June 20, 2006

Vista security tips

I promised Arthur that I would tell people about the Microsoft Unified Communications and RTC user group, UK, which goes by the snappy name of MucUgUK. It’s early days for the user group, but if you’re interested in RTC or Unified Communications, that’s the place to go.


Arthur also sent me a collection of tips that he has collected for Windows Vista: again the serendipity fairy has been waving her wand because earlier on I was reading some user comments which were about the same area.

First off, the most frequently asked question in Vista is “Where did the Run menu go?” You’ll find that if you press [Windows key] & [R], the Run dialog appears. But you don’t need the Run menu: type in the Search menu as if it were the Run menu and see. If you start to type a path in the search box, Vista will help you fill it in (just use the arrow keys when the bits appear in the menu area, and \ to navigate to the next level).
If you really feel lost without Run, then right-click the Start button, choose Properties, and on the Start Menu tab click Customize; one of the many options is to turn on Run.

Secondly, and perhaps we should have foreseen this, power users testing Vista get a bit annoyed by the number of User Account Control dialogs. You should have heard the mantra:

  • Secure by Design

  • Secure by Default

  • Secure by Deployment

Hopefully you agree with it as a principle, even if you want to exempt yourself from the practice by changing the default. Arthur’s tip sheet refers to a useful tool called MSConfig (just type it in the search box!). You can control a lot of what goes on at start-up with this program, and on its Tools menu there’s a useful collection of shortcuts. Enable and Disable UAP (which is now called UAC – user access protection vs user access control) toggle the right value in the registry (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), but this isn’t the tool I’d use …

Also in Arthur’s list was the registry hack for the application consent prompt. This too is found in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, but again I’d use a different tool.

Which tool? Group Policy. Start MMC, click File, Add/Remove Snap-in, choose Group Policy Object Editor, and tell it you want to manage the local machine. Now navigate to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. You can see the range of settings we have grouped together under User Access Control. You can turn off “Detect Application Installations and prompt for elevation”, or make administrators put in their credentials for elevation (or have elevation silently approved). And 101 other things. Incidentally, one page I saw of 20 minor irritations with Vista listed “You can’t turn on the Admin account”. What’s at the very top of Security Options? Accounts: Administrator Account Status. By default this is enabled in XP and disabled in Vista.

People who are OK with their systems unsecured are the people who can change the defaults. The reverse is not true. Hence Secure by Default.
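To see which of these settings have been relaxed on a machine, the values behind them can be read from the registry key mentioned above. The PowerShell script below is an added example, not part of Arthur's tip sheet or the original post; the value names EnableLUA, ConsentPromptBehaviorAdmin and EnableInstallerDetection do not appear in the post, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: audit the UAC values under the Policies\System key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'EnableInstallerDetection'

function Test-UacPolicy {
    param([hashtable]$Values)   # value name -> DWORD data, as read from the key

    # For each value: the data that relaxes UAC, and what that data means.
    $rules = @(
        @{ Name = 'EnableLUA';                  Relaxed = 0; Meaning = 'UAC is switched off' },
        @{ Name = 'ConsentPromptBehaviorAdmin'; Relaxed = 0; Meaning = 'administrators elevate without a prompt' },
        @{ Name = 'EnableInstallerDetection';   Relaxed = 0; Meaning = 'installer detection is off' }
    )
    foreach ($rule in $rules) {
        $name = $rule.Name
        $data = $null
        if (-not $Values.ContainsKey($name)) {
            $state = 'NotSet'                  # value absent from the key
        } else {
            $data = $Values[$name]
            $state = if ($data -eq $rule.Relaxed) { 'Relaxed' } else { 'OK' }
        }
        [pscustomobject]@{
            Name  = $name
            Data  = $data
            State = $state
            Note  = if ($state -eq 'Relaxed') { $rule.Meaning } else { '' }
        }
    }
}

function Get-UacPolicyValues {
    # Read the live key and keep only the values audited above.
    $props = Get-ItemProperty -Path $PolicyKey
    $values = @{}
    foreach ($n in $ValueNames) {
        if ($null -ne $props.$n) { $values[$n] = [int]$props.$n }
    }
    $values
}

# Constructed sample: a machine where the elevation prompt has been silenced.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; EnableInstallerDetection = 1 }
Test-UacPolicy -Values $sample | Format-Table Name, Data, State, Note -AutoSize

# On a real Windows machine, audit the live key as well.
if (Test-Path $PolicyKey) {
    Test-UacPolicy -Values (Get-UacPolicyValues) | Format-Table Name, Data, State, Note -AutoSize
}
```

Reading the key needs no elevation, so the check can run as a standard user; a value reported as NotSet is simply absent from the key.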

P.S. You can read more about the elevation messages and why they are the way they are on the UAC Blog.


