Windows - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Windows


Finally, Microsoft Will Separate Vista Users from the Desktop



 By: Andrew Garcia
2006-10-06
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Windows story.


  Table of Contents:
  1. Finally, Microsoft Will Separate Vista Users from the Desktop
  2. ' Page 2 '

Rate This Article:
Poor Best
Finally, Microsoft Will Separate Vista Users from the Desktop
( Page 1 of 2 )

Tech Analysis: Vista's User Account Control feature will bring it up to par with other enterprise operating systems. eWEEK Labs' tests, however, show that the feature will require a fair amount of evaluation, forethought and fiddling—at leastAmid the hullabaloo about how intrusive Vistas User Account Control feature will be to the average user, Microsoft has been quietly ramping up the support infrastructure needed to help companies adopt it. eWEEK Labs work with UAC shows that more work lies ahead, however.

With Vistas UAC, Microsoft has finally gotten serious about securing the Windows operating system by limiting a users rights during day-to-day computer usage. UAC also finally brings the Windows operating system up to speed with just about every other major operating system available today.

UAC enables the concept of LUP (Least User Privilege), where users run with limited privileges for the bulk of their interaction with the desktop. User rights are elevated only when necessary to perform certain administrative tasks. By limiting the users normal permissions, there is less attack surface on the operating system and less chance for the user to inadvertently—how should we put this—screw things up.

Microsofts new anti-piracy tools will delay the enterprise adoption of Vista. Click here to read more.

Resource Library:
Under UAC, both administrators and standard (limited rights) users operate with the Standard User security token. When a process requiring elevated permissions is initiated, Vista may ask users to confirm their intention to run the process or ask for administrative credentials to perform the act (depending on the configuration). This interaction—be it a confirmation or a credentialing—occurs in the Secure Desktop, where users cant interact with the desktop, and vice versa—until the questions are answered.

Organizations that have already implemented LUP with current Windows versions will likely have the easiest transition to Vista and UAC, as the hard work of getting users accustomed to limited rights and making applications work correctly with those limited rights has already been done. (And we expect that these organizations will quickly remove the annoying credential request for standard users, replacing it with a stock denial message.)

However, organizations unfamiliar with the LUP concept are likely to disable the UAC feature in Vista altogether—at least for the short term—as they begin the arduous task of evaluating their software stable for security compliance with the new operating system. (Vista is expected to be released by the end of 2006.)

Whether administrators are familiar with LUP or not, they will need tools to configure Vista across the enterprise and to evaluate their applications Vista-proclivity. With Group Policy and the Standard User Analyzer, Microsoft aims to do just that.

Microsofts top security guru responds to Vista security concerns. Click here to read the interview with Ben Fathi.

In Vista, Group Policy includes nine new policy settings that control the behavior of UAC, and these settings can be applied either in the local GPO (Group Policy Object) or in a Windows Server 2003 domain-based GPO. These settings control whether domain-based and built-in local administrators run by default with the Standard User token or with the Administrator privilege token.

In the former case, the settings determine if admins can simply approve privilege escalation or if they must provide their credentials to run a protected task. Other settings dictate whether standard users have the option to enter administrator credentials or if they are simply denied access.

As long as IT managers are administering GPOs from a Vista-based machine, each of these policy objects can be found at Computer Configuration/Windows Settings/Security Settings/Security Options. Because Vista uses new XML-based ADMX templates with Group Policy, legacy Windows machines cannot edit or take advantage of these new policy settings.

Next Page: Virtualization.





  Reader Comments: Finally, Microsoft Will Separate Vista Users from the Desktop
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Windows Articles          >>> More By Andrew Garcia
 


