Yesterday I delivered a presentation about Windows Vista Security, especially how to counter Social Engineering tactics. I had scheduled only one talk, but apparently a last-minute change of plan made me do it twice in a day: one for the WSS-ID community in the morning, and another for Binus students in the afternoon. The audience from both communities also asked good questions.
Most were concerned with the annoyance of the Consent/Credential prompts, so I want to share a few good practices here:
- If you don't want to see the Consent/Credential window, try logging in with a Standard User account and set UAC to automatically deny elevation requests (this can be done via policy). This setting is the best practice, but it will render some applications unusable (they can't access system directories, etc.).
- If you have problems with option #1 and still don't want to see the Consent/Credential window, log in with an Administrator account and set UAC to automatically allow elevation requests (this can also be done via policy). This setting has a security impact, but it is limited to administrators only. Assuming the administrator knows which programs are good and which are bad, it is a good thing to do.
- If you are really brave and want to go unprotected (which should really be avoided), you can disable UAC through the Control Panel. Be aware that disabling UAC not only removes the Consent/Credential window but also lets other applications, such as Internet Explorer 7, run unprotected as well.
UAC is a security feature: you can fine-tune its behaviour, and you can even turn it off. But tweaking it (if done wrong) puts your security at risk, turning it into a security weak link.
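The three settings above each map to a policy value under the System policies registry key, so an administrator can audit which of the three postures a machine is actually in. The following script is an added example, not from the original post; it reads the real `EnableLUA`, `ConsentPromptBehaviorUser` and `ConsentPromptBehaviorAdmin` values and reports the risk of the configuration it finds (the default values assumed when a value is absent are Vista's defaults).

```powershell
# Added example: audit the UAC posture described in the post by reading the
# registry values that the UAC Group Policy settings write.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # EnableLUA = 0 means UAC is switched off entirely (option #3 in the post).
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }

    # "Behavior of the elevation prompt for standard users":
    # 0 = automatically deny elevation requests (option #1),
    # 3 = prompt for credentials (Vista default, assumed when unset).
    $userBehavior = if ($null -ne $p.ConsentPromptBehaviorUser) {
        [int]$p.ConsentPromptBehaviorUser } else { 3 }

    # "Behavior of the elevation prompt for administrators in Admin Approval Mode":
    # 0 = elevate without prompting (option #2),
    # 2 = prompt for consent on the secure desktop (Vista default, assumed when unset).
    $adminBehavior = if ($null -ne $p.ConsentPromptBehaviorAdmin) {
        [int]$p.ConsentPromptBehaviorAdmin } else { 2 }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC disabled: admin processes run fully elevated and IE7 Protected Mode is lost too.'
    }
    if ($adminBehavior -eq 0) {
        $findings += 'Silent elevation for admins: any program an admin runs gets full rights with no prompt.'
    }
    if ($userBehavior -eq 0) {
        $findings += 'Standard users cannot elevate: most secure, but programs that need elevation will fail.'
    }
    if ($findings.Count -eq 0) {
        $findings += 'Default prompting behaviour is in effect.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorUser  = $userBehavior
        ConsentPromptBehaviorAdmin = $adminBehavior
        Findings                   = $findings
    }
}

Get-UacPosture | Format-List
```

Run it from an elevated or standard prompt alike; reading this key needs no elevation, which makes it suitable for a login script or inventory job.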
P.S.: The website for the show thebroken is available at Revision3.