KezNews.com - News - microsoft.com/windowsvista

KezNews.com - News - microsoft.com/windowsvista http://keznews.com/server.php?web_link=microsoft.com/windowsvista News en-us KezNews - Windows news http://media.keznews.com/pics/logo_windows_portal.jpg http://keznews.com/ TechNet Webcast: Limiting Administrator Privileges with User Account Control (UAC) in Windows Vista (Level 200) http://keznews.com/17533=TechNet_Webcast__Limiting_Administrator_Privileges_with_User_Account_Control_(UAC)_in_Windows_Vista_(Level_200) Thanks to everyone who joined the chat last week, we hope you found it helpful. On Tuesday July 25th at 9:00 AM PST we will also host <A href="http://www.microsoft.co m/events/EventDetails.aspx?CMT YSvcSource=MSCOMMedia&amp; Params=%7eCMTYDataSvcParams%5e %7earg+Name%3d%22ID%22+Value%3 d%221032301949%22%2f%5e%7earg+ Name%3d%22ProviderID%22+Value% 3d%22A6B43178-497C-4225-BA42-D F595171F04C%22%2f%5e%7earg+Nam e%3d%22lang%22+Value%3d%22en%2 2%2f%5e%7earg+Name%3d%22cr%22+ Value%3d%22US%22%2f%5e%7esPara ms%5e%7e%2fsParams%5e%7e%2fCMT YDataSvcParams%5e">a live Web Cast </A>on how User Account Control can help deploy desktops as a standard user. This Web cast is indented for IT pros and will cover the general capabilities of User Account Control. Hopefully, if LiveMeeting behaves on Windows Vista we will be able to show you some demos of the File and Registry Virtualization and the new ActiveX Installation Service. Webcast description: <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> Companies today face a difficult trade-off: Is it better to deploy PC users as administrators and accept the high security risk, or to limit user privileges, which has implications for application compatibility and user productivity? User Account Control (UAC) in Microsoft Windows Vista helps solve this problem by allowing standard user accounts to perform common tasks like adding printers and changing the time zone, while also improving application compatibility. This webcast covers the benefits of UAC, UAC architecture, how to administer UAC policy settings, and how to control device installation for standard users. Join us to get the background you need to start planning your Vista deployment with standard user privileges.</BLOCKQUOTE> &nbsp;You can sign up at the <A href="http://www.microsoft.co m/events/EventDetails.aspx?CMT YSvcSource=MSCOMMedia&amp; Params=%7eCMTYDataSvcParams%5e %7earg+Name%3d%22ID%22+Value%3 d%221032301949%22%2f%5e%7earg+ Name%3d%22ProviderID%22+Value% 3d%22A6B43178-497C-4225-BA42-D F595171F04C%22%2f%5e%7earg+Nam e%3d%22lang%22+Value%3d%22en%2 2%2f%5e%7earg+Name%3d%22cr%22+ Value%3d%22US%22%2f%5e%7esPara ms%5e%7e%2fsParams%5e%7e%2fCMT YDataSvcParams%5e">Events and Webcasts site</A>. We hope to see you there. - Alex Heaton&nbsp; &nbsp; &nbsp;&nbsp;User Account Control Product Manager<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=647384" width="1" height="1"> Tue, 29 May 2007 13:32:31 "How do I turn off that annoying User Account Control?" http://keznews.com/17532=_How_do_I_turn_off_that_annoying_User_Account_Control__ Hi, Aaron Margosis here.&nbsp; I'm not actually on the UAC team, but we're good friends and share a common&nbsp;passion about&nbsp;<A href="http://blogs.msdn.com/a aron_margosis/archive/2005/04/ 18/TableOfContents.aspx">runn ing Windows with least privilege</A>. Those of you who follow this blog are probably aware that there has been... well, let's say dissatisfaction ... (yes, that's putting it nicely)... with the current implementations of UAC.&nbsp; One of the frequently asked questions about Vista today is "How do I turn UAC off?", and even some "experts"&nbsp;suggest turning it off. There are two ways to answer the question.&nbsp; There is the technically correct answer involving Local Security Settings, and then there is the better answer that Jesper Johansson <A href="https://blogs.technet.c om/jesper_johansson/archive/20 06/06/22/438316.aspx">recentl y posted on his blog</A>&nbsp;that offers a compelling argument for leaving it on.&nbsp; If you're thinking of turning off UAC, read what Jesper has to say.&nbsp; Why?&nbsp; Because he's right! :-)<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=648165" width="1" height="1"> Tue, 29 May 2007 13:32:31 â€œCertified for Windows Vistaâ€ Software Logo Requirements http://keznews.com/17531=â€œCertified_for_Windows_Vistaâ€_Software_Logo_Requirements Critical to the success of User Account Control is having software that works well for standard users and administrators, without excess prompts. Since User Account Control is such a central part of Windows Vista, User Account Control compatibility is one of the key requirements to display the Certified for Windows Vista Logo on software. <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:of fice:office" /><o:p></o:p> v 1.1 of the <A href="http://download.microso ft.com/download/8/e/4/8e4c929d -679a-4238-8c21-2dcc8ed1f35c/W indows%20Vista%20Software%20Lo go%20Spec%201.1.doc">Certifie d for Windows Vista Software Logo Technical Requirements</A> is available now.&nbsp; Our goal in sharing this information on our blog is to make sure that any ISVâ€™s reading this are aware of the requirements so that they have ample time to make their product compliant and to give our customers confidence that there will be a great supply of software that works well for standard users and UAC. <o:p></o:p> Some of the key requirements that relate to User Account Control and running as a standard user:<o:p></o:p> Â·&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; Make sure the application works well for standard users, unless it is something truly designed to be run only by system administrators such as disk partitioning software.&nbsp; If the program has admin and non-admin components the main application should still be run as a standard user and administrative features should be moved to a separate executable. <o:p></o:p> Â·&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; Every .exe file included with an application must have an embedded manifest that defines its execution level. Such as:&nbsp; <o:p></o:p> &lt;requestedExe cutionLevel level="asInvoker|highestAvail able|requireAdministrator" uiAccess="true|false"/&g t;<o:p></o:p> Note, including the manifest file will disable File and Registry Virtualization for the application. So the application has to work well for a standard user without relying on virtualization. <o:p></o:p> Â·&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;Executable files with&nbsp;.EXE, .DLL, .SYS, .DRV, .OCX, .CPL, or .SCR&nbsp;extensions must be signed with an Authenticode certificate.