After watching months of favorable UAC press, I couldn't resist commenting on the recent negative press that's been swirling around UAC.
Just so everyone knows, I am an expert on UAC. I worked as a Program Manager on the UAC during Windows Vista and spent almost 6 years on the Windows Security team.
Here's a video of one of my talks about UAC: http://www.microsoft.com/emea/msdnshowtime/sessionh.aspx?videoid=326
Here's one of my articles: Least Privilege: Teach Your Apps To Play Nicely With Windows Vista User Account Control
You'll notice they're both focused on helping ISVs write better code for the Standard User.
So, what happened to UAC in the last couple weeks? Well, according to eWeek:
"The issue relating to UAC was publicized by Windows bloggers Rafael Rivera and Long Zheng. During the week of Feb. 2, Zheng and Rivera have posted proof-of-concept code that circumvents UAC in the Windows 7 beta and allows hackers to use preapproved Microsoft applications to fool Windows 7 into granting malicious code full access rights."
Hmm... herein lies the biggest problem with UAC - Microsoft has continuously proven that they (I would have said 'we' during Vista) are not great at delivering the core message around UAC. So let me try to do it the best I can:
User Account Control is about achieving one objective: allowing end users to use Windows every day with an account that is not in the Administrators group (or any other similarly privileged group).
Why is this goal so important? Because running as a Standard User is a markedly more secure and reliable way to run Windows. In homes, in businesses, on laptops, on desktops, your parents, your kids...wherever, whoever, however you get Windows users to not run as Administrators...you're better off. After all, Unix and OS X have run this way for years.
So, how did Microsoft go about making this move? In Windows Vista, we made the default security context that of a Standard User. This sent a clear message to ISVs that we want them to design for users that aren't Administrators. As a result, we needed to make it convenient to get Administrator privileges, and we introduced the UAC prompt. With a change of this magnitude it takes time for the ecosystem to digest the change, and many legacy applications (including Windows itself) needed to be fixed up. Obviously, folks were upset about how often they were getting prompted and there was a public outcry.
Personally I think this is a problem that would have fixed itself over time, but I appreciate the continual focus on innovating that embodies Microsoft. In Windows 7, they introduced the new UAC policy settings and the slider to control them, which was designed to strike a balance with usability while continuing to make it clear to ISVs that they need to design their code to run as a Standard User.
Now, notice...I've never said UAC is a security technology to this point. The security technology that UAC actually attempts to employ is the boundary between user sessions. That boundary has existed since NT4 and is clearly defined. In fact, by default Windows and UAC actually didn't take advantage of this boundary in the first version (Vista) or the second (Win7) - this is because the first account on the machine is always an administrator account. UAC was a long-term strategic bet, and I'm hearing from more and more companies that are deploying their desktops as Standard Users every day.
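Since the whole point above is "are your users actually running as a Standard User, and how is the prompt policy set?", here is a small audit script for exactly that. It is an added example of mine for this post, not code from Microsoft or from the UAC team: it reports whether the current session is a real Standard User, an administrator on a filtered token (Admin Approval Mode), or a fully elevated administrator, and it reads the UAC policy values from the registry. It assumes Windows Vista or later with PowerShell 3.0 or later; the registry value names are the documented UAC policy values, while the one-line descriptions of each prompt level are my wording of them.

```powershell
# Added example (not from the original post): audit Standard User status and UAC prompt policy.

function Get-UacSessionState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole(Administrator) is true only for an elevated (full) admin token.
    # With a filtered token the Administrators SID is present but deny-only,
    # so this returns false even though the account is an administrator.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Inspect the raw token groups to tell a true Standard User apart from an
    # administrator whose token UAC has filtered. S-1-5-32-544 is the
    # well-known SID of the local Administrators group.
    $adminLine     = whoami /groups | Where-Object { $_ -match 'S-1-5-32-544' }
    $inAdminGroup  = [bool]$adminLine
    $tokenFiltered = $inAdminGroup -and ($adminLine -match 'deny only')

    $mode = if (-not $inAdminGroup) { 'Standard User' }
            elseif ($tokenFiltered) { 'Administrator, filtered token (Admin Approval Mode)' }
            else                    { 'Administrator, full token (elevated)' }

    [pscustomobject]@{
        User          = $identity.Name
        InAdminGroup  = $inAdminGroup
        TokenFiltered = $tokenFiltered
        IsElevated    = $isElevated
        Mode          = $mode
    }
}

function Get-UacPolicy {
    # These values back the Group Policy settings under
    # Security Options > "User Account Control: ..." and the Windows 7 slider.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
    }
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    # A missing value means the OS default applies; do not coerce $null to 0.
    function Describe($table, $value) {
        if ($null -eq $value) { return 'not set (OS default applies)' }
        $text = $table[[int]$value]
        if ($text) { $text } else { "unknown value $value" }
    }

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        AdminPromptMeaning         = Describe $adminBehavior $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        UserPromptMeaning          = Describe $userBehavior $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-UacAudit {
    $session  = Get-UacSessionState
    $policy   = Get-UacPolicy
    $findings = @()

    if ($session.Mode -ne 'Standard User') {
        $findings += 'Daily-use account is in the Administrators group; the objective is a Standard User account.'
    }
    if ($policy.EnableLUA -eq 0) {
        $findings += 'EnableLUA is 0: UAC is off and every administrator logon gets a full token.'
    }
    if ($policy.ConsentPromptBehaviorAdmin -eq 5) {
        $findings += 'Admin prompt level 5: Windows binaries elevate silently, so the prompt is a convenience, not a boundary.'
    }
    if ($policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop is 0: elevation prompts are shown on the interactive desktop.'
    }

    [pscustomobject]@{ Session = $session; Policy = $policy; Findings = $findings }
}

$audit = Get-UacAudit
$audit.Session | Format-List
$audit.Policy  | Format-List
$audit.Findings
```

Run it in a normal (non-elevated) window first: if `Mode` comes back as anything other than `Standard User`, the machine has not actually made the move the post is about, whatever the slider says.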
So, what really happened is that Zheng and Rivera have convinced the press that there is actually a sensational story here and the press have run with it. Microsoft, ever sensitive about UAC, has Jon and Steven working overtime writing blog posts that as far as I can tell don't clearly articulate UAC's value and continue to muddle the message around UAC. After living through this for the last couple weeks I simply couldn't resist writing this blog post - I hope it's clear that I really love MSFT and UAC.
When Steven and Jon say in this blog post (http://blogs.msdn.com/e7/archive/2009/02/05/uac-feedback-and-follow-up.aspx) that they will protect the slider, they are misguided - given the overall implementation of the default slider setting that allows Windows applications to run without a prompt, there is no way that someone else won't be able to find a way to turn off UAC prompting using some other Windows component. I don't think this is security researcher rocket science, and that's as far as I will entertain the security discussion - UAC offers reliability enhancements and allows us all a much more pleasant experience as a Standard User on Windows.
For Jon and Steven to entertain the discussion around UAC and security in their blog posts is ludicrous. Why would they change a feature to make people think it's more secure when it's not a security feature in the first place? How is that message not getting out there? You can say I'm wrong or don't know...I'll gladly have the debate with anyone who chooses to send me an email. I would encourage Jon and Steven to consider changing their messaging. If they don't, there will be a continuous stream of Zhengs and Riveras attacking UAC as a security technology, and Microsoft will continuously be responding with..."we fixed that hole..." when this was never the actual goal of the feature, and instead it becomes a thorn in the side of Windows 7.
Cheers,
Chris
If you're a company that wants help deploying Standard User desktops then email me - chris@migratellc.com. (I couldn't resist the plug for my company. :) )
Posted Feb 08 2009, 09:59 PM by Chris Corio