December 27, 2006

Disappointment in VS2005 SP1 on Vista

Well, I installed SP1 of Visual Studio 2005 yesterday on my laptop running Vista, and I have to say there was one think that really disappointed me. So much so that I am not just going to blog about it... I want everyone that reads this to go AGAINST Microsoft recommendations. Here is what I mean:

Thats right.... Microsoft is recommended to run Visual Studio as Administrator. NO. NO. NO. NO. NO. Don't do this!!

You are on Vista. You should be running as a Standard User, and running Visual Studio as a standard user. Why? Because then you can SEE how your application will work while in least privilege mode AS you develop the software.

Now, some people will complain that they need to be administrator because they need some of the tools in the IDE. A good example would be if you are writing a COM component. You cannot register the library when running as a standard user. Is there a solution? Yes. Open up a cmd window as Administrator and do it by hand. Don't like that idea? Have a post build event that runs a custom app to do it... and modify the manifest to REQUIRE the UAC elevation. This way, you elevate a separate process to do your administrative task without requiring the IDE to be run with higher privileges that you really don't need.

And NOTHING prevents you from starting a second copy of VS2005SP1 elevated in those cases where you really have to debug as Administrator. But for your day to day use of VS... DON'T run elevated!!!

I am really surprised and disappointed to see this dialog. I only hope Microsoft reconsiders this position in its next version. If they REQUIRE admin privs for some tools, separate them out so only they have to be run as Administrator. You should only elevate when you need to; you should try to run with least privilege throughout the entire development process so you can REALLY see the impact of the code on normal users.

Well, IMNSHO anyways.

Posted by SilverStr at December 27, 2006 08:28 AM | TrackBack

Hi Dana,

Yet another case of Microsoft not having a clue about security. When Microsoft builds an OS from the ground up with security as a core component, then and only then will they start to get an idea what security is all about.

Giving out recommendations like this, well, its scary. I wonder why they didn't also give the instructions on how to disable UAC in that message box!


Posted by: HiltonT at December 28, 2006 12:24 PM

Dana, Visual Studio SP1 is still in beta. I'm not trying to explain away this atrocity, but please, file a bug on it! There is still time to fix it before they release it.

Posted by: JJ at December 29, 2006 09:29 AM

Dana, like I said over on Michael Howard's blog (not sure if you're still reading the comments there), I believe that specific "Update for Windows Vista" is what addresses this problem. Once you install the update for Windows Vista, you should no longer need to run Visual Studio as an administrator.

I remember that they had planned on making this Vista update part of SP1, but due to time constraints it didn't get in and that's why there's a second update.

Posted by: Dean Harding at January 2, 2007 03:22 PM