Chapter 1: Administering Vista Security - The Little Surprises


Much of this book shows you how Vista's new big security technologies work, how they'll affect you, and where you can control them. This chapter, however, doesn't hit the big stuff; instead, in this chapter I want to introduce you to a bunch of changes in Vista that are fairly significant, but not obvious, until you run up against the kind of strange, unexpected, or puzzling behavior that I've come to think of as "Vysteries." Now, you might think "hey, if this is a potpourri of small Vista administration and security surprises, why not put it at the end of the book?" I thought about that but realized that if you did want to fire up a copy of Vista and work through some of the things we cover in the rest of the book, then you might find yourself more aggravated from tripping over the small brambles at your feet than from trying to scale the high towers of User Account Control internals and the like, so the first chapter seemed a practical place to put these items.

But let me stress that these aren't all bad surprises. All I'm trying to do in this chapter is give you a quick heads-up about things that I feel have changed most significantly administration-wise, particularly from a security point of view, with a view to highlighting the not-so-well-publicized changes. That way, you can decide best where to spend your time in Windows' new doodads. (In addition, I'm hoping to show you these things before some client mentions them in a meeting. Don't you just hate those kinds of surprises?) These aren't in any particular order; it is, again, a potpourri.

Because, as I mentioned in the Introduction, I'm trying to keep this short and because I'm working from pre-release versions of Vista, I'll assume that you've already figured out how to get Vista up and running in at least a minimal manner on a test system or two. That way, we can move right along to the surprises.

Restoring the Administrator

You go to log onto Vista for the first time, and want to log on as the Administrator, just as you always have. But there's this hitch because, well, there doesn't seem to be an Administrator account anymore. Arrgh.

Actually, the Administrator account's still there and can be logged onto. It's just disabled. So here's how to get it back.

First, log onto the Vista system as a local administrator. If you're on a domain, that means that you'll probably need to log on with a domain administrator account, or, if you're not in charge of your domain, then ask your domain administrator to put your domain account in the Administrators group of your Vista machine. If you're using a computer that's a member of a domain, but you can't do either of those things, then you're probably stuck, unless you reinstall the Vista box as a member of a workgroup rather than a domain.

Making Your Own Administrator

If, on the other hand, you're running a Vista box that is not a member of a domain, then Vista will prompt you to create a user account when it first starts up. Vista then automatically puts that account in the Administrators group, just as XP did. It won't force you to give that account a password, but it's a good idea to do it anyway because Vista, like XP and 2003, treats accounts with blank passwords as sort of second-class citizens in that they can't be used over a network.

Because that first account is a local administrator, you may not actually need to revivify the Administrator account.

Activating the Administrator Account

Do you, then, need to activate the Administrator account? Probably not. I figured out how to activate the Administrator account in the early days of Vista, but soon realized that anything I could do with the Administrator account, I could also accomplish with the account that Vista prompted me to create. In fact, when testing Vista builds 5472, 5536, and RC1 I never even bothered with activating the Administrator account.

I have heard of people needing the Administrator for application compatibility, as some folks have apps coded to run using the Administrator account (not a good idea, but, again, I've been told that some need it). In any case, if you need the Administrator back, then here's the sequence. First, the Administrator account needs a password, as it's currently blank and, as we all know, having an account on a system named "Administrator" with a blank password and that is a member of the Administrators group is a terribly bad idea.

Also, if your system is a member of a domain that has minimum password requirements installed, then you won't be able to activate an Administrator account with a blank password. (Not that the error message that you get from Windows is crystal clear in explaining why it errors out when you try to activate an Administrator account with a lame password; you tell it to activate the Administrator account and it replies something to the effect that "the password does not meet the minimum requirements of this system." You then scratch your head and say, "I wasn't trying to do anything with a password!")

We'll give the Administrator a good password and activate it at the same time. Here's how.

Note 

Note that in my instructions, I'm using the "Classic Start menu." You'll see that I also run using the Windows Classic theme, which leads to my Vista desktops looking sort of like Windows 2000. I do that mainly for the sake of better speed and quicker response time.

  1. Log onto your Vista system with whatever local administrator account you've wangled.

  2. Start up a command prompt: click the Start button (it doesn't say "Start" anymore, but it's in the same place as the old Start button, the lower left-hand corner by default, and is a circular representation of the Windows flag). Then click All Programs, and then Accessories.

  3. I know, I've lulled you into a false sense of "I know what I'm doing now," and you're about to click the Command Prompt icon. Don't. Instead, right-click the Command Prompt icon and choose "Run as administrator." You will see your desktop go gray and you'll see a dialog box warning you that you're about to do something administrator-like, and did you really mean to do that? You then click either a Continue or Cancel button.

  4. This is called the "Consent user interface" because the program that kicks it off is called consent.exe. It's part of User Account Control (UAC), which we'll discuss in Chapter 2. You'll see this dialog box every time you do something that requires even mildly "administrator-ness" to work right. It stays up for two minutes, and if you don't respond in those two minutes, you get a dialog box announcing that Windows won't run the program because "The operation returned because the timeout period expired." In any case, click Continue to get Vista to open a command prompt.

  5. Now that you've got the command prompt, set the Administrator's password to something other than blank. (And, if necessary, something that makes your domain's group policies happy.) That command looks like net user administrator newpassword. In my case, I'll type net user administrator swordfish to give it the password "swordfish." As with virtually all Windows command-line commands, case does not matter except in the password itself, and you've got to press the Enter key once done. You should get "The command completed successfully."

    Tip 

    But what if you didn't? If you get "System error 5 has occurred. Access is denied," then you didn't start up the command prompt by right-clicking and choosing "Run as administrator." Yes, I know, you're logged on as an administrator, you should be able to do administrator things, but it's a longer story having to do with UAC, and we'll cover it later. For now, just please remember to always start your command prompts with "Run as administrator" if you want to do anything administrative.

  6. Now we've got an administrator with a good password; finish the job and activate the account. From the command prompt, type net user administrator /active:yes and press Enter.

Tip 

I did that as two commands for clarity's sake, but you can do it in one: net user administrator swordfish /active:yes will work as well.

Tip 

And no matter which path you took, be sure to clear your screen or prying eyes might see that new password. In fact, closing the command prompt window at that point might be a good idea so that no one can press the Up arrow to see what you typed.
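
The steps above can also be run as one batch file. This is an added example, not from the book: it checks for elevation first, and it uses the `*` form of net user so the password is prompted for rather than typed on the command line. It assumes an English-language system, where the account is named "administrator" and the status line reads "Account active".

```bat
@echo off
rem Added example (not from the book): give the built-in Administrator
rem account a password and activate it. Run from an elevated prompt.
setlocal

rem An elevated token carries the High Mandatory Level SID (S-1-16-12288).
rem Without it, net user fails with "System error 5 ... Access is denied."
whoami /groups | find "S-1-16-12288" >nul
if errorlevel 1 (
    echo Not elevated. Right-click Command Prompt and choose "Run as administrator."
    exit /b 5
)

rem "*" makes net user prompt for the password and its confirmation without
rem echoing it, so it never appears on screen or in the Up-arrow history.
net user administrator *
if errorlevel 1 (
    echo Password was not set; a domain password policy may have rejected it.
    exit /b 1
)

rem Only activate the account once it has a non-blank password.
net user administrator /active:yes
if errorlevel 1 exit /b 1

rem Confirm the result: the "Account active" line should now read Yes.
net user administrator | find "Account active"
endlocal
```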




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Year: 2004
Pages: 101
