In January of 2002, Bill Gates initiated Trustworthy Computing, fundamentally changing Microsoft's focus from creating feature-rich operating systems to spotlighting security and privacy. Mr. Gates explains in the memo:
"In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software."
In order to improve trust, Mr. Gates goes on to say:
"So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."
Most feel this on-going effort has been successful, especially with the advent of User Account Control (UAC).What is UAC
Microsoft realized that allowing users to have administrative rights all the time (major security risk) is not acceptable under the mandates of Trustworthy Computing. So, Microsoft made changes, starting with the Vista operating system. Those changes became UAC and consist of the following:
- If possible, operations requiring administrative rights will be changed to work with standard user rights. One notable example of this is granting standard users the ability to change time zone settings.
- Use virtualization to help programs run without administrative rights.
- Rework programs, so UAC knows when to request administrative rights.
- Make sure programs running with administrative rights are isolated from processes that are running standard privileges.
UAC is complicated. So I defer to Microsoft's Mark Russinovich, who expertly explains the workings of UAC in his TechNet article "Inside Windows Vista User Account Control."
UAC, by default assigns the user standard rights. If a program requires administrative rights to run or load, UAC will ask the user for permission to elevate privileges for that task. This change in approach prevents malware requiring administrative rights from installing automatically.Admin Approval Mode
The rights elevation is handled by UAC's Admin Approval Mode (AAM). AAM creates two profiles for the user at log-in, one with standard rights and one with administrative rights. As I mentioned earlier, UAC can elevate privileges. I didn't know there were two types of elevation. One is called "Over the Shoulder" (OTS) elevation and the other is "Consent" elevation.
The type of elevation used, depends on whether the user belongs to the local administrator group or not. If not, then UAC uses OTS, requiring permission from someone belonging to the local administrator group. If the user is a member of the local administrator group, UAC uses Consent elevation, asking the current user for permission.
UAC seems like a good idea. It mimics the Linux superuser, while adding some convenience. Or so I thought. Further research uncovered some flaws.Convenience versus security
"The functionality (AAM) is simply a convenience feature designed for administrators. The admin approval mode does not create a security boundary between processes. In this context, in the absence of process isolation, interference is possible."
Mr. Allchin further explains:
"If an administrator performs multiple tasks on the same desktop, then malware may potentially be able to inject or interfere with an elevated process from a non-elevated process."
I understand the logic. If the user had to switch profiles to perform administrative operations, most users would switch once and never return to the profile using standard rights. Still, isolation of processes running elevated privileges was one of the tenets of UAC. So, is this a relaxation of Trustworthy Computing?
Mr. Russinovich, in another article "Inside Windows 7 User Account Control" explains why Microsoft dropped the use of process isolation:
"While it was an early design goal of Windows Vista to use elevations with the secure desktop, Windows Integrity Mechanism, and UIPI to create an impermeable barrier-called a security boundary-between software running with standard user rights and administrative rights, two reasons prevented that goal from being achieved, and it was subsequently dropped: usability and application compatibility."
In fairness to Microsoft, UAC is still better than nothing at all. Mr. Russinovich points out how UAC helps:
"As for the case where malware somehow does manage to get on a system, because malware authors have assumed users run with administrative rights, most malware will not function correctly."UAC and Windows 7
Microsoft changed how UAC works in Windows 7. UAC in Windows 7 affords the user more flexibility. To check out the new options, go to Control Panel, select User Accounts, followed by Change User Account Control Settings. Here are the four settings:
- Top position: Is "Always Notify" and identical to the default mode in Vista.
- Second position: Is the Windows 7 default setting, prompting the user when a non-Windows executable asks for privilege elevation.
- Third position: Is similar to the second position. The difference being the prompt occurs on the user's desktop rather than the secure desktop.
- Bottom position: This setting turns off all protection afforded by UAC.
Besides giving users more say in how UAC works, Microsoft has incorporated "auto-elevation" in an attempt to reduce the number of prompts submitted to the user. Due to the nature of auto-elevation, Microsoft is very particular about which programs can leverage privilege escalation. They place the following restrictions:
- The executable must be digitally signed by the Windows publisher.
- The executable must be located in a secure Windows directory.
It appears that Microsoft wasn't particular enough and that has security experts concerned. Especially, after researchers Rafael Rivera and Long Zheng developed two "proof of concept" programs, one disables UAC and the other uses UAC's auto-elevation to self-elevate privileges of the attacker's chosen malware.Enough confusion to go around
As I was researching the changes to UAC, I started to sense what's going on. Microsoft and security analysts have a completely different opinion of what UAC is supposed to be. Analysts want UAC to be Microsoft's interpretation of how Linux controls administrative privileges.
Microsoft doesn't see it that way. I will let Mr. Russinovich present Microsoft's viewpoint:
"The bottom line is that the default Windows 7 UAC mode makes a PA user's experience smoother by reducing prompts, allows them to control what legitimate software can modify their system, and still accomplishes UAC's goals of enabling more software to run without administrative rights and continuing to shift the software ecosystem to write software that works with standard user rights."
Could it be that simple? UAC's real purpose is to coerce software developers into writing code that runs with standard user rights.Final thoughts
I'm wondering if Trustworthy Computing means the same as when Mr. Gates was in charge. What do you think?
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.