A couple of years ago, I helped out with the documentation for the Microsoft Shared Computer Toolkit. On June 22, 2007, Microsoft released the newest incarnation of the product, now named Windows SteadyState. For those who haven’t seen or heard of it, SteadyState is a utility that makes it easier to manage public computers, such as those found in libraries, classrooms, and Internet cafes – or even the computer you keep in your guest room that you get sick of having to troubleshoot every time your nephew visits.
One of the challenges of managing public computers is that all manner of malware, other programs, and system changes can be introduced by users. SteadyState works by offering several vital functions in an easy-to-manage interface:
- Windows Disk Protection. This feature basically creates a snapshot of the hard drive at a certain point in time (like when you finally get it configured just the way you want it). Whenever the computer restarts, Windows restores the computer to this exact state. So whenever a user is done with the computer, you can just restart the computer and it returns to the same state as before the user logged on.
- User Restrictions and Settings. This feature allows you to restrict access to programs and settings, and also to lock a user account to prevent changes.
- User Account Manager. This feature lets you create and delete user accounts, and also to export user accounts for use on other shared computers – perfect for creating identical user accounts on a group of shared computers.
- Computer Restrictions. This feature lets you restrict access to computer settings.
Right now, Windows SteadyState is only available for Windows XP and does require that you validate the copy of Windows you’re running.
Most programs recognize the new User Account Control (UAC) security model in Windows Vista. However, in order for this to work properly, the program must be marked by the developer (or identified by Windows Vista) as an program that requires administrative rights.
You are likely to run into some older programs that aren’t properly marked. So Vista provides a few ways to run a program as an administrator right off the bat.
Run a program as administrator from the Search box
As you probably know, you can use the new Search box in the Windows Vista Start Menu the same way you used the Run command in Windows XP (plus, it does a whole lot more). To run a program as an administrator from the Search box, type the command (such as CMD for the command prompt) and then press Ctrl-Shift-Enter.
Run a program as administrator from the graphical interface
You can also run a program as administrator right from a program icon. Instead of double-clicking the program icon to launch it, right-click the icon and choose Run as Administrator from the shortcut menu.
Set a program to always run as administrator
If you have a program that you run frequently, you can set the program to always run as administrator. To do this, use the following steps:
- Right-click the program icon and click Properties.
- On the Property sheet, click the Compatibility tab.
- Under Privilege Level, select the Run this program as an administrator check box, and then click OK.
Bonus Tip: If you work in the command prompt a lot, right-click the Command Prompt shortcut on your Start menu and click Properties. On the property sheet, click Advanced. In the Advanced Properties dialog box that opens, click Run As Administrator. When you use the shortcut to open the command prompt, UAC will prompt you for administrative priveleges.
Windows Vista includes the new User Account Control (UAC) security component. Even if you’re not familiar with the name, you’ve seen it in action When Vista pops up a dialog asking you to press Continue when you install a program, change system settings, or whatever other nefarious deed you’re up to.
In previous versions of Windows, when you logged on with an administrator account, your user account was granted a single access token that allowed you extensive rights and privileges throughout the system. The problem with this? Windows XP and earlier didn’t include any kind of checks to make sure that you actually wanted to perform an action that the system was trying to perform. So, it was easier for malicious programs like viruses and spyware to get themselves installed without you knowing about it.
In Windows Vista, when you log on with an administrator account, your user account is assigned two access tokens – a full administrator access token and a standard user access token. The standard access token is used to start the Vista desktop. During normal activities (such as running a program, working with files and folders, or changing innocuous system settings like the desktop background), your user account uses the standard access token.
When you try to perform an administrative task (changing system settings, installing programs, and so on), Windows Vista prompts you to make sure that the action is one you intended to take. If you give it the go ahead, your user account is elevated to administrator access and the action proceeds. This prevents administrative tasks from happening without your knowledge. Throughout Windows Vista, you’ll now see an icon with the Windows Shield applied to commands and user interface elements that require administrative privileges.
Microsoft has released a free online magazine (in PDF format) named Safety and Security Online that’s all about protecting home computers and your family. It’s a pretty good read and has good step-by-step guidance for people who are not IT pros, but who want to improve security and family safety in their homes. You will need to validate your computer using Windows Genuine Advantage (in either IE or Firefox) in order to download, but it takes only a few seconds.