X
Tech

How Microsoft can save User Account Control

For years, Windows users have been allowed to essentially ignore the responsibilities of security while having to deal with the consequences of insecurity. Windows Vista is about to introduce User Account Control - a sweeping change to the Windows security model that really works. Unfortunately, this feature risks being torpedoed by a user community that can't handle change. UAC can work, especially if Microsoft can make a few small changes before the final release of Windows Vista.
Written by Ed Bott, Senior Contributing Editor

For years, Windows users have been allowed to essentially ignore the responsibilities of security while having to deal with the consequences of insecurity. Windows XP has always had the requisite security infrastructure, including a secure file system and the ability to create limited accounts that are difficult to exploit. But in the ongoing battle between security and convenience, security has always come in a distant second. Outside of corporate networks, most users leave Windows security settings turned off, running as a member of the Administrators group with unrestricted access to virtually all system files and settings.

Most of those users are woefully unprepared for the sweeping changes to the Windows security model that are incorporated by default in Windows Vista. The most important of these changes is the User Account Control feature, which overturns the XP default setting and runs every account as a standard interactive user. In Part 1 of this series, I showed how UAC requires you to provide an administrator’s credentials before installing a program or altering a Windows system setting. In Part 2, I described the confusing and all-too-common set of circumstances that might confront some Windows Vista users with consent dialog boxes when they perform seemingly innocent file operations.

I’ve already heard from dozens of beta testers who are so annoyed by UAC prompts that they reflexively disable the feature as soon as they install a new build. As my colleague George Ou notes, some uninformed commentators are slamming UAC because they don’t understand it. A new report from the Yankee Group confirms that the wider community of Windows users are likely to follow their lead and shut off the "annoying" UAC completely.

That’s an understandable instinct, but as I explain in this post, it’s a very bad idea. You can tone down the annoyance of UAC without completely disabling its protection.

Part of the problem stems from the nature of beta testing. Testing beta software requires constant tweaking and thus triggers UAC prompts constantly. The effect is the same one you experience with a two-way firewall that is “chatty” at first but settles down after a few days of use. The problem is compounded by bugs in current beta versions that cause delays in the appearance of UAC dialog boxes.

So, what’s the alternative?

Let’s start with the nuclear option. Yes, you can turn off UAC completely, using the Windows Vista version of the venerable System Configuration utility, Msconfig.exe. Click the Tools tab, choose the Disable UAP option, and click OK.

The next time you log on using an account in the Administrators group, you do so without the training wheels of UAC. You’re blissfully free of consent dialog boxes. You’re also completely unprotected from spyware, viruses, and potentially destabilizing system configuration changes. If you’ve set up user accounts for others on your computer, they’re unprotected too, which means you're one click away from having a rootkit or Trojan horse on your PC. Disabling UAC is a bad idea. A really bad idea.

So what’s the alternative? If you're testing Windows Vista, try any of these approaches (all assume that the logged-on account is a member of the Administrators group):

  • Run Control Panel as an Administrator. Create a shortcut to Control.exe in an easyily accessible location, right-click the shortcut icon, and choose the Run As Administrator option. You’ll have to endure one UAC dialog box, after which you can use any Control Panel option with full administrative permissions.
  • Better yet, run Windows Explorer as an Administrator. Right-click the Windows Explorer shortcut and choose Run as Administrator. After supplying your administrator credentials, you can use this window to run any program, browse any drive or folder, or use any Control Panel option without seeing another consent dialog box.
  • Open a Command Prompt window (Cmd.exe) using the Run As Administrator option. After you supply your credentials, you can do anything you want in that window. Want to browse files? Type Explorer and press Enter to open a copy of Windows Explorer that runs with an unrestricted process token . Type Control and press Enter to open a Control Panel window that offers unrestricted access to system options.
  • Disable the Secure Desktop. If you find UAC prompts annoying because of the delay that occurs when the regular desktop fades to black, you can turn this feature off. Run System Policy Editor (Secpol.msc), choose Local Policies, then Security Options, and disable the User Account Control: Switch to the Secure Desktop when prompting for elevation option. This option leaves you vulnerable to security exploits that spoof ordinary consent dialog boxes, but for an experienced user this tradeoff might be acceptable.

Will users be willing to use these workarounds? Most won't be willing to put up with the hassle, I predict. For Microsoft, then, the challenge is to provide options that discourage users from disabling UAC completely. At this stage, months before the final release of Vista, no one knows how this feature will be finally implemented, especially in the Home Basic edition. Given the intense nature of the criticism so far, one has to assume that some changes are in the works. Here are some suggestions that might ease the pain:

  • Create a special Admin Mode. Power users would appreciate a UAC option that lets an administrator respond to a single prompt and temporarily open a session that runs with full administrative permissions. The devil is in the details, of course. How do you keep people from choosing this option as the default?
  • Put a time limit on UAC. In current betas, each UAC prompt is tied to a single process. When that process ends, so does the elevated set of permissions. But what if a UAC consent dialog box elevated your permissions for 10 minutes? Long enough to install a couple of programs or make a series of system tweaks, but not so long that you forget and fall victim to a piece of malware.
  • Provide easy options to open Control Panel and/or Explorer with full Admin rights. As I indicated earlier, it takes only a right-click and a quick OK to open either of these windows with full permissions. So why not offer those options on the Start menu?
  • Identify applications running in an elevated context. Today, if I open two Windows Explorer sessions – one as a standard user and another using an administrator’s process token – I have no way to distinguish which is which. A text label in the title bar, or a blood-red border around the window, would help prevent this convenient shortcut from becoming a security hole.

One thing is clear: Microsoft has to deal decisively with the perception that UAC imposes an unacceptable tradeoff between performance and security. In its current incarnation, too many people are likely to dismiss it completely, and if that happens, everyone loses.

Editorial standards