December 09, 2006

Is it ever appropriate to disable UAC on Vista?

Maybe. Depends on your tolerance for UAC dialogs during the initial build of a Vista workstation.

Recently Vlad wrote an entry on his blog that got me in a pretty defensive position about UAC. He stated that:

"I have personally walked several people through the disabling of UAC."

On the surface I was vexed. How could such a competent geek do such a thing? I wanted to get Susan's 2x4 and show Vlad what I thought of his actions. Instead, I decided to ask him WHY he did such a thing, and what caused him to take such drastic action. I was glad I did.

He spoke of the fact that during the initial build of the workstation, installing drivers and application software was painful. He also commented that developers were always installing software, and as an end user experience... this wasn't a desired state. Hence why he disabled it.

I am of two minds. When initially building the machine I can understand wanting to disable UAC. If you trust the software you are installing, I could actually see where it would be desirable to speed things along. If the machine is in an isolated environment firewalled away from the rest of the Internet... go for it. Just remember to turn UAC on when you are done. Although, as someone who has installed a number of Vista machines now... its not that bad.

For the developers though... that's a different story. They SHOULD keep UAC on at all times. For a NUMBER of reasons. First off... maybe they will see how annoying their own software is if it wasn't designed to work in a least privileged environment :) Secondly... and more importantly... DEVELOPER'S ARE USERS as far as the IT resources are concerned. They SHOULDN'T been installing software hap-hazardly on corporate machines. That's what their test (virtual) machines are for. They should have to adhere to the same corporate security policy as everyone else... detailed for their particular role in the organization (assuming the policy supports the definition of roles). People SHOULDN'T be allowed to install software on the machines unless it is part of the duties they must perform. As such, the UAC prompt is a REMINDER of that. If the developer is going to override it... AND has authority to do so... they can enter their credentials and continue on.

UAC is a good thing. It might seem nice to do it old school 'sudo' like Unix environments, but globally disabling such security controls is a mistake if you ask me. Being prompted of all elevation requests help you to understand what apps are really doing. As 3rd party apps build their software for Vista we will see a reduction in the prompting as the applications will be written properly with least privilege. As someone who has run Vista for months now I can attest to the fact that I rarely see UAC prompts. I did during the initial install phase... but now that I am using the platform... I don't see it that much. And when I do, it's expected.

So don't turn UAC off. Instead educate your users on NOT installing software unless they absolutely need it. And if they DO need it to do their job... why wasn't it already cataloged as an information asset of the business and previously installed? Your IT asset catalog should define all software needed for a role's responsibilities in your organization, and you should be making sure you have backup media to ensure you can always reinstall it on a rebuild.

When set up properly, Vista's UAC isn't there to hinder a user's experience. Rather it is there to inform the user when they take action that requires higher privileges and may be against the policy of the organization. Don't lose that. Don't disable UAC.

Posted by SilverStr at December 9, 2006 01:07 AM | TrackBack
Comments

I turn UAC off on my machines. But I also run as a limited user (ie my account really isn't a member of the administrators group). This ultimately makes for a more secure solution than with UAC on because there is 0 chance that I will ever be able to take any administrative action on the machine. Remember that the whole reason we have UAC is because Windows puts your account in the administrators group by default. I find the solution is better when you fix the problem rather than band-aid over it.

Posted by: Brad C. at December 9, 2006 03:59 AM

Oh I so totally disagree. Developers AREN'T users... we're early adopters, tinkerers, and the like. Developers _should_ be installing things, often in fact. Trying out the latest betas of new frameworks, seeing what the competition is up to with their new products, seeing what the latest and greatest in UI technology might be in alpha-level software.

Maybe installing bittorrent on one of their machines causes the eureka moment where a developer sees this can be used internally to synchronize large datasets between corporate offices, who knows? If developers don't have the freedom to explore and are only allowed "corporate IT" mandated software (Office(TM), Windows(TM), etc) then indeed the solutions coming from those developers will never be much better.

Posted by: Greg S. at December 9, 2006 04:52 AM

In my previous job I was a systems administrator responsible for windows clients. The pc's that had the highest failure rate were devs and managers pc's. Both claimed to be the so called Early adapters and were installing freeware and illigal software. On one software product alone there were about 200.000 euros unpaid licenses.

If you need to try out "new" software. Do it at home and dont mess up the office pc.

That said, I was guilty as well trying out software on the office pc.. but I clean my own mess up and dont bother someone else.

Posted by: hoberion at December 9, 2006 10:31 AM

Couldn't agree more; developers have to live with UAC so they get a sense of what real end users will see, and in what situations. Reading it in documentation doesn't do it; you have to get annoyed by the little buttons before you really grok it.

Posted by: Steve Dispensa at December 9, 2006 07:55 PM

Greg S: That's what Virtual PC is for.

Posted by: Dean Harding at December 10, 2006 02:21 PM

Good job!

Posted by: Markus at December 11, 2006 09:02 AM

Good job!

Posted by: Markus at December 12, 2006 06:13 PM

Fewer developers are truly early adopters than I think many of us would realise. [I've been a developer for a couple of decades.]
A couple of points:
1. Software developers do most of the testing of software, even in companies with dedicated testers. So, if developers run as administrator, there will be portions of the software that break if you're a restricted user.
2. "Early adoption" should not be done from the developer's account, or on the corporate OS. A home machine, or a VPC, or a scratch-test machine should be used. Once approved, the software should be deployed.
3. Developers are, to put it politely, often prima-donnas. Acknowledge their learning and skill, but remind them that they are working on corporate machines that need to be managed on a corporate plan, otherwise corporate executives can get in all sorts of regulatory / compliance trouble. Individualists can go do their own thing on their own time, and if necessary, they can be given vast quantities of their own time.

Posted by: Alun Jones at December 13, 2006 06:00 PM