<o:p></o:p> Â·&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; Installers must not assume that the person who starts the installation is the one who finishes the installation. For example if your program allows per user and all user installations, a standard user should be able to start the install, but it should prompt for admin credentials if the user chooses the all users option. <o:p></o:p> Â·&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; If the installer uses a boostrapper/chainer, it must include an embedded manifest that designates the desired execution level for the installer.&nbsp; <o:p></o:p> Another big change in the Certified for Windows Vista logo requirements is that applications must be independently tested by a Microsoft approved testing vendor before they are granted logo certification.&nbsp; A draft of the test cases that will be used to verify compliance are <A href="http://microsoft.mrmpsl c.com/uploadedFiles/VistaPlatf ormAdoption/ResourcesAndTraini ng/Windows%20Vista%20-%20Certi fied%20for%20Windows%20Program %20Test%20Cases%200.5.doc" mce_href="http://microsoft.mr mpslc.com/uploadedFiles/VistaP latformAdoption/ResourcesAndTr aining/Windows%20Vista%20-%20C ertified%20for%20Windows%20Pro gram%20Test%20Cases%200.5.doc\n">posted here</A>. <o:p></o:p> Weâ€™ve also provided a number of resources to help developers make their software Windows Vista and User Account Control compatible, including:<o:p></o:p> Â·&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <A href="http://msdn.microsoft.c om/windowsvista/default.aspx?p ull=/library/en-us/dnlong/html /AccProtVista.asp" mce_href="http://msdn.microso ft.com/windowsvista/default.as px?pull=/library/en-us/dnlong/ html/AccProtVista.asp">Develo per Best Practices and Guidelines for Applications in a Least Privileged Environment</A><o:p></o:p></SP AN> Â·&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <A href="http://www.microsoft.co m/downloads/details.aspx?Famil yID=DF59B474-C0B7-4422-8C70-B0 D9D3D2F575&amp;displaylang =en" mce_href="http://www.microsof t.com/downloads/details.aspx?F amilyID=DF59B474-C0B7-4422-8C7 0-B0D9D3D2F575&amp;display lang=en">Microsoft Standard User Analyzer</A><o:p></o:p> Â·&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <A href="http://devreadiness.org /blogs/works_with_windows_vist a/archive/2006/05/17/8.aspx" mce_href="http://devreadiness .org/blogs/works_with_windows_ vista/archive/2006/05/17/8.asp x">Windows Vista Jumpstart Toolkit</A><o:p></o:p> Learn more about the Certified for Windows Vista Software Quality Logo program including how to enroll your companyâ€™s software at <A href="http://www.isvinnovatio nportal.com/windowsvista" mce_href="http://www.isvinnov ationportal.com/windowsvista" >http://www.isvinnovationporta l.com/windowsvista</A>. <o:p></o:p> When&nbsp;develo pers release software that meets the Certified for Windows Vista requirements, users will experience even fewer User Account Control prompts than they are seeing on beta versions today. And the Windows Vista team will continue to minimize the number of OS-generated prompts and help make as many legacy programs as possible work without prompting to ensure a good User Account Control experience in the final release. <o:p></o:p> &nbsp;- Alex Heaton &nbsp;&nbsp; &nbsp;User Account Control Product Manager<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=650262" width="1" height="1"> Tue, 29 May 2007 13:32:31 UAC Developer Screencasts http://keznews.com/17530=UAC_Developer_Screencasts Iâ€ ™m Jeremy Mazner, Group Manager of the Windows Vista platform evangelism team (the same folks behind <A href="http://www.seewindowsvi sta.com/">www.seewindowsvista.co m</A>),&nbsp; we make sure early adopters of the Windows Vista platform have the information they need about UAC.&nbsp; While we most often work 1:1 with partners, we recently asked <A href="http://www.interact-sw. co.uk/iangblog/">Ian Griffiths</A> to record some short screencasts to share this information with the dev community at large.&nbsp; Check out <A href="http://channel9.msdn.co m/Showpost.aspx?postid=211271\n">How To: Tell Vista's UAC What Privilege Level Your App Requires</A> (24 minutes, but worth it!) and <A href="http://channel9.msdn.co m/Showpost.aspx?postid=209647\n">How To: Use Vista's UAC Feature To Avoid Always Requiring Admin Rights</A> (18 minutes) to see Ian walk through the code needed to embed a UAC manifest, and refactor an application so that the main executable runs as standard user, and calls an elevated COM object when it needs to do administrative tasks.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:of fice:office" /><o:p></o:p> <o: p>&nbsp;</o:p> (An d if youâ€™re doing Windows Vista development, you might also enjoy <A href="http://channel9.msdn.co m/Showpost.aspx?postid=208606\n">How To: Use Vista's Power Management APIs to Be A Good Laptop Citizen</A> and <A href="http://channel9.msdn.co m/Showpost.aspx?postid=206647\n">How-to: Query Vista Search From Your App</A>)<o:p></o :p> <o: p>&nbsp;</o:p> -&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp; Jer emy <o:p></o:p> (Comments disabled on this thread because it was getting deluged with spam.)<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=658597" width="1" height="1"> Tue, 29 May 2007 13:32:31 Webcast Recap http://keznews.com/17529=Webcast_Recap Thanks to everyone for joining the webcast on Tuesday and to Chris Corio for helping to answer questions. People asked a lot of good questions, so we wanted to share the transcript with others who may have similar ones.