At a Windows Vista lab in Redmond before the release of Beta 2, Microsoft developers showed off the new OS to a room full of MVPs and enthusiasts. But even the company’s most loyal fan base turned ugly when User Account Control took the stage. Now, Microsoft is begging users not to disable the controversial feature. User Account Control, or UAC, is a fundamental security change coming in Windows Vista and one of the most important additions to protect users from threats, Microsoft says. But the company is struggling to find a balance between security and usability.
People prefer convenience to security.
…and that bad old habits are very hard to break.
Not that I feel any sympathy for MS at this point.
They allowed/encouraged the lax attitude towards security, now let them clean it up.
This does seem good/bad of Microsoft on the new security tool. The fundamental idea sounds correct… like when *nix pops up that root or sudo password box when you go too far. Unfortunately for MS, *nix has been built like that for years and programmers know when the box will appear so try to either work with it, or write the program so it doesn’t need root privileges. It would seem that MS would have built the end result better.. their bread-n-butter is “making things easy for stupid people” over the years. It would seem they’ve dropped the ball yet again.
But also, where are the programming tools for this feature? It would seem like such a potentially annoying feature would get addressed by programmers first in Visual Studio. A UAC plug-in there would allow programmers to vet their code before.. again, another traditional MS strong point of their dev tools.
Lastly, the UAC acronym is already taken.. Carmack has that slated for his try at world(s) domination, after he gets the spaceships of course. I can see them trying to take over yet another market before it’s even started.
> But also, where are the programming tools for this feature? It would seem like such a potentially annoying feature would get addressed by programmers first in Visual Studio. A UAC plug-in there would allow programmers to vet their code before.. again, another traditional MS strong point of their dev tools.
There are several tools and guidance provided on MSDN and MS Downloads. Some of it has been there for years with regards to developing for standard user on NT. For .NET, you can basically follow the CAS guidelines for least privilege. A tool is included in VS that can guide you in determining what’s allowed at each level, and can also analyze your application, pointing you to what additions are needed and where. Permcalc.exe and permview.exe (.NET 1.x) may help.
For unmanaged code, there’s the following:
Standard User Analyzer (should also work on managed code)
http://www.microsoft.com/downloads/details.aspx?FamilyID=df59b474-c…
Application Compatibility Toolkit
http://www.microsoft.com/technet/prodtechnol/windows/appcompatibili…
Application Verifier
http://www.microsoft.com/downloads/details.aspx?familyid=BD02C19C-1…
It’s also best to use MSI 3.1 or higher, or ClickOnce, if you need an installer. Basically if the app runs as standard user on XP, etc., it should also do so on Vista. Search MSDN and MS Downloads, or even the MS blogs, for terms like “UAC”, “UAP”, “LUA”, “standard user”, “least privilege” for whitepapers and articles on developing for and running as standard user on Vista and downlevel platforms. Also check out http://devreadiness.org/
I wish it were just that easy. The problem is, third party developers are lazy, and would sooner sit around whinging and whining about Microsoft than actually improve their products to take advantage of the new features, and test them adequately to work with the new security requirements.
Take Service Pack 2, and the sheer amount of information which Microsoft made available, in regards to the changes they would make, and what issues developers needed to look out for – and yet, we STILL had developers bitch and whinge, and customers left in the dark as to when these third parties would FINALLY update their applications, and properly support their customers, as they should.
Microsoft, sure, they play hard ball, but they also keep their developers well informed about the changes they make – if you do have application compatibility issues, the first port of call should be to your application provider, NOT Microsoft. It is the application provider’s responsibility to maintain their product, not Microsoft’s job to maintain third party products.
People need convenient security.
You hit the nail on the head.
People have been arguing that UAC isn’t that much worse than privilege elevation procedure in Mac OSX or Linux, but it obviously is. Worse, I don’t think 6 months or even 3 years will be enough to make UAC as convenient as the facilities in the competing systems.
The problem is fixable across the core Windows OS, but implementing a convenient and secure access control system across the vast Windows _platform_ is an unenviable task.
The Windows platform has simply outgrown itself. It’s not just security. The whole model and ecosystem is rusting away. Every PR announcement Microsoft has made in the past 3 years is a testament to this fact. The ISVs will jump ship first, followed by corporate IT (starting from the biggest and smallest firms and proceeding toward the middle), and then the flight of the hardware vendors will signal the beginning of the end of the Windows era. The consumer will be the last to go.
