Is Vista UAP getting a bum rap?

Summary: Windows Vista UAP attempts to wean Windows users away from running their computers as a system administrator by asking them to elevate their permissions for system level operations. Mac OS X and Linux do the same thing by asking for administrative rights when needed so why is UAP getting a bum rap? The truth is that UAP actually goes further than any other operating system by protecting your user files as well and not just the system files.


With Windows Vista Beta nearing "feature complete" status, Paul Thurrott wrote this damning article slamming Microsoft Windows Vista for "broken promises" and calling its new UAP (User Account Protection) mechanism a "sad, sad joke".  A number of other Microsoft critics, including Bruce Schneier, have piled on the slam-UAP bandwagon for implementing wizards to maneuver around administrative restrictions.  The allegation is that the Vista UAP wizards pop up for seemingly innocent tasks that you would think shouldn't trigger them, but these people should really know better. [Editor's note: Ed Bott takes a closer look at the system prompts presented by Vista's UAC.] Bruce Schneier goes as far as trying to have it both ways: he criticizes Microsoft for not implementing administrative restrictions sooner in pre-Vista operating systems, then criticizes Microsoft for implementing UAP, and doesn't offer any alternative for handling the task more gracefully.

Thurrott specifically raises the "problem" that when he attempted to delete a Firefox shortcut from the desktop right after installing it, Vista's UAP demanded additional user authorization, which he thought was stupid.  What Thurrott failed to realize or disclose is that deleting a shared shortcut like the one Firefox installed on the Desktop means deleting it from the "All Users" desktop, which requires administrative privileges.  With typical Windows XP configurations, where most people run as members of the "Administrators" group (one of the main reasons Windows XP is so easy to infect with rootkits and spyware), deleting something from the "All Users" desktop is no problem since administrative privileges are already present.  Had you been running Windows XP as an ordinary user (enterprises that care about security do this), you wouldn't have been prompted with UAP warnings; you would have been flatly denied.  The only way to delete that shared shortcut is to log out of Windows XP and log back in as a system administrator.  Once you've deleted the file, you have to log out again and back in as the regular user.

Windows Vista UAP tries to make this process simpler by allowing you to elevate your privileges on the spot and delete the shared shortcut without having to log off and back on again.  If you attempted to delete something in a shared user directory on Mac OS X or Linux, you would also have to elevate your privileges before the operation could complete, so why is anyone surprised at Windows Vista doing the same thing?  Where Windows Vista and UAP do differ from Linux and Mac OS X is that Vista goes a step further to protect your data files and not just the operating system.  If we look at a recent zero-day Mac OS X exploit, the proof-of-concept code couldn't access the system files, but it was given full access to the user's files.  This means that while the exploit couldn't damage the operating system, it could access your family photos and your financial records.
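A way to see which desktop shortcuts live in the shared location the article describes, as an added PowerShell example that is not from the article. It assumes current Windows folder names (the "All Users" desktop of the Vista era is the Public desktop on later versions) and that the shared desktop still carries its default ACL, so a standard user cannot delete from it without elevating.

```powershell
# Added example, not part of the original article.
# Lists shortcuts on the per-user and shared desktops and reports which ones
# would need an elevated (administrator) token to delete, which is exactly the
# case behind the Firefox-shortcut prompt discussed above.

function Test-IsElevated {
    # True when the current process token is a member of the Administrators
    # group in its active (non-filtered) form, i.e. already elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DesktopShortcutScope {
    $userDesktop   = [Environment]::GetFolderPath('DesktopDirectory')        # this user's desktop
    $sharedDesktop = [Environment]::GetFolderPath('CommonDesktopDirectory')  # "All Users" / Public desktop
    $elevated = Test-IsElevated

    foreach ($dir in @($userDesktop, $sharedDesktop)) {
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $shared = ($_.DirectoryName -eq $sharedDesktop)
                if ($shared) { $location = 'All Users (shared)' } else { $location = 'Per-user' }
                [pscustomobject]@{
                    Name           = $_.Name
                    Location       = $location
                    # Assumption: deleting from the shared desktop needs admin rights
                    # (the default ACL); a standard user gets the UAC prompt or is denied.
                    DeleteNeedsUAC = ($shared -and -not $elevated)
                }
            }
    }
}

function Show-SharedDesktopAcl {
    # Shows who actually holds delete-capable rights on the shared desktop, so the
    # assumption above can be checked on the machine rather than taken on faith.
    $sharedDesktop = [Environment]::GetFolderPath('CommonDesktopDirectory')
    (Get-Acl -LiteralPath $sharedDesktop).Access |
        Where-Object { $_.FileSystemRights -match 'FullControl|Modify|Delete' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Get-DesktopShortcutScope | Format-Table -AutoSize
Show-SharedDesktopAcl    | Format-Table -AutoSize
```

Running it once as a standard user and once from an elevated prompt shows the DeleteNeedsUAC column flip for the shared entries only, which is the behaviour the article is defending.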

You can always rebuild your system files by reinstalling the operating system, but can you ever recover your family photos?  There is actual malware called "ransomware" roaming in the wild that attempts to hold your data hostage by encrypting it until you pay for the decryption keys.  Telling people "too bad you didn't back up your data" doesn't exactly help the vast majority of the population get their precious data back.  Windows Vista UAP goes as far as running Internet Explorer 7 in a sandbox so that if it ever did get compromised by a documented or undocumented exploit, it can't access your system or user files.  Vista UAP even prevents IE7 from logging keystrokes from the rest of the operating system, to prevent privilege escalation.  While some will point out that dedicated sandbox accounts can be set up in Mac OS X and Linux, they're not set up that way by default and they take manual intervention to achieve, which simply means it won't ever be done by the vast majority of users.  The pundits have failed to recognize the solid security advancements of Windows Vista and are clinging to a non-issue.

The challenge for Microsoft is that Windows users are not accustomed to dealing with user permissions, since the vast majority of them routinely run Windows with administrative privileges.  There is no simple way of implementing sensible restrictions on user permissions without some growing pains.  When Windows XP Service Pack 2 came out, all the pundits slammed SP2 for "breaking hundreds of applications" when all that was needed was to punch some holes in the firewall or, in the worst case, turn it off.  The result was that a lot of people didn't upgrade to Windows XP SP2, still haven't, and are only harming themselves by not doing so.  I fear the exact same thing happening with Windows UAP protection, because scaring people about Vista's UAP feature is only going to help the spyware and malware pushers.  What's really needed is user education on the dangers of running their computers as administrator and on how UAP helps them get around the restrictions.  The reality is that normal day-to-day operations will never bother anyone with UAP warnings, and the only time you'll ever see it is when you need the protection most.


Talkback

  • UAC

    The most common type of malware for Windows these days are bad advices:
    - Turn off firewall, it slows down computer too much
    - HOWTO: Disable [System Restore/System file Protection/etc.]
    - Don't install SP2
    - Etc.
    UAP is a nice and innovative technology and it is very flexible:
    - You can work as with XP - with full admin rights
    - You can work as limited user, with or without prompts for administrator password, when needed.
    - You can get this new thing where you run as Administrator, but your programs don't?
    There are reasons why UAP is better than running as ordinary limited user (my own):
    - You don't have to remember password for administrator, and you don't have to have your own set at all (yes this is a BIG requirement from home users category)
    - You are the OWNER of files you create always (and you always have the same profile) - when running programs in limited/protected mode or administrative mode
    I believe that Microsoft did not do their marketing for this feature very well, and that they should start early.
    PS: Check out the UAP/UAC blog for more info, explanations, screenshots and discussions: http://blogs.msdn.com/uac/
    megame
    • XP could have been retrofitted with some of these features

      [i]"There are reasons why UAP is better than running as ordinary limited user (my own):
      - You don't have to remember password for administrator, and you don't have to have your own set at all (yes this is a BIG requirement from home users category)
      - You are the OWNER of files you create always (and you always have the same profile) - when running programs in limited/protected mode or administrative mode"[/i]

      The benefits you've described above, I have in XP using a little hack I wrote called [url=http://winsudo.toadlife.net]WinSUDO[/url]. It's pretty sad that I had to do this for myself when Microsoft could have implemented something similar in XP SP2, either by improving runas, or adding a separate function similar to the one my program adds.
      toadlife
      • well...

        There are several applications for XP, including processxp from www.sysinternals.com, but they all come short too often. (I have not tried WinSUDO)
        All of these applications use the NT kernel's token functionality (they are more-or-less only a GUI for what NT had back in '91?)

        But UAC goes a lot further - the changes to the kernel are not small - it detects when a program tries to execute a command that needs administrative privileges and it elevates its token then, and I believe that it virtualizes FS and REG for applications that need admin access only for compatibility reasons.
        megame
      • It's a tough call for Windows XP

        Windows XP was Microsoft's way of unifying Windows 9x/ME base with the Windows NT base. It was a miracle that they were able to pull it off and wean people away from Windows 9x/ME. Had they tried to enforce NTFS style permissions in to Windows XP, they would have had a much harder time pulling in the Win9x base. Even now with Windows Vista, you have people screaming bloody murder that Microsoft is forcing them to deal with admin rights.

        While I'm not excusing it, I do understand the reasoning in the decision process to not take on user permissions with Windows XP.
        georgeou
        • Clarification of what I meant

          I didn't mean they should change XP so that it creates limited users by default. From a support and compatibility standpoint, that would be insane. Only that they should have implemented some changes to the built-in run-as, so that it supports a sudo-like functionality. This would be for current users who want to run their machines as a non-admin, but get stuck on the myriad of gotchas that come up and give up. If I, someone who isn't even really a programmer, can implement a semi-reliable/secure working sudo-type service in XP using kludgy DOS batch files and third party tools, I would think Microsoft could implement it properly in a short amount of time.
          toadlife
    • Did I read this right!

      "- You don't have to remember password for administrator, and you don't have to have your own set at all (yes this is a BIG requirement from home users category)"

      It will autofill the root password. Please tell me that is wrong as that does defeat the purpose.
      Edward Meyers
      • Not as bad as it sounds

        [i]"It will autofill the root password. Please tell me that is wrong as that does defeat the purpose."[/i]

        It's not *quite* as dangerous as it sounds. Because it uses the secure desktop mechanism (the same mechanism used when you press ctrl+alt+delete), only objects which already have root access to the system can interact with it.

        This means that malware can not press the button for you, because by default, any process launched, even by a local administrator, starts out without the administrator token.

        Of course, the user can still click on the accept button, but at least it ensures that the choice is left in the hands of the user.

        The above is what happens if the user is logged on as an administrative account.

        If the user is running as a *non* administrator account, and they try to do something that they are not allowed to do, they are prompted for a username/password just like OSX.
        toadlife
        • Exactly

          "If the user is running as a *non* administrator account, and they try to do something that they are not allowed to do, they are prompted for a username/password just like OSX."

          A lot of people don't realize that there are different levels of UAP depending on who you log in as. If you log in as Administrator, you get far fewer prompts and it's easier to get past them when they do come up. The change that people will need to get used to is that even administrator accounts will have restrictions that require manual intervention, which is a really good thing. The new administrator account is similar to sudo under Linux.
          georgeou
  • Missing the problem

    George, you are right about Windoze needing more security. But the problem here is the WAY you implement it. People are NOT system administrators (and since it is NOT taught in schools, you can ONLY become a system admin through on-the-job experience), and they don't understand what is the right thing to do. Over-explaining (like Over-commenting code), can have an opposite effect - creating fear and doubt, as the user becomes afraid to do ANYTHING on their computer. This could POSSIBLY be a way to generate work for sysadmins (and friends of the family) - but it fails in its original purpose.

    M$ has made ease-of-use the number one goal for Windoze. Now that security has been elevated to that number one slot, M$ has lost sight of ease-of-use - which is unfortunate since Linux is making that its own goal.
    Roger Ramjet
    • So how...

      ...would Linux handle the described situation differently (and presumably better for end users)?

      Carl Rapson
      rapson
      • One thing KDE does

        is it allows you to "save" the password, so you only have to type it in once per session. Gnome may or may not do the same thing (it's been a while since I've tried it). But honestly I'd rather not have that feature, because it seems to me that you might be able to program a virus to lie dormant until that password is saved, then it uses the saved password itself.

        But other than that (and I am assuming UAP does not have that feature, for all I know it may have it) it isn't all that much different. Rather than using an "All Users" icon, just about every installer I've seen put the icons in a "Default Users" area which then populates the individual user settings (this is normally done in Windows as well, but some installers get lazy), so you don't have a situation where you need a password to delete something on your desktop. But anyway I don't think it's the ABM crowd that's making most of the noise here (aside from a few trolls who'll jump on anything just for the sake of jumping on something), I think it's the ones who WANT to use Windows because of all the conveniences it offers over the alternatives and are reluctant to address the security issues that those conveniences create.
        Michael Kelly
      • Why?

        So Windoze can copy yet another feature of *NIX? Do you want a cludged-up, b@stardized *NIX clone or the real thing?

        In reality, very little should be done by root - and that includes installing software. Well architected applications can install and run without root . . .
        Roger Ramjet
        • And...

          "Well architected applications can install and run without root . . ."

          ...the same applies to Windows, right now. Are ALL Linux apps well-architected, or does some allowance have to be made?

          Carl Rapson
          rapson
          • In the ABMers' defense...

            [i]the same applies to Windows, right now. Are ALL Linux apps well-architected, or does some allowance have to be made?[/i]

            MS has to shoulder [b]some[/b] of the responsibility for the laziness in third party software manufacturers. By making admin the default user, MS has basically encouraged people to write lousy apps. While people could theoretically also write poorly architected apps for *nix, those apps are much less likely to get used giving the developers real incentive to write their apps properly. No such incentive exists to this day in the Windows world although I've certainly noticed that things are much, much better than they used to be.
            NonZealot
          • No allowances in general

            Any app that requires the user to be root to run, except for admin tools, won't make its way into a distro or a repository hence won't get installed very much as it will have to be compiled from source.

            The typical vanilla install user set up is to give the user only access to:

            /usr/local
            /home/[i]username[/i]
            and, if the distro includes it, the directory /opt

            therefore a third party app has to install in one of these areas and contain all the config files, normally installed in the home directory in /home/[i]username[/i]/.[i]appname[/i], or be installed by the admin. Some admins will only give access to /home/[i]username[/i].

            So to answer your question- You bet they adhere to it. The directory where it is installed is very important if you are absolute linking libraries.
            Edward Meyers
        • Yikes, tell that to Linux users!!

          [i]In reality, very little should be done by root - and that includes installing software.[/i]

          I'll admit to not being a Linux expert although I have been running it for about a year now and I could not find any way of installing apps through either YaST on SuSE or portage on Gentoo without logging in/su as root. If anything, Windows has Linux beat on that one because MSIs CAN be written to not require admin rights as long as the MSI isn't doing anything that would require them. It seemed to me that even the smallest little Linux utility, if installed through a package manager, absolutely required root. My understanding from the people here is that OSX is the same way. I always found it funny (and short-sighted) of people who laughed at MS's "pathetic" security model that allowed apps to be installed without admin rights (again, as long as the install didn't do anything that required admin). I've always believed, as you obviously do, that there is no reason why most installs should require admin/root.
          NonZealot
          • The difference is

            That when using a package manager, you're installing software from a trusted source, that's at least for windows.

            Everything you get outside of this, I would definitely recommend to install it without root rights.
            tombalablomba
          • oops

            [b]That when using a package manager, you're installing software from a trusted source, that's at least for windows. [/b]

            Silly me, I meant Linux, as far as I'm aware such a thing doesn't exist for Windows (and then I mean a software repository)
            tombalablomba
          • Not the only way of using package manager

            [i]That when using a package manager, you're installing software from a trusted source[/i]

            You can download .rpm files from anywhere. Heck, you can even email .rpm files as attachments. I tried this on SuSE and it takes remarkably few clicks to run a .rpm attachment as root from KMail. The "nice" thing about such an attack vector is that users are used to entering their root password when they want to install .rpm files. Many wouldn't think twice about supplying it when the package manager asks for it because, after all, it is the trusted package manager that is asking for root rights, not the untrusted .rpm.
            NonZealot
        • That can be done

          "Well architected applications can install and run without root . . ."

          In this particular case, you'll have to blame Mozilla for their Firefox installer. It's easy to write an application that only runs with user permissions in Windows; the ISV just needs to write it that way.
          georgeou