&nbsp; For those who missed it, you can <A href="http://www.microsoft.co m/events/EventDetails.aspx?CMT YSvcSource=MSCOMMedia&amp; Params=%7eCMTYDataSvcParams%5e %7earg+Name%3d%22ID%22+Value%3 d%221032301949%22%2f%5e%7earg+ Name%3d%22ProviderID%22+Value% 3d%22A6B43178-497C-4225-BA42-D F595171F04C%22%2f%5e%7earg+Nam e%3d%22lang%22+Value%3d%22en%2 2%2f%5e%7earg+Name%3d%22cr%22+ Value%3d%22US%22%2f%5e%7esPara ms%5e%7e%2fsParams%5e%7e%2fCMT YDataSvcParams%5e">watch the replay here</A>. <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:of fice:office" /><o:p></o:p> <o:p>&nbsp;</o:p> I always start my webcasts with a poll asking attendees what percentage of their users has admin rights today. Here is that data: <IMG src="http://uacblog.members.w inisp.net/images/before_after. png"> &nbsp; Then, at the end, I ask what percentage will be administrators on Windows Vista:<o:p></o:p><o :p> <IMG src="http://uacblog.members.w inisp.net/images/after.png"> Not a scientific study, from just about 50 people or so, but we generally see that today about 80 percent of users have administrator rights, and on Windows Vista, customers are anticipating that will drop considerably. <o:p></o:p> <o:p>&nbsp;</o:p> <o:p>&nbsp;</o:p> On to the transcriptâ€¦ <o:p></o:p> <o:p>&nbsp;</o:p> Question: Can I ask technical questions while the presentation is going on?<o:p></o:p> Private Answer: Yes<o:p></o:p> <o:p>&nbsp;</o:p> Question: Will this be in the form of an on-demand webcast?<o:p></o:p> Answer: Yes. Watch your inbox tomorrow for an e-mail with information about viewing this webcast on demand and downloading a WMV file. The e-mail will also include a link to a downloadable PowerPoint presentation of todayâ€™s webcast. &nbsp;<Anyone can watch it again <A href="http://www.microsoft.co m/events/EventDetails.aspx?CMT YSvcSource=MSCOMMedia&amp; Params=%7eCMTYDataSvcParams%5e %7earg+Name%3d%22ID%22+Value%3 d%221032301949%22%2f%5e%7earg+ Name%3d%22ProviderID%22+Value% 3d%22A6B43178-497C-4225-BA42-D F595171F04C%22%2f%5e%7earg+Nam e">here</A>.> <o:p></o:p> <o:p>&nbsp;</o:p> Question: I connected some Windows Vista workstations to an SBS2003 server, and every logon, the default SBS2003 logon script runs a Client\Setup.exe, which kicks up the UAC screen. This does not seem to be a desirable feature of every logon.<o:p></o:p> Answer: This is something that we are working with the SBS team on right now. This logon script updates binaries and settings configured by SBS, but it is rarely updated. Currently, we recommend that you propagate an App Compat shim marking the client\setup.exe binary as not requiring Administrator privileges. The proper run level would be asInvoker.<o:p></o:p> <o:p>&nbsp;</o:p> Question: How can you run things as an admin that don't specifically have a Start menu icon? For instance, an applet in the taskbar that requires admin access (but right-click over doesn't allow for "Run as...").<o:p></o:p> Answer: You can either browse to the binary and right-click it, or you can run a CMD window with Administrator privileges and run it there.<o:p></o:p> <o:p>&nbsp;</o:p> Question: What is Microsoft doing to educate vendors on how to write applications that don't require admin rights?<o:p></o:p> Answer: We've done our best to let all developers and ISVs know about this product by presenting at numerous conferences since PDC '05. We also have guidance available online. Check out the resources slide for those links.<o:p></o:p> <o:p>&nbsp;</o:p> Question: Is it possible for IT departments to update the app compat list using, say, GPO or SMS?<o:p></o:p> Answer: Yes. You can use GP to deploy the App Compat shims.<o:p></o:p> <o:p>&nbsp;</o:p> Question: I am asking about the domain users in the local machines. Does this apply to it?<o:p></o:p> Answer: UAC applies to both domain users and local users.<o:p></o:p> <o:p>&nbsp;</o:p> Question: You have mentioned App Compat shims several times in the replies. Is there some detailed documentation on App Compat Shims available?<o:p></o:p> Answer: Yes, take a look at: <A href="http://www.microsoft.co m/technet/windowsvista/deploy/ appcompat/acshims.mspx">http: //www.microsoft.com/technet/wi ndowsvista/deploy/appcompat/ac shims.mspx</A><o:p></o:p></SPA N> <o:p>&nbsp;</o:p> Question: So you can drop a manifest in alongside an app that you did not produce (e.g., I have an app from a defunct ISV)?<o:p></o:p> Answer: Yes, as long at the app does not have an internal manifest, which would override the external one. You can also use the tool mt.exe (shipped with Visual Studio) to add an internal manifest to an existing .exe.<o:p></o:p> <o:p>&nbsp;</o:p> Question: My initial take on UAC is you are simply masking over the real problem of users with admin rights. If they have an admin password, they are only one step away from hacking their computer. Will we be able to identify and customize the ACLS on all system components based on application requirements to allow these applications to run without supplying an admin password?<o:p></o:p> Answer: Our goal is to reduce the privileges that applications are designed to run with. Unfortunately, because all of our users prior to Windows Vista were members of the Administrators group, applications often unnecessarily required that the user be an administrator. We are trying to help the industry understand that oftentimes they don't need administrator privileges to execute their applications, and we expect many users in enterprises to no longer run as administrators.<o:p></o:p></SP AN> <o:p>&nbsp;</o:p> Question: Can the local store be relocated to better support roaming profiles?<o:p></o:p> Answer: Unfortunately, the location of the virtual store isn't configurable.<o:p></o:p> <o:p>&nbsp;</o:p> Question: That so it is of stability? (Sorry for my English) will be able to use the old standard user or not?<o:p></o:p> Answer: You can still run your users as member of the users group. If you want exact parity between XP, you should disable the UAC installer detection feature and file virtualization.<o:p></o:p></SP AN> <o:p>&nbsp;</o:p> Question: I referred to me that in spite of being a beta, if Windows Vista is stable in its totality or still it has things to correct.<o:p></o:p> Answer: We continue to refine Windows Vista as we move toward release. We feel that the beta version is quite stable.<o:p></o:p> Question: I'm still confused. Applications don't "require" admin rights. Applications perform tasks on a computer that accesses system components (directories, registry, services, etc.) that are locked down to admins only. Can we not identify these components in advance and adjust the ACLs on these components to give the standard user the ability to access?<o:p></o:p> Answer: You could do this, but then any malware running as the user could also change those settings. This would undermine any security model that an application or Windows has established for those resources.