I am one of those people who always leaves UAC enabled - I like to see when something (*cough* - Adobe Update - *cough*) wants to execute with admin privilege on my system and then get the choice as to whether to allow it or not.  However, not everyone likes the choices that are presented by default with the GPOs (Group Policy Objects). Coming to the rescue are tools to help enhance these offerings, such as the Privilege Manager from BeyondTrust.  Sometimes people forget that Microsoft is a platform for others to build on and this is no different.  Their product enables pre-defining the responses to UAC based on a number of variables.  While I have NOT tried the product, it is getting good reviews.  You can however download an eval copy for free if you so desire.

One thing to bear in mind is that when a tool like this is used, you weaken security - why, well, even if you use a SHA1 hash to work out if an application is safe or not, a clever hacker will use plugins, dll's etc to attack that product - it does not have to have the main .exe file to breach the security and once they are in, they are in.

You can find out more about Privilege Manager from the FAQ at BeyondTrust | Privilege Manager FAQ, however a short snippet is below (which I have cut around, so there is much more under each section):

Applications are targeted on the Application tab, which allows you to specify an application by one of several criteria. This includes:

• Path to an executable file

  • supports wildcards and environment variables

• Folder of one or more executable files

  • including wildcards and environment variables

• Hash rule

  • SHA1 hash of the targeted executable file

• MSI Path rule

  • target Windows Installer installation of specified packages

• MSI Folder rule

• ActiveX rule

My gift to those of you who are UAC challenged :-)

ttfn

David