So, do these UAC issues present a security risk to users, or has Microsoft neutered UAC to the point of being useless?
I've experimented with both these issues and read around the matter extensively and my take is that there's an issue here. It's not one of these "Gahhh! The sky is falling in on us! Heeeelllllllppppppppp!" issues but it is something to pay attention to. Microsoft claims that UAC is not a "security boundary," and while I don't really like that term because it's far too wide-reaching, I accept that UAC was never meant to be a security feature in and of itself. However, what these two issues show is that UAC is totally useless on accounts in Windows 7 beta with admin privileges because its primary function, which is to allow the user to have the final say on a request to escalate privilege, can easily be overridden.
Here's Roger Halbheer's take on the situation (Halbheer is chief security advisor to Microsoft EMEA):
A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements “I do not want to get all the UAC elevation prompt just because I change my Windows settings”. We heard you loud and clear. So, we decided to do what you asked us: Not show you an elevation prompt when you change settings in Windows.
So, basically to give you my view:
- We did, what you asked us to do: Reduce the number of UAC prompts especially when you change your Windows settings
- We do what the prompt tells you we are doing
In my opinion, this is not a vulnerability. We can debate now, when we should generally show a UAC prompt but this is a completely different debate than to claim this being a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment and think about all the Windows Vista discussions.
This doesn't make sense to me because what Halbheer is saying is that because people complained about having too many UAC prompts in Vista, Microsoft's answer to this was to put in place a default level of UAC "security" where changes to Windows settings don't generate any UAC prompts, and then consider the action that changes UAC levels to be a regular Windows setting. In a desire to create fewer UAC prompts, this seems to me to be one step too far. When it comes to making trade-offs between security and ease-of-use (something which almost always happens unless you are running a high security system), it seems that someone made a bad decision in this instance.
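To see which notification level a given machine is actually running, the script below reads the UAC policy values from the registry and flags anything below "Always notify". It is an added example, not part of the original article and not Microsoft's code. The registry value names and their meanings are Windows' documented UAC policy settings rather than anything quoted in this article, and the level labels are chosen for this example.

```powershell
# Added example: map the UAC policy registry values to a notification level.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    # A missing value must not be read as 0, which would look like "disabled".
    if ($EnableLUA -eq $null -or $ConsentPromptBehaviorAdmin -eq $null) {
        return 'Unknown (policy value not set)'
    }
    if ([int]$EnableLUA -eq 0) { return 'UAC disabled' }

    switch ([int]$ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify (silent elevation)' }
        2 { return 'Always notify' }
        5 {
            # 5 = prompt only for non-Windows binaries: the level where
            # changes to Windows settings raise no prompt.
            if ([int]$PromptOnSecureDesktop -eq 1) {
                return 'Default (no prompt for Windows settings)'
            }
            return 'Default without secure desktop'
        }
        default {
            return "Custom policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin)"
        }
    }
}

$p = Get-ItemProperty -Path $key
$level = Get-UacLevel -EnableLUA $p.EnableLUA `
    -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
    -PromptOnSecureDesktop $p.PromptOnSecureDesktop

# Emit one object so the result can be collected across machines.
New-Object PSObject -Property @{
    Computer           = $env:COMPUTERNAME
    UacLevel           = $level
    BelowAlwaysNotify  = ($level -ne 'Always notify')
    ConsentPromptAdmin = $p.ConsentPromptBehaviorAdmin
    SecureDesktop      = $p.PromptOnSecureDesktop
}
```

Reading these values needs no elevation, so the check can run as a standard user or from an inventory job.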
At the core of these UAC issues is whether UAC (and especially UAC on an admin account) really offers any real security, or even useful information that the person sitting at the keyboard can use to decide whether to accept or reject the request to escalate privilege. If you are the kind of user where a UAC prompt made you sit up and pay attention, then this latest change to the default settings in Windows means you get less feedback from your system. However, if you fall into the "monkey see, monkey click yes" crowd then you're no less safe than you are right now.
My takeaway ...
I think that Microsoft really knew when it introduced UAC in Vista that it was designed with the intention of giving the "impression" of security (or at least offsetting the responsibility ... and maybe blame ... of making the choice on the user). The feedback that Microsoft received from users was that UAC was too annoying, so with Windows 7 the company came to a fork in the road - actually turn UAC into a proper security feature, or just tone it down. Looks like Microsoft chose to tone down