<o:p></o:p> <o:p>&nbsp;</o:p> Question: In what SKUs is the secpol available?<o:p></o:p> Answer: secpol.msc is available in all SKUs <Correction from live chat: secpol will only be available in the SKUs that support group policy: Business, <?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:of fice:smarttags" /><st1:City><st1:place>Enterprise</st1 :place></st1:City>, and Ultimate.> <o:p></o:p> <o:p>&nbsp;</o:p> Question: Given that we'll be running in a mixed environment at first (Windows XP and Windows Vista), will any level of these controls be available for XP via a patch?<o:p></o:p> Answer: There are currently no plans to move UAC down-level. However, as you understand which applications can run as standard users on Windows Vista, you can move your Windows XP users into the Users group and get similar performance.<o:p></o:p> <o:p>&nbsp;</o:p> Question: How can I make a white list program by vendor or by location or what?<o:p></o:p> Answer: Check out the Software Restriction Policy white paper available here: <A href="http://www.microsoft.co m/technet/prodtechnol/winxppro /maintain/rstrplcy.mspx">http ://www.microsoft.com/technet/p rodtechnol/winxppro/maintain/r strplcy.mspx</A><o:p></o:p></S PAN> <o:p>&nbsp;</o:p> Question: What was that again? If I disable UAC, do I also lose the new security features of Internet Explorer?<o:p></o:p> Answer: Internet Explorer will not be running in Protected Mode if UAC is disabled.<o:p></o:p> <o:p>&nbsp;</o:p> Question: What is the URL for the compatibility tools?<o:p></o:p> Answer: <A href="http://www.microsoft.co m/technet/desktopdeployment/ap pcompat/toolkit.mspx">http:// www.microsoft.com/technet/desk topdeployment/appcompat/toolki t.mspx</A><o:p></o:p> <o:p>&nbsp;</o:p> Question: Can we see the vote results?<o:p></o:p> </o:p>&nbsp;- Alex <o:p></o:p>& nbsp;<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=682055" width="1" height="1"> Tue, 29 May 2007 13:32:31 Administrator Marking for Command Prompt http://keznews.com/17528=Administrator_Marking_for_Command_Prompt Besides reducing the number of prompts, one of the top requests weâ€™ve gotten is a way to identify whether a window (particularly Command Prompt) is running with reduced privileges. If you asked for this, too, youâ€™ll be happy to know that when Windows Vista Release Candidate 1 comes out youâ€™ll be able to tell. When you run cmd.exe as an administrator... <IMG src="http://uacblog.members.w inisp.net/images/080106_graphi cs/CMD_run_as_admin.png"> &nbsp; â€œAdministrator â€ will be pre-pended to the title bar of the window... <IMG src="http://uacblog.members.w inisp.net/images/080106_graphi cs/CMD_Administrator.png">&nbsp; This is designed for scenarios where you have multiple command windows open and you want to know which ones are elevated. You will also be able to tell which ones are elevated by looking at the taskbar... <IMG src="http://uacblog.members.w inisp.net/images/080106_graphi cs/CMD_Task_Bar.PNG"> This functionality is not enabled for all programs, but we got feedback that Command Prompt needed it most. Overall, our user experience goals with regards to UAC are: (a) A user should be running as a standard user all the time. (b) Elevation should be rare and for a very short duration. As a result of these goals, a user should not have to keep track of what is running elevated and what is running normal, as in general, there should be nothing running elevated all the time. In our research, we have not come across many applications that have valid scenarios where they should be running normal and elevated on a continuous basis for long durations. Command Prompt is one such application that people tend to run continuously as normal as well as elevated to perform mostly script- or batch-oriented tasks. Therefore, based on feedback received, and just for Command Prompt, we have made changes such that if Command Prompt is running elevated, its title will be prefixed with â€œAdministrator:â€ to help a user distinguish between a normal and elevated CMD. Even though we provide this facility, from a security point of view, our recommendation remains that you keep the elevated CMD on your desktop for as short a duration as possible so as to avoid any inadvertent changes to your computer without further UAC prompts.<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=685645" width="1" height="1"> Tue, 29 May 2007 13:32:31 Flash Swag: Windows Vista Build 5472 DVD http://keznews.com/17527=Flash_Swag__Windows_Vista_Build_5472_DVD <DIV style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 4pt; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 4pt; BACKGROUND: #ffffcc; PADDING-BOTTOM: 1pt; BORDER-LEFT: windowtext 1pt solid; PADDING-TOP: 1pt; BORDER-BOTTOM: windowtext 1pt solid; mso-border-alt: solid windowtext .5pt; mso-element: para-border-div">We have reached our limit. All the DVDs are gone. If you replied before 8:00 AM PST on Thursday, August 10th with your mailing address you should receive one. (Please do not send mail to the blog owner requesting a DVD, there are no more to give out.)&nbsp;We hope to do more giveaways in the future so stay tuned. </DIV> I have a few DVDs left that I want to share with UAC blog readers so that you can see the progress on the prompt reduction work weâ€™ve been doing since Beta 2. This build also has the new ActiveX Installer Service. The first 75 people who send e-mail to <deleted> with their mailing addresses can get a DVD and product registration key. These copies expire May 31, 2007. We will not use your contact information for any other purpose and will delete all e-mails as soon as the DVDs are distributed. If you already have access to this build through one of the beta programs, please donâ€™t request one of these DVDs so that someone else can get one. Thanks to everyone for reading and for your comments. We hope to do more giveaways in the future. - Alex<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=691463" width="1" height="1"> Tue, 29 May 2007 13:32:31 User Account Control Virtual Lab http://keznews.com/17526=User_Account_Control_Virtual_Lab The TechNet team has a released a <A href="http://www.microsoft.co m/technet/traincert/virtuallab /vista.mspx ">virtual lab</A> that lets you get some experience with User Account Control even if you havenâ€™t installed it on any of your machines. And if you have Windows Vista installed, the tutorials can help you learn about User Account Control in a more structured way. My only caveat about these labs is that Windows Vista is much cooler in person. These desktops are running the Windows Standard theme, which looks like Windows 2000, and the performance is not 100% snappy. But it is a good primer on UAC basics.