Modified UAC in Windows 7 Exposes Potential Security Issues
That said, there has been a great deal of controversy lately about the modified UAC in the public Beta of Windows 7. Bowing to pressure from the Windows Vista UAC backlash, Microsoft altered the default behavior of UAC and made it easier to adjust or customize. In Windows 7, a slider in the Action Center (available in the Control Panel) lets users adjust the User Account Control Settings. I will say that Microsoft does not do itself any favors in clearing up the confusion about UAC as a security control when the User Account Control Settings dialog states "User Account Control helps prevent potentially harmful programs from making changes to your computer".
By default, the slider sits at the second-highest setting. A security researcher determined that because this level provides no alert or notification when a Windows setting is changed, and UAC itself is a Windows setting, a malicious program could potentially disable UAC completely before performing its malicious actions, and the user would have no indication that UAC had been turned off. The same individual subsequently determined that the way UAC handles Microsoft-signed code in the default mode can also be exploited to initiate malicious attacks.
The official Microsoft response thus far has been that the changes are by design and in response to the mountains of feedback, backlash, and negative publicity that UAC received in Windows Vista. However, I don't think they will do much to improve their image or their publicity if they weaken the default security of the operating system and allow users to be compromised. By all means, include the little sliding User Account Control Settings adjustment and let people make that decision themselves. But the default configuration at installation should have UAC maxed out, behaving just as it did in Windows Vista. Microsoft should invest more in educating enterprises and users about what UAC is, why it works the way it does, and how to configure it properly, rather than disarming it and rendering it effectively useless.
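For administrators who want to verify that a machine is actually at the "Always notify" level the post argues for, here is an added PowerShell audit script (my example, not code from the original post). It reads the standard UAC policy values under the Policies\System registry key; the baseline values it compares against are the ones that correspond to the top slider position, and the remediation step is an assumption about how you would enforce it, so run it only after checking it against your own build.

```powershell
# Added example: audit the registry values behind the Windows 7 UAC slider and
# report whether the machine matches the Vista-equivalent "Always notify" level.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Baseline for "Always notify": UAC enabled, admins asked for consent on every
# elevation (Windows settings included), with the prompt on the secure desktop.
$baseline = @{
    EnableLUA                  = 1  # 0 turns UAC off entirely ("Never notify")
    ConsentPromptBehaviorAdmin = 2  # 2 = prompt for consent; 5 = skip prompts for Windows binaries (Win7 default)
    PromptOnSecureDesktop      = 1  # 1 = dim the desktop so an ordinary window cannot mimic the prompt
}

function Test-UacBaseline {
    param(
        [string]$Key = $uacKey,
        [hashtable]$Expected = $baseline
    )
    $current = Get-ItemProperty -Path $Key
    foreach ($name in $Expected.Keys) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = if ($actual -eq $Expected[$name]) { 'OK' } else { 'WEAK' }
        }
    }
}

# Assumed remediation: push the baseline values back. Requires an elevated shell;
# a change to EnableLUA only takes effect after a restart.
function Set-UacBaseline {
    param([string]$Key = $uacKey, [hashtable]$Expected = $baseline)
    foreach ($name in $Expected.Keys) {
        Set-ItemProperty -Path $Key -Name $name -Value $Expected[$name] -Type DWord
    }
}

$results = Test-UacBaseline
$results | Format-Table -AutoSize

$weak = $results | Where-Object { $_.Status -eq 'WEAK' }
if ($weak) {
    Write-Warning 'UAC is below "Always notify": at this level a program can change Windows settings, UAC itself included, without a prompt.'
    # Uncomment to enforce the baseline on machines you administer:
    # Set-UacBaseline
}
```

The same three values are worth watching in endpoint telemetry: a drop of EnableLUA to 0 or of ConsentPromptBehaviorAdmin below the baseline, outside of a change window, is the silent UAC shutdown the post describes.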