Microsoft Australia has defended the company’s User Account Control (UAC) system as being “misunderstood” and said it should be the type of technology that all operating systems aspire towards.
I would just prefer a more secure kernel and OS, not something that asks me if I am sure that I would like to change the theme 1000 times.
I agree and I thought Unix style permissions were the way to go. Why reinvent the wheel when there is proven technology already out there?
While I’m a Unix nerd, regular Unix style permissions aren’t as robust as NTFS permissions. When you implement ACLs or similar then you get on par, but Unix style permissions can’t hang.
Well NTFSv5/6 permissions have many more options and are managed by an ACL (a list with specific granting and denial info for certain users/groups) for each file and directory.
But I wouldn’t say Unix-style permissions are less secure; they are just less flexible by themselves.
> While I’m a Unix nerd, regular Unix style permissions aren’t as robust as NTFS permissions. When you implement ACLs or similar then you get on par, but Unix style permissions can’t hang.
The only things I miss from “regular Unix style permission[s]” are (a) a separate delete flag on files and (b) the ability to restrict permissions to specific user(s) other than the owner. And POSIX ACLs do the latter. I’m not quite familiar with them, however, so it’s even possible they do the former.
…but I’d also like to separate rights for ‘read’ and ‘copy’ actions, since e.g. there might be circumstances where one would like to make files available to users with read only rights and no right to copy the files …
I’m specifically referring to copyrighted fonts made available to users at the design school I work for. We have no way to ensure that every single student does not ‘steal’ our $20.000 worth of fonts by simply copying them to their own computers…
That makes no sense… What happens if I read a file, and then write its contents into a different file? Or send it over the Internet? You can’t prevent copying this way.
> …but I’d also like to separate rights for ‘read’
> and ‘copy’ actions, since e.g. there might be
> circumstances where one would like to make files
> available to users with read only rights and no
> right to copy the files …
And the reply by Dima:
> That makes no sense… What happens if I read a
> file, and then write its contents into a different
> file? Or send it over the Internet? You can’t
> prevent copying this way.
Yes it makes sense, but raises practical problems. First to explain why it makes sense (countering Dima’s reply): You could read the file, but you couldn’t write its contents into a different file or send it via the net. Doing so would be refused by the OS with an error message.
Now why this is hard in practice: It requires that the OS can detect, when data is written to some file, whether it came from a copy-protected file. One way would be to compare written data with protected data. This *could* be possible in practice, but would burn a lot of computing power. Also, with enough knowledge, users can encrypt the data before sending it away.
Another would be to allow a program that has loaded the file only restricted access to the data. That is (in your example), use the fonts for drawing but for nothing else. The font would get a similar status as the process table: This table can be altered by user processes through syscalls like fork(), but not read or written arbitrarily.
my question is, why the extra “delete” option?
if it’s to allow people to alter a file without wiping it out, then remember that they can still overwrite all the content of the file.
and *nix has an interesting way to avoid accidental deletion. just have the file have a hardlink in some other part of the file system. only when all hardlinks are deleted is the actual inode area on the disk opened for rewrite.
hardlinks can also be used to give per user rights. as in, each user is the owner of their own hardlink
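The hardlink trick from the post above, as an added example (not code from any poster): the second name keeps the inode allocated after the working copy is deleted, and the second function shows the caveat also raised above, that a hardlink does nothing against overwriting because both names share the same data blocks. Directory and file names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: the hardlink trick described in the post above.
# A hardlink is a second directory entry pointing at the same inode, so unlinking one
# name leaves the data allocated and readable until the link count drops to zero.
set -eu

# link_count PATH: print the inode's link count (second field of ls -l; portable GNU/BSD).
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# demo_hardlink_survives DIR: keep a second name for report.txt in a "vault" directory,
# delete the working copy, and report whether the content is still reachable.
# Prints "survived" when the data is intact and the inode still has exactly one link.
demo_hardlink_survives() {
    work="$1/work"
    vault="$1/vault"
    mkdir -p "$work" "$vault"
    printf 'important data\n' > "$work/report.txt"
    ln "$work/report.txt" "$vault/report.txt.keep"     # same inode, two names
    before=$(link_count "$work/report.txt")             # expect 2
    rm "$work/report.txt"                               # the "accidental" deletion
    after=$(link_count "$vault/report.txt.keep")        # expect 1: inode not freed
    if [ "$before" -eq 2 ] && [ "$after" -eq 1 ] &&
       [ "$(cat "$vault/report.txt.keep")" = "important data" ]; then
        echo survived
    else
        echo lost
    fi
}

# demo_overwrite_propagates DIR: the caveat raised above. Both names share the same
# data blocks, so overwriting through one name is visible through the other.
# A hardlink guards against unlink(), not against write(). Prints the vault copy.
demo_overwrite_propagates() {
    work="$1/work2"
    vault="$1/vault2"
    mkdir -p "$work" "$vault"
    printf 'original\n' > "$work/notes.txt"
    ln "$work/notes.txt" "$vault/notes.txt.keep"
    printf 'clobbered\n' > "$work/notes.txt"            # overwrite via the working name
    cat "$vault/notes.txt.keep"                         # prints "clobbered"
}

# Stand-alone run: both demos in a throwaway directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    demo_hardlink_survives "$tmp"
    demo_overwrite_propagates "$tmp"
    rm -rf "$tmp"
fi
```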
ACLs are also far more complicated to deal with than regular permissions… In many cases the standard unix permissions are sufficient, and consequently easier to manage. This way, you have far less work to do since you only set ACLs when necessary.
bingo!
for home use, ACL is overkill to the nth degree.
but for office use and similar, the extra control one gets may be just what the doctor ordered.
the right tools for the right job and all that
You can implement ACLs in Linux and many other flavors of UNIX by way of POSIX-compliant ACLs. This form of ACLs is based on the IEEE’s POSIX 1003.1e draft 17, also known simply as POSIX.1e. This allows one to easily implement ACLs in addition to the standard Unix file permissions. POSIX ACLs give *NIX users and administrators the same flexibility and fine-grained control over who can read, write, and execute files as those running Windows NT based OSs.
Commercial Unix operating systems (except SCO) have all had ACL functionality for quite a while. FreeBSD supports POSIX.1e ACLs as well. Linux 2.6.x series kernels have supported ACLs for EXT2, EXT3, XFS, JFS, and ReiserFS as well as other esoteric filesystems for years. *NIX’s implementation of ACLs can be manipulated easily in both KDE and Gnome using GUI tools, just like within Windows.
Unix-style permissions are limited and not particularly secure. They’re more an accident of how Unix was initially implemented than anything else. ACLs are the way of the present and MAC/RBAC (and I hope Capabilities) is what will be implemented in the future (or in high-security installations today).
One of the design goals of NT was to pass the B2 Common Criteria certification for the US DoD. Under those criteria, Unix permissions just don’t cut it. That’s why all *nixes are adding ACLs and other mechanisms.
B2 is a classification for Trusted Computing under the long defunct Trusted Computer Security Evaluation Criteria (TCSEC), which was cancelled March 1999:
http://www.alw.nih.gov/Security/FIRST/papers/criteria/tcsec.txt
Under Common Criteria a trusted system would be evaluated at an Evaluated Assurance Level (EAL) of 4+ or better.
The original design goal of Windows NT was to be evaluated at TCSEC C2, which is the minimum for processing Top Secret information. This link should be helpful in describing the TCSEC security ratings:
http://www.windowsecurity.com/whitepaper/Windows_NT_Security_Part_1…
B2 level security calls for Labeled Security and would be evaluated today using the Labeled Security Protection Profile (LSPP). There is no version of Windows that I am aware of that supports Labeled Security.
Edited 2007-04-28 02:15
Sorry… I should have checked the specifics before posting. My fault. The point I was trying to make was that ACLs and Auditing were specifically required for the (now defunct) security tests that MSFT wanted NT to pass.
Exactly. What most people don’t understand is that Microsoft read directly from the TCSEC and gave the US Government most of what it wanted. Windows since NT has audited user actions (when enabled) based on DoD requirements. I am sure Microsoft used it (amongst other things) in their sales pitch to DoD.
Now if only they actually read the portion of the TCSEC that dealt with least privilege and created an OS using that concept, things might be different.
Standard UNIX / Linux access control (i.e. rwx bits) is limited and archaic. The better way, more aligned with the flexibility of NTFS permissions, would be RBAC (Role Based Access Control).
I’m confused [actually, not, but whatever]. ACL is not something you can’t see or can’t hear about in Linux land, but many just behave like it wouldn’t exist, maybe it’s easier to dismiss. I don’t give a rat’s behind, but as I know extx, xfs, jfs, reiser support acl without patches in the 2.6.x branch (feel free to correct me, with facts not with wishes), even samba IIRC, I think there is still work to be done on nfs, but still, talking about it as if it wouldn’t even exist bothers me.
I also was confused. getfacl and friends have been available for years…..
http://www.suse.de/~agruen/acl/linux-acls/online/
Have another read of what I said. Here’s a quote for you:
I never said alternatives don’t exist, I referred specifically to the rwx bits of files and directories. I’m not sure why you’re confused.
Perhaps he’s confused by your implication that ACLs are not standard functionality on a Linux(or most Unix) system. The functionality is not utilised by default in most distros, but since 2.6.0, it is standard in the kernel. For ext{2,3} partitions, all that is required is for them to be mounted with the ‘acl’ option.
I know that you were using ‘standard’ to mean ‘the method that most people use’, but for people who actually want to use ACLs, the facility is so trivial to enable that there is no barrier to adoption. So although RWX bits may be Archaic, they are kept for performance/simplicity reasons rather than any particular lack of technology. The commonly used term here is ‘traditional’ Unix file permissions.
isn’t fedora attempting to ship with SElinux as an option?
from what I understand, SElinux is basically role based.
you may su to root, but given that your starting role was a user, the root account is limited by said role.
> isn’t fedora attempting to ship with SElinux as an option?
Fedora has been shipping SELinux as an installation option for quite a while now, at least the last few releases.
ah, just goes to show that it’s not my distro of choice i guess
so if one wants to be “anal” about security when using fedora, install SElinux
> so if one wants to be “anal” about security when using fedora, install SElinux
If you’re a debian person you could try adamantix which uses RSBAC.
http://www.adamantix.org/
Yeah, why innovate at all? Its all just re-inventing the wheel at this point. Why not completely mimic the windows ui on every operating system. Re-doing a new design is just re-inventing the wheel, right? Why code Linux? Its just a clone of Unix.. Isn’t THAT just re-inventing the wheel? The truth of the matter is, its a matter of preference. Believe it or not, some people like the way windows does it.
> I would just prefer a more secure kernel and OS, not something that asks me if I am sure that I would like to change the theme 1000 times.
It’s not that the kernel and core OS components are insecure so much as it’s the applications demanding access to system-wide resources. I’m sure that Windows has many system resources that should be per-user, but changing these would break the applications. The applications were written on the premise that the user has full rein over the system, which is no longer the case. The crap that used to pass for an application doesn’t cut it anymore, and that’s why we (or more accurately you [all], since I don’t use Vista) have UAC.
Other operating systems provide the same mechanisms provided by UAC, but they’re much less annoying because the applications for those platforms understand that the user has limited rights. Most Linux distributions have a one-command or one-click software update facility that only requires root authentication once, not once (or more) for every package. Changing desktop or application settings is not a privileged operation. If Vista worked like this, then UAC wouldn’t be universally hated at all.
People liken UAC to a “boy who cried wolf” situation. But these prompts aren’t false alarms, they are actually wolves in sheep’s clothing. The applications shouldn’t be doing this stuff, but the user has to let them have their way or else they won’t work properly.
well, it might not be that UAC is that bad, but currently, people who want to install firefox from their website get 3 (!!!) messages of ‘are you sure’ before they even enter the installer (to answer even more questions).
First ‘this is downloaded, are you sure you want to run it’ then a ‘this is an unknown app, sure you want to run it’ then UAC, then the installer. Sorry, but I can install 10 applications with only ONE dialog asking me for the root password in linux. Start Adept/Synaptic/whatever, give pw, tick 10 boxes, click ‘execute’, and it’s done. Windows would need to ask 30 times ‘are you sure’ and a lot of other ‘next’ style wizards asking if you want another icon on your desktop or where you want to install the application.
Yeah, software management only got harder with UAC while it doesn’t solve anything (OF COURSE you just hit enter, it’s way overdone!)
UAC has been overplayed by the “MS SUXXORZ” crowd as expected. The idea that it pops up every seven seconds is stupid at best, and the usual FUD at worst. Once you’re done installing and configuring crap, you should not see it. Let me repeat that: I haven’t seen a UAC prompt since I “stabilized” my two Vista boxes almost two months ago. If I expect to see it, I expect I’ll see it about as often as I do on Ubuntu.
But of course, it’s always more fun to blabber on about how a Microsoft product is doing “funny” things. Yes, “universally hated” and the basic misunderstanding (probably on purpose) of the fact that UAC compensates for software written for the admin-all-the-time model of previous versions of Windows.
Carry on. Those of us who actually use Vista know that you are full of shit.
I have vista here, and it’s shit. Not that guy, Vista.
> Currently, people who want to install firefox from their website get 3 (!!!) messages of ‘are you sure’ before they even enter the installer (to answer even more questions).
> First ‘this is downloaded, are you sure you want to run it’ then a ‘this is an unknown app, sure you want to run it’ then UAC, then the installer. Sorry, but I can install 10 applications with only ONE dialog asking me for the root password in linux. Start Adept/Synaptic/whatever, give pw, tick 10 boxes, click ‘execute’, and it’s done. Windows would need to ask 30 times ‘are you sure’ and a lot of other ‘next’ style wizards asking if you want another icon on your desktop or where you want to install the application.
> Yeah, software management only got harder with UAC while it doesn’t solve anything (OF COURSE you just hit enter, it’s way overdone!)
1) You don’t get asked a 1000 times.
2) That dialog that you get is not asking you if you are sure you want to run it, it is elevating your privileges so you can run it.
3) No matter what OS or kernel you are using, a user running as admin has full rights to the system (except in Vista, actually, only the administrator account has full access, and that is disabled by default).
Yes, you get asked stuff a million times. Way too much. Not just UAC, everything. Try to install an application:
> First ‘this is downloaded, are you sure you want to run it’ then a ‘this is an unknown app, sure you want to run it’ then UAC, then the installer. Sorry, but I can install 10 applications with only ONE dialog asking me for the root password in linux. Start Adept/Synaptic/whatever, give pw, tick 10 boxes, click ‘execute’, and it’s done. Windows would need to ask 30 times ‘are you sure’ and a lot of other ‘next’ style wizards asking if you want another icon on your desktop or where you want to install the application.
> Sorry, but I can install 10 applications with only ONE dialog asking me for the root password in linux.
Sounds like a security issue to me.
How? You run the app as root, so everything in the app is as safe as a process in Vista which runs under UAC. The only difference is that in Linux, you have a centralized and easy way to manage software, Vista lacks such a technology. That’s why you need a lot more work in Vista to install apps.
There are many advantages of a centralized repository of software – it’s easier, the software is checked by the distributor (it would be like MS having checked each and every piece of software you download) and you have a centralized and effective way of managing updates. Thus you have a much lower chance of installing spyware and adware or otherwise infected software. The linux update software doesn’t just work for a certain small amount of software (eg only Vista itself) but also for all other installed software like webbrowsers, music software, video players, photo management – all of it receives updates through the same mechanism.
And they’ll be willing to license it to you for a low low price… :>
This is the last in the line on this code base, I have tried it out and you have to click on prompt boxes.
* When trying to change almost anything the screen dims in the background and a prompt box appears asking if this is what you want to do. Of course it is; why on earth would I click on it in the first place? It is out of control, why can’t it be like my Linux distro Fedora with a regular user account that can run programs/applications and perform computing functions. Then have the admin account to install what you need or make system changes. From the time I spent on it in an Office Depot store it was slow, actually one of the laptops blue screened with the ‘infamous IRQ NOT EQUAL’ that means it was a buggy driver.
Basically, this is nothing more than a rehashed Windows NT Workstation code base that was unstable until about SP5 or SP6; after that it actually was not too bad.
Anyways, the UAC will not protect the system completely since deviant people sit around and write viruses, trojans and spyware for Windows because they like to cost companies money which in turn pass it on to the consumer. I gave up on Windows NT Workstation when I performed my first install of Red Hat Professional 6.0 boxed set back around 1999.
In the Enterprise at work, I run Fedora Core 6 on my laptop/workstation and the Corp runs Windows XP Pro; however, just as in previous Windows versions, you have to run as Administrator on a Windows machine to run certain programs. I use the VPN or Citrix client to log in on my laptop, but the security in Windows is there; it is just not correctly implemented.
I just don’t understand why, in previous Windows releases, you needed to run as Administrator. It should have been locked down years ago, but they created this monster and they are having the worst time trying to correct it.
Just as a Professor told me in College years ago, ‘Always grant the LEAST amount of permissions to get the job done, because you can always add but it is almost impossible to start taking them away’……..
How true that quote is, and I do not understand a Corp’s nonchalant attitude with data security being of the utmost importance.
And you call yourself a ‘professional’? Anyone who has half a brain will tell you that the reason for Administration by default with Windows XP and below is for compatibility reasons relating to how things are written to the hard disk and how some poorly written applications interact with the system itself.
Oh, and btw, when you run Windows Vista, you’re not running in Administrator mode, hence the reason for UAC – it temporarily elevates privileges for that given application, it’s no different than the use of sudo/gksu in the *NIX world.
Ah, the professor. If I had 10 cents for every professor I met who never stepped foot into a company, I would be a millionaire by now. Just because a professor says something, doesn’t make it gospel or some new revelation.
Microsoft *KNOW* about security, the problem is that third parties would rather refuse to update their software and write their programmes properly to take into account restricted access when running.
Microsoft only provides it for backwards compatibility – I swear there is a legion of pea brain people like you out there claiming that Microsoft makes these decisions for shits and giggles.
Microsoft is a multibillion dollar organisation with some of the smartest people in the industry, you really think they go out of their way to deliberately do boneheaded and stupid things? ever thought there was more to it than just what appears on the surface?
Edited 2007-04-28 02:49
Microsoft can be a multi billion dollars company and be beaten by the monster they created!
Microsoft’s own products have a hard time playing nice with UAC. Why is it recommended to run Visual Studio 2005 as administrator every time you launch it? Never seen that on any development tools on any other OS! Why did it take 5 months to provide compatibility for something like SQL 2005 or Visual Studio 2005?
Also you go to control panel, run network setting just to check (read only). Oops, “Please confirm…”… What’s the point for a read only operation? The truth is that Microsoft did not take time to carefully check every windows component so that the user is not prompted abusively.
Where did Microsoft guarantee that Visual studio 2005 would work on Windows Vista flawlessly? Microsoft never said so. Visual Studio 2005 was provided for programmers to get their applications up and ready to run on Windows Vista whilst still in a Windows XP environment.
The next version of Visual Studio will be 100% compatible with Windows Vista, and might possibly be a free upgrade for those who are running Visual Studio 2005 – then again, most people who programme for Microsoft Windows will have a MSDN subscription which means they’ll automatically get it.
UAC and sudo are not at all the same. They work in quite different ways. Sudo grants the user temporary extended rights (depending on the configuration of sudo – visudo) while UAC prompts _every time_ the user goes out of his/her normal domain. Two very different approaches and behaviour. UAC is no more like sudo than bananas are like strawberries.
Actually, sudo does the same thing.
You start something using sudo, everything that spawns from that (be it a browser, a terminal window, whatever) will have the same elevated rights as the original.
UAC does the same thing.
Eeh.. no. That’s not how sudo works. Sudo grants the user some extra rights (depending on configuration) and typically a “ticket” for 5 minutes (where anything can be done without having to enter the password again). Of course anything spawned by a sudo’ed process will have the same rights. That’s obvious.
The big difference is that UAC is less customizable, is not ticket-based (a mistake), does not require the user’s password (big mistake). And UAC grants the rights to the process rather than the user, leading to the click-endlessly hell. UAC != sudo. sudo, however, grants rights to the user and not to the process. Big difference. UAC and sudo have something in common, but they are not closely related.
As stated, UAC DOES require a password if running as a standard user.
As far as granting rights per process or per user, that is definitely a trade-off between functionality (“click-endlessly hell”) and security (happen to run a piece of malware while the user has been granted higher privs.).
Granted. It could be considered a trade-off between functionality and security. But since I don’t allow for remote use of sudo it is not a problem. And GNU/Linux+Gnome does not have the required APIs for malware to work – there is simply no way it can be done the way we know it from Windows. On Windows of course it could be considered different. But IMHO Windows is secure enough to use a ticket-based system if you remember to protect the system properly. If you have malware on the system it doesn’t matter if it has Administrator rights or not. You’re screwed already.
BTW. Who would run as a pseudo-admin? The logical and sensible approach is to create a normal user account (Restricted/Limited, not Power User) and use Run As… (to the extent it works).
Default account is a pseudo-admin, which is needed to create a standard user, and it even recommends to do that.
UAC is more powerful, more granular, than obsolete linux’s sudo!!!
UAC asks for a click if you’re an administrator user and asks for a password if you’re a standard user
The truth is that linux’s sudo is obsolete.
The truth is that you have not got a clue.
Indeed, you have no clue. I was never asked for a password, and did pretty much a default install, so I guess vista still makes the normal, first user administrator??? How silly and stupid. There SHOULD be no administrator account. Ubuntu doesn’t even HAVE or ALLOW a root user. Much more safe. To me, it’s pretty clear MS still hasn’t cleaned up their mess, and UAC is just a bad piece of bandaid.
> Oh, and btw, when you run Windows Vista, you’re not running in Administrator mode, hence the reason for UAC – it temporarily elevates privileges for that given application, it’s no different than the use of sudo/gksu in the *NIX world.
Have you ever used sudo/gksu? They require you to enter your password unless expressly configured to do so which is insecure. Does UAC ask you for a password? Not that I can tell.
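The ticket-versus-prompt-every-time argument a few posts up, and the “configured not to ask for a password” variant raised in this reply, map onto a handful of real sudoers directives. This is an added illustration, not configuration from any poster; the group and user names are placeholders.

```sudoers
# Added illustration, not from the thread. Group and user names are placeholders.

# Ticket-based elevation as described above: authenticate once, then reuse the
# ticket for this many minutes. 0 would prompt on every invocation (UAC-like);
# -1 never expires the ticket and should be avoided.
Defaults        timestamp_timeout=5

# Minutes an unanswered password prompt waits before giving up.
Defaults        passwd_timeout=1

# Log every elevation to its own file as well as syslog, so the "who elevated
# when" trail discussed elsewhere in the thread is available for review.
Defaults        logfile="/var/log/sudo.log"

# Members of the placeholder group may run any command, but must authenticate
# with their own password first (re-prompts governed by timestamp_timeout).
%adminusers     ALL=(ALL) ALL

# The weak variant referred to in this reply: no password at all. Any code running
# as this user, malware included, gets root without a prompt. Left commented out.
# alice         ALL=(ALL) NOPASSWD: ALL
```

Edit the file with visudo, which syntax-checks it before saving; a malformed sudoers can lock every administrator out.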
“Microsoft only provides it for backwards compatibility – I swear there is a legion of pea brain people like you out there claiming that Microsoft makes these decisions for shits and giggles.”
Remember that one time when Apple made a transition to a new platform and the developers came with them?
(Hint: they did it 3 times in just over a decade: 68k -> PowerPC, Mac OS 9 -> Mac OS X, PowerPC -> x86).
I’m not trying to spark a Mac v PC argument, I’m just suggesting that Microsoft’s strategy and your argument in favor of it are fundamentally flawed. Microsoft has way more clout with developers than Apple, it is their decision to continue to base things off the same/a similar kernel. If they wanted to they could completely rewrite the OS in about a 3 year period, provide an emulation layer in the initial release of said OS for its first release, and drop support at the second release. They would lose very few customers in the process, and a ninety some percent market share is unsustainable anyway. So they might as well give up a few customers now and have a solid base instead of waiting for legions to find something better.
so true. Windows is a couple decades behind in that they finally implemented running in user mode vs. admin.
On the network I control, 99.99% of the client workstations have users running at nothing more than Domain User and Local User on the machines. They can’t install anything unless it’s something I’ve defined in the GPO. The other 0.01% is my workstation.
I think there are a lot of Windows “administrators” that need to take a share of the blame.
that’s an office network i guess. UAC and its like is a creation for the home computer, where win9x was king, and everyone had admin rights.
UAC is Mandatory Access Control.
MacOS X 10.5 Leopard, FreeBSD, OpenBSD, Trusted Solaris, and Linux have MAC implementations that differ from UAC. There are likely other OSes with MAC security frameworks, but those are all that I can think of ATM.
However, just because MAC is supported doesn’t mean it’s used by default. Very few Linux OSes have support for MAC (let alone any other security measures) out of the box by default. This is why hardened distributions are a unique breed.
Edited 2007-04-28 01:28
> However, just because MAC is supported doesn’t mean it’s used by default. Very few Linux OSes have support for MAC (let alone any other security measures) out of the box by default. This is why hardened distributions are a unique breed.
This is why I think fedora is so great (even though I don’t use it) because it supports MAC out of the box along with SSP and other security protections.
> Very few Linux OSes have support for MAC (let alone any other security measures) out of the box by default.
SELinux is part of every linux kernel today although it’s not enabled by default.
> This is why hardened distributions are a unique breed.
They are a rare breed because the functionality is disproportional to the gained security. In other words, the more secure a system becomes the less functional it often is.
Edited 2007-04-28 06:25
and hey, don’t forget apparmor…..
(easier to set up compared to selinux btw)
> and hey, don’t forget apparmor…..
> (easier to set up compared to selinux btw)
GRSecurity and RSBAC should also be mentioned then.
While UAC is a good concept, the implementation/execution doesn’t fare too well…
Today, I have seen MS Vista in action for the first time. While it did look quite nice, the UAC kept harassing the user while installing programs or accessing folders on his computer. By harassing, I mean, the user had to click “Continue” twice for accessing a protected folder (once for “Access denied, do you want to continue?”, another time for “Do you want to authorize the app?”). Installing applications from network shares didn’t always work, probably because UAC kept getting in the way (and the installers weren’t the most recent).
While not perfect, caching supervisor privileges for a little while like Fedora and Ubuntu do seems a better approach to me.
That’s a security hole. Installers will get updated, so that hole won’t be necessary.
In one article they admit that UAC is a failure (relative to the bar they set themselves up against – especially considering this is Microsoft we’re talking about, “Quelle Surprise”) and in the next they say everyone should be doing this?
Left hand unaware of actions of right hand.
There’s talk of MAC and like, but that’s not really necessary for implementing something similar to UAC.
All UAC requires is that whenever an application needs to perform some security task, it asks the user first. You can also do this in an app on Linux by simply shelling out to sudo (or a wrapper like consolehelper). However, in order to be actually secure, you’d also need XACE running and the confirmation dialog would need access set such that only “secure” apps can access the dialog (otherwise, a virus could send events to the window to automatically click OK).
Sure, MAC is nice because it’s finer grained than just sudo, and UAC uses finer grained controls, but the core UI doesn’t need it. Linux distros have thus had the base UI for UAC for years and years, and only the lack of XACE support makes Windows (in theory) more secure with its UAC implementation.
Whatever, other operating systems don’t have to aspire towards it – they already have it!
I’ve been getting nice popups from KDE whenever it needs privileges to do something since I started using it – must be three years now? I’m sure it’s been in there much longer than that too.
Last time I used OSX it also provided a nice privilege escalation prompt when it needed it.
This is just typical Microsoft BS trying to cover up the fact that they’ve done it absolutely horribly. Hardly surprising though – the last time I had the joy of using Access 2003 I had to click my way through three totally obtuse popups just to open a database, all the while thinking “I bet UAC will be just like this…”.
They can say what they want about users blindly clicking through popups, but has there ever actually been anyone, anywhere who has gone to install/run some program or opened a file and got one of these type of popups and then changed their mind?
Lets play it your way and do a UAC for Linux, will that mean you’ll sue us, will we have to pay you for protection money like Novell?
Vista UAC has been out barely 4 months, hardly enough time to claim other OSes need to aspire to it.
yeah, especially since it does not work properly in the first place…
http://blogs.zdnet.com/security/?p=175
Xaero_Vincent wrote
> Very few Linux OSes have support for MAC (let alone any other security measures) out of the box by default. This is why hardened distributions are a unique breed.
The default Unix/Linux practice of having a separate root account for doing insecure stuff covers 99% of your security needs. Other than Windows pseudo-geeks, who actually uses advanced NTFS file permissions? Until Microsoft stops the default of running Windows as Administrator every new-fangled idea they conjure up to secure Windows will be a waste of time for the average joe who will always take the line of least resistance.
Microsoft has created a security monster and other software vendors have followed this scandalous practice. Many off-the-shelf Windows applications will not run well unless you are administrator.
This is my advice to Microsoft: Swallow your pride and copy Unix security standards from 1971 then use that as a foundation for any other advanced features.
“This is my advice to Microsoft: Swallow your pride and copy Unix security standards from 1971 then use that as a foundation for any other advanced features.”
If all it took was “swallowing pride”, they’d have done this already. They had their own unix implementation, after all, so it wouldn’t even be an issue of “swallowing pride”.
*nix nerds like to think that *nix is the be-all and end-all of security, and indeed OS architecture in general. Those that think that are unaware of unix’s history. It had a pretty shoddy security record during the 70’s and first half 80’s. The first worms were Unix worms. It wasn’t regarded as the state-of-the-art in security, but just barely adequate. It improved through trial-and-error and trial-by-fire, just as Microsoft’s systems have been doing since 1995.
Microsoft shouldn’t adopt unix’s system, as NT’s security system is already superior. The problem that Microsoft had to deal with is that DOS, Win3.x, and Win9x were single-user systems with no concept of accounts with different privileges, and programs written for those systems were designed to operate under that assumption. In order to provide a smooth transition from those systems to the NT-based systems, Microsoft made the default NT accounts admin, so that the Win9x programs would run with no problems. Maybe this was a poor decision, but it is orthogonal to whether they should’ve adopted Unix permissions over NT’s ACLs.
With Vista, the default accounts are not “admin”, per se (they are “admin” but run with limited permissions, unless OK’ed by UAC). So there’s no need to copy Unix let alone “swallow pride”.
Edited 2007-04-28 03:52
Microsoft shouldn’t adopt unix’s system, as NT’s security system is already superior
that line made me laugh so hard, I spilled my coffee. Thanks a lot Mollyc, I now have a nasty scald in a private place
And why was that? How come they built an OS in 1995 and 1998 and 2001 which still didn’t take ANY security into account, while in the FOSS and Unix world, security has been a problem since what, 1970? They are to blame, simple as that.
“This is my advice to Microsoft: Swallow your pride and copy Unix security standards from 1971 then use that as a foundation for any other advanced features. ”
How about they copy some Unix standards from 2001 and not 1971? Besides, Unix is far from perfect; it just has a more knowledgeable and savvy user base who practice defensive computer-use techniques.
And that’s the real problem. Most groups that keep rolling back to Microsoft products would rather move to the newest now and patch the problems later. IT should always be conservative with their data security. Yet the ones revolving around Windows tend to take the opposite approach. I cannot imagine the ramifications if stockholders actually knew what went on in the corporate world when it comes to their company’s internal network’s integrity and security.
it just has a more knowledgeable and savvy user base who practice defensive computer-use techniques
You mean users like my mother ?
People who have no concept about computer malware, never mind security ?
I installed Xubuntu 6.06 on her machine in September last year. She uses it like a normal user would; she clicks on everything, opens all attachments etc. No problems.
Malware is not always the fault of the user. If it was, her machine would be swamped.
He doesn’t have a clue. If it wasn’t for Linux/Unix’s many possibilities to lock the system down while remaining highly usable my family, relatives and friends would still be fighting regular Windows problems.
Now I just install everything they need and mount as many partitions as possible with “noexec,nosuid” and after reading this thread I will add “acl” in the future.
“/tmp” and “/var/tmp” are also on a tmpfs. Further locking down on Slackware is achieved in a BSD way by configuring “/etc/suauth” to only allow su to those who are in the “wheel” group, so a user or process that doesn’t need them can be prevented from ever gaining root privileges.
There you have it: a virtually unbreakable, uncrashable operating system on which the user can do anything he/she wants, even try to break it.
And they will not be prompted with useless UAC type popups. They can just be normal unknowing users just like Microsoft wants Windows to be to its users (but isn’t in practice).
And this is even without such things as SELinux, Grsecurity, RSBAC or Apparmor which will harden the system even more against remote, local and user exploits. And Solaris Trusted Extensions supposedly goes even further.
I tell my friends and relatives to try to break and crash it but so far none have managed to do so 🙂 The approach to security should really be to do all that you can to secure the system by default while being aware that it could always be improved.
When they come back to me after one or two years the only thing I do is install (actually untar a preconfigured image of) the newest version and then they can go happily compute again.
Microsoft knows Windows is insecure by default and instead of fixing all problems once and for all they invent kludges like UAC. They probably don’t have anything left to give the impression of improved security.
As butters said earlier in the thread, it is maybe not so much the insecurity of the NT kernel system but more the total lack of authentication in the Win32 layer, in which any user window can pass a message to another window regardless of privilege levels.
There might be a reason for UAC-like authentication, that resembles Solaris Trusted Extensions but that’s exactly the difference. In Solaris it’s optional for ultra-secure environments, in Windows Vista it’s been annoyingly enabled by default for everyone.
Life is so easy with Linux and Unix compared to Windows, they don’t compare at all 🙂
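The "noexec,nosuid" mount practice described in the post above, turned into a check. This is an added example, not the poster's own setup and not from the thread: a small POSIX shell audit that reads /proc/mounts-style lines and reports filesystems at user-writable locations that lack noexec, nosuid or nodev. The list of which mount points count as user-writable, and the sample mount lines, are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Audits mount options of user-writable
# filesystems: reads /proc/mounts-style lines on stdin and prints one line per
# filesystem that lacks any of noexec, nosuid or nodev.
# Which paths count as user-writable is an assumption; adjust to your layout.
# Note: /proc/mounts escapes spaces in paths as \040, so "read" is field-safe.

audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        # Only look at places an unprivileged user can drop files.
        case "$mnt" in
            /home|/home/*|/tmp|/tmp/*|/var/tmp|/var/tmp/*|/media|/media/*|/mnt|/mnt/*) ;;
            *) continue ;;
        esac
        missing=""
        for want in noexec nosuid nodev; do
            # Wrap in commas so "nosuid" cannot match inside a longer option.
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s (%s): missing %s\n' "$mnt" "$fstype" "$missing"
        fi
    done
}

# Constructed sample resembling /proc/mounts; root is deliberately left exec.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb vfat rw,relatime 0 0'

# Run against the sample; on a live system use: audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

On a live system feed it /proc/mounts; the persistent equivalent of each finding is the options field of the matching /etc/fstab line. Note that noexec only blocks direct execution of files on that filesystem, not interpreters reading them as scripts, so it is a layer, not a complete control.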
Microsoft cannot lecture anyone on security until they change their track record on security. Even the six year old XP system has suffered mayhem in the last few years. I realize Vista is supposed to be latest and greatest in security according to Microsoft, but they will have to earn the trust of customers, and they will not do that overnight. I find it appalling that they would attempt to tell other OS’es how to be secure.
Look at Windows 2003 and IIS6. Apparently they have done a much better job and *have* changed their track record. Microsoft has learned a lot, the harder way, so they do indeed have things to teach the industry at large.
Here is a revelation to many: Put a few hundred million people in front of computers and a whole lot of them will do really dumb things. Part of the security problem out there is not just MS’s fault, but ignorant (not necessarily dumb) users who’ll run that iloveyou.exe file. UAC helps mitigate this and so does Vista in warning users that bad things can happen when running unknown/untrusted executables.
The reason unix security works as it does has a lot to do with the fact that it requires much more computer smarts to use and therefore the root user is far more likely to know smart computer use practices. True though, the software for *nix was written knowing better system level access from the start.
The UAC prompts will diminish as 3rd parties catch up with the new model, imo.
Edited 2007-04-28 03:05
people who do really dumb stuff while sitting in front of a computer are better off with linux. if they use a polished linux-distro *now*, they can do everything they need for their digital life, without having to think about iloveyou.exe, don’t need to think about trusted or untrusted software. the software is organized in repositories, even digitally signed.
the whole thing about uac is, that it annoys you like hell, but in the end it lets you do every stupid thing you want. this is not security, this is idiotic.
and btw, *who* judges which executable is untrusted and which trusted?
in the windows world you get your software from all kinds of different channels and directions, how would someone (who does dumb things) know which exe is trusted and which not?
“and btw, *who* judges which executable is untrusted and which trusted?”
Our overlords at MS, of course.
That is a no brainer statement. Of course all os’s should use UAC – that way they all suck just as much as Vista.
I can’t believe how many MS fanboys are on this forum. The UAC on Vista is annoying and pesters you for far too many operations that seem unnecessary. I was using a Vista system and it wanted me to confirm copying a file from a network drive. Gotta love it.
>I can’t believe how many MS fanboys are on this forum
Webmasters: care to share some browser and OS statistics about the readers of OSNews?
Edited 2007-04-28 05:29
They would probably not be too accurate.
I use Linux at home to look at this site, and windows at work. It is possible that nearly everyone else here does too.
UAC needs some serious tweaking, but I would much rather have an os that asks too much than an os that asks not enough. Unlike what has been stated here, it doesn’t ask if you want to change the theme, only if you are accessing files or areas of the system where you don’t have the necessary permissions.
What it does is fantastic, the system itself is much better designed than any linux distro I have ever used. Where it falls on its ass is that it bothers you way too much, between not allowing any way to install user specific applications, and having legacy apps requiring admin privileges to run, it seems like UAC is constantly at your shoulder (like in that apple ad).
IMHO, OSX is the only desktop OS that handles security properly. It is by far the closest to that sweet spot of doing its job, and staying out of your face. Vista security is a massive step in the right direction for ms, where the work needs to go now is allowing for a more pleasant experience for non privileged users, or the first thing joe average will do on install is turn off the very feature XP got trashed for the most for not having.
“Where did Microsoft guarantee that Visual studio 2005 would work on Windows Vista flawlessly?”
That is exactly the problem!!! Vista was well into beta at that point; the security model should have been nailed down as an advancement of what they already had. This is typical of such a big company that they won’t do more than the minimum to make the product “just work” rather than rewriting what they need to be in compliance… and now the next version is out and it doesn’t quite work because they didn’t do it 100% in the first place. Multiply that by the thousand other companies that don’t have the knowledge of the secret bits that the MS programmers do.. that’s the recipe for disaster.
If you develop software and it turns out that by most of your clients it’s being “misunderstood” then you did something wrong, easy as that.
I don’t think they need to fight on that (well, their PR could but not the tech guys), better try to realize the problem and do it somehow else next time.
Yes, you read it right. People simply turn it [UAC] off. Yes. I’ve already had a bunch of people tell me that they’ve turned it off because it was annoying. And it is. It’s not user friendly, having to have a person/user click twice…not good imho.
As one of the earlier posters said, it’s better to give users too little permissions, than too much and then try and take them away. He’s absolutely dead right imho. Your average Windows user doesn’t want to have security…they simply don’t care.
Dave
Sometimes I really wonder why Microsoft is called a Software company.
With all those stand-up comedians employed at management positions they’d make a good entertainment company.
I bet they could successfully broadcast a weekly “Microsoft Night Life” comedy feature.
using UAC in every os also serves other purposes.
the problem of overpopulation for example.
‘you clicked the open button. are you sure you want to open that file?’
‘you clicked the ok button. are you sure you want to click ok?’
BANG!
the whole world using a system like this, overpopulation is not a problem anymore.
sorry, couldn’t resist
I’ve seen a lot of “highly technical” pro Microsoft talk here, but until you can answer this question with either technical(better be a good one) or security reason, UAC is just another piece of Microsoft trash for me:
Why can’t I just rename my desktop icons in Vista without confirming?
Since 2000/xp we have Desktop per user. I’m changing a file on my home. Why the hell should I confirm?
Edited 2007-04-28 09:04
Are you sure you want to do that Dave?
Dave, stop please.
Dave, what are you doing ?
I do not think you should do that Dave.
HAL 9000 or Vista UAC?
You decide.
YOU SHOULD LEARN THE DIFFERENCES BETWEEN **YOUR FILES*** AND ***ALL USERS FILES***.
UAC doesn’t prompt for your files!!!!
You should learn the concept of ANYTHING ON MY #%&*&^$$%^& DESKTOP IS MINE!
Even if it is a link to a system level resource, the link is MINE.
This whole issue with UAC is that it is still making up for horrible design choices. There is nothing to discuss. It’s a partial fix to a partial problem to a partially useable OS.
“You should learn the concept of ANYTHING ON MY #%&*&^$$%^& DESKTOP IS MINE! “
Why are you getting so upset?
The initiator of this sub-thread asked for a reason why renaming a desktop icon might cause a UAC prompt. The reason was given, which was that certain of the desktop prompts you see are in the “All Users” desktop, meaning that all users see those icons on their desktops. So renaming or deleting such an icon, affects *all* users, not just you. You’re basically doing an operation outside of your own user profile. UAC prompts do not occur when manipulating desktop icons that aren’t shared with other users.
If there is enough outcry regarding this, it’ll be tweaked in SP1. No biggie.
Yup, it’s a BAD technical reason. So as I said, UAC is not a good implementation for me, not until Microsoft get their act together (see Linux for how the desktop should be).
There’s no reason why files on user desktops should be shared. Installers should put a copy on each if the program is installed with administrator privileges, not some kind of “shared icon” which btw caused me problems in XP as well (I deleted an icon on my desktop and my mom’s got deleted too. That’s just a stupid layout system).
Your complaint is how system-wide programs are installed, not with UAC.
“There’s no reason why files on user desktops should be shared.”
Yes there is. I’ve placed files in the “All Users” desktop myself so that other members of my family can see it easily (without having to explicitly dig into the “Shared Documents” folder). Why should I make a copy for each desktop and then have to change each one whenever I update the file? And yes, for such files, I *do* want the user warned if he decides to delete it.
And save the “See Linux for how the desktop should be” line. The “Linux is the epitome of OS design and anything that differs is therefore wrong by definition” line is so played out.
Yes there is. I’ve placed files in the “All Users” desktop myself so that other members of my family can see it easily (without having to explicitly dig into the “Shared Documents” folder). Why should I make a copy for each desktop and then have to change each one whenever I update the file? And yes, for such files, I *do* want the user warned if he decides to delete it.
This can be solved in a much more elegant way with hardlinks.
Not exactly. If you uninstall a program under the current model, you remove it from the “All Users” desktop. If you make a hardlink there, then you have to go hunting for all hardlinks in order to remove a program. This can fail in so many ways, depending on how your permissions are set (say, for instance, one user decides to use personal directory encryption on their desktop… you’re screwed then).
There’s obviously a design rationale for having an “All Users” desktop. Now, if you want to get rid of or rename an icon there, you do it once and face a UAC prompt. If you’re renaming the file every few minutes, then you seriously need to find better things to do with your computer.
If you make a hardlink there, then you have to go hunting for all hardlinks in order to remove a program. This can fail in so many ways, depending on how your permissions are set (say, for instance, one user decides to use personal directory encryption on their desktop… you’re screwed then).
Then don’t hardlink to programs. Use symlinks for that. I really don’t see the need for an All users directory.
FALSE
FALSE
Very informative. Can you now give actual reasoning?
an administrator is able to control what icons, programs, files and links all users have on their desktop and this is done using “all users” files.
This is also true in Linux with UGO permissions (User Group Other).
Edited 2007-04-29 08:00
This is also true in Linux with UGO permissions (User Group Other).
From this sentence it is clear that you have never actually used a linux machine.
I was not getting upset. I was replying in the fashion that casuto used.
However, I still think the whole issue is really silly. Nothing on my desktop should affect the system or the other users. Period.
As to other commenters saying that it is a good thing to be able to have one thing install on everyone’s desktop. Yes, that is handy. However, there is no reason that user x cannot delete that icon or rename it without admin rights. Maybe that user never uses whatever it links to.
The desktop is just the desktop, a picture of what resources you can use. The system owns the resource, the user should own links to the resource.
I’m a teacher and I want my students not to delete icons, links, files I prepared for them. And so “all users” files on the desktop accomplish this.
Edited 2007-04-29 08:07
NO.
On your desktop you can have *your files* but also *all users files* created by an administrator.
You can’t delete files if you don’t have the permissions. This is true in Linux (UGO user group others) and in Mac OS X.
And you should learn the difference between writing polite and WRITING IN CAPS!!!!
Mac is a broken design that hides what a proper form of Mandatory Access Control (MAC) would do without the annoying popups.
Linux has MAC ala SELinux, Solaris has it via Trusted Extensions, and other platforms have it like SEDarwin.
All Linux distributions don’t have Mandatory Access Control.
Ubuntu 7.x doesn’t have Mandatory Access Control
Windows Vista has Mandatory Access Control enabled by default.
The truth is that linux still has an obsolete security model and linux fanboys are trolling on every Windows Vista news item.
UAC implemented in Windows Vista is the best.
Edited 2007-04-29 08:21
Ubuntu != All Linux.
Quit trolling, windows has 0 form of mandatory access control. Windows Vista has Mandatory Integrity Control, not Mandatory Access Control, they are *not* even close to the same.
I can’t come up with anything more intelligent to say than “bone headed”. This is such a mind numbingly dumb thing to say I cannot rightly comprehend the confusion of ideas that produced it.
I have seen this in action. You get bugged with dialog windows asking you to enter your admin password. This lessens the user’s awareness of how important the admin password is, and makes him type the password into dialog windows opened by malicious programs.
The exact same can be seen in Ubuntu BTW (and I guess other Linuxes); on OSX these windows do appear but more seldom. They are a typical non-solution that is completely unaware of the behaviour of our all-time favourite “Joe Average”, and so far I haven’t seen a good real solution.
OSX comes close by only popping these dialogs up in really important situations (OS update), which is simply due to the fact that installation of applications or changing system preferences doesn’t need the admin password. This opens up the danger of somebody fiddling around with your system, but this still needs physical access to the machine (in which case you’re pwned anyway).
I’m glad they like UAC so much, but they can keep it.
Yeah, the idea of having underprivileged user accounts and asking them for their password whenever they need to perform an administrative task is an amazing Vista innovation… that has been part of almost every other desktop OS before vista came out.
The end user.
Most end users just click on yes whenever a dialogue box comes up. God forbid that they would actually read what was on screen. Of course that implies they can read.
All of the schemes for security that are dependent on the end user are useless.
I fart in your general direction.
No, UAC is not MAC:
http://en.wikipedia.org/wiki/Mandatory_access_control
And for all the Windows fanboys out there: sudo is not the same as UAC.
UAC prompts for administrator rights using a administrator account while sudo prompts for YOUR password. It is _NOT_ the same.
No, UAC is not MAC:
We all know what UAC is- User Annoyance Control…
How exactly is it not the same? They both elevate you temporarily to a higher status. The only difference is, sudo asks for a password, windows doesn’t.
Prompting for a password is a purely cosmetic difference. I’d be willing to bet MS could have easily forced you to enter the admin password on every prompt, but thought better of it [it would be a bit much (as it is in Linux) considering how often this comes up].
Other than that minor detail, no matter what is going on in the background (whether you are just confirming an action, or are actually being elevated in status), the end result is the same. If you click no in windows, nothing happens.. If you click cancel, ctrl-c, wrong password in linux, nothing happens.. If you click yes, it happens in windows. If, in Linux, you enter your password and continue, you’re elevated temporarily, it does its thing, and you’re demoted again.. Either way the start condition is the same, and the end condition and visible behavior are the same.
Edited 2007-04-29 09:05
I knew Sudo, Sudo was a friend of mine, and UAC, you are no Sudo.
Sudo asks for a PASSWORD.
UAC lets me click a BUTTON.
My co-worker walks away from his computer for 5 minutes.
I can:
1) Jump on, goto a “Bad” URL
2) Download a bad app
3) UAC asks me to press a BUTTON: I WIN!
Microsoft, learn SUDO.
What is the threat model here? You leave your machine and I get on it and install a keylogger running as YOU. I don’t need to sudo or anything to do this. I’ll get the password in a few days.. or next time you do something elevated and you’ll be none the wiser.
I think the UAC security complaints by most people are idiotic and DO reflect a misunderstanding. Too many people like you don’t understand the threats and therefore barely understand the tools you use. If you don’t properly understand the threats, then you get idiotic security that is annoying without protecting you (cf. airport security in the US) or a false sense of security because you don’t understand how your tools can be broken. I’m glad people like you merely USE Linux security and don’t participate in the design of it. Hint: under the threat that UAC is designed to prevent, a password only buys you inconvenience, not security.
UAC does require a password for non-admin accounts, and can be set to require a password for admin accounts as well. This can be done via group-policy, which would eliminate your “co-worker” scenario.
ACL’s are better than SUDO: True.
I’m still waiting to see a Windows Server with 1 ACL used.
What you can do on a Windows machine,
and what is done, “In the Field” are Far Different Worlds.
And, you Microsoft FanBoys Know It.
Unix Default Permissions Model is VASTLY SUPERIOR to Windows Default Permissions Model.
Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers).
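The quoted man page text is the point behind the sudo-versus-UAC argument above: after one successful password, sudo keeps working without one for a window that sudoers controls. As an added example, not part of the thread, here is a small shell/awk check that reports the effective credential-caching window a sudoers file grants, so an administrator can see at a glance whether the "sudo asks for a password" property actually holds on a box. The sudoers fragment is constructed; the per-user and per-host "Defaults:" scoping forms are ignored, which is a simplification.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the credential-caching window a
# sudoers file grants: sudo's default is 5 minutes (the quoted man page text);
# "Defaults timestamp_timeout=0" forces a password on every sudo call, while a
# negative value caches indefinitely. Reads sudoers text on stdin, prints minutes.
# Simplification (assumption): per-user/host "Defaults:" scoping is ignored,
# and the last timestamp_timeout seen wins, as it does for plain Defaults lines.

sudo_timeout() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*Defaults/ {
            # Several options may share one Defaults line, comma separated.
            n = split($0, parts, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", parts[i])
                    val = parts[i]
                }
        }
        END { if (val == "") print "5"; else print val }'
}

# Constructed sudoers fragment carrying the hardened setting.
SAMPLE_SUDOERS='# constructed example, not a real sudoers file
Defaults        env_reset, mail_badpass
Defaults        timestamp_timeout=0
%wheel ALL=(ALL:ALL) ALL'

# On a live system: sudo cat /etc/sudoers | sudo_timeout
printf '%s\n' "$SAMPLE_SUDOERS" | sudo_timeout     # prints 0
```

Edit the file with visudo rather than directly, since a syntax error locks everyone out of sudo. A user who wants to drop an already-cached timestamp without waiting for it to expire can run `sudo -k`.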
Though I think a better approach would have been for Microsoft to start hammering on their ISVs, and even some of their internal application groups, to start coding with a least-privilege mindset — WHEN NT WAS RELEASED. Now they are basically passing the burden on to the user, and in their typical “Bill knows better than you” fashion, have tried to dumb it down so much that it becomes annoying for those with enough brain cells for a menage-a-trois.
Being a *nixhead, I tried for awhile to run as a normal user on XP SP2. But I constantly needed access to my wireless configuration to kick it in the butt to get it to connect, and since it ran as a tray app from a service under the LocalSystem account, none of the sudo-like utilities I found for Windows would let me at it. Of course this could be blamed on Windows’ crappy wireless implementation. I’d even accept that it was the third-party driver, except that I tried 3 different ones. I finally gave up.
On the other hand, our relatively static desktops at work, we run as normal users generally without problems.
I’d agree that minimally-obtrusive least-privilege is something all OSes should aspire to. I’m not so sure that UAC fully fits that description. But this is not the primary reason I have yet to install my free upgrade of Vista. I just can’t bring myself to use an OS that requires 1GB of RAM. Jeez…
While we are at it let’s all go back to driving a Ford Pinto and using DOS.
Seriously. The UNIX family of operating systems, read Solaris, the BSDs, OS X and the Linux distributions are more secure than any Winderz NT version.
If McSoft had gone ahead and chosen to do what Apple had done and completely design a new operating system then they may have garnered respect. Most businesses simply wish to be able to do their work, store it, retrieve it and have it protected.
“While we are at it let’s all go back to driving a Ford Pinto and using DOS.”
DOS does not seem so bad when compared to Vista.
*rtflmao*
oh they are serious
Sounds like typical Microsoft. Company A invents a great technology. Company B adopts it too.
Microsoft adopts it and changes 3 things to work better with its own OS.
Microsoft says it invented it and asks why everyone else isn’t using it (even though they are).
“Sounds like typical Microsoft. Company A invents a great technology. Company B adopts it too. Microsoft adopts it and changes 3 things to work better with its own OS. ….”
Active Directory – ahem – LDAP + McSoft broken additions.
In one article we see MS telling us that Malware etc will continue to thrive despite UAC, then in another they are telling us that everyone should adopt it. Ummm, am I missing something here?
UAC is a good thing for Windows. It does need some tweaking but it is way more beneficial than past Windows’ lax security model.
Those who think we should all run Admin level and to hell with it, thanks for the attitude that has allowed spam to flourish. As for slack ass app writers who can’t deal with restricted user accounts, piss off and leave coding to people who can. We don’t need your shite here.
Would like to have the option to allow unsigned drivers on a per-driver basis as atm I have yet to get a signed driver for my JMicron SATA controller and I hate having to start up and use F8 to enable me to use the unsigned driver. I don’t want any other driver to be unsigned but just that one so having a control list that would allow the choice would be nice.
microsoft was so close to a proper solution :
http://www.microsoft.com/resources/documentation/windows/xp/all/pro…
“Watson conceded that ‘the problem you can never get around is if the user is just going to sit there and blindly hit the enter key’ when UAC message dialogs pop up on screen.”
and yet that sounds all too familiar.
as much as i hate to say it but hey at least they’re trying to help the common Joe. people have a tendency to just click the default response without even reading what the question is. I’ve worked tech support for 8 years and i know that for a fact.
It’s sad to finally see Microsoft trying to do this after all these years. This is the UNIX structure of having a root account and a regular user account.
UNIX protects its system files by having users log in as users so they cant harm the system. The name of the game is “imitation” …
and on a side note have you all noticed how there’s no “Documents and Settings” now? it’s C:\Users?? again. that reminds me of our beloved UNIX.
take it away joe!