&nbsp; There are also labs on the new firewall, group policy settings, and the User State Migration Tool. <A href="http://www.microsoft.co m/technet/traincert/virtuallab /vista.mspx">http://www.micro soft.com/technet/traincert/vir tuallab/vista.mspx</A> - Alex Heaton<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=700240" width="1" height="1"> Tue, 29 May 2007 13:32:31 Elevations Are Now Blocked in the User's Logon Path http://keznews.com/17525=Elevations_Are_Now_Blocked_in_the_User_s_Logon_Path Hi, Jim Hong, Program Manager on UAC, here again to tell you about a new change in the UAC user experience coming in RC1. Applications that start when the user logs on and that require elevation are now blocked in the logon path. Without blocking applications from prompting for elevation in the user's logon path, both standard users and administrators would have to respond to a User Account Control dialog box on every log on. While this potentially becomes an annoyance for administrators, it is an unusable UI for standard users who cannot drive the UAC elevation prompt without having an administrator around to provide credentials. Furthermore, we advise users to be wary of prompts that appear without them taking an explicit action -- and prompts generated at startup go against that advice. In RC1 and later, Windows Vista notifies the user if an application has been blocked by placing an icon in the system tray and providing a notification balloon during the startup sequence. See Fig. 1 for a visual of what this might look like: <IMG src="http://uacblog.members.w inisp.net/images/BalloonOnly_c opy.png" p <> In many cases, users can operate their computers normally without the software that was skipped. However, in cases where the skipped application may be needed, users can then right-click this icon to run the applications that were blocked as they logged on. The user can elect to manage which startup applications are disabled or removed from this list by double-clicking the tray icon and bringing up the default application that controls Startup programs. The areas where these applications are blocked from are: â€¢ Per-user Startup Folder â€¢ Per-user RUN Key â€¢ Per-machine Startup Folder â€¢ Per-machine RUN Key Independent Software Vendors who wish to have part or all of their software suite run during the startup process are encouraged to architect their applications to run AsInvoker so that all users (that is, administrators and standard users) can run the software without the need for a UAC elevation. A couple of exceptions to note: First, setup applications that need to complete their setup after a reboot should be putting their application in the RunOnce key. This key gets consumed by the next Administrator account that logs on, and the setup will continue without the need for an elevation. (This key can only be set by a program running with elevated privileges.) Second, applications that require UAC elevation that gets pushed out via the POLICY\RUN keys will not get blocked at logon. Therefore, they will run and will either result in the Secure Desktop prompt or appear in the taskbar as a blinking button that will require user input before the desktop switch occurs. This feature will really help users with streamlining the logon path so that they can start using their Vista PCs quickly, with as little distraction as possible. Users maintain control of these UAC elevations. This reinforces the UAC theme of putting admin elevation under the user's control.<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=715265" width="1" height="1"> Tue, 29 May 2007 13:32:31 Built-in Administrator Account Disabled http://keznews.com/17524=Built-in_Administrator_Account_Disabled Darren Canavor, Program Manager on the UAC team has made a post on the Windows Vista Security blog about changes to the behavior of the built-in Administrator account: â€œIn Windows Vista we made numerous changes to our user account model. Standard users are now the default user type for new accounts created after initial setup. The Power Users group is effectively deprecated. In addition, weâ€™ve made it much easier to run as a standard user and even administrators run with limited Windows privileges and user rights by default. But people often ask us, â€œWhat about the built-in administrator account? Isnâ€™t it a security risk to have an administrator account with no password?â€&nbsp; Yes, in some cases this administrator account could be used to circumvent other security mechanisms. For example, parental controls could not be effective if the child could simply login with the built-in administrator account and do whatever they want, including disabling the Parental Controls. In Windows Vista RC1 we will have completed a series of changes to disable the built in administrator account under most circumstances. These changes apply to the default administrator account named Administrator, which is created during setup.â€ See full post at <A href="http://blogs.msdn.com/w indowsvistasecurity/archive/20 06/08/27/windowsvistasecurity_ .aspx">http://blogs.msdn.com/ windowsvistasecurity.</A></FON T><img src="http://blogs.msdn.com/ag gbug.aspx?PostID=727741" width="1" height="1"> Tue, 29 May 2007 13:32:31 UAC Improvements in Release Candidate 1 (RC1) and Video http://keznews.com/17523=UAC_Improvements_in_Release_Candidate_1_(RC1)_and_Video Weâ€™d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account Control. Itâ€™s definitely an area where weâ€™ve received significant feedback, and an area where weâ€™ve been able to make significant improvements in Windows Vista Release Candidate 1. On June 1, Steve Hiskey, Lead Program Manager for the User Account Control, <A href="http://blogs.msdn.com/u ac/archive/2006/06/01/613098.a spx">blogged about the teamâ€™s plan to reduce the prompts in RC1</A>. Weâ€™ve created a video to show you some of the work the team has done since then. &gt; <A href="mms://wm.microsoft.com/ ms/office/security/UAC_RC1_Pro mpts_MBR.wmv">Watch video</A> Prompt reductions shown in the video: <UL> <LI>File operations, reducing the prompts caused by adding, deleting, or editing files in protected directories. For example, administrators can delete shortcuts from the public desktop without receiving a prompt. And the user should no longer receive a prompt when copying files to a newly formatted storage drive.