xks8(y\9;N1ŋn)%[ey-%ޤ*EB%)_fSOx -N7-Dh F'vv,IMkmJv9[D;;?.ЇP|gS92t=z#m)>M3ة OwGl&J~z'A :#:UGPL55Κ]ٚc7h2 X -$(kOմn<ش$1q@h] EQږyHm: _N T|_ANé-}!*{|@Jk4ً/шqGws_?;|'yЀk`Vl m׸ڮb'UFͰ [ aZ.9rz G&lwsDƞIC h,v2*-&;1ҡk)1kkTQ3#}jݳt{#ԳFu|ף&Y!&$f v?ĭ RI&6q#/T׌<{mLjXL<:/yӝF3l˸;4 PSK(J\UC罨rwwӽm˙[YpoZ×޹RV5MQE2Gq7ںsm)9x] Z>'}r:?'׼;Aڼ o$&7 JDTRBp$" Pc@GI^GoVP+jZP+(H.FZ<," J1zĢJ:7gSKߺjZ:>;jN|~bP+Mz(#1hؕ 3Bz 'KE{#'+l}jzH ݹGtHM Wh:w -No7#?!~j[dPp9LwRURs~nv/[d@ˏGcdp,~9'=--˭%wܿG)H̛cM|`Imdʱ(|ǺrN9~mEjZ孱*҄& )B:A`ܺ厁R$9Vˡ8ȟ4R\ 9lb)6K .7R?o dB* b$rݠQ3^}N}%I FNRW}:;SjZim;Ni|Q}ѦޡR?ݘXiI70i|V8; tCuӹga {>0kJY-UD%i-DCwM0Ie!S@uKLΝ݀2C?FlEP>X^0G`^@8ppyY?90@]ubsBݷ|{ޚouև &QsnPBgԁ!~9.Wb&A/tStIj[iܯ n$50K%g; A&rG|增5 Jx0?3\eDfkVL"fˣQ4dJ Io2@n=ȢmDG*+i#7~/iV9ԴjyX,y| p6X"@7wM)mT.mT^·'Χޱ;i6E7;{\Ow@>8`3ǟG )a!c$4)̕>A XX}U[*X[ 3D2.P\+Cҵ3KwEe蘆J .}Fl4\Z#V!0\ |D30`,e?C&]1=ZSYɰ\R !16D ȸau-Ce0\P`t>*ˈ`mS@@kSU Փ.E^~~V%Ŵ谢zԘ{}Qː 0gxyd.Nәd_(WbtxC+jrXT+ 8;s??]ex$? rF@0@Mf1ZpY57~^R`w%eXY8f-1_0kY /ÊTUӅZPQ"+ȣCY V +:2pn`{y~t=GqDLԀH 5^Fl.*ٝ'(R~-p;>mRI4YZDIa枏~KkF$XS F1j>Lk}\SJuݬXY :iw3 9& ~'[ k欭h+,s Jb+ͤV(EcZUz|ylFoC<ϤMNU)HW<M?ܛZ`%ͳq58=_PpbGi |gR!܏p<7L M <]մRb/_ s*?.=l)[36PY]7TOgZScoa2\ 6-G'~7,mǤ|e4,tn1a%[4x[2|'@ dѪ9O'A(՚\0ZZժ,aڝNC7E$w9`ܘGpXH[AOpЍe?F8j7pթrV>H+UtY/sOYq, 2wMLa(JyZJp9ԃ `뼂 7@$B#|=ݤ1p p\ihkc}产Z"⣨j^7 Jx \t-[& vaN0qܻB3ڛ5^,@M|CZOP]8ۤTV<^ۋ953ק~@Lf;zf3&tƝ7. y*>`2N8{ a\&LXt@Z:{*ݔY`'.%_gI#cF􀮢e4qyh7(ǞjMY@h# ;wk}AUR#|(VVJr/;se0F\0R,߫=bxEOP?l]~\V*jd9CRDBZNBq<:N}+tSZ1wOXO\dK!MWF@"'!Z+3,qv_+ŵyAg@48'ov;wvھ01A AE@"jߵpفbßyc(m'@/])|;?]R6I/4:x:O㇧/vݽ8ୃb>$gY? 0f;,5.aЇ/R)X|8~hJNO50osV; J@c$=ĸ}/gvl4Sa Na嵀 unG4NK?wH-)^{)o=rHpBjO/Xz G]9>o5³OM1k&05hoq_V3]mY?{xXTbivEOi\|&G-Я> I V޼=FoQwP]Yz$AC~klr¸nnהŞa6 }Fpvڕv{qO r4]9'Ucd;I2ӱ$BUUk ʾʜ9%'+x|42(oV (f~\:pGҤscmf<ݸw[f1rfwio?X] {~ G%uB{Ze%QJW=q @k%yȁq~ ГGm֗Fݽ];+&bi4W;Tf{ts̷ֈ5'|ȞFcԲفǣ&X r4hg A[ɱ-Ιx <v4..߮ B;BJ [<[N->42UCnuk-Ǭ§ ,'ipqFԱQo*_Oߛ7e{cA|3 e\1RΟ w^XR|  .O?i{\nax{7d\ڊ]aKn~ &v/wN-Viuˏo.k9WʾRw"y2;M(i>՟k. jRQ(wYòD_K8iRVj%5qgxO rA2{kgn*5CWa$1}pL$m!3-r^m3$_q#ro4:MU#CdKuvN1 \QǘLu1@': A<w$<&oaIL][+u@2T$,L2k?;F)+Qr9:){b&:<9x'Cq$oe@XjB`%:)Qm'D1paHgAWAgyTuz wR]n!YMh4 Tv@g9q߆.H/+v2cVi1)/։vRcekI&*qIM#+c&!%KRUޮ8LD) 80aكJ'RH"5

