Trilight Zone

[tricore]

Microsoft, as you probably know, has spent a lot of time and millions of dollars to make Windows Vista more secure and ultimately to protect users from themselves.

But you -- you've been using computers for years, right? You don't need any of this hand-holding. You were infested with malware that one time, but that wasn't your fault. And no one has noticed the eight toolbars in your browser whose origin you couldn't explain.

Oh, and your significant other was very understanding about Blaster causing you to work 80-hour weeks cleaning up a software wasteland.


You and your network are clearly ready for Vista without the locks. Here's how to fly with all the safeties off.

Turn User Account Control completely off

User Account Control, or UAC, is a new security feature that limits the authority of accounts users are running in, restricting them from entering protected areas or performing sensitive actions on the system. Briefly, users log on, whether they are power users, ordinary users or administrators, and are assigned a normal security token.

However, when an action is requested that requires administrative privileges, a logon prompt is displayed and the user must enter credentials; at that time, an administrative security token is assigned to users that allows them to carry out the protected function. This really bothers some people, especially power users, who think they don't need to be protected from themselves.

For the people who subscribe to that school of thought, it's relatively easy to turn off UAC entirely. You'll need to open GPEDIT.MSC, acknowledge the very UAC prompt you're trying to disable and then disable everything beginning with "User Account Control" under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.

Windows Vista hides and disables the true administrator account that you've come to expect to find in NT-based versions of Windows. The idea is that you should use regular user accounts with "Vista administrator" permissions, which simply grant administrative tokens to a normal user, allowing him or her to perform a restricted operation within the official context of a standard account.

However, you can expose the true administrator account in Windows Vista -- the one that acts like the administrator in Windows 2000 and XP -- by following the instructions in this Computerworld article by Scot Finnie.

Turn off data execution prevention

Data Execution Prevention (DEP) is a security feature introduced in Windows XP, Windows Server 2003 and now in Windows Vista that looks for malicious code trying to execute. If DEP's analysis of a process beginning execution makes DEP think the resulting code will cause some sort of unwanted activity, DEP intervenes and shuts the process down.

It sounds good in theory, but too often DEP shuts down legitimate programs -- particularly third-party installers used by software developers that release their products for download off the Web. Equally too often, DEP fails to show any sort of warning or information prompt telling you it shut off a process, leaving you scratching your head and wondering why your machine is ignoring you.

You might want to turn off Data Execution Prevention globally by issuing the following at an elevated command prompt (i.e., a shell running with administrative credentials): bcdedit.exe /set {current} nx AlwaysOff
(As you might imagine, it's almost as simple to turn it back on should you want DEP's protection back on your side. The following command will do the trick: bcdedit.exe /set {current} nx AlwaysOn)

Neuter the built-in Windows Internet Explorer protections

The new Protected Mode -- available in Windows Vista -- runs IE in an isolated security setting, working in conjunction with most of the other, under-the-hood architectural improvements in Windows Vista. With Protected Mode enabled, Internet Explorer runs within a low-right environment no matter which user actually launched the process.

Add-ins, like ActiveX controls and browser toolbars, subsequently run with low rights as well. This helps to prevent browser-based malware from latching onto your system through IE, which was a significant problem in previous versions of Windows.