</LI></UL> <UL> <LI>Re-architecting several Control Panel applets so that they no longer prompt when opened. Examples include the Firewall applet, Scanners and Cameras applet, and the Software Explorer of Windows Defender. </LI></UL> <UL> <LI>Reducing prompts when creating new network connections.</LI></UL> In addition to the prompts in the video, users can install high-priority updates without a prompt, and will receive fewer prompts caused from unknown devices and driver installation. Based on these changes, we are finding that, on average, users are not receiving any prompts most times that they use Windows Vista. Other improvements besides prompt reduction that weâ€™ve made to Windows Vista RC1 are: <UL> <LI><A href="http://blogs.msdn.com/u ac/archive/2006/06/14/631416.a spx">ActiveX installer service</A> enables standard users to install approved ActiveX controls.</LI></UL> <UL> <LI>UAC prompts will not â€œsteal focusâ€ from the userâ€™s task. If the operating system cannot determine that the prompt was generated from the foreground window the current user is using, we will alert the user with a highlighted operation in the taskbar that an application is requesting elevated privileges. The user can select to elevate at his or her convenience and not be disrupted by an unplanned application elevation.</LI></UL> <UL> <LI>Elevations are now blocked in <A href="http://blogs.msdn.com/u ac/archive/2006/08/23/715265.a spx">the user's logon path</A>. Applications improperly elevating during each and every logon were a significant source of feedback from the Beta 2 release, and based on that feedback, we are disallowing elevations during logon.</LI></UL> <UL> <LI>The command prompt <A href="http://blogs.msdn.com/u ac/archive/2006/08/01/685645.a spx">window will now read â€œAdministratorâ€</A> in the title bar if run with elevated permissions.</LI></UL> <UL> <LI>Improved performance when switching to the <A href="http://blogs.msdn.com/u ac/archive/2006/05/03/589561.a spx">secure (dimmed) desktop</A> to display the prompts. We received significant feedback that the small delays during switching were disruptive, and we have worked with the video and display teams to enhance the user experience in this area.</LI></UL> If youâ€™ve used an earlier version of Windows Vista, we are confident that youâ€™ll notice the improvements in RC1. If RC1 is your first chance to use Windows Vista, youâ€™ll probably wonder what all the fuss was about. - Alex Heaton Windows Vista Security<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=741318" width="1" height="1"> Tue, 29 May 2007 13:32:31 ActiveX Installer Service Discussion and Video http://keznews.com/17522=ActiveX_Installer_Service_Discussion_and_Video This is Joel Yoker, Senior Consultant, and Rob Campbell, Technical Solutions Specialist, from the Microsoft Federal (Government) District. Many of the customers that we work with have locked-down desktop environments. One of the challenges that these customers face is how to deploy ActiveX controls in an environment where users are not administrators. ActiveX controls are designed to be installed interactively by the user, but standard users donâ€™t have privileges to install ActiveX controls. The ActiveX Installer Service (AxIS) in Windows Vista is designed to solve this problem by giving IT a way to use Group Policy to determine which controls their users can install, even if they donâ€™t have administrator privileges. To illustrate AxIS in action, we have included a complete walkthrough of the installation and configuration of AxIS on Windows Vista RC1 in this video: Start video <A href="mms://wm.microsoft.com/ ms/Office/Security/AxISRc1_100 k.wmv">100k </A>| <A href="mms://wm.microsoft.com/ ms/Office/Security/AxISRc1_300 k.wmv">300k</A> One of the biggest challenges with ActiveX controls is enabling the use of trusted objects while mitigating potential threats. In some customer segments, ActiveX and related technologies are labeled as â€œmobile codeâ€ and considered potential threats to the computing environment. The problem is that at the end of the day, depending on rights, the decision to install a particular ActiveX control (good or bad) is left up to an individual user. This means that in a 10,000-user environment, the decision to introduce spyware/malware into the environment could potentially be made by 10,000 different individuals within the organization. Letâ€™s look at the problem for a moment, how previous versions of Windows mitigated this threat, and the innovative way Vista handles this with the ActiveX Installer Service (AxIS). By default in Windows Vista (and in previous versions of Windows), only those with local Administrator rights have the ability to install ActiveX controls. Once installed, any user of the system can invoke a given ActiveX control. This is controlled by a series of registry and file system Access Control Lists (ACLs). While the default behavior is a good approach, it does not address the problem of allowing specific ActiveX controls that are in use with internal applications to be installed by end users. To address this gap, there are many different approaches, some of which are outlined below: <UL> <LI>Pre-installation of ActiveX controls</LI></UL> <UL> <LI>Modifying URLActions (such as Install Signed ActiveX controls) on specific Internet Explorer Security Zones</LI></UL> <UL> <LI>Designating an internal Internet Component Download Server (by manipulating the CodeBaseSearchPath registry value)</LI></UL> <UL> <LI>Administrator Approved Controls (via Group Policy)</LI></UL> <UL> <LI>Blocking at the perimeter</LI></UL> Without diving into details on each of these methods, it is safe to say that they each have certain flaws. Each of the solutions addresses areas such as blocking where ActiveX controls come from, where they can