Poor old Microsoft. When User Account Control was introduced in Windows Vista the crowd said it was too intrusive, broke applications, and not really more secure – partly because of the “OK” twitch reflex users may suffer from. In Windows 7 UAC is toned-down by default, and easy to control via an easy-to-find slider. Now the crowd is saying that Microsoft has gone too far, making Windows 7 less secure than Vista. The catalyst for this new wave of protest was Long Zheng’s observation that with the new default setting a malicious script could actually turn off UAC completely without raising a prompt.
Microsoft’s Jon DeVaan responds with a lengthy piece that somewhat misses the point. Zheng argues that Microsoft should make the UAC setting a special one that would:
force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state
DeVaan doesn’t respond directly to this suggestion which seems a minor change that would barely impact usability.
DeVaan also says:
There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running.
It’s an important point; though I wonder how DeVaan has missed the problems with autorun that can pretty much install malware without consent.
I am not one of those journalists whom Zheng lambasts:
This is dedicated to every ignorant “tech journalist” who cried wolf about UAC in Windows Vista.
Rather, I’ve been an advocate for UAC since pre-release days; see for example my post If Microsoft doesn’t use UAC, why should anyone else? which I later discovered upset some folk. One reason is that I see its real intent, best articulated by Mark Russinovitch, who writes:
UAC’s various changes and technologies will result in a major shift in the Windows usage model. With Windows Vista, Windows users can for the first time perform most daily tasks and run most software using standard user rights, and many corporations can now deploy standard user accounts.
and Microsoft’s Crispin Cowan:
Making it possible for everyone to run as Standard User is the real long term security value
In other words, UAC is a transitional tool, which aims to bring Windows closer to the Unix model where users do not normally run with local admin rights and data is cleanly separated from executables.
The real breakthrough will come when Microsoft configures Windows so that by default non-expert home and SME users end up running as standard users. Experts and system admins can make their own decisions.
In the meantime, I don’t see any harm in implementing the change Zheng is asking for, and I’d like to see Microsoft fix the autoplay problem; I believe users now understand that there is a trade-off between security and convenience, though they become irritated when they get the inconvenience without the security.
Update: Microsoft now says it will fix Windows 7 so that the UAC settings are better protected.
Looks like they reneged http://www.istartedsomething.com/20090206/microsoft-changes-windows-7-uac-control/
Hilarious that they made all those “not a problem” announcements, whilst the engineers were actually fixing it. Actually, not hilarious, embarrassing.
Paul Thurrott sums it up nicely http://www.istartedsomething.com/20090206/microsoft-changes-windows-7-uac-control/