derek hatchard

aggregating from ardentdev.com and derekhat.com

User Access Protection (UAP) in Windows Vista

One of the features I am most excited about in Windows Vista is User Access Protection (UAP). Enabling UAP tells Windows to run your session in a least-privilege mode, even though you have full admin rights. To do something restricted you have to run the app in "elevated" mode (right-click, Run Elevated). Windows requires you to enter your password in order to authorize elevation. Presumably this feature is to help reduce the spread of viruses and worms by preventing them from silently doing things when a user is logged on with full rights. This is FANTASTIC! Finally there is something that will force ISVs to get their acts together and start coding with least privilege in mind.

There must be something new in the Win32 API for an application to request elevated privileges because some programs bring up the password prompt when they start (e.g., regedit). It would be a real tragedy if software vendors modify their apps to simply request elevated privileges on startup. Perhaps Vista should require applications to declare what types of administrative tasks they intend to perform so security can be doled out more granularly. The authorization interface could include an Advanced section for more savvy users that lists the permissions the application has requested. I know I have glossed over numerous potential snags but wouldn't it be great? :)

I have been running my Vista machine with UAP enabled, which has caused a few problems. Most notable was Napster not working for streaming and downloading tunes -- actually, I think it was Windows Media Player DRM that was not working right. Napster tech support sent me a list of troubleshooting steps that included renaming the DRM folder under All Users (on XP it would be C:\Documents and Settings\All Users, on Vista Beta 1 it is C:\Users\Public). When I could not do that from Windows Explorer with UAP running, I knew I was onto the problem. I disabled UAP, renamed the folder, and suddenly all was well with Napster and/or WMP DRM. I enabled UAP again and so far everything is working fine if I run the Napster client elevated. I suspect DRM would not work properly for other users on this machine due to the ACLs I see on the new DRM folder. That does not affect me as my machine is only for me, but that would be a major problem for home users and other shared PC environments.

[Sidebar: If you are reading this blog you might not realize that in some homes people share one computer. You probably don't have shared computers at your home: every man, woman, child, and dog probably has his/her own PC. Unless, of course, you're broke, in which case you should come work for me so you can make some money to buy more computers for home... ;) ].

So far I have a few complaints with UAP:

  1. I cannot run Windows Explorer elevated.
  2. I cannot elevate a process already running (this would be especially useful for installing browser plug-ins and ActiveX controls).
  3. I cannot modify Start menu shortcuts to always start with Run Elevated, because I don't have permission to edit them and I cannot open Explorer with elevated privileges.