be invoked from, and so on; however, these solutions do not mitigate the fundamental problem that users without Administrator rights cannot install ActiveX controls. In addition, each of the solutions listed above comes with a large administrative burden, particularly with the frequent changes found within the landscape of internal applications. What we have witnessed in some customer organizations are solutions ranging from end users being granted temporary/permanent administrative access on their workstations to the extreme of the default permissions in the operating system being modified to allow end users the ability to install ActiveX controls. Enter Windows Vista and AxIS -- the solution to the problems outlined above. AxIS provides corporate administrators the ability to identify trusted sources of ActiveX controls, and provides standard users the ability to install controls from those trusted sources. The key benefit of this solution is that a non-administrative security posture is maintained on user workstations. A short explanation of the ActiveX Installer Service is provided by our good friend Chris Corio here (<A href="http://blogs.msdn.com/u ac/archive/2006/06/14/631416.a spx">http://blogs.msdn.com/ua c/archive/2006/06/14/631416.as px</A>). As described by Chris, this is enabled by identifying trusted locations where ActiveX controls are being installed from and having a service on Windows Vista install the ActiveX control on the userâ€™s behalf (since any user can invoke a control once installed). If a control isnâ€™t previously identified by Group Policy, the standard behavior will occur requiring administrative rights. However, an event will be logged in the Application event log (EventID 4097 from Source Microsoft-Windows-AxInstallSer vice) outlining the attempted ActiveX control installation, along with the specific download path to the control. The data from this event log entry can then be used by the corporate administrator to modify Group Policy, allowing the control to be installed by AxIS on subsequent visits to the site. Furthermore, the ability to attach tasks to events in Windows Vista provides an easy way for anyone to receive a notification from the AxIS service (such as when the installation of an ActiveX control is blocked). What does this mean practically? This means that through a simple Group Policy change and a service that can be enabled on Windows Vista, you can take control of which ActiveX controls are installed by end users across your entire organization. This also eliminates a common justification that end users cite when they request administrative rights on their systems. AxIS provides organizations with another tool to take a least-privilege approach to end-user rights on desktop systems. The choice of which ActiveX controls are â€œtrustedâ€ within the corporate environment are determined the organization, not the end user. If you have Windows Vista RC1, we encourage you to give this feature a try. The next step for those planning Windows Vista deployments is to start a dialog with the developer community within your organization and identify all of the trusted locations where ActiveX controls could possibly come from. -- Joel and Rob<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=752248" width="1" height="1"> Tue, 29 May 2007 13:32:30 Windows Vista Application Development Requirements for UAC Compatibility http://keznews.com/17521=Windows_Vista_Application_Development_Requirements_for_UAC_Compatibility Our updated guidance for ISVs is now available for you to download at the Microsoft Download Center. We'll have a "browesable" form on MSDN as part of the Windows Vista Developer Story shortly, as well. I'll post a link&nbsp;on the blog&nbsp;when it goes live. The download page for the "Windows Vista Application Development Requirements for UAC Compatiblity" document is here: <A href="http://www.microsoft.co m/downloads/details.aspx?Famil yID=ba73b169-a648-49af-bc5e-a2 eebb74c16b&amp;DisplayLang =en">http://www.microsoft.com /downloads/details.aspx?Family ID=ba73b169-a648-49af-bc5e-a2e ebb74c16b&amp;DisplayLang= en</A>. -Jenn Allen<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=763897" width="1" height="1"> Tue, 29 May 2007 13:32:30 Credential Prompt Change in RC2 http://keznews.com/17520=Credential_Prompt_Change_in_RC2 Hi, everyone. I'm Daniel Oliver, a program manager on the Windows Shell Team. If you're running Windows Vista on a domain-joined machine, you may have noticed a small change between Windows Vista RC1 and RC2 when the UAC dialog box prompts for credentials in an OTS (over the shoulder) scenario. In RC2, only the empty Password Provider tile is enumerated by default. Some users thought this was a bug, and other users requested we revert to the previous behavior. In addition, many users wanted to know why we made this change. Please allow me to address these questions individually. <IMG src="http://uacblog.members.w inisp.net/images/cred1.jpg" mce_src="http://uacblog.membe rs.winisp.net/images/cred1.jpg "> <DIV>RC1 behavior <IMG src="http://uacblog.members.w inisp.net/images/cred2.jpg" mce_src="http://uacblog.membe rs.winisp.net/images/cred2.jpg "> <DIV>RC2 behavior Is this a bug? No, this is intentional. By default, when UAC prompts users for credentials, it should display the empty Password Provider tile. If you are able to validate your identity with additional (installed) credential providers, such as the Smart Card Provider, you will probably see additional tiles in the user list. Is it possible to get the old default behavior back? Yes, it is. The behavior is controlled by a Group Policy setting and can be configured using gpedit.msc. Once in the MMC snap-in, use the tree control to navigate to... Local Computer Policy -&gt; Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Credential User Interface -&gt; Enumerate administrator accounts on elevation Enable this Group Policy setting. Why did the UAC team make this change? During enumeration of local machine administrators, the system must contact a domain controller (DC). While this enumeration occurred, an indeterminate progress bar appeared within the user list region. We received a large amount of feedback regarding the long period of time this progress bar took to disappear. We analyzed the problem in detail and found users