$K,ۆ?#>Y~ƱtBuܢO'u Ax'K8 8FS29;ìo~woʒHjm[h/M(к8#+]O$X #Im_:b CDw(TRA:4qV\j **zRB|<'TڊڪR[ᥨ HP[gK`B$.ť#5I%Jq$ffkVra _ B<%gT~MoJŗɐ~f90^ ]z֭e1&” :}%Q099}PQ>>lEI:(nJeNYqvͲ.u.C HkדX'`liJU)W"O"$O1 Jzqdxz&nϫV~)Be:s@-:)(/5 0@%al`MxvCJ)h=\b2D@&2g _^#hy0^Bt=EgUߞj5eS=s]%/{R1ASӵM̈2ϠG!ƽ ²& .Qo1n:a\;e5[qD#~/nA+ōK8s^H(mR>ݶY 1qbV@SbUX/U{q0A$|3>@³Y;=IOD}yElw*{W- a$%?կz䂨kܙn2ׄ%T̈́p_|]'5Wsa`b{3 ͙xBԚA-tBHvjmm"kfERsoi-[o&6௶|L(ʋU+yl^ֲkt)3۬Reײ>Ҵn}3=W/!if-2ĚDUa+I錂qnr/o 5V)c2J6K5hh`PW"7JK@:kҽ:u]L5hέko(3y_ڋKۨ_xȣŹe l ^| 'ɋ[>S&p6]?rEcb*k\|61CןONuFx.G<;wPAfXt~D)f:ffSxf f?otw3oa`d=њ8 n8 Ě[Llvf97|~6.>!}^/шU7e\S5hQ5h:YJ- -Ѩ#&]c<;9ǯ.wI%;"Vq" 낯!ݰ,VI - `} Pg!zO5A*HcWh\$>cz?\g\o1W:C}N.Z׽Vߺ :29&U&dzm8Tw)0>k`|=_>a~'@vѻl2Kwy»_zIL0XȈR06׳8nz,(ĴF# 0b[c 9ӈ =r61@=۾dlUo%P`qTc,ȣ4ϓol3G/.Z)]N"@ g #?B57{ v767XC/ xnc@ϔ,;8:sG-\EMRCg?7o-n0M0:YNF `+Hu l9\*' a8mu}1q{a'{!RS¤vT/>>' .yHcI 8WiN4X-!Mng, |bA`p3W+jE)OBz_uFtIXUK8G[wy |~YVg/cZ/4!W)WPh'x|-'i92b^gTo)G|LBz،Pf{E"G%:oĭblkE‰/n՝nqIuyվykCA湾xQ(XltYi1;eNq*M1BWh,Y3sxixɎ(bh,.6ɻtI`JE_VC襯ib2 Sh6Z _l5#Ǯ!u7~V p܄qP( ?E[}ҽhIk%w@CF(Q~Wˏ@.w3ʑ˛f+ʏח~N2s ?G(חzQkg3틌r;z^Fg(gmWdOw~;~:;}v2ɠOы_|OgP~Qw({Fy;0{s?0ׅw3͐?]/ r qAP2U``'s}G ?e>eS::~3/$)CAy#pz~;"9(/GR*Ȫ_~*%IFy3YY zvAeX^f\12ௗednld~i_wu CFWz^S_xښꖽpۭ]n@KG{1Pi +{: }@{̂\+>2l?V\[[,Oнۺ{g%Iy=0?'Mu{2پWߕ\*ܢ}:QObMxyhΑkxX( JںsdZc+mDƋw|.y|e8Ntw+wU/3i˘ЈwS;:8=q*9.n d*n_q8\&@_up{Z̋\ڎvh#U]2b;w6 S췡\}IQ43 ]x[Йq帉ޢʔͶ?8{z8#U^ LE|p8m|Z+OTq4 j5%N'p"!H8? O,Ly~FqN a箨-gj.jX,.g^9Q(Fuooz|(%F0Y7^J"DK(1=: ǬA*VӘ6ofa( ^!v:Ac(<ǀ)/HTBO}gq=q] YI 4\wX?KUIW1hӐMX#lɒ]k"bؖC['mƑL; ~f|`  cAݢ=>0i"r]6M b ه%?1ɫs{Lx *g@bAx< %$Id`"iy0t'Sre z⢙պ" "HH "s{B|%;eo9S%Btl Ee v"ё{wF $2GVF  /MgA۾$=מ V%Co cf\+>ԙQi'J :BVf456ptѷkd9HR=I*4UMf΢ِ$nQ[w+*%mqm =c"1B``a'oZ^y|XeΥ!S<Ě![S1Q)jkA/?nwI3۱xL])0tI1@/7AkHJ D ϱ.]ӀGc ?djL\fϮuZH\*,lf  ΋?Zf)j!"#Q!*m#66s/>^|ۺ+Aўx-v; ͇OVe؋(| _b[0~;_ږ*zYD1e~}=3Ӳg(q",@zPpPE5+7`/92H]8ǩkl6E@w: εC{Ng8g0N^Xɩȩ(vbTD4;N793N~p `\YBš|Ji(oʓE_:it-gꎾV;yv<;k_Zѽ*m(FR"ډV{޽:H]:u㆗5?^u?^4Ey遢%!^5[i B";{l/N/j8?`*XEl⍿#014[3ˬZY$IL#[ob$- U.IU)6`3ڔ̡r&s.# MW\ RMS9Q/kFW)|t )¹Z`'l/Zw&b