Security in Windows 7, User Account Control (UAC) and You
November 21, 2008 by Palangkaraya Post
Some people just love Vista; others hate it with a passion. Most of the haters fall into two main groups. The first group upgraded to Vista from XP, possibly without running the Windows Vista Upgrade Advisor to make sure their hardware and software would be compatible. They spent hours trying to get printers to print, accounts receivable programs to account, fax modems to fax, and so on, and they heartily blame Vista for their woes. Many of those in the second group think Vista is the cat’s pajamas…except for those blasted User Account Control pop-ups.
The Problem
Vista was designed to be significantly more secure than XP, and UAC is a cornerstone of its security scheme. The point of UAC is to make sure no system-level changes occur without your knowledge and without an Administrator’s permission. Even if you’re an Administrator user, all of your day-to-day activity happens at the low-privilege Standard level. Before a nasty virus (or a useful application) can do something scary, like write to the Windows folder, it has to get permission.
UAC pop-ups in Vista can be especially shocking because of what’s called “secure desktop mode.” The screen blanks out briefly, then everything except the UAC pop-up goes dim. Vista’s UAC holds all your other interactions hostage until you respond to the pop-up. The purpose of this measure is to prevent sneaky programs from spoofing or manipulating the UAC prompt, but it’s jarring and unpleasant.
Less frightening but equally annoying is the “I just TOLD you!” scenario. You launch a program and UAC immediately asks if you want to run this program. D’oh! Of course you do! Users can really get steamed about this, even Administrator users who merely have to click Yes. Imagine the frustration of a Standard user who must type an Administrator password or (more likely) go track down a supervisor who’s available to enter the password. One time in a thousand this precaution might prevent a malicious program from launching, assuming (and it’s a big assumption) that the user was alert enough to say No. The other 999 times it’s just a pain.
In the Engineering Windows 7 blog, Microsoft’s engineers do indeed trot out the notion that requiring a UAC confirmation for every sensitive action “forces malware or poorly written software to show itself and get your approval before it can potentially harm the system.” That same rationale gave us old-style (and now obsolete) personal firewalls that deluged us with incomprehensible pop-up queries; ugh! Indeed, Microsoft’s designers admit that UAC can’t really keep out malware, because users don’t know enough to respond to its prompts correctly. Joe User can’t distinguish a scary UAC prompt about a perfectly valid program from a scary UAC prompt about a malware attack. Most users just click Yes, and allow the program to do what it was going to anyhow. Microsoft’s own figures show that users click Yes about 90 percent of the time.
Big Ideas
The User Account Control entry in that Engineering Windows 7 blog I mentioned is substantial. The engineers spend a fair amount of time congratulating themselves over the fact that UAC has made program developers leery of techniques that unnecessarily require Administrator privilege. (Thanks, guys, but couldn’t you have found a way to whip developers into line without torturing users?) Eventually, though, they fess up to UAC’s problems. For example, their research shows that Windows itself accounts for about 40 percent of all UAC prompts. That’s right: A Windows component tries to do something important, then UAC stops it until you give the okay. They say we “can expect fewer prompts from Windows components” in Windows 7. That’s a worthwhile aim; I hope they stick to it. The blog lists several other admirable goals for UAC in Windows 7. The designers hope to:
* Reduce unnecessary and redundant UAC queries
* Make customers confident that they’re in control
* Make UAC prompts more informative
* Offer better and more obvious control over UAC
My earlier experiences in the previous part of this series suggested that they’re not very close to realizing these goals, so I decided to dig deeper.
The Solution?
In Part 1, I reported a plethora of pop-ups from UAC at its default setting. They seemed little different from UAC prompts in Vista, except for being more verbose. Where Vista says “Windows needs your permission to continue” Windows 7 may say, “Do you want to allow the following program to make changes to this computer?” I don’t see how this makes a difference to the average user, but Microsoft claims its focus groups show better understanding. Oh, there is one other difference: The prompts I encountered didn’t force secure desktop mode. That is, they didn’t dim the screen and put all other activity on hold. That made them less shocking, but no less annoying.
Some Vista users get so irked that they just turn off UAC, but then they lose any security benefits. Windows 7 offers a milder alternative. By tweaking a simple slider, users can select one of four different notification levels. Counting down from the most restrictive to the least, they are:
* Level 4. Notify when programs install software, make changes, or change Windows settings. Notify when the user changes Windows settings. Wait for a response.
* Level 3. Notify when programs install software, make changes, or change Windows settings. Notify when the user changes Windows settings. Do not wait for a response.
* Level 2. Notify when programs install software, make changes, or change Windows settings. Do not notify when the user changes Windows settings. Do not wait for a response.
* Level 1. Do not notify at all.
I interpreted this to mean that I would have to answer the standard pop-up query only if UAC was set to Level 4. Based on my experience in setting up Windows 7, I assumed Level 4 was the default setting. Further, I thought that at the lowest level I’d still have UAC protection, but without pop-ups. In between, I thought I’d get simple notifications with no response required. That sounded pretty good! Too bad I was absolutely wrong in every part of my interpretation.
When the designers say “notify,” they’re talking about the standard UAC pop-up query. That’s weasel wording. It’s not a notification, it’s a request for confirmation. To me, a notification is a discreet message that appears and disappears on its own—like the new-mail notifications that you get in the lower right-hand corner of your screen for Outlook 2007. When the designers say “wait for a response,” they mean that the OS goes into secure desktop mode, halting all other interaction until you answer the pop-up.
The annoying level of UAC control that I experienced during setup was not, in fact, what I took to be the most restrictive, Level 4. It was Level 2! That’s the lowest level that includes notifications. At a higher level, you get even more pop-ups. For example, if you’re running at Level 3 and downshift to Level 2, you’ll get a UAC prompt asking whether to allow the change. This is progress?
As for getting protection without pop-ups at Level 1, nope, I was wrong-headed there too. If you choose Level 1, you’re asking to turn off UAC. Windows 7 reports that a reboot will be needed and chides “Your computer is safest with User Account Control turned on.”
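For readers who want to check what a machine is actually set to rather than trust the slider's wording, here is a read-only PowerShell audit, added as an example and not taken from the article or from Microsoft. It assumes the UAC policy value names documented for released Windows versions (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) and reports them in the article's terms; the function name, output property names and the correspondence to the pre-beta levels are assumptions.

```powershell
# Added example (not from the article or from Microsoft).
# Value names are the UAC policy settings documented for released Windows;
# applying them to the pre-beta build reviewed here is an assumption.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSummary {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    if ($EnableLUA -eq 0) {
        # The article's Level 1: UAC itself is off, not merely silent.
        return New-Object PSObject -Property @{
            UacEnabled = $false; NotifyOnProgramChanges = $false
            NotifyOnUserChanges = $false; WaitsOnSecureDesktop = $false
        }
    }
    # 0 = elevate without prompting; 1-4 = prompt on every elevation;
    # 5 = prompt only for non-Windows binaries.
    $programs    = $ConsentPromptBehaviorAdmin -ne 0
    $userChanges = (1, 2, 3, 4) -contains $ConsentPromptBehaviorAdmin
    # Values 1 and 2 ask for the secure desktop themselves;
    # PromptOnSecureDesktop = 1 forces it for every prompt.
    $secure = $programs -and (($PromptOnSecureDesktop -eq 1) -or
              ((1, 2) -contains $ConsentPromptBehaviorAdmin))
    New-Object PSObject -Property @{
        UacEnabled             = $true
        NotifyOnProgramChanges = $programs      # "notify" = the pop-up query
        NotifyOnUserChanges    = $userChanges
        WaitsOnSecureDesktop   = $secure        # "wait for a response"
    }
}

# Constructed sample inputs, one per case the article describes.
Get-UacSummary -EnableLUA 1 -ConsentPromptBehaviorAdmin 2 -PromptOnSecureDesktop 1
Get-UacSummary -EnableLUA 1 -ConsentPromptBehaviorAdmin 5 -PromptOnSecureDesktop 0
Get-UacSummary -EnableLUA 0 -ConsentPromptBehaviorAdmin 5 -PromptOnSecureDesktop 0

# Audit the local machine (read-only). A value missing from the key is
# converted to 0 by the [int] parameters, so confirm it exists before
# trusting a "disabled" result.
$p = Get-ItemProperty -Path $PolicyKey
Get-UacSummary -EnableLUA $p.EnableLUA `
    -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
    -PromptOnSecureDesktop $p.PromptOnSecureDesktop
```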
My UAC Wish List
The UAC may have security benefits, but its current implementation is a huge annoyance. And, like a chatty old-style firewall that bombards the user with incomprehensible queries, it’s putting responsibility for security in the wrong place. It really protects against malware only if the user is expert enough to determine when to click Yes and when to click No. Like the boy who cried “Wolf!” the UAC teaches users to ignore its warnings.
This is an early pre-beta, of course. The Windows 7 engineers talk about making UAC less annoying, and there’s plenty of time for them to work on that. My advice? Never ask users whether they want to do something they’ve just asked to do. That only makes them mad! Never ask whether to allow elevated privilege to a known, valid program—certainly never ask when it’s a Windows component. And if it’s not a known program, examine all of its behaviors, not just the fact that it needs Administrator privilege. Then make a considered analysis of the program and allow or block it. Don’t foist that responsibility off on the user. Now that would be a classy version of UAC.
The UAC still needs work, obviously. The much-maligned Windows Firewall, on the other hand, is already showing off some new tricks. And there’s a tantalizing suggestion of a major enhancement yet to come. Stay tuned for Part 3 of this series on security in Windows 7 to get my detailed look at the Windows Firewall.
Source: PCMAG, Neil J. Rubenking

