What are the risks of disabling the User Account Control (UAC) feature on Windows Vista?

While most Vista users would probably agree that UAC, with its scary prompts and darkening of the screen, is the most annoying "feature" of Vista, many could probably live with the Microsoft OS asking user permission to install software, just as users are asked in Linux or Mac OS X. But when Vista asks about each and every change to things like Start menu folders or even the system clock, it can get a bit much. Hence the abundance of Web pages out there devoted to showing you how to turn off UAC.

So why didn't Microsoft set Vista's default level of user interrogation closer to that of rival OSes? The answer may lie in the many different avenues of attack that exist on a Windows system running Microsoft applications, whether it's Vista or XP.

Microsoft evolved its software, both OS and applications, from a closed environment to the wide-open world of Internet hosts, without a fundamental redesign. Just as Microsoft Office applications have had to live with Microsoft's decision to embed programming capabilities within data files (resulting in the abuse of macros and VB script), its operating systems have had to live with an excess of sharing abilities and other hooks originally designed for home and office environments where users are known and trusted (not untrusted networks like the Internet).

Now Vista offers the ability to run Internet Explorer in a secure "protected mode." Obviously, in an enterprise setting, it makes sense to control who can turn off UAC. For the general user population, consider denying administrator privileges altogether, forcing users to work at the level of a standard user so they won't be able to do things that trigger UAC elevation prompts for administrators.

For a group of experienced, responsible users who are running Vista with administrator privileges but getting annoyed by it, consider allowing them to run UAC in "quiet mode." This setting leaves UAC on, preserves protected mode in Internet Explorer, and prevents prompts when a user attempts an administrative task. The UAC will run, however, with the standard user permissions by default. There are several free utilities, such as TweakUAC, that simplify setting up quiet mode. The Group Policy Editor in Vista Ultimate also works. In Vista Home Basic or Home Premium, two registry key values must be changed from their default of 2 to 0: [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem]

The values to change are: "ConsentPromptBehaviorAdmin" and "ConsentPromptBehaviorUser"

These modifications do not leave the user completely unprotected. UAC will still offer up an alert if the user, or some process, tries to run unsigned code, provided "ValidateAdminCodeSignatures" has not been changed from the default of 0 for "Off." As more code is being signed, I suggest avoiding the temptation to turn off validation.

In fact, exercise caution when changing any of the policy settings unless you are sure what the implications will be. In regard to other Vista features that can be used to secure Vista when UAC is disabled, I'm not sure what those might be, other than perhaps some restrictive combination of user groups and permission settings, the basic logon/startup protection and file encryption. I would certainly want to make sure some sort of memory-resident malware detection was running before UAC was disabled. While UAC is annoying, it is likely to get less annoying over time as fewer events trigger alerts, and running in "quiet mode" seems like a good compromise for experienced users.

More information:

• Features of Windows Vista SP1 may encourage wider adoption of the OS. Learn how.
• Vista WIL can help enterprises take control of data integrity levels with these tips.