Windows 7: why you should keep User Account Control at the highest level

Windows 7 makes it easy to adjust the settings for User Account Control, the system protection feature introduced in Vista. You can access User Account Control Settings from Control Panel, whereupon you see a slider with four settings:

1. Always Notify

2. Notify me only when programs try to make changes to my computer – don’t notify me when I make changes to Windows settings

3. Same as (2) but without the dimmed desktop

4. Never notify

The default is (2). This means Windows 7 is not too annoying, but 3rd party applications still have to prompt in order to do things like writing to a location in Program Files.

Sounds good? Not really. Leo Davidson has an extensive write-up; but all you need to know is actually in the online help for option 2:

It is usually safe to allow changes to be made to Windows settings without you being notified. However, certain programs that come with Windows can have commands or data passed to them, and malicious software can take advantage of this by using these programs to install files or change settings on your computer.

The problem lies in what Microsoft means by “make changes to Windows settings”. In reality, this is just a whitelist of applications which get elevated permissions automatically, and as online help hints, these are “certain programs that come with Windows.” Davidson observes that it is possible for malware to inject data into one of these processes and have it do whatever the malware wants without a prompt.

Microsoft’s point is that malware shouldn’t be running on your PC in the first place. Very true; but the simple slider control is less than honest about the implications of the default option.

The solution is to move the slider to the highest level. I am sure this should be the default. Microsoft: even at this stage it is not too late to change it. Let the user relax the security if they want, though this stuff about “Windows settings” should be replaced with something which better describes what the option means.

I am not all that worked up about this. UAC will still be achieving its main goal, which is to make 3rd party developers follow the rules more often – though it is still possible for developers to subvert this. And even when fully enabled, UAC is nothing like a complete security solution.

Still, bearing in mind that Microsoft is unlikely to change the default, I’d suggest that users move the slider to the highest setting. It is not painful at all, and at least gives you the same level of protection as Vista.
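
To check which of the four slider positions a machine is actually on, the following added example (not part of the original post) reads the UAC policy values from the registry and maps them to the positions listed above. The value-to-position mapping is an assumption stated from general knowledge of what the slider writes, and the function name Get-UacSliderLevel is made up for this example.

```powershell
# Added example, not from the original post. Get-UacSliderLevel is a hypothetical name.
# Reads the UAC policy values and reports which slider position they correspond to.
function Get-UacSliderLevel {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $p       = Get-ItemProperty -Path $Path -ErrorAction Stop
    $lua     = $p.EnableLUA                   # 0 = UAC switched off entirely
    $consent = $p.ConsentPromptBehaviorAdmin  # how administrators are prompted
    $secure  = $p.PromptOnSecureDesktop       # 1 = prompt on the dimmed (secure) desktop

    # Assumed mapping: the value pairs the slider writes for each position.
    # A missing value compares as $null and falls through to position 0.
    $level = if ($lua -eq 0 -or ($consent -eq 0 -and $secure -eq 0)) { 4 }
    elseif ($consent -eq 2 -and $secure -eq 1) { 1 }
    elseif ($consent -eq 5 -and $secure -eq 1) { 2 }
    elseif ($consent -eq 5 -and $secure -eq 0) { 3 }
    else { 0 }   # some other combination, e.g. set by Group Policy

    $names = @{
        0 = 'Not a slider position (values set some other way)'
        1 = 'Always Notify'
        2 = 'Notify me only when programs try to make changes to my computer'
        3 = 'Same as 2, without the dimmed desktop'
        4 = 'Never notify'
    }

    # New-Object PSObject keeps this usable on the PowerShell 2.0 that ships with Windows 7.
    New-Object PSObject -Property @{
        SliderPosition             = $level
        Name                       = $names[$level]
        AtHighestLevel             = ($level -eq 1)
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
    }
}

# Report the local machine; AtHighestLevel is False for the Windows 7 default (position 2).
Get-UacSliderLevel | Format-List
```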


2 thoughts on “Windows 7: why you should keep User Account Control at the highest level”

  1. You know, there is a much more grievous bug in Windows (or all operating systems):

    Users.

    Almost all attacks (UAC can be credited with that), either use social engineering, or masquerade as harmless, even useful software (scareware comes to mind as a particularly nasty example).

    Thing is, as long as users are able to actually operate a computer, users will be able to shoot themselves in the foot.

    This “UAC is broken” spiel in the media is particularly funny, since the very same publications probably have an article on a) how annoying UAC in Vista is, and MS should make it less annoying, and b) how to disable UAC outright.

    Now MS makes changes to the user experience of UAC to make it less intrusive (so that users feel in control), and it is wrong, too.

    Damned if you do, damned if you don’t.

    Mind, I also think that, before a program can actually call out to, say, rundll32, it has to be elevated, since the changes introduced with Vista include a different IPC model. A non-elevated process can’t call out to nor create an elevated process without user consent: http://msdn.microsoft.com/en-us/library/bb625964.aspx

  2. Phillip –

    ‘This “UAC is broken” spiel in the media is particularly funny, since the very same publications probably have an article on a) how annoying UAC in Vista is, and MS should make it less annoying, and b) how to disable UAC outright.’

    The ‘very same’? So Tim himself is guilty of this, is he…?

    ‘A non-elevated process can’t call out to nor create an elevated process without user consent’

    Have you actually read the linked post?
