Let’s Not Give Up on UAC

OK, I admit my visceral reaction to Vista’s User Account Control (UAC) was over the top. Just because it causes some inconvenience does not warrant ditching UAC altogether (sort of like divorcing your wife for burning the toast). Microsoft realized that many users log into Windows with an account that belongs to the Administrators group, so they can install programs and do other things requiring admin rights, even though it’s better to run under an account with more limited privileges. But when you’re running as admin, viruses and Trojan horses can do anything you can do. That’s a bad thing. UAC basically prevents programs from doing certain things without explicit approval from the user. That way, a rogue program is unable to do some things only an administrator can do. That’s a good thing.

So why the uproar? I think the negative reaction has more to do with the implementation than the underlying principle. Developers in particular spend a lot of time doing things that require admin rights, so frequently having to respond to the UAC prompt can start to get on one’s nerves (however, tools like TweakUAC may help to calm your jitters).

Then there’s Visual Studio. Microsoft recommends that you run VS as admin. That may not always be necessary. If all you want to do it use VS as a code or xml editor, there’s absolutely no reason to run it as admin. If you want to open a solution from Windows Explorer just by double-clicking the .sln file, my DevelopMentor colleague Dominick Baier (who happens to be our security curriculum lead) wrote a utility that lets you drag the .sln file to a shortcut.

So do not, I repeat do NOT, set the VS executable (devenv.exe) to always run as administrator. You may want to have two VS shortcuts, one set to run as admin, and the other to run without prompting. Run VS elevated where it makes sense. That’s the most practical – and cool-headed – thing to do.

About Tony Sneed

Married with three children.
This entry was posted in Technical. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s