User Account Control offers improved security
|
By Mark Joseph Edwards Vista's User Account Control (UAC) helps defend your system against all sorts of malware. This week, I discuss whether or not it's a good idea to disable UAC and explain how to disable it, if you want to. (Note: Fred Langa is taking the week off and will return in the next newsletter.) |
Is disabling Vista's User Account Control wise?
If you use Vista, then you're probably aware that it has a new security feature called User Account Control (UAC). This feature enables you log in as a regular user without administrator privileges (which is a more secure way of using your computer), but quickly elevate your privileges when a program needs greater access to your computer than is allowed for a regular user account.
Overall, UAC is a good feature. But some people find it to be bothersome, due to the prompts that appear, asking if you want to elevate a program's privileges. So, the question arises whether or not to disable UAC. If you do disable it, and then log in with an account that has administrator privileges, you need to be aware that your system is less protected than it would be if you had left UAC enabled.
The reason this is true is because many forms of malware typically try to create or modify Registry keys and Windows system files. They might also try to write files to areas of the system where a regular user account would not normally write files. With UAC enabled, actions that require administrator-level access are prohibited unless you specifically allow them by approving a UAC prompt.
Keep in mind that while UAC does help prevent many forms of malware from infecting your system, malware can still find its way in to your system even with UAC enabled. UAC simply protects the system from actions that would normally require administrator-level access. So, it's a good idea to leave it enabled.
On the other hand, if you consider yourself to be somewhat of an expert at protecting your computer, then disabling UAC and running as admin may be something you'd be comfortable with. After all, if you've used Windows for years and have yet to experience a serious infiltration of your system by some type of malware, then it's possible that you can continue in that way without UAC.
Keep in mind that if you share your computer with other people who have their own user accounts, you can disable UAC but it might break usability for other user accounts. Woody Leonard pointed out to me that when UAC is disabled via the Control Panel for one user account, other regular user accounts are no longer able to elevate their privileges. A regular user account can't even change Vista's system time, unless UAC is available so the user can authorize the change. Disabling UAC isn't good if you have other regular user accounts for people who share your computer.
Instead of disabling UAC using the Control Panel, a better approach might be to use an account with administrator-level access as your usual user login account, and then disable UAC only for accounts that have administrator-level access. That way, your user account won't be subject to UAC prompts, but other user accounts will be.
On any version of Vista, except Home Basic and Home Premium, you can disable UAC for administrator accounts by following these steps:
Step 1. Click the Start button and launch the Local Security Policy editor by entering secpol.msc in the Search box.
Step 2. Select the Local Policies item in the left panel to expand the tree, then expand Security Options under Local Policies.
Step 3. Scroll down the list in the right panel to locate User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Right-click that item and choose Properties.
Step 4. Select Elevate without prompting and close the dialog.
If you use Vista Home Basic or Home Premium, the Local Security Policy editor, unfortunately, isn't included. To disable UAC for administrator accounts, you'll need to edit the Registry. Follow these steps to do that — and be extremely careful, since mistakes could render your system unusable!
Step 1. Click Start and enter regedit in the Search box to launch the Registry Editor.
Step 2. Navigate to the following key:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System
Step 3. Double-click the ConsentPromptBehaviorAdmin item.
Step 4. Change the value to 00000000.
Step 5. Close the dialog and exit the Registry Editor.
That's all there is to it!
How to make Windows boot faster
The more programs that launch at boot time, the longer it takes for Windows to boot up. Sometimes you might want Windows to boot as fast as possible, and there's a way to make that happen. Donald Parkyn wrote to ask about a quirk he noticed when booting XP:
-
"I notice that Windows XP Pro seems to boot and run better if
I hold the Shift key down during bootup. What is this all
about?"
If you hold down the Shift key during the entire bootup process, Windows won't launch at startup any programs located in the following places:
%systemdrive%\Documents and Settings\Username\Start Menu\Programs\Startup
%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
%windir%\Profiles\Username\Start Menu\Programs\Startup
%windir%\Profiles\All Users\Start Menu\Programs\Startup
In the above locations, %systemdrive% refers to the drive where Windows is installed — typically the C: drive. %Windir% refers to the Windows installation directory, whatever it may have been named when Windows was first installed.
