Common sense for UAC in Windows 7

There was some talk about the behavior of UAC in Windows 7. To make a long story short:

  1. access to UAC is protected by … UAC: UAC is marked as a “Windows Setting” and those are protected using UAC
  2. by default UAC is not triggered when changes are made to a “Windows Setting” (according to MS due to popular demand for not showing the UAC dialog too often)
  3. therefore changing UAC to “Don’t show up ever” (= disabling it) can be done without invoking UAC itself for confirmation (for systems that haven’t changed the default setting)
  4. world domination!! (but for hackers, not for you)

At first Microsoft considered this not an issue and said this behavior is “by design”. Now they seem to have seen the light over there in Redmond.

It is always dangerous if you protect a system using the system itself. I am not saying it is bad design if you do, I am just saying that bad things can happen if you don’t think this through. The original idea for UAC in Windows 7 was obviously not thought through.
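
The default described in the list above can be checked on a machine by reading the UAC policy values from the registry. The script below is an added example, not part of the original post. The function name `Get-UacPosture` and the posture labels are made up for illustration, while the registry value names are the documented Windows UAC policy settings.

```powershell
# Added example (not from the original post): read-only audit of the UAC policy values.
# Get-UacPosture and its labels are hypothetical names chosen for this example.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param($EnableLUA, $ConsentPromptBehaviorAdmin)

    # A missing value is reported as such instead of being read as 0
    if ($EnableLUA -eq $null -or $ConsentPromptBehaviorAdmin -eq $null) {
        return 'Unknown: policy value missing'
    }
    if ([int]$EnableLUA -eq 0) {
        return 'Disabled: UAC is off'
    }
    switch ([int]$ConsentPromptBehaviorAdmin) {
        0 { return 'Silent: administrators elevate without any prompt' }
        5 { return 'Default: changes to Windows settings do not prompt' }
        { $_ -ge 1 -and $_ -le 4 } {
            return 'Prompting: every elevation asks for consent or credentials'
        }
        default { return "Unknown: unexpected value $_" }
    }
}

# Read the live values; nothing is written to the registry
$p = Get-ItemProperty -Path $key
$report = New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    EnableLUA     = $p.EnableLUA
    ConsentPrompt = $p.ConsentPromptBehaviorAdmin
    SecureDesktop = $p.PromptOnSecureDesktop
    Posture       = Get-UacPosture $p.EnableLUA $p.ConsentPromptBehaviorAdmin
}
$report | Format-List Computer, EnableLUA, ConsentPrompt, SecureDesktop, Posture

# Constructed sample values, to show the classification without a live machine
Get-UacPosture 1 5   # the default the post describes
Get-UacPosture 1 2   # slider at "Always notify"
Get-UacPosture 0 0   # UAC switched off
```

A machine reporting `Default` is in the configuration the list above applies to; one reporting `Prompting` has changed the default and asks for confirmation on changes to Windows settings as well.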


I am Card-enabled

For a few weeks I have been running IE 7 Beta on my desktop at home. Kim’s blog pointed me to Craig Burton’s blog, which pointed me to this sandbox site for .NET 3.0 and Infocards.

I downloaded the July CTP of .NET 3.0, expecting a lengthy install, a few reboots and possibly some problems. None of that. In about ten minutes the software was installed and I was already creating a self-issued card. Minutes later I could seamlessly log in to the sandbox and to Kim’s blog (where I could finally post a comment about a previous post).

So it seems that .NET 3.0 July CTP and CardSpace are already showing a great deal of quality. Good work!



For a few months I have been walking around with the idea of blogging. Not about my personal life but about my work in the world of identity and access management.

A few years ago the company I worked for, SilverStream, was acquired by Novell. Since that moment I have been involved in identity management. Currently I work for Ascure, a Belgian company specialising in Information Security. I am still focused on the subjects of identity and access management in my role as competence center leader.

When time permits, I hope to share some of my ideas and thoughts about the subject.

Hope to see you back soon!