
Although disabling UAC is tempting, particularly for new Vista users, my advice is: don't. Disabling UAC removes the consent prompt and returns an administrator account to the pre-Vista model, in which every process the user starts, including a rogue one, runs with full administrative rights. The point, however, is that UAC-based security is not mandatory, only strongly recommended. As such, reaping the benefits of UAC depends on users, system administrators, programmers, and corporate IT policy makers adhering to those best practices. Table 1 details the requirements and the potential benefits of doing so.
Table 1. Best-practice Execution-level Permissions: The table shows the requirements and benefits of adhering to the recommended best-practice execution permission levels.

| Requirement | Benefit |
| --- | --- |
| Standard users do not have sufficient privileges to install applications, edit machine-wide registry keys, or write user-specific data to shared directories. | Less system performance degradation over time, and better security for user-specific data. |
| Design applications with a standard-user bias whenever possible. Applications need to embed manifests declaring the privilege level they require, isolate user-specific data, and limit access to secure areas of the operating system. | Greater appeal to system administrators, easier adoption, and faster diagnosis of application-specific issues. |
| Adopt only applications that conform to UAC best practices in the enterprise, preferring standard-user-only applications whenever possible. | Reduced maintenance time by removing applications that introduce security risks to the enterprise. |
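The following PowerShell script is an added example, not code from the original article, and it ties together two points made above: the split administrative token that UAC hands out only after a consent prompt, and the manifest that Table 1 requires an application to embed. It assumes Windows PowerShell on Vista or later; the assembly name Contoso.SampleApp, the file app.manifest, and the installer setup.exe are placeholders chosen for illustration.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell
# on Vista or later; Contoso.SampleApp, app.manifest and setup.exe are
# placeholders, not names from the article.

function Test-IsElevated {
    # Under UAC an administrator's logon token is filtered: the Administrators
    # group is present but marked deny-only, so IsInRole reports $false until
    # the process has been elevated through the consent prompt and runs with
    # the full administrative token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-UacManifest {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # asInvoker: run with the caller's token (standard user by default);
        #   this is the level to design for.
        # highestAvailable: prompt for elevation only if the user can elevate,
        #   otherwise run as a standard user without prompting.
        # requireAdministrator: refuse to start without an administrative token.
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string] $Level = 'asInvoker',
        [string] $Name = 'Contoso.SampleApp'   # placeholder assembly name
    )
    $manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="$Name" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    Set-Content -Path $Path -Value $manifest -Encoding UTF8
}

function Invoke-Elevated {
    param(
        [Parameter(Mandatory = $true)] [string] $FilePath,
        [string[]] $ArgumentList
    )
    # For an asInvoker application, keep the main process at standard user and
    # launch only the administrative step with the "runas" verb. The shell then
    # shows the UAC consent prompt and starts the child with the full token.
    $startArgs = @{ FilePath = $FilePath; Verb = 'RunAs'; Wait = $true }
    if ($ArgumentList) { $startArgs['ArgumentList'] = $ArgumentList }
    Start-Process @startArgs
}

# Usage: write a standard-user manifest for the application, then embed it
# with the Windows SDK manifest tool (the ';#1' selects resource ID 1):
#   mt.exe -manifest app.manifest -outputresource:app.exe;#1
New-UacManifest -Path '.\app.manifest' -Level 'asInvoker'

# Only the installation step needs the administrative token.
if (Test-IsElevated) {
    Write-Host 'Already running with the administrative token.'
} else {
    Write-Host 'Running as a standard user; requesting elevation for the installer only.'
    Invoke-Elevated -FilePath '.\setup.exe' -ArgumentList '/quiet'
}
```

Test-IsElevated is also the check to run before touching anything under HKEY_LOCAL_MACHINE or Program Files; an application that writes there from a standard-user token will either fail or be silently redirected by UAC's file and registry virtualization, which hides the bug rather than fixing it.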