For Windows 7, Microsoft has made some changes to User Account Control to counter the criticism that UAC was too intrusive. It didn’t take long before several holes were poked in Windows 7’s default UAC settings, and now one is left to wonder: is it wise to sacrifice security for (perceived?) usability? Ars has an editorial that deals with this question.
First, we need to explain – once again – what UAC is supposed to do. For this, we need to delve into what Windows NT can actually do. Contrary to popular belief, Windows NT is a very well-designed and advanced operating system that introduced all sorts of features back in the early ’90s that other operating systems wouldn’t get 10-15 years later. Windows NT has a security model that was at least as advanced as – but probably more advanced than – what UNIX/Linux have to offer.
Instead of capitalising on the advanced security systems Windows NT had to offer, Microsoft neglected them. It made a monumental error in judgement by assuming that every user should run as “administrator” (root), an assessment probably coming from the pre-internet revolution days. No matter the reasoning, it paved the way for application developers to assume that every user ran with administrative privileges, and developers would design their applications with that in mind. Microsoft happily joined in on that idea, and never really looked after those precious few who were struggling to run Windows NT as a standard user.
Then, the internet happened. Then, to make matters worse, people started buying multiple computers. Suddenly, the entire world’s supply of active computers was networked together, with practically every Windows user having full access to every part of the machine. Combine this with several high-profile security holes, and you’ve got yourself one hell of a problem. A problem that needed solving.
As a sidenote, I have deep admiration for Windows NT. Every time, I’m amazed by the attention to detail, the forward thinking, and the clever ideas Dave Cutler and his team implemented in Windows NT almost 20 years ago to ensure its portability, scalability, expandability, and security. Windows NT foresaw and offered solutions for problems that wouldn’t arise until more than a decade later. This is why I can get rather annoyed when people say that Windows NT needs to be rewritten, or that Microsoft needs to start from scratch – Microsoft seriously messed up the userland of Windows, but Windows NT itself is a very capable, advanced, stable, secure, and portable piece of work, that can easily serve Microsoft for another decade.
Back to the matter at hand – Microsoft needed a solution. It took them far too long to realise they had messed up, but with Vista, they sought to lay down the gauntlet and enforce a much stricter administrator/standard user divide, not only forcing ordinary users to get used to this wondrous idea of security, but also forcing application developers to get their act together and start writing software with limited user accounts in mind.
The solution was User Account Control. Even though the first user created on a Windows Vista system is still a member of the Administrators group, this user’s privileges are severely limited due to the fact he or she receives not one, but two tokens. They share the first token with a normal, non-admin user: it contains all the basic privileges. The second token contains elevated privileges. This user’s applications are started with the first, restricted token, while applications that are granted admin rights (clicking “yes” in the UAC dialog) will be started using the second, unrestricted token. Kenny Kerr explains it better than I do, by the way. In any case, the result of this is that even though the user’s an administrator, he or she still can’t really mess up the system without UAC knowing about it.
Personally, I believe Microsoft didn’t go far enough with UAC in Windows Vista. They conceded to backwards compatibility by implementing the token stuff, which allowed the first user to still be in the administrator group, so it wouldn’t break all those applications that make that assumption. I would’ve preferred a proper implementation: every user is a normal user, and there’s a special administrator account (accessible through elevation) for tasks that require it. That is proper security, and makes the best of all the fancy Windows NT security features.
The rest of the world disagreed with me (surprise). I don’t think I have ever seen as many people whining about any feature in Windows as much as they did (and do) about UAC. This hatred was directed at Microsoft, but for all the wrong reasons: yes, hatred should go Microsoft’s way, but not because of UAC – the hatred should go their way because of their wrong assumption that every user should be administrator. There’s also a lot of misunderstanding about how UAC works and what it is supposed to do that only fuelled the whining.
So, for Windows 7, Microsoft had to make a decision: do we stick to our guns, or do we concede to the public? They decided to go with the latter, and loosened UAC. They came up with this wonderful idea that UAC was not a security boundary, which suddenly allowed them to fall back on their previous behaviour of making the wrong assumptions about security. Users rejoiced because of the promise of less prompts, but those precious few in this world who know a little more about Windows NT got worried. Was Microsoft again making all the wrong assumptions?
Turns out they were. Several easy holes have already been shot in the new default UAC setting of Windows 7, raising the question whether or not Microsoft has gotten a little too confident about security. Yes, Windows Vista has proven to be pretty secure, but that’s no reason to loosen the leash. Just because you’ve been accident-free for 30 years, doesn’t mean you should suddenly stop wearing your seatbelt.
Just like Peter Bright over at Ars, I’m very worried about the direction Microsoft is taking with UAC in Windows 7. For what it’s worth, I strongly urge Microsoft to make the Vista-UAC the default one in Windows 7, as that not only solves the currently-found holes in Windows 7’s UAC, it also provides for a much more secure operating system. In the meantime, I urge everyone who is currently running the beta to move the UAC slider all the way up to where it belongs.
Sure, security is annoying. I hate locking my doors every time as well, but that’s no reason not to do it.