Slashdot Mirror


Windows 7 To Dial Down UAC

Barence writes "Engineers working on Windows 7 have admitted Vista's User Account Control was too intrusive, and are promising to tone it down in the forthcoming Windows 7. 'We've heard loud and clear that you are frustrated,' says Microsoft engineer Ben Fathi. 'You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience.' According to Fathi, when Vista first launched, 775,312 unique applications were producing prompts — so some may be annoyed that it won't be scrapped entirely, but at least Microsoft is listening. The comments echo those of Steve Ballmer, who admitted at a conference in London that 'the biggest trade-off we made was sacrificing security for compatibility. I'm not sure the end-users really appreciated that trade-off.'"

17 of 390 comments

  1. Cancel or allow what?! by Ethanol-fueled · Score: 5, Insightful

    Of course most users are going to just click "OK", but how can the more tech-savvy users (you know, the ones who actually read the boxes) actually know what they're approving when the dialog boxes say such laughingly vague shit like "File operation - continue or cancel?"!

    1. Re:Cancel or allow what?! by MobyDisk · Score: 5, Funny

      If only there was some sort of button, or perhaps a downward facing arrow, that would provide additional details about what is happening. That would be awesome.

    2. Re:Cancel or allow what?! by SCPRedMage · Score: 5, Insightful

      By the context it comes up in?

      Seriously. I run Vista, and I've NEVER seen a UAC prompt come up where I didn't know what it was for.

      And if you DON'T know what it is? Freaking hit cancel! What's the worst that'll happen? Something you're trying to do errors out? OH NOES!

      --
      My sig can beat up your sig.
    3. Re:Cancel or allow what?! by Anonymous Coward · Score: 5, Informative

      The details only tell you what application is requesting access.

      It most certainly does not tell you:

      What file - well, that's not completely true, it gives you the file name but not the path!
      What the file operation is (read? append? replace? delete?)
      Anything that might help you make your decision

      And when I said it tells you what application it is, I mean it tells you the process name, which is generally something very helpful like "RUNDLL32.EXE".

    4. Re:Cancel or allow what?! by eleuthero · Score: 5, Informative

      Or maybe they are sometimes vague because the program wanting control of the system is vague itself. I remember being glad the UAC actually worked when browsing a webpage recently. It looked like a completely innocent webpage but all of a sudden the UAC panel comes up with a request for who knows what attached to the website. I still am not sure what it was and why it wasn't picked up by the more robust security systems running on my computer.

    5. Re:Cancel or allow what?! by Carnildo · Score: 5, Insightful

      How do you *know* that it's Apple's software updater that's causing the UAC box to appear, and not an opportunistic bit of malware that's been watching for the software update dialog to show up?

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    6. Re:Cancel or allow what?! by afidel · Score: 5, Interesting

      If you're trying to get permissions correct to eliminate these types of prompts in a corporate environment (or make an app work in a locked down pre-Vista environment) I can't recommend LUA Buglight highly enough. Basically it provides a way to record exactly what rights an application is requesting as you run it. I've used it mostly to get temperamental programs running as locked down users under Citrix but it should work fine to help reduce the amount of UAC messages under Vista.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:Cancel or allow what?! by macdaddy357 · Score: 5, Funny

      A left mouse click was detected. Cancel or allow?
      Allow.
      A left mouse click was detected. Cancel or allow?
      Allow.
      A left mouse click was detected. Cancel or allow?
      Allow.
      A left mouse click was detected. Cancel or allow?
      Allow.
      and so on....

      --
      How ya like dat?
    8. Re:Cancel or allow what?! by Thelasko · Score: 5, Insightful

      Really, it's quite like sudo. The problem is that users and developers weren't used to this type of security. They need to adapt, not Microsoft. Microsoft got it right for once.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    9. Re:Cancel or allow what?! by SEAL · Score: 5, Insightful

      The end result, unfortunately, is even more dangerous. Any product that requires updates to be installed results in a UAC prompt every time. Developers hate that, so they started writing *services* that install on the first run. That way the user gets one UAC prompt, the service installs (probably not telling the user that it is a service), and then that developer can forevermore install anything to his heart's delight, without prompts, by going through the privileged service.

    10. Re:Cancel or allow what?! by Miamicanes · Score: 5, Insightful

      I've said it before, and I'll say it again in the hope that someone from Microsoft might actually see this and have it sink in...

      If a program wants to create a new directory in c:\program files, that's not really a big deal.

      If a program wants to overwrite an existing non-executable file in an EXISTING directory of c:\program files, it's probably worth bothering me about.

      If a program wants to overwrite an existing executable file, dll, or device driver... or change a shortcut to point to a different file... THAT is a very, VERY big deal that merits my full attention.

      What Windows 7 REALLY needs is a way to run untrusted programs (untrusted by ME, not untrusted by Hollywood) in a chroot jail, complete with firewalled network access, spoofed system and registry settings, and parallel-universe copies of system files. Basically, a way to run apps that might be outright trojans in a way that limits the scope of their damage to their own subdirectory tree and phantom system files that are meaningful only to that app.

      Hell, Microsoft OWNS VirtualPC. DO SOMETHING with it. Give me an option that basically works something like, "Spawn a virgin installation of Windows... updated, but crap-free, with Explorer (the file manager) NOT spawned by default, and windows opening up in windows managed by the "real" hypervising-copy of Windows 7... then copy the installer to that instance's chroot jail, and launch it. Going forward, spawn the virtual instance of Windows, then launch the app in it." Think: the long-awaited sequel to WinOS/2... 15 years late, but better late than never ;-)

      The acid test: make it so someone can install a DRM'ed game that's a shameless rootkit (Starforce comes to mind...), emulating Windows well enough with phantom files (any files the program changes are local copies that apply only to the session that spawned them) and spoofed drivers so the Evil App never even realizes it's not screwing up the user's PC. Then be very, VERY anal about warning the user before anything is able to change a "global" (common to all instances of Windows spawned under the hypervisor) setting or file. Big hint... if you don't, Sun or VMware eventually WILL.
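The three tiers the comment above proposes (new directory: quiet; overwriting an existing non-executable: worth a prompt; overwriting an executable, DLL, driver or retargeting a shortcut: full attention) as a small policy classifier. This is an added example, not code from the thread or from Windows; the extension sets, the `FileOp` record and the conservative defaults for cases the comment does not cover are assumptions, and the sample operations are constructed.

```python
"""Risk-tier classifier for file operations, following the comment's three tiers."""
from dataclasses import dataclass
import ntpath  # Windows path semantics regardless of the host OS

PROGRAM_FILES = r"c:\program files"
# Assumed "executable-like" extensions; drivers (.sys) and shortcuts (.lnk)
# are the cases the comment singles out as a very big deal.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr", ".ocx"}
SHORTCUT_EXTS = {".lnk"}


@dataclass(frozen=True)
class FileOp:
    action: str            # "create" or "overwrite"
    path: str              # full Windows path
    is_dir: bool = False   # True when the target is a directory
    exists: bool = False   # True when the target already exists


def _under_program_files(path: str) -> bool:
    norm = ntpath.normcase(ntpath.normpath(path))  # lower-case, backslashes
    return norm.startswith(ntpath.normcase(PROGRAM_FILES) + "\\")


def classify(op: FileOp) -> str:
    """Return 'silent', 'prompt' or 'alert' for one file operation."""
    ext = ntpath.splitext(op.path)[1].lower()
    if ext in EXECUTABLE_EXTS or ext in SHORTCUT_EXTS:
        # Tier 3: replacing a binary/driver or retargeting a shortcut, anywhere.
        # A brand-new binary is assumed to still deserve a prompt.
        return "alert" if op.exists else "prompt"
    if not _under_program_files(op.path):
        return "prompt"   # outside the comment's scope; assumed conservative default
    if op.is_dir and op.action == "create":
        return "silent"   # Tier 1: new directory under Program Files
    if op.exists:
        return "prompt"   # Tier 2: existing non-executable in an existing directory
    return "silent"       # assumed: a new data file (e.g. a log) is no big deal


SAMPLE_OPS = [  # constructed sample operations
    FileOp("create", r"C:\Program Files\NewApp", is_dir=True),
    FileOp("overwrite", r"C:\Program Files\NewApp\settings.ini", exists=True),
    FileOp("overwrite", r"C:\Program Files\NewApp\app.exe", exists=True),
    FileOp("overwrite", r"C:\Program Files\NewApp\NewApp.lnk", exists=True),
    FileOp("overwrite", r"C:\Windows\System32\drivers\foo.sys", exists=True),
]


def classify_all(ops=SAMPLE_OPS):
    """Classify every sample operation; returns (path, tier) pairs."""
    return [(op.path, classify(op)) for op in ops]
```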

  2. I never understood... by Anita+Coney · Score: 5, Insightful

    ... how getting computer users to blindly click through continuous, repetitive, and annoying dialog boxes kept computers more secure in the first place. It would seem under any reasonable analysis to do the opposite.

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
  3. How about fixing the developers instead? by Chemisor · Score: 5, Insightful

    It would be a much better idea to force every programmer to run under a non-Administrator account (and no Administrators or even Power Users group membership either!) Anyone who complains is obviously writing bad code, since there is absolutely no friggin' reason that a regular application should require administrative privileges. Whatever you set during setup is IT! And, for God's sake, learn to open registry keys in read-only mode!

  4. Trade-off my ass... by IgnoramusMaximus · Score: 5, Insightful

    This problem of imbecilic prompts is directly related to the entire inane history of DOS and then Windows, where all the lessons of multi-user systems learnt decades before were wilfully and sanctimoniously ignored by the resident Microsoft "geniuses". Thus application "developers" were allowed to, and soon came to depend on, access to what in nearly every other OS in existence are "root only" subsystems. Even in editions of Windows which were supposedly multi-user capable, the prevalent lazy practice of the majority of "developers" was to depend on system-wide registry keys, administrative privilege level processes and what not to accomplish the most mundane of tasks.

    And so now the chickens are home to roost, with literally hundreds of thousands of apps written to kindergarten competence levels. And Microsoft is in a bind: secure the OS and either break these stupidly written apps altogether, inundate the user with prompts every time one of them tries something stupid, or give up.

    They are scared to death of the implications of the first choice, tried the second, and now seem to be heading toward that last one.

  5. Re:Dumb by haystor · Score: 5, Interesting

    Does it really have to prompt me every single time? After prompting me to run the same program 5 times, couldn't it just ask me if I want to white list that program until the executable changes?

    --
    t
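The "white list that program until the executable changes" idea from the comment above, modelled as an elevation policy keyed on the executable's content hash: after the same image has been approved a number of times the user is offered a standing entry, and the entry silently lapses when the bytes change. This is an added example, not part of the thread or of Windows; the threshold constant, the class and method names and the two UI callbacks are assumptions, and the fake images are constructed.

```python
"""Hash-keyed allowlist that reduces repeat prompts for an unchanged executable."""
import hashlib

APPROVALS_BEFORE_OFFER = 5  # the comment's "5 times"; an assumed threshold


class ElevationPolicy:
    def __init__(self):
        self._approvals = {}     # image hash -> number of manual approvals so far
        self._allowlist = set()  # image hashes the user chose to allowlist

    @staticmethod
    def fingerprint(image: bytes) -> str:
        # Keying on the file's bytes rather than its path means any update,
        # legitimate or not, falls out of the allowlist and prompts again.
        return hashlib.sha256(image).hexdigest()

    def decide(self, image: bytes, user_allows, user_wants_allowlist) -> str:
        """Return 'auto-allowed', 'allowed' or 'denied' for one elevation request.

        The two callables stand in for the prompt UI; each receives the image
        hash and returns True or False.
        """
        h = self.fingerprint(image)
        if h in self._allowlist:
            return "auto-allowed"        # standing entry, no prompt shown
        if not user_allows(h):
            return "denied"
        n = self._approvals.get(h, 0) + 1
        self._approvals[h] = n
        if n >= APPROVALS_BEFORE_OFFER and user_wants_allowlist(h):
            self._allowlist.add(h)       # offered once the threshold is reached
        return "allowed"


def simulate():
    """Run the constructed scenario and return the sequence of decisions."""
    policy = ElevationPolicy()
    image_v1 = b"MZ...constructed-fake-image-v1"
    image_v2 = b"MZ...constructed-fake-image-v2"  # same program after an update
    always = lambda h: True                       # user clicks "allow" every time
    results = [policy.decide(image_v1, always, always) for _ in range(6)]
    results.append(policy.decide(image_v2, always, always))  # bytes changed: prompts again
    return results
```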
  6. Re:Linux does it right by MobyDisk · Score: 5, Insightful

    Perhaps I was not clear in my explanation.

    In Vista, if you open the "all users" start menu and re-arrange 10 shortcuts, you get 10 prompts (actually, 20 - moves involve two prompts). In Linux, if you use the KDE/Gnome/whatever tools to reorganize the "start" menu, you get one single prompt when you save the changes.

    In Vista, you also get prompts merely for viewing some information in the control panel. Then you get another prompt when you save/apply it, then another if you apply it again. In Linux, running the appropriate "control panel" tools requires no special privileges until you change something, at which point it prompts you once. And if you change something else without closing that window, you don't get another prompt.

    I am guessing that the underlying difference is that Vista is confirming each particular action (system call?) whereas Linux is prompting for a privilege escalation which then applies to that process.

  7. UAC is attacking the wrong problem. by argent · Score: 5, Insightful

    The biggest security problem in Windows is that the design of the HTML control and ActiveX in conjunction with the "security zone" model is inherently insecure. It provides a huge surface area to remote code execution exploits that simply does not exist in any other web browser... or any other software on any other platform that uses HTML and HTTP. The problem is that it's an explicit and deliberate mechanism for an object that should never be trusted... that is to say, a remote website... to request full local application permissions and run unsandboxed code.

    Until this model is changed and only explicitly installed applications can run outside the browser's sandbox, Windows is going to remain the poster boy for "insecure systems".

    Being able to prevent an already compromised application from performing system administration tasks is laudable, but it's not really all that important to the user. Everything on their computer that they care about isn't owned by the administrator, it's owned by their regular user account. And there's plenty of places owned by the end user that malware can hide to keep being restarted after the computer is rebooted. UAC is a partial sandbox, at best.

    Being able to restrict what the web browser can do after it's been compromised is laudable, but since the browser has to be able to save files for the user, it can still inject an exploit into the user's account. So the reduced privilege mode on Vista (and the much touted sandboxes on OS X) are leaky protection at best.

    And leaky sandboxes, and partial sandboxes, are more useful in providing a false sense of security to the user than actually keeping malware out.

    Getting rid of the "security zones" model and replacing it with hard impermeable sandboxes will cause some disruption. Programs like Windows Update will have to be rewritten to use plugins. ActiveX games will have to be rewritten as flash or modified to run in a full sandbox using something like .NET or a JVM. But this WOULD be a matter of trading off convenience for security. UAC is trading off convenience for the illusion of security. That's not the same thing at all.