experiencing unusually slow performance when the DC was unavailable or slow to respond. In order to place the dialog box in front of users as fast as possible, we changed the default behavior. Speed. How do I change the domain field? By default, the Password Provider will pre-append the domain (or machine name in the workgroup case) to serialized credentials. The uneditable string below the password field indicates the domain (or machine name) that will be used. To specify a different domain, it must be entered in the user name field. The correct format is domain\username or username@domain. The domain field will update automatically. This is the same convention used during logon. How does this Group Policy setting function on workgroup machines? Enumerate administrator accounts on elevation has a slightly different meaning on workgroup machines. By default (that is, the setting has been neither enabled nor disabled), the Password Provider will list all local administrators on the machine. When enabled or disabled, this policy behaves exactly the same as in the domain-joined scenario. How does this Group Policy setting affect other credential providers? The Microsoft Smart Card Provider is not affected at all by this change. We recommended credential providers written by ISVs respect the settings in Group Policy. -- Daniel Oliver Windows Shell Team</DIV></DIV><img src="http://blogs.msdn.com/ag gbug.aspx?PostID=819744" width="1" height="1"> Tue, 29 May 2007 13:32:30 Windows Vista RTM, Closure of Blog, Free SWAG! http://keznews.com/17519=Windows_Vista_RTM__Closure_of_Blog__Free_SWAG! <DIV style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 4pt; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 4pt; BACKGROUND: #ffffcc; PADDING-BOTTOM: 1pt; BORDER-LEFT: windowtext 1pt solid; PADDING-TOP: 1pt; BORDER-BOTTOM: windowtext 1pt solid; mso-border-alt: solid windowtext .5pt; mso-element: para-border-div">Thanks to everyone who wrote in. The 100 stickers are now all taken for. If you replied before 6:00 PM PST on Wednesday, November 10th with your mailing address you should receive one. Thanks again for reading everyone. </DIV> Today we are proud to announce the RTM of Windows Vista! Releasing Windows Vista and User Account Control has been an incredible adventure, and we would like to thank all of our beta testers (and critics) who have given us invaluable feedback that drove many of the changes made since the early beta versions. <DIV></DIV> <DIV>Now that Windows Vista will be here soon for everyone, itâ€™s time to make sure your applications and environments are ready for Windows Vista and User Account Control:</DIV> <UL> <LI>For IT professionals: Test Windows Vista as a standard user in your environment. The key UAC IT resource is <A href="http://www.microsoft.co m/technet/WindowsVista/library /00d04415-2b2f-422c-b70e-b18ff 918c281.mspx">Understanding and Configuring User Account Control in Windows Vista</A>. Weâ€™ve also created the <A href="http://www.microsoft.co m/technet/desktopdeployment/bd d/2007/default.mspx">Microsof t Solution Accelerator for Business Desktop Deployment 2007</A>&nbsp;to help you plan and manage your deployment.</LI></UL></LI> <UL> <LI>For developers: Test your application as a standard user on Windows Vista. The key UAC developer resource is <A href="http://www.microsoft.co m/downloads/details.aspx?Famil yID=BA73B169-A648-49AF-BC5E-A2 EEBB74C16B&amp;displaylang =en">Windows Vista Application Development Requirements for User Account Control Compatibility</A>. Also, <A href="http://www.microsoft.co m/downloads/details.aspx?Famil yID=df59b474-c0b7-4422-8c70-b0 d9d3d2f575&amp;DisplayLang =en">download Microsoft Standard User Analyzer</A>. And get your applications <A href="http://microsoft.mrmpsl c.com/InnovateOnWindowsVista" >certified for Windows Vista.</A></LI></UL> Today we are also announcing the closure of the UAC blog. We will still continue to blog about UACâ€”hopefully more than ever now that we should have more timeâ€”but going forward, we will post UAC info on the general Windows Vista Security blog at <A href="http://blogs.msdn.com/w indowsvistasecurity">http://b logs.msdn.com/windowsvistasecu rity</A>, so please update your bookmarks and RSS feeds. Back in January, we said we would give away free SWAG if we went for one month without posting a new message. Well, we are RTM, but we still wanted to give out some SWAG to our faithful readers, so here it is. The first 100 readers who send mail to uacswag at microsoft dot com with your physical mailing address will get one of these Windows Vista â€œIâ€™m a Standard Userâ€ stickers. We hope it will help you spread the work of this important step everyone should take to improve the security of their PCs. <IMG src="http://uacblog.members.w inisp.net/vista/sticker.png" mce_src="http://uacblog.membe rs.winisp.net/vista/sticker.pn g"> Thanks again for all of your feedback and ideas. --The User Account Control Team<img src="http://blogs.msdn.com/ag gbug.aspx?PostID=1039147" width="1" height="1"> Tue, 29 May 2007 13:32:30 Make Beautiful Music with Windows Vista_#8212;at Home or On the Go http://keznews.com/14785=Make_Beautiful_Music_with_Windows_Vista__8212_at_Home_or_On_the_Go Columnist S.E. Slack explains how to use Windows Media Center in Windows Vista to experience digital music on your PC and portable device. Wed, 24 Jan 2007 19:16:10 Windows Vista Editions: What's Right for You? http://keznews.com/14654=Windows_Vista_Editions__What_s_Right_for_You_ Columnist Walter Glenn compares the features that are available in different editions of Windows Vista. Fri, 19 Jan 2007 19:16:09 Wow! Windows Vista! http://keznews.com/14636=Wow!_Windows_Vista! Columnist Joli Ballew shares her excitement over the new interface, graphics, applications, and features in Windows Vista. Thu, 18 Jan 2007 23:16:09 Windows on the Go: Windows Vista Goes Mobile http://keznews.com/14485=Windows_on_the_Go__Windows_Vista_Goes_Mobile Columnist Jerri Ledford highlights the exciting new capabilities of the Windows Vista operating system for mobile devices. Thu, 11 Jan 2007 23:16:08 Create Your Own DVDs in Windows Vista http://keznews.com/14225=Create_Your_Own_DVDs_in_Windows_Vista Columnist Galan Bridgman explores much-anticipated capability of Windows Vista—writing and burning DVDs. Wed, 27 Dec 2006 23:16:08