A site devoted to discussing techniques that promote quality and ethical practices in software development.

Sunday, January 18, 2009

The Best way to set up Vista

Many months ago, I was asked for recommendation to set up a brand new Vista machine to provide maximum security protection. I subsequently discovered that my recommendation earns the 'Best' rating by Jesper M. Jphansson in his article "The Long-Term Impact of User Account Control".

Here are the ratings for various set up (figure 2):
Protection Level Elevation Method
Worse Turn off UAC.
Bad Automatically elevate administrators.
Good Run in admin-approval mode.
Better Run as standard user and elevate to a separate admin account.
Best Run as standard user and switch user to a separate admin account instead of using UAC to elevate.

The default set up is to rely on AAM (Admin-Approval Mode) and that only earns a 'Good' rating. Jesper explains why this is not as good as using a separate account:
This lessens the risk of a poisoning attack, where a malicious non-elevated application poisons the user environment for an elevated one, but it does not necessarily remove the ability of a non-elevated application to control an elevated one.

No comments:

Blog Archive