8 of 11Image
One of the great failings of Windows XP was a default security model that gave the primary user account full administrative powers over the operating system.
In its documentation for IT professionals, Microsoft recommended that administrators configure standard accounts for users, to limit the amount of damage they could do if they were tricked into installing a malicious piece of software. But many Windows programs were written under the assumption that the user had full administrative privileges and wouldn't run under a standard user account.
So, for Windows Vista, Microsoft decided to get serious about tightening the screws on user account permissions. In the process they went too far, alienating users and creating the single most mocked, misunderstood, and despised Vista feature of all: User Account Control.
During the darkest days of the Vista era, I wrote a lot of posts about UAC. including one extremely popular set of instructions for taming UAC. That post included this succinct description:
The biggest misconception I hear about UAC is that it’s just another silly “Are you sure?” dialog box that users will quickly learn to ignore. That’s only one small part of the overall UAC system. The point of UAC is to allow you to run as a standard user, something that is nearly impossible in Windows XP and earlier Windows versions. In fact, with UAC enabled (the default setting) every user account in Windows Vista runs as a standard user. When you try to do something that requires administrative privileges, you see a UAC consent dialog box. If you’re an administrator, you simply have to click Continue when prompted. If you’re running as a standard user, you have to provide the user name and password of a member of the Administrators group.
What went wrong? For starters, there were way too many consent prompts—some of them in a cascade for a what should have been a simple task.
And it didn't help when a Microsoft executive publicly and proudly admitted that the point of the feature was to "annoy users." David Cross, a product unit manager at Microsoft, made that admission in a speech at a security conference:
"The reason we put UAC into the [Vista] platform was to annoy users — I'm serious," said Cross, speaking at the RSA Conference in San Francisco on Thursday. "Most users had administrator privileges on previous Windows systems and most applications needed administrator privileges to install or run."
Cross claimed that annoying users had been part of a Microsoft strategy to force independent software vendors (ISVs) to make their code more secure, as insecure code would trigger a prompt, discouraging users from executing the code.
That might have been literally true, but the subtlety was lost on exasperated Vista users, who felt personally offended at being used as human targets in a sniping war with third-party software developers.
Microsoft toned down UAC dramatically in Windows Vista Service Pack 1 and gave it a complete overhaul in Windows 7. And the bad publicity did indeed shame the most egregious software offenders into cleaning up their act. But the damage was done. Today, UAC may be far less annoying, but its reputation has never fully recovered. Microsoft learned a key lesson: features with this much disruptive potential need to be designed carefully from Day 1.