Find your true Internet connection speed
When you use a dial-up modem connection, you can be reasonably sure what speed you're getting when you connect, since your modem tells you what speed it connects at. But that's not always the case with DSL, cable, and wireless connections. So how do you find out what your real throughput rates are?
There are a number of sites on the Internet that can help you test your network connection to determine what your upload and download speeds are. It's important to use the tests once in a while to make sure you're getting what you pay for.
As an example, my Internet provider recently said it was upgrading all its connections to allow more bandwidth for both upload and download speeds. I wondered if the company had made the changes in my particular area yet. When a serviceman was at my house, I asked him, and he said he believed that they had made the changes. We then tried a speed-testing site to measur the throughput. As it turns out, the company had not made the speed increases in my area yet, so I was still running at the lower network speeds.
The test I used is offered by Speakeasy. It works in a browser, uses Flash, and lets me select the destination to test from a list of eight possible choices in the United States.
But there are other tests you can try, too. Bandwidth Place offers a test you can use up to three times a month for free. Their test doesn't let you choose the end point, though.
Ookla offers a really slick, Flash-based speed test that lets you choose a destination from numerous places all over the world. This is probably the most useful test available, if you're curious about your connection speed, because of its location specificity.
Windows User Group Network (WUGNET) has a good test, too. It uses Java and displays the results in a clear graph for easy comparisons to various types of connections (modem, DSL, cable, satellite, T1, T2, etc.). It doesn't, however, let you select a destination endpoint. Regardless, I found both WUGNET's and Speakeasy's tests to be the most useful and the most accurate.
Your results may vary, so try a variety of tests. Use a search engine to search for “speed test” or “speedtest” and you'll find lots of others.
How to tweak TCP/IP settings for faster throughput
Transmission Control Protocol/Internet Protocol (TCP/IP) is the communication language used on the Internet. Various parameters control how TCP/IP operates, and understanding what those settings mean and what they do can be very confusing. A.B. Calvin wrote to ask about TCP/IP settings:
-
"Although most computers have internal modems, there is no help on
them since they are made/supplied by other vendors to the OEM.
The communications settings are not set for optimum results.
Depending on the type of connection — dial-up, broadband, etc. —
some parameters have to be set for best results.
"Are these to be done at the modem level or the network level? How do we read the present settings, find the best values for the specific mode, and correct them?
"For example, I have a computer with Windows XP and an internal 56k modem with a dial-up connection. A program I used indicated that the following changes were required:
Max transmission unit.. 576 instead of 0
TCP receiving... 65392 instead of 0
Default TTL..... 64 instead of 0
Auto MTU detection.. 1 instead of 0
Max Dup Acks.. 2 instead of 0
Fast retransmission & recovery value.. 1 instead of 0
selective acks.. 1 instead of 0
max connection.. 10 instead of 0
max 1.0 connection.. 20 instead of 0
"What do these mean? Is there any info/FAQ/tutorial available on the Web? The Knowledge Base at Microsoft is of no help. I don't know the keywords to do a search on Google. Is there any freeware program that can check the connection and set the parameters correctly with a 'restore back' option?"
An even better tool is SpeedGuide's SG TCP Optimizer. It lets you select the bandwidth that you use (56K, 256K, 1MB, etc.) and makes suggestions about how to adjust the settings. It also lets you save your current settings before making any changes. You canthen revert to those saved settings if, for some reason, your new settings don't work correctly.
Be careful when adjusting your TCP/IP settings, and make certain that you save your current settings. Sometimes changes can render your connection entirely useless. In that case, you'll definitely be glad that you saved your previous settings. Be sure to read Speedguide's TCP Optimizer Help section, where you'll also find a link to the related TCP Optimizer FAQ.
Before you change your TCP/IP settings, use one of the speed-test sites that's described in the section above to test your connection speed. Then test the speed again after you've made changes to see if there are any significant improvements.
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and writes the weekly email newsletter Security UPDATE. He's a network engineer, freelance writer, and the author of Internet Security with Windows NT.
Digg
Del.icio.us
Reddit
StumbleUpon
Other
Permalink
(