Too speculative? You’re entitled to your opinion.
And free money.
Many people would like to enforce user restrictions in XP now, but many run their users as local administrators because of the difficulty of permissions on things like printers (many of them blatant Windows bugs and problems with drivers) and software installation. Vista doesn’t look like it’s going to be any different. This should have all been handled years ago when Active Directory was created, as that’s where many people found out about these problems. It was obvious. Microsoft can blame third-party developers all it likes, but this should have been in place years ago.
Oh, and like XP, Vista creates a user during install who is an administrator and doesn’t have a password!
> Many people would like to enforce user restrictions in XP now, but many run their users as local administrators because of the difficulty of permissions on things like printers (many of them blatant Windows bugs and problems with drivers) and software installation. Vista doesn’t look like it’s going to be any different. This should have all been handled years ago when Active Directory was created, as that’s where many people found out about these problems. It was obvious. Microsoft can blame third-party developers all it likes, but this should have been in place years ago.
People are disabling UAC before even giving it a chance. Some aren’t even trying it in newer builds despite its improvement. They’re supposed to be testing the OS. The feature may never improve to their satisfaction if they never test it incrementally and give MS quality feedback rather than just saying “it sucks” and disabling it. MS should probably consider forcing it on in the betas as they do some other features just so people won’t turn it off.
> Oh, and like XP, Vista creates a user during install who is an administrator and doesn’t have a password!
This isn’t a security issue. Accounts with blank passwords cannot be used for remote access in XP or in Vista. Also, in Vista’s default configuration (i.e., with UAC turned on), applications running under the account don’t receive all the rights of that account. They run as standard user unless elevated.
But that administrator isn’t “really” – it’s more akin to OSX/BSD and its “wheel” system.
Personally, I *love* UAC – finally, MS have a system that allows me to run as a non-admin user without compromising my ability to run basic applications.
It’s interesting so soon after an announcement that users are idiots. How much of the whole trouble with the UAC thing is users getting used to the security model, and how much is that it is badly implemented?
With WinFS gone, and with UAC a mess, it’s a good job it’s pretty…
…and it is pretty.
Nothing, nothing at all. That’s all they changed.
UAC isn’t security, it’s a fun new kind of BDSM, sure to sweep the nation. This was so that Microsoft could find *something* to sell in Japan since their bomb with the Xbox.
Hopefully Linspire doesn’t go all dominatrix penguin.
—-I’m going to hell for that one. I know it…
Looks like it (restricted user permissions) isn’t at all a usability problem in Mac OS, which never was an OS for techies but an OS for artists, grandmamas, etc.
How so?
They need to use their head with what should be prompted, and what shouldn’t.
The first user should be a Power User, not an Administrator.
People shouldn’t need to be warned about changing network settings, changing the look of the machine, deleting things off a desktop.
If need be, let people change things and have the ability to lock the preferences like OS X, and prompt for a password if they are trying to be unlocked. If they need to borrow the good ideas from other people, just do it, especially when it relates to security.
Don’t assume that everyone is a moron either; there are power users out there that do like Windows. Give us the ability to get rid of the Network Center, because although it may be helpful for the less competent, for the power user it’s a huge frustration.
Places it should warn you are where system files are, Windows, possibly Documents and Settings, things that compromise system stability and security.
Access to things like regedit shouldn’t be prompted if opened or at least have a prompt and “Do not show this again”.
Things being merged into the registry should be though.
I think they really need to evaluate what security problems they have currently, and do simple prompts for the things that could breach security/stability.
I know the whole screen dim is to try and force you to answer the question, but I think it would panic a lot of people and make them feel like it’s locking down their whole computer because of some big security breach.
Keeping clicks to a minimum should also be a priority, I know I don’t like being asked if I want to delete something, and then be asked if I’m sure, and sure again, it’s just frustrating.
There needs to be a balance, and they won’t get it first off either, it will require a lot of teething problems.
In my opinion anyway.
