{"id":1205,"date":"2009-02-05T21:33:02","date_gmt":"2009-02-05T20:33:02","guid":{"rendered":"http:\/\/www.itwriting.com\/blog\/1205-windows-security-and-the-uac-debate-microsoft-misses-the-point.html"},"modified":"2009-02-05T21:33:02","modified_gmt":"2009-02-05T20:33:02","slug":"windows-security-and-the-uac-debate-microsoft-misses-the-point","status":"publish","type":"post","link":"https:\/\/www.itwriting.com\/blog\/1205-windows-security-and-the-uac-debate-microsoft-misses-the-point.html","title":{"rendered":"Windows security and the UAC debate: Microsoft misses the point"},"content":{"rendered":"<p>Poor old Microsoft. When User Account Control was introduced in Windows Vista the crowd said it was too intrusive, broke applications, and not really more secure \u2013 partly because of the \u201cOK\u201d twitch reflex users may suffer from. In Windows 7 UAC is toned-down by default, and easy to control via an easy-to-find slider. Now the crowd is saying that Microsoft has gone too far, making Windows 7 less secure than Vista. The catalyst for this new wave of protest was <a href=\"http:\/\/www.istartedsomething.com\/20090130\/uac-security-flaw-windows-7-beta-proof\/\" target=\"_blank\">Long Zheng\u2019s<\/a> observation that with the new default setting a malicious script could actually turn off UAC completely without raising a prompt.<\/p>\n<p>Microsoft\u2019s Jon DeVaan <a href=\"http:\/\/blogs.msdn.com\/e7\/archive\/2009\/02\/05\/update-on-uac.aspx\" target=\"_blank\">responds<\/a> with a lengthy piece that somewhat misses the point. 
Zheng argues that Microsoft should make the UAC setting a special one that would:<\/p>\n<blockquote>\n<p>force a UAC prompt in <a href=\"http:\/\/blogs.msdn.com\/uac\/archive\/2006\/05\/03\/589561.aspx\">Secure Desktop mode<\/a> whenever UAC is changed, regardless of its current state<\/p>\n<\/blockquote>\n<p>DeVaan doesn\u2019t respond directly to this suggestion, which seems a minor change that would barely impact usability.<\/p>\n<p>DeVaan also says:<\/p>\n<blockquote>\n<p>There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running.<\/p>\n<\/blockquote>\n<p>It\u2019s an important point, though I wonder how DeVaan has missed the <a href=\"http:\/\/www.theregister.co.uk\/2009\/01\/20\/win7_autoplay_weakness\/\" target=\"_blank\">problems<\/a> with <a href=\"http:\/\/www.us-cert.gov\/cas\/techalerts\/TA09-020A.html\" target=\"_blank\">autorun<\/a> that can pretty much install malware without consent.<\/p>\n<p>I am not one of those journalists whom Zheng lambasts:<\/p>\n<blockquote>\n<p>This is dedicated to every ignorant \u201ctech journalist\u201d who cried wolf about UAC in Windows Vista.<\/p>\n<\/blockquote>\n<p>Rather, I\u2019ve been an advocate for UAC since pre-release days; see, for example, my post <a href=\"http:\/\/www.itwriting.com\/blog\/6-if-microsoft-doesnt-use-uac-why-should-anyone-else.html\">If Microsoft doesn\u2019t use UAC, why should anyone else?<\/a> which I later discovered upset some folk. One reason is that I see its real intent, best articulated by Mark Russinovich, <a href=\"http:\/\/technet.microsoft.com\/en-us\/magazine\/2007.06.uac.aspx\" target=\"_blank\">who writes<\/a>:<\/p>\n<blockquote>\n<p>UAC\u2019s various changes and technologies will result in a major shift in the Windows usage model. 
With Windows Vista, Windows users can for the first time perform most daily tasks and run most software using standard user rights, and many corporations can now deploy standard user accounts.<\/p>\n<\/blockquote>\n<p>and <a href=\"http:\/\/blogs.msdn.com\/crispincowan\/archive\/2008\/04\/28\/uac-desert-topping-or-floor-wax.aspx\" target=\"_blank\">Microsoft\u2019s Crispin Cowan<\/a>:<\/p>\n<blockquote>\n<p>Making it possible for everyone to run as Standard User is the real long term security value<\/p>\n<\/blockquote>\n<p>In other words, UAC is a transitional tool, which aims to bring Windows closer to the Unix model where users do not normally run with local admin rights and data is cleanly separated from executables.<\/p>\n<p>The real breakthrough will come when Microsoft configures Windows so that by default non-expert home and SME users end up running as standard users. Experts and system admins can make their own decisions.<\/p>\n<p>In the meantime, I don\u2019t see any harm in implementing the change Zheng is asking for, and I\u2019d like to see Microsoft fix the autoplay problem; I believe users now understand that there is a trade-off between security and convenience, though they become irritated when they get the inconvenience without the security.<\/p>\n<p><strong>Update<\/strong>: Microsoft <a href=\"http:\/\/blogs.msdn.com\/e7\/archive\/2009\/02\/05\/uac-feedback-and-follow-up.aspx\" target=\"_blank\">now says<\/a> it will fix Windows 7 so that the UAC settings are better protected.<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,75,80,93,98],"tags":[],"class_list":["post-1205","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","category-software-development","category-vista","category-windows-7"],"_links":{"self":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/1205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/comments?post=1205"}],"version-history":[{"count":0,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/1205\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/media?parent=1205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www
.itwriting.com\/blog\/wp-json\/wp\/v2\/categories?post=1205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/tags?post=1205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}