January 31, 2009
With only a very simple VBScript, a user can now completely disable UAC (User Account Control) in Windows 7.
Here's what Microsoft has to say about this:
"This is not a security vulnerability (!) The intent of the default configuration of UAC is that users
don't get prompted when making changes to Windows settings (A-Ha!) This includes changing the UAC prompting
For those who remember, when Windows Vista was first released in December 2006, the operating system came with UAC (User Account Control).
At that time, some industry observers interpreted UAC as a necessary tool to fix developers' attitudes towards writing applications for Windows.
So when it came to developing Windows 7's UAC, Microsoft decided to implement a 'slider control' where you could set which events would trigger a UAC prompt.
This is a blatant case of sacrificing security for the sake of perceived usability!
The default setting in Windows 7 is "Notify the user only when programs try to make changes to this computer" and "Don't notify us if we make changes to Windows settings".
Obviously, since changing a Windows setting doesn't trigger a UAC prompt, changing the UAC settings themselves doesn't trigger a UAC prompt either. (Catch 22?)
Stated differently, users can completely disable the UAC without them ever having to give any consent!
If someone places a couple of keyboard shortcuts in a small and very simple VBScript, the UAC will be disabled.
Interestingly, there is an easy way to repair this potential security hole. Simply enable the full-blown Vista-style UAC in Windows 7; in other words, move the slider all the way up and that will do it, believe it or not!
With that setting, any user who tries to change the UAC settings will see a UAC dialog.
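As an added example (not from the original post, nor Microsoft's own tooling), the following PowerShell audit reads the registry values that back the UAC slider and reports whether it sits at the "Always notify" position described above; the key path and the value-to-slider mapping are assumptions based on how Windows 7 stores the setting, and the remediation function needs an elevated shell.

```powershell
# Added example: audit (and optionally restore) the UAC slider position.
# Assumed mapping of slider positions to policy values (Windows 7):
#   Always notify (top)                 -> ConsentPromptBehaviorAdmin = 2, PromptOnSecureDesktop = 1
#   Default (programs only, dimmed)     -> ConsentPromptBehaviorAdmin = 5, PromptOnSecureDesktop = 1
#   Never notify (bottom)               -> ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderState {
    # Missing values read as $null and are cast to 0 (treated as "off").
    $p = Get-ItemProperty -Path $UacPolicyKey
    $state = [PSCustomObject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        AlwaysNotify               = $false
    }
    # Only the top slider position makes a change to the UAC settings themselves prompt.
    $state.AlwaysNotify = ($state.EnableLUA -eq 1) -and
                          ($state.ConsentPromptBehaviorAdmin -eq 2) -and
                          ($state.PromptOnSecureDesktop -eq 1)
    return $state
}

function Set-UacAlwaysNotify {
    # Equivalent to moving the slider all the way up. Requires an elevated shell;
    # a change to EnableLUA only takes effect after a reboot.
    Set-ItemProperty -Path $UacPolicyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacPolicyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$state = Get-UacSliderState
$state | Format-List
if (-not $state.AlwaysNotify) {
    Write-Warning 'UAC is below "Always notify": changing the UAC settings will not prompt.'
}
```

Run the audit as a scheduled check on managed hosts and call Set-UacAlwaysNotify only from an elevated session.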
So the conclusion to all of this can be summed up in one sentence: having UAC on at its default policy (as it is currently implemented in Windows 7) is as good as not having it on at all... (!)
While this exposes the strange and insecure implementation of the UAC settings adjustment in Windows 7, it also stems from sacrificing data and network security outright simply to please users and to spare them endless dialog boxes.
Some security experts are now saying that disabling UAC, or attempting to weaken it, is not recommended in the first place simply because Windows users don't like dialog boxes.
Source: The Web Hosting Tech Support Forum.