Edited 2006-06-29 01:58
The features of UAC are not that bad. I’ve used it (Beta 2) for 2 full weeks now (as my primary system) and it worked pretty well. Alright, it’s annoying for the first few days, but you get used to it.
I got used to it the same way I got used to the fact that I must have root privileges for most ‘potentially dangerous’ operations I do on my Linux box.
Microsoft started their ‘UAC’ only a couple of years ago, while Unix had it for decades, let’s give the time to Microsoft to adjust it properly…
“The features of UAC are not that bad. I’ve used it (Beta 2) for 2 full weeks now (as my primary system) and it worked pretty well. Alright, it’s annoying for the first few days, but you get used to it.”
When you say get used to it, do you mean you just get fast at putting in your password and clicking OK?
No, I’m sure he means that once you get your system basically all setup it’s not an issue anymore.
“One change, however, will not be a “sticky” verification process. Apple’s Mac OS X operating system only asks users to enter their password once and it is remembered for the rest of the time they are logged on”
Now that’s just incorrect. When a program authenticates, it stays authenticated until the program frees the authentication or until the program is closed. For example after you are done copying a file with Finder into a folder that requires authentication, to copy something else you authenticate again because the Finder has already freed its authentication. Other programs can hold on to the authentication but granting one app access certainly doesn’t grant everything else access until you log out.
Security. This word means a lot to a lot of people. For less knowledgeable it means even a lot more different things – thanks to the various pr stunts of recent years. But thing is, they need it the most.
My problem is that because Windows is at so many places, most people will see UAC in Vista and think: ok, this is what security means, and this is jack sh*t, why do those *nix people talk so much about *nix being secure, this whole thing just s*cks and tell me how do I disable it quickly.
So, what my problem really is that oh so many times has MS taught people to think about things and do things in a way that is not good, not even preferred, but still, people do it because they don’t know any other way.
Now MS comes and says, please don’t disable UAC. Then for god’s sake, make it work like it should! Oh wait, they can’t do it, since they simply lack the necessary background architecture to really make a security-centered but still usable OS. However they try and come closer to *nix on the security field, they just fail all the time. You cannot bug the user with hundreds of popups just because you made a system that needs admin privileges for about everything.
If this abomination will turn out to be more nerving than useful, people will just not use it. No matter how you cryingly try to defend about the only visible “improvement” that Vista will bring, besides the uninteresting GUI.
The UAC is of little use if most gamers play their favorite game online as admin, because PunkBuster anti-cheat software otherwise kicks them from the server.
Why not make the UAC accessible with policies, as SELinux or AppArmor does? This way only the absolute minimum of privileges has to be granted and you don’t have to bother the user with questions.
Edited 2006-06-29 06:00
> Oh, and like XP, Vista creates a user during install who is an administrator and doesn’t have a password!
> This isn’t a security issue. Accounts with blank passwords cannot be used for remote access in XP or in Vista. Also, in Vista’s default configuration (i.e., with UAC turned on), applications running under the account don’t receive all the rights of that account. They run as standard user unless elevated.
This is (imho) just plain idiotic thinking on the part of MS.
How on earth do they dream of educating – ever – users about security issues when they break away with security concepts firmly established in the field for more than a couple of decades? Why reinvent the wheel – badly – every time?
In the enterprise context the new, default, install mode of winxp was a real annoyance to support personnel, trying to figure out when and why would network services not be responding, even though enabled.
In the home user context this simply meant hiding away from the user even more the concept of ‘account’ and all its security implications.
It just reminds me of when they decided to hide – by default – file extensions. Now millions of users have no clue as to what a filetype is, and to the difference between opening a file with an app and double-clicking on it. And they curse at Windows every day, because the feature was half-ass implemented anyway, not really 100% consistently across the whole ‘platform’.
Maybe you could also look at the IE blog announcement that the rich DHTML editing ActiveX control will not be part of IE7 anymore, because it was a security nightmare from the start. What about all intranet corporate apps that rely on that control? Well, just screw them…
History repeats itself – MS will always mis-implement features first, mis-educating generations of computer users, just to leave them – and developers – in the cold, when, after a couple of years, it turns out they cannot fix their original code…
… and this lesson should be taken seriously. These same users would also run as root on Linux because it’s more convenient, and do lots of other things that may seem braindead to a security-aware user. And they won’t change their habits.