How Microsoft can save User Account Control

Summary: For years, Windows users have been allowed to essentially ignore the responsibilities of security while having to deal with the consequences of insecurity. Windows Vista is about to introduce User Account Control - a sweeping change to the Windows security model that really works. Unfortunately, this feature risks being torpedoed by a user community that can't handle change. UAC can work, especially if Microsoft can make a few small changes before the final release of Windows Vista.

For years, Windows users have been allowed to essentially ignore the responsibilities of security while having to deal with the consequences of insecurity. Windows XP has always had the requisite security infrastructure, including a secure file system and the ability to create limited accounts that are difficult to exploit. But in the ongoing battle between security and convenience, security has always come in a distant second. Outside of corporate networks, most users leave Windows security settings turned off, running as a member of the Administrators group with unrestricted access to virtually all system files and settings.

Most of those users are woefully unprepared for the sweeping changes to the Windows security model that are incorporated by default in Windows Vista. The most important of these changes is the User Account Control feature, which overturns the XP default setting and runs every account as a standard interactive user. In Part 1 of this series, I showed how UAC requires you to provide an administrator’s credentials before installing a program or altering a Windows system setting. In Part 2, I described the confusing and all-too-common set of circumstances that might confront some Windows Vista users with consent dialog boxes when they perform seemingly innocent file operations.

I’ve already heard from dozens of beta testers who are so annoyed by UAC prompts that they reflexively disable the feature as soon as they install a new build. As my colleague George Ou notes, some uninformed commentators are slamming UAC because they don’t understand it. A new report from the Yankee Group confirms that the wider community of Windows users is likely to follow their lead and shut off the "annoying" UAC completely.

That’s an understandable instinct, but as I explain in this post, it’s a very bad idea. You can tone down the annoyance of UAC without completely disabling its protection.

Part of the problem stems from the nature of beta testing. Testing beta software requires constant tweaking and thus triggers UAC prompts constantly. The effect is the same one you experience with a two-way firewall that is “chatty” at first but settles down after a few days of use. The problem is compounded by bugs in current beta versions that cause delays in the appearance of UAC dialog boxes.

So, what’s the alternative?

Let’s start with the nuclear option. Yes, you can turn off UAC completely, using the Windows Vista version of the venerable System Configuration utility, Msconfig.exe. Click the Tools tab, choose the Disable UAP option, and click OK.

The next time you log on using an account in the Administrators group, you do so without the training wheels of UAC. You’re blissfully free of consent dialog boxes. You’re also completely unprotected from spyware, viruses, and potentially destabilizing system configuration changes. If you’ve set up user accounts for others on your computer, they’re unprotected too, which means you're one click away from having a rootkit or Trojan horse on your PC. Disabling UAC is a bad idea. A really bad idea.

So what’s the alternative? If you're testing Windows Vista, try any of these approaches (all assume that the logged-on account is a member of the Administrators group):

  • Run Control Panel as an Administrator. Create a shortcut to Control.exe in an easily accessible location, right-click the shortcut icon, and choose the Run As Administrator option. You’ll have to endure one UAC dialog box, after which you can use any Control Panel option with full administrative permissions.
  • Better yet, run Windows Explorer as an Administrator. Right-click the Windows Explorer shortcut and choose Run as Administrator. After supplying your administrator credentials, you can use this window to run any program, browse any drive or folder, or use any Control Panel option without seeing another consent dialog box.
  • Open a Command Prompt window (Cmd.exe) using the Run As Administrator option. After you supply your credentials, you can do anything you want in that window. Want to browse files? Type Explorer and press Enter to open a copy of Windows Explorer that runs with an unrestricted process token. Type Control and press Enter to open a Control Panel window that offers unrestricted access to system options.
  • Disable the Secure Desktop. If you find UAC prompts annoying because of the delay that occurs when the regular desktop fades to black, you can turn this feature off. Run System Policy Editor (Secpol.msc), choose Local Policies, then Security Options, and disable the User Account Control: Switch to the Secure Desktop when prompting for elevation option. This option leaves you vulnerable to security exploits that spoof ordinary consent dialog boxes, but for an experienced user this tradeoff might be acceptable.
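Before and after trying any of these tweaks it helps to know exactly how UAC is configured on the machine, because the "nuclear option" and the Secure Desktop change both leave a standard-looking desktop behind. The following PowerShell check is an added example, not code from the post; it assumes the registry location and value names Windows uses to store the UAC policy (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System with EnableLUA, PromptOnSecureDesktop and ConsentPromptBehaviorAdmin), none of which the post itself mentions.

```powershell
# Added example, not code from the post. Reads the UAC policy values from the
# registry key Windows uses for them (an assumption, not given in the post) and
# reports whether UAC has been turned off or the Secure Desktop prompt disabled.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacStatus {
    param([string]$Path = $UacPolicyKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A value that is absent reads as $null, which these comparisons treat as "not enabled".
    $status = [pscustomobject]@{
        UacEnabled          = ($p.EnableLUA -eq 1)             # 0 = UAC turned off (the "nuclear option")
        SecureDesktopPrompt = ($p.PromptOnSecureDesktop -eq 1)  # 0 = the Secpol.msc tweak described above
        AdminPromptBehavior = $p.ConsentPromptBehaviorAdmin     # 0 = administrators elevate with no dialog at all
    }

    if (-not $status.UacEnabled) {
        Write-Warning 'UAC is disabled: every Administrators-group logon runs with a full token.'
    }
    elseif (-not $status.SecureDesktopPrompt) {
        Write-Warning 'Consent prompts appear on the normal desktop, where other windows can imitate them.'
    }
    if ($status.AdminPromptBehavior -eq 0) {
        Write-Warning 'Administrators elevate without being asked; UAC gives that account no protection.'
    }
    return $status
}

# Usage: run from any PowerShell window. Reading this key needs no elevation,
# so the check itself never triggers a consent dialog.
Get-UacStatus | Format-List
```

A change to EnableLUA only takes effect at the next logon, so a warning from this script after re-enabling UAC is expected until you log off and back on.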

Will users be willing to use these workarounds? Most won't be willing to put up with the hassle, I predict. For Microsoft, then, the challenge is to provide options that discourage users from disabling UAC completely. At this stage, months before the final release of Vista, no one knows how this feature will be finally implemented, especially in the Home Basic edition. Given the intense nature of the criticism so far, one has to assume that some changes are in the works. Here are some suggestions that might ease the pain:

  • Create a special Admin Mode. Power users would appreciate a UAC option that lets an administrator respond to a single prompt and temporarily open a session that runs with full administrative permissions. The devil is in the details, of course. How do you keep people from choosing this option as the default?
  • Put a time limit on UAC. In current betas, each UAC prompt is tied to a single process. When that process ends, so does the elevated set of permissions. But what if a UAC consent dialog box elevated your permissions for 10 minutes? Long enough to install a couple of programs or make a series of system tweaks, but not so long that you forget and fall victim to a piece of malware.
  • Provide easy options to open Control Panel and/or Explorer with full Admin rights. As I indicated earlier, it takes only a right-click and a quick OK to open either of these windows with full permissions. So why not offer those options on the Start menu?
  • Identify applications running in an elevated context. Today, if I open two Windows Explorer sessions – one as a standard user and another using an administrator’s process token – I have no way to distinguish which is which. A text label in the title bar, or a blood-red border around the window, would help prevent this convenient shortcut from becoming a security hole.
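The fourth suggestion, a visible marker on windows that carry an administrator's process token, can be approximated today for console windows. The script below is an added example, not code from the post or from Microsoft; it assumes a PowerShell session (the post only discusses Cmd.exe) and uses the .NET WindowsPrincipal check to decide whether the current process token is elevated, then prefixes the window title so two otherwise identical windows can be told apart.

```powershell
# Added example, not from the post: label a console window whose process runs
# with an unrestricted token, the text-label variant of the post's suggestion.
function Test-ElevatedToken {
    # With UAC on, the filtered standard-user token still lists the Administrators
    # group, but as deny-only, so IsInRole(Administrator) is true only for the
    # elevated token obtained through Run As Administrator.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ElevationTag {
    if (Test-ElevatedToken) { return '[ELEVATED: full administrator token] ' }
    return '[standard user token] '
}

function Set-ElevationWindowTitle {
    # Prefix the title once; calling this again must not stack a second tag.
    $tag   = Get-ElevationTag
    $title = $Host.UI.RawUI.WindowTitle
    if (-not $title.StartsWith('[')) {
        $Host.UI.RawUI.WindowTitle = $tag + $title
    }
    return $Host.UI.RawUI.WindowTitle
}

# Usage: put this call in your profile script ($PROFILE) so every console window,
# elevated or not, announces which token it carries in its title bar.
Set-ElevationWindowTitle
```

The label is only as trustworthy as the window it sits on; it tells you which of your own windows is elevated, it does not stop a program started from that window from inheriting the same unrestricted token.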

One thing is clear: Microsoft has to deal decisively with the perception that UAC imposes an unacceptable tradeoff between performance and security. In its current incarnation, too many people are likely to dismiss it completely, and if that happens, everyone loses.

Talkback

12 comments
  • The need to change perceptions

    [i]One thing is clear: Microsoft has to deal decisively with the perception that UAC imposes an unacceptable tradeoff between performance and security. In its current incarnation, too many people are likely to dismiss it completely, and if that happens, everyone loses.[/i]

    Succinctly stated, Ed. For UAC to succeed with the "Joe Sixpack" home users, a lot of education on why this is good needs to be drilled in. Even the *nix community could help on this, since *nix users deal with and embrace least user privilege practices every day.

    BTW, your idea of a blood-red window border for administrative apps is pretty good, but how about a blood-red font in the title bar as a variation? Some users might find that more subtle, but still noticeable.
    Tony Agudo
  • A tough nut to crack

    Letting a user put the admin password in ONCE - is not a solution. People get accustomed to the "Do you really, REALLY want to quit"-type prompts, and reflexively click though each one.

    So bombard them with stuff they can sleepwalk through (learning the click behavior) - or ask them once? Either way, you won't get the result you seek.
    Roger Ramjet
  • Good Luck

    Finding that middle ground from years of insecurity.

    I have Windows machines today that have to run in an administrative account or such and such program doesn't work. BTW, some of those programs are old, written in the Windows 95 era, thus not a lazy programmer's fault. Some of the other programs are new and I do blame the programmer for it.

    It is maddening! You end up using domain policies to lock down the user account with local admin rights as much as you can without breaking the apps.

    That "run as..." feature is useless with your average user. Give them an administrative user and pass for the "run as" and I guarantee it is used for logon. Even if it is a local computer account vs. domain with local administrative. Then they complain because they can't access domain resources. Not to mention having two user and password accounts that they have to remember in the first place.

    We plan on taking the wait and see approach to Vista. Wait and see what pains everyone else has to go through to adopt it.
    dragosani
    • some info

      You can almost always fix broken apps that require elevated rights to run. There are some exceptions, but IME they are few and far between. It's usually just a few file permissions. You can also push down these permission changes via AD group policies.

      Anyway, I feel your pain. I've had to fix dozens of old apps in the last five or so years.

      Here is a good place to start if you are interested...

      http://nonadmin.editme.com
      toadlife
  • UAC

    How about adding extra security "over-ride" options instead of just a password...perhaps inserting a security card etc (or to make it EVEN cheaper allow people to use an ordinary flash memory/SD card as a security password token!!).

    Flash/SD readers are dirt cheap and if people realize that when they set-up Vista they can use a (very cheap) 16mb SD/flash card as an administrator access tool they will be more likely to do so as it's easier than typing in passwords all the time....

    Then just remove the card and hey presto!! the PC is secure for the non-administrator users...

    If Microsoft is smart they could EASILY allow one single card to have admin access for LOTS of different PCs...Add a utility that saves an encrypted key to the card after entering an administrator password.

    People who setup PCs for their non-techie friends can have a single card to access admin rights to that machine....or IT supervisors etc don't have to carry around 100 of them!!!
    geldo
  • Re: How Microsoft can save User Account Control

    [i]"Open a Command Prompt window (Cmd.exe) using the Run As Administrator option. After you supply your credentials, you can do anything you want in that window. Want to browse files? Type Explorer and press Enter to open a copy of Windows Explorer that runs with an unrestricted process token . Type Control and press Enter to open a Control Panel window that offers unrestricted access to system options."[/i]

    Sounds like what I do on Linux - open a bash shell, su to root and I've got a privileged window open while I surf &etc as a restricted user.

    But - what about the adage "if it has syntax, it's not user-friendly?" It's not that the cmd.exe shell is anywhere near as powerful or syntactically rich as bash, but you still need to know syntax to use it.

    I welcome this serious take on security from the Beast, as I do have and use Windows. But I gravely doubt Joe Average ever will use it. I predict he will turn it off.

    :)
    none none
    • Good point

      [i]Sounds like what I do on Linux - open a bash shell, su to root and I've got a privileged window open while I surf &etc as a restricted user.

      But - what about the adage "if it has syntax, it's not user-friendly?" It's not that the cmd.exe shell is anywhere near as powerful syntactically rich as bash, but you still need to know syntax to use it.

      I welcome this serious take on security from the Beast, as I do have and use Windows. But I gravely doubt Joe Average ever will use it. I predict he will turn it off.[/i]

      I use Linux myself, but it took me a long time to accept least user privilege practices. For years I logged in as root because I thought that not being root just got in the way of doing whatever I wanted. It wasn't until I got hooked on Ubuntu that I really understood LUA (least user access). I predict the same thing will happen with Vista: initially users will reject it (turn it off, like you said) because it's "new and annoying", but if Microsoft and ISVs enforce UAC/UAP right and properly educate users, it will be a success in the long run.
      Tony Agudo
  • My vote is for the time limit

    My vote would be for the time limit--specified by the user of course and the settings should be available in the first dialog box triggered by UAC.
    frank_s
  • copy osx and get it done

    I've been using windows for 10 years and OSX for 2

    Like UAC I run as a normal user 99% of the time. In an average day I might get 5 requests for my administrator password and that's it.

    I've read your articles and looked at the image galleries and I still don't 'understand' why the user needs to be prompted for so much stuff.

    the windows people need to go over to the Mac Office people and say "show us how OS X does it so that we may copy it exactly". That's all they have to do.

    ALSO, I have no clue how to disable OSX's version of UAC. I feel it should be near IMPOSSIBLE to disable UAC in windows, after all it's a lot more important for windows security than it is for OSX.
    Free_Thinker
  • User Account Control

    It can't be saved. It's garbage. Who is MS to nanny us on our own computers? It's bad enough to have to click OK on a confirmation window just to delete a file, but to have to get Vista's permission to rename a file or save something to a disk just goes too far.
    OmegaWolf747
  • RE: How Microsoft can save User Account Control

    You’ve got some interesting points in this article. I would have never considered any of these if I didn’t come across this. Thanks! find jobs (http://us.gigajob.com/index.html)
    prince11223344