Microsoft's UAC: A change in philosophy from Vista to Windows 7?

Microsoft changed the way UAC works in Windows 7, weakening the security of the operating system according to experts. Has Trustworthy Computing taken a back seat to functionality?

In January of 2002, Bill Gates initiated Trustworthy Computing, fundamentally changing Microsoft's focus from creating feature-rich operating systems to spotlighting security and privacy. Mr. Gates explains in the memo:

"In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software."

In order to improve trust, Mr. Gates goes on to say:

"So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."

Most feel this ongoing effort has been successful, especially with the advent of User Account Control (UAC).

What is UAC

Microsoft realized that allowing users to have administrative rights all the time (major security risk) is not acceptable under the mandates of Trustworthy Computing. So, Microsoft made changes, starting with the Vista operating system. Those changes became UAC and consist of the following:

  • If possible, operations requiring administrative rights will be changed to work with standard user rights. One notable example of this is granting standard users the ability to change time zone settings.
  • Use virtualization to help programs run without administrative rights.
  • Rework programs, so UAC knows when to request administrative rights.
  • Make sure programs running with administrative rights are isolated from processes running with standard privileges.

How does UAC work

UAC is complicated. So I defer to Microsoft's Mark Russinovich, who expertly explains the workings of UAC in his TechNet article "Inside Windows Vista User Account Control."

UAC, by default, assigns the user standard rights. If a program requires administrative rights to run or load, UAC asks the user for permission to elevate privileges for that task. This change in approach prevents malware that requires administrative rights from installing automatically.

Admin Approval Mode

The rights elevation is handled by UAC's Admin Approval Mode (AAM). AAM creates two profiles for the user at log-in, one with standard rights and one with administrative rights. As I mentioned earlier, UAC can elevate privileges. I didn't know there were two types of elevation. One is called "Over the Shoulder" (OTS) elevation and the other is "Consent" elevation.

The type of elevation used depends on whether the user belongs to the local Administrators group. If not, UAC uses OTS, requiring permission (credentials) from someone who does belong to the local Administrators group. If the user is a member of the local Administrators group, UAC uses Consent elevation, asking the current user for permission.
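To see how AAM has shaped a particular logon, here is an added PowerShell example (it is not from the article, from Microsoft, or from Mr. Russinovich's article). It reports whether the current process holds the full administrative token and whether the account is a member of the local Administrators group at all; together these tell you which of the two elevation paths, Consent or OTS, a UAC prompt would take. It assumes PowerShell 2.0 or later and the built-in whoami tool; the function name Get-UacTokenState is a name chosen for this example.

```powershell
# Added example, not from the article. Reports the token state that
# Admin Approval Mode (AAM) gives the current session.
function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when this process runs on the full (elevated) token.
    $elevated = $principal.IsInRole($adminRole)

    # Under AAM the filtered token still carries the Administrators group,
    # but flagged "used for deny only", so IsInRole returns $false for it.
    # whoami /groups lists the SID together with that attribute, which lets
    # us tell a filtered administrator apart from a true standard user.
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq $adminSid }
    $isLocalAdmin = [bool]$adminRow
    $denyOnly     = $isLocalAdmin -and ($adminRow.Attributes -match 'deny only')

    # Which elevation path a UAC prompt would take for this account.
    if ($elevated) {
        $path = 'Already elevated: running on the full administrative token'
    } elseif ($isLocalAdmin) {
        $path = 'Consent elevation: filtered admin token, AAM asks this user'
    } else {
        $path = 'Over the Shoulder (OTS) elevation: an administrator must supply credentials'
    }

    New-Object PSObject -Property @{
        User             = $identity.Name
        IsLocalAdmin     = $isLocalAdmin
        FilteredDenyOnly = $denyOnly
        ProcessElevated  = $elevated
        ElevationPath    = $path
    }
}

Get-UacTokenState | Format-List
```

Run it twice, once from a normal PowerShell window and once from one started with "Run as administrator", and an AAM user sees the same account reported with IsLocalAdmin true in both, but FilteredDenyOnly true and ProcessElevated false only in the first. That pair of results is the split-token design the article describes: the two "profiles" are the filtered and full tokens of one logon, not separate accounts.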

UAC seems like a good idea. It mimics the Linux superuser, while adding some convenience. Or so I thought. Further research uncovered some flaws.

Convenience versus security

Both Mark Russinovich and Jim Allchin (formerly of Microsoft) have admitted that AAM is focused on convenience, not security. In the link about AAM, Mr. Allchin mentions:

"The functionality (AAM) is simply a convenience feature designed for administrators. The admin approval mode does not create a security boundary between processes. In this context, in the absence of process isolation, interference is possible."

Mr. Allchin further explains:

"If an administrator performs multiple tasks on the same desktop, then malware may potentially be able to inject or interfere with an elevated process from a non-elevated process."

I understand the logic. If the user had to switch profiles to perform administrative operations, most users would switch once and never return to the profile using standard rights. Still, isolation of processes running elevated privileges was one of the tenets of UAC. So, is this a relaxation of Trustworthy Computing?

Mr. Russinovich, in another article, "Inside Windows 7 User Account Control," explains why Microsoft dropped the use of process isolation:

"While it was an early design goal of Windows Vista to use elevations with the secure desktop, Windows Integrity Mechanism, and UIPI to create an impermeable barrier, called a security boundary, between software running with standard user rights and administrative rights, two reasons prevented that goal from being achieved, and it was subsequently dropped: usability and application compatibility."

In fairness to Microsoft, UAC is still better than nothing at all. Mr. Russinovich points out how UAC helps:

"As for the case where malware somehow does manage to get on a system, because malware authors have assumed users run with administrative rights, most malware will not function correctly."

UAC and Windows 7

Microsoft changed how UAC works in Windows 7. UAC in Windows 7 affords the user more flexibility. To check out the new options, go to Control Panel, select User Accounts, followed by Change User Account Control Settings. Here are the four settings:

  • Top position: "Always Notify," identical to the default mode in Vista.
  • Second position: The Windows 7 default setting, prompting the user only when a non-Windows executable asks for privilege elevation.
  • Third position: Similar to the second position, except that the prompt appears on the user's desktop rather than the secure desktop.
  • Bottom position: Turns off all protection afforded by UAC.

Besides giving users more say in how UAC works, Microsoft has incorporated "auto-elevation" in an attempt to reduce the number of prompts presented to the user. Because auto-elevation grants administrative rights without asking, Microsoft is very particular about which programs can use it. It places the following restrictions:

  • The executable must be digitally signed by the Windows publisher.
  • The executable must be located in a secure Windows directory.

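The following added PowerShell example (not from the article, from Microsoft, or from the researchers it mentions) lets an administrator audit both things just described: which of the four slider positions a machine is actually in, read from the registry values that the Control Panel slider sets, and whether a given executable meets the two auto-elevation prerequisites the article lists. It assumes PowerShell 2.0 or later on Windows 7; the function names and the list of "secure" directories it checks (System32, ehome and Program Files) are assumptions made for this example.

```powershell
# Added example, not from the article. Reads the registry values behind the
# Windows 7 UAC slider and checks the two auto-elevation prerequisites
# the article lists for a given executable.

function Get-UacSliderPosition {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # EnableLUA=0 (or a consent behaviour of 0, elevate silently) means the
    # slider is at the bottom and UAC offers no protection.
    if ($p.EnableLUA -eq 0 -or $p.ConsentPromptBehaviorAdmin -eq 0) {
        return 'Bottom: never notify (UAC protection off)'
    }
    # ConsentPromptBehaviorAdmin 2 = prompt for every elevation,
    # 5 = prompt only for non-Windows binaries;
    # PromptOnSecureDesktop 1 = prompt on the secure desktop, 0 = user desktop.
    switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Top: always notify (Vista default behaviour)' }
        '5/1'   { 'Second: Windows 7 default, notify for non-Windows programs on the secure desktop' }
        '5/0'   { 'Third: notify for non-Windows programs on the user desktop' }
        default { "Non-standard policy: ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($p.PromptOnSecureDesktop)" }
    }
}

function Test-AutoElevatePrerequisites {
    param([Parameter(Mandatory=$true)][string]$Path)

    # Prerequisite 1: signed by the Windows publisher. Note that PowerShell 2.0
    # does not check catalog signatures, so many Windows 7 system binaries
    # report NotSigned there even though they are legitimately signed.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signedByWindows = ($sig.Status -eq 'Valid') -and
                       ($sig.SignerCertificate.Subject -like '*CN=Microsoft Windows*')

    # Prerequisite 2: located in a secure directory (assumed list for this example).
    $secureDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'ehome'),
        $env:ProgramFiles
    )
    $full = (Resolve-Path $Path).Path
    $inSecureDir = $false
    foreach ($d in $secureDirs) {
        if ($full.StartsWith($d + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
            $inSecureDir = $true
        }
    }

    New-Object PSObject -Property @{
        Path             = $full
        SignatureStatus  = $sig.Status
        SignedByWindows  = $signedByWindows
        InSecureLocation = $inSecureDir
        MeetsBothChecks  = ($signedByWindows -and $inSecureDir)
    }
}

Get-UacSliderPosition
Test-AutoElevatePrerequisites -Path (Join-Path $env:SystemRoot 'System32\notepad.exe') | Format-List
```

The slider function is the one to run across a fleet: the second position is what a fresh Windows 7 install reports, and anything other than the top position is the configuration the proof-of-concept programs discussed below target. The prerequisite check is deliberately conservative; passing both tests is necessary but not sufficient for a binary to auto-elevate, since Windows also requires the executable to ask for it in its manifest, so the output tells you which files are even candidates rather than which ones will elevate.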
More convenience, less security

It appears that Microsoft wasn't particular enough, and that has security experts concerned. They became especially concerned after researchers Rafael Rivera and Long Zheng developed two "proof of concept" programs: one disables UAC, and the other uses UAC's auto-elevation to elevate the privileges of whatever malware the attacker chooses.

Enough confusion to go around

As I was researching the changes to UAC, I started to sense what's going on. Microsoft and security analysts have a completely different opinion of what UAC is supposed to be. Analysts want UAC to be Microsoft's interpretation of how Linux controls administrative privileges.

Microsoft doesn't see it that way. I will let Mr. Russinovich present Microsoft's viewpoint:

"The bottom line is that the default Windows 7 UAC mode makes a PA user's experience smoother by reducing prompts, allows them to control what legitimate software can modify their system, and still accomplishes UAC's goals of enabling more software to run without administrative rights and continuing to shift the software ecosystem to write software that works with standard user rights."

Could it be that simple? UAC's real purpose is to coerce software developers into writing code that runs with standard user rights.

Final thoughts

I'm wondering if Trustworthy Computing means the same as when Mr. Gates was in charge. What do you think?

aduffy

This quote, "As for the case where malware somehow does manage to get on a system, because malware authors have assumed users run with administrative rights, most malware will not function correctly," may not apply since the Vista release. I think now the UAC feature IS considered by malware authors.

zefficace

I'm a geek at heart, and read TR articles to learn more, and I often do. But my problem is this: I never had UAC on XP and still I had no virus at work or home. In my small experience, a well-configured router is the first true line of defense. The second line is a paranoid attitude where "no" is the default answer to any unexpected/odd question prompts. With that simple methodology, the anti-virus and anti-spyware software never had any real use save finalizing the last touches on the armor. They scan the whole computer but never find anything. I never needed UAC. Linux is more secure? Whatever, that's not why I use Linux. My router and my love of answering "no" do most of the job anyway. So I submit to you that it is not so much a question of the security of the code, but what the user does. Not installing a layer of protection (router/firewall) is plain dumb, even for consumers. Also, answering "no" can always be undone later; answering "yes" might screw you permanently... how about that for user education.

Ocie3

Quote from article: "Could it be that simple? UAC's real purpose is to coerce software developers into writing code that runs with standard user rights." That is a recurring assertion in many Microsoft articles about security in general and UAC in particular. It seems inevitable to me that Microsoft will eventually be forced to tell developers [i]qua[/i] maintainers of "legacy applications" which cannot run effectively on Standard user accounts to re-design or modify the software to run without requiring Admin privileges, else the software will not be able to run on future versions of Microsoft Windows. The [i]companies[/i] which are running those "legacy" applications must understand that they are running software which, regardless of whether it has security vulnerabilities, nonetheless does expose them to security threats because it requires Admin privileges to run. If Microsoft [i]can[/i] get those customers, who are caught between the need to run a "legacy application(s)" and the need to run a widely-used familiar operating system, to support Microsoft's position - if only for the sake of security - then those who own a "legacy" application will have to change their software to suit their customers. Nonetheless, eventually Microsoft will not be selling enough Windows licenses to stay in business [b]if[/b] they continue to release software with critical security vulnerabilities. As reported in the article, the current problem is that the Windows 7 UAC slider default setting at "medium-high" leaves the system vulnerable. According to the proofs of concept to which the article refers, "medium-high" allows malware to elevate its privileges to those of an Administrator account. Whether the malware accesses Admin Approval Mode (AAM) to do that is not clear. 
Regardless, IMHO, Vista UAC Admin Approval Mode is an inherent vulnerability just waiting for an admin who is using a Standard account to introduce it while malware is lurking on their computer, running with the same Standard account as the program for which admin privileges are granted by using AAM. It seems that, with Windows 7 UAC the "medium-high" setting introduces the vulnerability to all Standard accounts without any admin participation necessary. :-0 Frankly, I hope that my interpretation is wrong, although I do not doubt that the AAM vulnerability exists. Beyond that, I cannot think of any other security software that has a "slider", or even a set of them, to configure it. It looks as though MS decided to re-use code from the Internet Explorer Security tab configuration for the Windows Vista/7 UAC interface. A slider is so easy that anyone can use it, right? Sure, but not everyone has a clue as to the consequences. And configuring security for a computer and its operating system is not quite the same as using a toaster. Unfortunately, that kitchen-appliance I.E. interface masks a flawed design so that effectively securing the [b]browser[/b] requires a very time consuming effort. If someone does not have time to [i]learn[/i] how to use that interface effectively, where will they find the time to actually [i]use[/i] it effectively? By comparison, using Firefox NoScript, Permit Cookies and Better Privacy is a walk in the park. But I digress. The most secure Windows 7 UAC configuration is to set the slider to Always Notify. The actual results will not be identical to "turning on" Vista UAC, however. 
The differences are described on the Microsoft web site:
Changes in User Account Control: http://technet.microsoft.com/en-us/library/dd560669%28WS.10%29.aspx
What's New in User Account Control: http://technet.microsoft.com/en-us/library/dd446675%28WS.10%29.aspx
User Account Control Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc709691%28WS.10%29.aspx
The second and third links are in the first article, which has more general information that is repeated in the second article, in particular. Closing question from the article: "I'm wondering if Trustworthy Computing means the same as when Mr. Gates was in charge. What do you think?" IMHO, the fundamental goals, as described previously in TechRepublic IT Security discussions by Deadly Ernest, have not changed much, if at all. If memory serves, not even the half-baked anti-trust lawsuit to which MS was subjected addressed that initiative.

boxfiddler

UAC can be disabled by Administrators on Vista systems, and given that most users found it a royal pita and promptly did just that, I think Mr. Gates' focus on security was off in the first place. I think it was a ploy to rob yet another computer niche of its place in the scheme of computer things. Obviously, I don't trust Uncle Billy or MS.

JCitizen

8 out of 10 malware samples! See here on ZDNet: http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=71315&messageID=1376234 It seems it has already started, Michael! Of course, one thing the article may not have addressed is the fact that some of the worst malware needs no elevated privileges to do its dirty work. I suspect this may be the case in many of the samples. I am pretty sure I got at least one malware that bypassed it, but NIS 2010 found it later. Fortunately it was on my honeypot account. Doubt if it did much damage, but what if I got one now, lurking in my main restricted account? If it is in the temp files, CCleaner already removed it, but what if the malware is capable of simply moving out of temp folders? Does that take admin rights to do? I doubt it.

vadodsantos

I always preferred Vista to XP because I found it more secure and UAC adds to that.

Michael Kassner

I was surprised to find that Microsoft has a different opinion on what UAC does compared to what the security experts think. That's not a good thing.

Michael Kassner

I just did a post on Zeus and it runs just fine with standard user privileges.

mdietelbach

I do understand the position stated here, but the bottom line on many aspects is that sometimes the user with elevated privileges does not get prompted. UAC helps in that area by not allowing those to occur. I have seen the mere clicking on a webpage result in the installation of something; it kept the user busy with opening multiple windows etc., but in the end the virus was on the system regardless of how many times you closed or answered NO. Even under Windows 2000, which we were running 2 years ago, we had 85% of the users without admin rights. Why? It made sense: why have a user install software when you have tools to put the software onto their system consistently the same way? Windows 2000 was far from locked down even if you didn't have admin rights, but it was better. Of course, when you ran into an application not working in the non-admin state you had to resolve the issue or in some cases allow admin rights for that user until there was a workaround. When we went to Vista Enterprise we did suffer considerably with poorly coded applications from developers that made statements like "to get our application to work, put in the SDK disk and install the entire SDK, give the user Admin rights and our app works just fine." Of course we never did that; we always pushed back on the vendor. "What exactly do you need installed as far as runtimes etc. on the machine before installing your application for it to work, and NO we don't want the user to have admin rights, so what limits will that have on their functionality and what workarounds are there to achieve what we want?" Microsoft definitely didn't make this easy with UAC in the Vista era, but hopefully Windows 7 (and most reports support this) has gotten it much, much better. Mark

JCitizen

we were always pressuring our software vendors to run without admin privileges. HIPAA made it a legal requirement. I would like to see more intervention in this by law. I'm not for big government, but I'm not for hanging customers out in the wind for every crime cracker to take them to the cleaners either. I'm sure Microsoft gets tired of the old vendor run-around too. I hope Secunia is tracking these worthless software packages also, because I won't allow them on anything my clients use. Maybe all the beleaguered reputation for Vista will pay off for Microsoft in the long run, if they re-tighten the ropes in later Win 7 service packs.

Michael Kassner

I did not know that my statement was out and about that much. I hope it did not imply my stealing someone else's thunder.

Michael Kassner

Waiting for you, J. I know you are a big proponent of UAC. Thanks for chiming in. As an aside, the "proof of concept" malware I referred to is very real. Still, all said and done, in my opinion, UAC is a very good thing. I say that even though I have a great firewall/program guard that basically does the same thing.

Michael Kassner

Anyone, but I like UAC as well. It is way better than the alternative.

tnboren

for fear of tempting fate, but we are running Win XP for 50 standard (limited) users on an AD domain and I've had no issues with malware/viruses for the 4+ years I've been here. Users call me if they want to change or install something and I am happy to do so. I can either terminal service in, or use UltraVPN so we can both see the desktop. Not a single user has a local admin login. Windows XP included a little-known 'run as' mode which I use frequently (either right-clicking or from a command line) so I don't have to log users out to do things as an administrator. It's become second nature to me. I have Vista running on a server and two workstations at home and barely notice UAC. It has popped up a few times, saving me from allowing something to run. I would be insane to turn it off.

O & G IT Guy

I think this is a good example of a chicken-and-egg type of problem. In WinXP everyone was an admin, and developers (like all people) took the easy way and assumed that everyone would always be an admin and coded poorly. Virus/malware writers took advantage of this. In Vista, Microsoft went from everyone running as an admin to total lockdown. No one was an admin, UAC nagged on nearly everything you did (due to the poor coding practices established in XP), and software failed to work at all. Thus Vista was not adopted by the masses, and developers weren't forced to change their ways. In Win 7, Microsoft has taken a step back (that is unfortunately needed, at least temporarily) and reduced the security a bit to allow more applications to run, and reduce the nag factor for users. Windows 7 is being accepted by the masses, and the nags will still require developers to change their coding practices to appease users. This will result in a more secure system, and a platform to move to an even more secure system (IMHO). Where I think Microsoft failed us all (Windows XP is the past, so let's not go there) is that there should be another spot on that slider that implements the Vista UAC with segregation that users could select as the software ecosystem adapts to the new model, or if they just want to remain more secure and avoid poorly coded software to begin with. So if Microsoft had gone from Win XP (no UAC) to Win 7 (non-segregated UAC) to Win Vista (segregated UAC) we all would be a bit safer, and the world would be populated with better coders too! Does this mean that people shouldn't move to Win 7? Not in my opinion; the security improvements of Win7 over WinXP are huge, and let's face it, Vista was not adopted by the masses, so we aren't really looking at a Vista to Win 7 change, we are looking at a WinXP to Win7 change.
And no matter what the benefits of the various Linux distributions are, it does not have mass market appeal, and to expect Jane/Joe user to switch to it isn't really realistic.

Marty R. Milette

Microsoft is in a no-win situation. If they tightened up security to what these "security experts" think is good -- then nobody would be able to use the operating system for anything. Microsoft has to walk a very thin line between usability and security. No matter which side of that line they step off -- some people won't be happy. To be honest, a handful of "security experts" don't buy millions of licenses for any product -- so we have to lean slightly to the side of usability sometimes. To be honest, the only 'true' security for a computer is to encase it in steel and bury it in a mine shaft in concrete somewhere with no connections whatsoever with the outside world. Anything less MUST be a compromise. :)

Craig_B

In security there is always a balance between usability and security. If you want your computer to be secure, make it a stand-alone system with no network connection. No IE flaws to worry about and you don't need to vote for a browser, etc. Of course this makes it hard to work with others or leverage the internet. For usability, connect to the internet; don't use a firewall, anti-virus, etc. Of course your computer will most likely get infected with malware. Somewhere between these points is where most people want to be: make it secure enough but maintain the usability. I think the Windows 7 UAC has achieved this. The Vista UAC was the first draft and Microsoft went a little too secure, so the UAC became nagware and many people turned it off, which defeated the purpose. The Vista UAC did stop a virus from getting on my computer, so it did do its job. The Windows 7 UAC has a better balance and even better information about what is trying to do what from where, so the user can make a better choice. Remember the UAC is just one layer of Windows security. If it helps users and/or encourages developers to write more secure software, then we all benefit.

art

Microsoft security is broken because it is too complex. There is no reason any regular user should be able to start any process that has more rights than that user. I use Linux. I support Windows. I am often appalled at Windows security design. Why can Outlook (that I run) do things that I can't? You are just asking for trouble. UAC just makes things worse by adding more complexity. The more complex a design, the more chances for flaws.

digitalb

Until I reinstalled Windows a year later and forgot to turn it off. It saved me from a virus attack while I was downloading updates on my machine. For that... I have rewarded UAC by leaving it on and will not turn it off now. I have Windows 7 now and it doesn't bother me in the least bit anymore. It actually makes you think a minute before accepting the install. I like it and it is a good/necessary component of Windows.

zefficace

But then, shouldn't the browser be unable to install anything capable of affecting the system from now on? Maybe nothing directly from the web unless from officially recognized channels. In other words, unless you take the time to add a software source, only MS should add these sources. Web pages are disqualified as a source because of their very nature. A web page can be hacked and the effect remain unnoticed for a while. Hacking a server, like those of Windows Update, surely is more difficult, as I'm presuming MS is vigilant for its own update servers. (Same goes for Linux distros and their repositories.) Therefore, the question for me is why do we need the convenience of any kind of automatic install from a website? Isn't this the source of the problem? Maybe I'm just an idiot and I don't get it... ;)

JCitizen

every time an attempt is made to modify a file from an untrusted program. This Comodo feature does not work on XP since IE 8, but works like a champ on Vista x64. When my Norton expires, I'm going back to it and either NOD32 or G-DATA. AV-Comparatives gave it very high marks overall.

mdietelbach

I agree one would be insane to turn off UAC, especially in a corporate environment. We went even a step further and avoided the UAC prompt for elevated privileges for the user. The user gets the message "You do not have administrative rights" and an OK button. They then call IT and we discuss what it was they needed to do with the configuration of their system... (or they don't, mostly). If they need a piece of software, we discuss, then deploy it to them. We have a standard set of software available to our users and try to leverage these standards to help drive down complexity. Just because you like a word processor does not mean that we should support the use of it on the corporate network. Why have multiple types of the same software when it is more cost-effective to select one, support one and switch if that one doesn't meet your organization's needs? Of course this doesn't work in all cases and you sometimes need to support 2... :) BUT you should never be supporting 5, 10 different pieces of software that do the same thing. Then when it comes to changing operating systems, the number of software titles will not be so astronomical that you just put stuff in and see how it goes instead of testing, because testing 3000 apps just isn't feasible. If we are talking about a home PC, run whatever your heart desires, but in corporate, economies of scale are required.

Ocie3

Funny you should mention it. When I first began using XP I was aware of it, but since then I have forgotten about that option. For a while I had a "limited user account" (XP jargon), but I couldn't run all of the software. Many programs would not run unless I was using an "Administrator account". After a while I became tired of switching log-ins between the two accounts for this or that reason and simply started using the Admin account all of the time. In retrospect, I suppose that I could have used the "run as" option from the context menu to "run as admin" for the programs that required it. When I access that option now while using my Admin account, the first option seems to be to drop Admin privileges and run as a "limited user". It does not say that explicitly, but by the way that it describes the effect of using the option, that is probably what it does.

Michael Kassner

The only thing I might contend is that Vista was not isolating the processes either. It is my main point of contention: the bad guys are going to capitalize on that. If you read Mr. Russinovich's explanation, it's both the software developers' and Microsoft's fault that isolation cannot be included.

Slayer_

At the bottom, it's like XP; at the top it's like Vista. At the top, it is not vulnerable to the elevated-privileges hack. W7 security should protect you from all XP and older viruses, but no protection from Vista and newer. It in fact provides almost no protection at all from newer viruses, as there is proof-of-concept code available on the internet on how to defeat W7 UAC on its default setting.

Ocie3

you don't have to encase a computer in steel and bury it in a mine shaft filled with concrete in order to "secure" it. You do not have to throw the baby out with the bath water. You do [i]not[/i] have to run software that contains buffer overflows which can be exploited for remote code execution. You do [i]not[/i] have to run an operating system that always loads each process in the same part of memory. You do [i]not[/i] have to run an operating system that allows a process to inject code into the memory occupied by another process. Those are three flaws that, as far as I know, have been corrected in Windows, whether or not also in all of the software that runs with Windows. But there are plenty of other vulnerabilities which MS simply has not corrected, whatever their reasons. (MS usually refuses to discuss either their reasons or the flaws.) What we [i]need[/i] is software and an operating system that do not contain such vulnerabilities. So far, Microsoft Windows is not as secure as it can be made, but, as I understand it, because of its fundamental architecture Windows [b]never[/b] can be truly secure. Yet, by all reports, operating systems which do not have the fundamental architectural flaws of Windows do exist. So why are we all running Windows? May I suggest that it is because so many of Microsoft's customers do what the herd does, and fail to even seek, let alone heed, the advice of those who [i]do[/i] know which operating systems would make better choices, at least from the perspective of security. Well, where there are herds, there are predators. Just hope that your computer system(s) are not their next entree.

Tony Hopkinson

Security doesn't necessarily have to mar usability. I've had UAC on at work and at home in Vista since day one. Barely notice it. I'm not, of course, lumbered with legacy software, nor do I do that much admin work. One of the things I did when I got Vista was leave it turned on; for me I've had about two or three unexpected hits, the rest I would expect, no different to running up an su-style session in other OSes. Security is a mindset; without it you'll never get it, and whether an insecure system is in fact usable is open to question. Look how much resource even the least intrusive of virus checkers use up on our machines. Now if you could reasonably do an su-type manoeuvre in Windows....

Michael Kassner

UAC is a huge improvement over automatic admin rights. I was surprised to learn that UAC is not isolating the elevated processes though. That could become a problem.

regan.thomas

What I never got about UAC was the modal popup screen. Why so obnoxious? I would just as easily notice a change in taskbar color or Windows 7 Action Items Icon. Because of its intrusive and attention-seeking notification mechanism (to support Craig_B's point), I quickly turned the sucker off of Vista. With Windows 7, the first thing I did was try to turn it off, when I noticed some more options. Needless to say, the option "Notify in Taskbar Only" was still missing; and so I turned it off anyway. I can't stand being shouted at and that's basically UAC's way of communicating, so nighty night.

Michael Kassner

I appreciate your thoughts. Are you concerned about the fact that processes are not isolated and that the bad guys are starting to leverage that?

Jessie

But it's the problem of software manufacturers who build their apps so they MUST run with admin privileges, which is ludicrous. Normal operation of an application should not require the user to modify files and folders not "their own." The company I work for locks down all desktop machines except for a couple which have to run software that updates the freakin' Windows system files all the time... there's no NEED for that. These non-locked-down systems are where ALL of our viruses come from.

asif

It is very simple, Art... remove users from the local admin group and they run as normal users. It is actually Linux that is too complex for normal users, and that is why you don't find it on most company desktops. Since moving to Windows Vista (and now slowly moving to Windows 7) 2 years ago, we have not experienced a single virus, worm, or malware. It was very simple... don't add users to the local admin group, which Vista made easy. As for Linux, I ran an evaluation of both SUSE Linux and Ubuntu desktop as a possible cost-saving measure for my company with 5 test users for a month, and all rebelled and demanded to go back to Windows. Enough said on that.

Michael Kassner

Are you using Windows 7 yet? Have you been supporting Vista as well? I would be curious to learn what users have thought about UAC.

Michael Kassner

For sharing your experience. In your case, UAC worked as the security experts say it should. Did you have it in the default setting?

Michael Kassner

If a Web site is a malware-delivery platform (knowingly or not), the dropper code will be looking for weaknesses in the operating system. The dropper program will then leverage the weakness to get malware installed. Typically that has required local admin rights, hence UAC helping prevent that. The only problem is the bad guys are starting to develop code that does not require admin rights to install.

JCitizen

solutions weren't the best thing since sliced bread. For SMBs, I like to use the regular desktop version with a gateway solution. Some clients even bone up for the AV/AS services on these devices. So far, a lot cheaper, by my estimates; unless you have a better solution, (price wise). Thanks for your input!!! I have experience using basically weak solutions like Trend Micro's Office scan; which was okay, where your GPO s.o.p, basic server security, and AD policies were properly implemented. In other words it was the last weak link in a very strong IT security model. So it served our purposes, at the time.

Gh0stMaker

Nod32 is a very nice malware solution with a very small footprint as far as resources being used. They have a nice Server Admin console that can control all aspects of the solution.

Michael Kassner

I don't hear from too many people that are running Vista in the enterprise. How has that worked out? Are you going to move to Win 7?

JCitizen

but my MCSE training left me with the impression that since folders could be set up with limited rights, then I assumed giving a process "Run as" rights would only apply to that process; and I am pretty sure I was wrong. Of course that was pre SP2, so I'm not sure how NTFS or other account security features may have changed since then. I was hoping this had changed with Vista, but I have no idea. I did believe that any malware existing on a limited account would have the same opportunities as I would on that account. So if I logged onto a process and was using it, the malware could too, but I was hoping it would only be limited to that process alone. That would at least mitigate any damage done.

Ocie3

Thank-you for letting me know about that potential consequence of using the Windows XP "run as" feature. Do you remember whether you were using a "limited account" when you used the "run as" feature? With regard to Windows Vista/7: if you simply use an Administrator account, then any software that you are running which requires "admin privileges" will be isolated, thus protected, by a "security boundary" from all other processes that are also running [i]via[/i] the same account. Of course, since you are using an Administrator account, if a "dropper" that has been introduced to your computer wants to install malware, then it has the privileges that it needs to do it. That is the risk of "running as admin". Of that much I am certain. :-) I don't recall reading whether any processes that are run by using a Standard account are "isolated". However, Windows 7 has some added security features regardless of account type. One is detection and prevention of "code injection" attempts (in which a running process attempts to load or copy executable code into the memory allocated to another process, then execute it). Another is segregation of executable code and data, so that attempts to "execute" anything that is in an allocated "data space" are prohibited. And the Windows 7 kernel also has a feature that "randomizes" the location of processes in memory. For example, a driver is not always loaded beginning at the same address during system boot. This prevents malware (or any program) from being able to "jump" to a location in memory, outside of its own allocated space, with any assurance of which instruction (if any) will be at the address to which it executes the jump. It seems to me that program processes that are run with a Standard account must be "isolated" by security boundaries in order to implement the first two features, in particular.

JCitizen

on an application, and the OS promptly gave ALL the malware on that account full administrative rights/privileges. I never did that again. I ignorantly thought MS introduced better isolation this time; but I'm glad you made me a doubter, ocie3!!

Michael Kassner

Being as large as MS, must require a lot of patience. Legacy applications must be fun for them too.

Gh0stMaker

Microsoft would like to be 3 steps from where they are in security, but have to wait for thousands of programs to correctly develop and market secure software, and then the OS can become more secure. If windows were like a Mac, and ran a limited number of applications, the masses would not buy it.

Michael Kassner

I guess the way I look at it, MS by using UAC has incrementally improved their OSs. Just by making the user aware. As I mentioned, MS seems to be doing this mainly to force software developers to design their code to run with standard privileges.

Ocie3

explanation is much clearer, although not as technical, than Mark Russinovich's: Admin Approval Mode in Vista http://news.softpedia.com/news/Admin-Approval-Mode-in-Windows-Vista-45312.shtml In Windows XP, Vista and 7 (and, I believe, for Unix and its derivatives), the isolation of a program's processes from another program's processes is implemented by account. Namely, the "boundaries" within which a program executes are defined by the account with which it is executed, and the actions that the software can take are defined by the privileges of that account. So, on Windows XP and subsequent, accounts are divided into Standard user accounts and Administrator accounts. Everyone should use a Standard account to run their software, and only use an Administrator account when the software needs administrative privileges. Jim Allchin affirms that in his remarks as being the most secure way for Vista and, by extension, for Windows 7. However, for the sake of CONVENIENCE, an admin who is using a Standard account can "elevate" the privileges for a program to administrative by using Admin Approval Mode. Doing that is not secure, because malware which is running on the admin's computer [i]via[/i] the same Standard account can interact with the program also running [i]via[/i] that Standard account but which has been given administrative privileges, and acquire those privileges for itself as well. So, if anyone is at fault, it would be Microsoft, for introducing the Admin Approval Mode to make Windows and the programs "more usable", i.e., more convenient - but also inherently less secure when AAM is used.
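
Added example (PowerShell; this is not part of Ocie3's comment or the article): the account-level isolation and Admin Approval Mode discussed above are visible directly in the process token. An administrator who logs on with UAC enabled gets a filtered, medium-integrity token in which the local Administrators group is marked "used for deny only"; only a consented elevation produces the high-integrity token with that group enabled. The script reads both facts from `whoami /groups`, which exists on Vista and later, so it needs no extra modules. The function name and the wording of the reported states are mine.

```powershell
# Added example, not from the original thread. Reports whether this PowerShell
# process holds the filtered (Admin Approval Mode) token or the elevated one.
function Get-UacTokenState {
    # whoami /groups lists every group SID in the token, including the
    # mandatory integrity label (S-1-16-*) and each group's attributes.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    $labelSid  = if ($label) { $label.SID } else { '' }
    $integrity = switch ($labelSid) {
        'S-1-16-4096'  { 'Low' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { "Unknown ($labelSid)" }
    }

    # IsInRole(Administrator) is true only while the Administrators SID is
    # enabled in the token, i.e. after elevation (or with UAC disabled).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $state = if (-not $admins) {
        'Standard user: not a member of Administrators; elevation needs another account''s credentials'
    } elseif ($admins.Attributes -match 'deny only') {
        'Administrator with filtered token (Admin Approval Mode): not elevated'
    } elseif ($elevated) {
        'Administrator with full token: elevated'
    } else {
        'Administrators group present but token not elevated (unexpected; inspect manually)'
    }

    New-Object PSObject -Property @{
        User           = $identity.Name
        IntegrityLevel = $integrity
        Elevated       = $elevated
        TokenState     = $state
    }
}

Get-UacTokenState | Format-List
```

Run it once from an ordinary PowerShell window and once from one started with "Run as administrator" to see the two tokens the same logon produces. The first result is what every non-elevated process in that session runs as, which is the context the thread is worried about.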

Michael Kassner

There is also a proof of concept available that disables UAC completely on Win 7.

Michael Kassner

Deep in coding a new VPN client right now. I never miss a podcast.

Ocie3

Steve Gibson for his list of them. Are you familiar with Leo LaPorte's webcast with Steve Gibson, Security Now!: http://www.grc.com/securitynow.htm His most recent series begins with Episode #217: The Fundamentally Broken Browser Model. That and #221 The Oxymoron of 'JavaScript Security' are the current vector of his explorations. But I don't believe that Steve plans to develop another browser. ;-)

santeewelding

Which are you? Didn't think so. You hold (an)other alternative(s) up your sleeve, pushing the first, and only two, for rhetorical purposes.

JCitizen

Does the UAC time out by doing nothing, or does it assume you give the action permission by doing nothing? I'm afraid at least once it went away before I could make a decision, but I do not know if it may have possibly been one of these fake messages that have been prevalent or just exactly what it did. I finally found a virus trapped in one of the restricted accounts; was this its attempt to get out? I have also found what may be false positives on a document that was identified by one of my AS solutions as a .gen trojan. Was it truly false or what is happening? I almost wish I was back in XP, where I had at least some rock solid 3rd party security utilities that left that question a little more assuredly answered.

Tony Hopkinson

not the least of which is those who are nagged so often that they cease to bother reading the query and just click OK anyway as a matter of rote, which in my opinion is UAC's biggest weakness, possibly along with its lack of granularity. The latter is I believe addressed by domain in W7 though apparently not even close to ideally. I'd have preferred by behaviour myself. I'm not sure what MS can do, except make the move towards more secure third party and in house software gradual. Imagine Vista's take up, if there was no option to disable UAC. That would have had their sales and marketing boys screaming blue murder wouldn't it? The real problem to me was Vista offered so little advantage to business in and of itself, that justifying the none to f'ing huge amount of resource required to become compatible, and possibly against a moving target, was near impossible. Catch-22 time. No compatibility = no take up, no take up = no justification for making it compatible....

Michael Kassner

Your input, Tony. I do not have your experience with UAC, so your thoughts are welcome. Did you read the part of my article about where UAC has the isolation weakness? The bad guys are just starting to look at it. Does that change your mind? This is complicated, as UAC is way better than nothing, but it could turn into false security. Your thoughts?

apotheon

How does it nag? Unix-like systems simply prohibit you from doing something stupid, by default. I haven't seen any "nagging". It's not like the first time I run Pidgin, Firefox, or tmux, it pops up an ugly little dialog that steals focus away from whatever else I may be doing, asking if I want to allow the software to run. The software just runs, if the user account I'm using to try to run it has the permissions to do so. That's it. If not, it just fails -- because allowing an unprivileged user account to execute a command for which only an account with administrative privileges should have access would be incredibly stupid from a security standpoint. Where's the nagging you say you've experienced?

apotheon

The free/open source software Unix-like systems, including the various major BSD Unix systems and Linux distributions, require administrative privileges to install software system-wide. This is the only intelligent way to allow system-wide software installation, for security purposes, because to allow just anyone to install software system-wide means you're allowing anyone to affect everyone. It is, however, possible for a normal, non-administrative user account to install software. Those accounts just can't install any software system-wide. They have to install the software within their own home directories (or some other directory where they have read, write, and execute permissions), and the software can then only be used by them (or by someone else who has read and execute -- and usually write -- permissions there as well). It's pretty simple to understand why this is and how it works if you have a general grasp of basic Unix file permissions.

Michael Kassner

I tend to feel the same, yet that thinking keeps the doors open. So, I am glad they are watching.

Tony Hopkinson

The lag in Vista compatibility which would have negated how UAC was perceived was a business decision, just the same as Vista capable AV suites, and hardware drivers, both of which lagged badly as well. Who should take the honours, MS or 3rd parties, is open to debate, but us programmers program what the business tells us to, with the tools they buy us in the time they give us. Hardly a new phenomenon either; the smaller the impact on revenue and the larger the impact on cost, the less likely we are to get a chance to do something. I believe they call it alignment or some such.... When something looks abysmally stupid from a technical point of view, put your business head on.

Michael Kassner

I think we both were generalizing, focusing on the whole application industry. Microsoft has mentioned that several times. I suspect that MS should take some blame as well.

Tony Hopkinson

Ain't nuffing to do with programmers, aside from one or two who can't be arsed and are probably writing stuff no one sane would make part of their critical process; it's business telling programmers that they won't resource such an effort. That's not even counting the fact that MS as a business have, do and will use exactly the same mindset. That's like blaming you for the lack of IPv6 take up, or why people still use unsecured Telnet or FTP sessions.

Michael Kassner

I agree with your thoughts. Until I started researching this article, I was under the impression that UAC had a totally different job, I know differently now.

Gh0stMaker

Let's face it, due to very slow application development and developers, Microsoft is in a minefield waiting for programmers to actually write secure code. The developers should stop creating software that is 'easy' instead of secure. It's like doing a job 1/2 way and then hiding behind security experts to blame the OS creators.

Michael Kassner

It is much more limiting. As in you have no option. You have to switch to a super user profile to install software. At least that has been my experience.

Michael Kassner

I have talked to some developers and they are counting on that to inject malware. The code is smart enough to sit and wait until some process escalates rights and then it pounces.

Ocie3

but I doubt that it is as bad as running Windows XP with a "limited account" instead of with an administrator account. With WinXP, the "limited account" is simply too limited to be meaningful. But the most common opinion of Vista UAC that I've encountered, notwithstanding the ones that were ventured at the start of this discussion, is that it "nags" the user(s) too much, even the admins. And from the description of its behavior, I would not want to use it. I would rather have a combination of the features of a good firewall, anti-malware and Sandboxie.

mamies

This sounds more like a Linux environment where the root user installs all of the software. I am a Linux user but do not recommend it for Windows users because it does "nag" when you want to change a system setting or install new software, which is quite a pain.

Ocie3

is only effected when an application is run [i]via[/i] an Administrator account. If it is running in Admin Approval Mode on a standard user account, its process could be affected by malware which is running with the same account. That is why Jim Allchin recommended that Administrative tasks such as installing software be done only with an Administrator account, and all other tasks be effected with a standard account. It is more convenient to use AAM, but you lessen security when you do.

regan.thomas

I suppose my only point is, if you can successfully put out the effort to create a secure environment with the entire desktop space, it couldn't be any more difficult to create less 'intrusive', yet equivalently secure, means of notification; or at least the option for this. From some administrators' perspectives the 'modal pop-up' experience is valuable to ensure their attention at critical moments; no argument there. But there are others who would either simply not require, or be just as attentive to and therefore appreciate the option for a notification system similar in look and feel to, for example, the 'Action Center' icon; I for one never fail to notice the fact that the little white flag has a red X, and consequently take the appropriate action.

apotheon

I guess we have different definitions for "similar", then.

Michael Kassner

I wrote "firewall/program guard" Almost every software firewall application has the ability to act similar to UAC. They may use different names for the feature, though.

apotheon

A firewall protects the computer from the outside world. UAC is supposed to protect the computer from itself. It is intended, if you want to compare it to a firewall, to act as a firewall of sorts between parts of the running OS and the software installed on it. Since Microsoft is unlikely to let third party software developers insert filters on process privileges between parts of the OS, UAC is basically your only option for that.

santeewelding

About how [b] you [/b] are. Do you, Ocie, pay attention to such, aside from my taunts?

Ocie3

It seems that you are referring to the Secure Desktop, which is designed to appear the way it is so that you will know that you are looking at Windows output, and not what some malware that happens to be running has decided to display. Malware cannot intercept or alter whatever you do [i]via[/i] the Secure Desktop. If you are making "admin" changes to programs or to Windows without the Secure Desktop, then those changes often can be intercepted and altered by malware. Of course, the malware -- acting as a "man in the middle" -- can do quieter, less "intrusive" and trivial things such as changing the taskbar color or displaying an icon. So how would you know that what you are doing as an admin is secure?
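
Added example (PowerShell; not from Ocie3's comment or the article): whether an elevation prompt is drawn on the Secure Desktop or on the ordinary interactive desktop is a registry-backed policy, so it can be audited rather than guessed at. The script reads the UAC values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, decodes the ConsentPromptBehavior settings, and flags the combination Windows 7 uses for its "do not dim my desktop" slider level, where the prompt appears on the same desktop any user-level process can draw over. The function name and the finding texts are mine; the value names and meanings are the documented UAC policy values.

```powershell
# Added example, not from the original thread. Audits the UAC prompt policy
# and reports whether consent is collected on the Secure Desktop.
function Get-UacPromptPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # A missing value means "Windows default", not 0, so supply the defaults.
    function Get-Dword($props, $name, $default) {
        if ($null -ne $props.$name) { [int]$props.$name } else { $default }
    }
    $enableLua  = Get-Dword $p 'EnableLUA' 1
    $adminMode  = Get-Dword $p 'ConsentPromptBehaviorAdmin' 5
    $userMode   = Get-Dword $p 'ConsentPromptBehaviorUser' 3
    $secureDesk = Get-Dword $p 'PromptOnSecureDesktop' 1

    $adminMeaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials (Secure Desktop by default)'
        2 = 'Prompt for consent (Secure Desktop by default; Vista default)'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
    }
    $userMeaning = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials (Secure Desktop by default)'
        3 = 'Prompt for credentials (default)'
    }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled: every process of an admin logon runs with the full token'
    }
    if ($adminMode -eq 0) {
        $findings += 'Admins elevate silently: a process can elevate without the user ever seeing a prompt'
    }
    if ($enableLua -eq 1 -and $adminMode -ne 0 -and $secureDesk -eq 0) {
        $findings += 'Prompts are drawn on the interactive desktop: a user-level process can overlay or spoof them'
    }

    New-Object PSObject -Property @{
        UacEnabled         = [bool]$enableLua
        AdminPrompt        = $adminMeaning[$adminMode]
        StandardUserPrompt = $userMeaning[$userMode]
        SecureDesktop      = [bool]$secureDesk
        Findings           = $findings
    }
}

Get-UacPromptPolicy | Format-List
```

The Windows 7 slider's "do not dim my desktop" position is ConsentPromptBehaviorAdmin=5 with PromptOnSecureDesktop=0, which is exactly the case the third finding catches. Reading the values needs no elevation, so the check can be run from a standard account or pushed out as an inventory script.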

Michael Kassner

I was curious if you have a firewall/product guard that basically does the same thing as UAC?

Michael Kassner

I pretty much do that now with Sandboxie and VMs. But, it is not a user-friendly way to go.

Craig_B

I believe the best way to resolve all this is to come up with a new version of Windows built based on security and reliability from the ground up. The reason this has not happened is that it would most likely break all your applications. People complain now when an app from 5 or 10 years ago will not run properly on the latest OS version. Microsoft has been trying to add security while keeping things somewhat backwards compatible; this, of course, keeps the vulnerabilities as well. The way past this is by using VM technology for backwards compatibility as we are starting to see in Windows 7 with XP Mode. In the future maybe we will have a core OS that lives in its own world while the applications live in their own world. Or in other words, first we isolated the network from the internet, then the computer from the network and now the application from the OS. One final note, Windows 7 64-bit is more secure because they could write new drivers and components without having to really worry about backwards compatibility since there are not a lot of old x64 apps and drivers.

apotheon

It has never been clear (to me) whether the .NET Framework is a component of the Windows XP operating system per se, because the only software that needs it to run is software that has been developed to use the "framework". I didn't mean to suggest that the .NET Framework is a core component of the OS. I was simply pointing out a recent example of Microsoft pushing out patches that actually damage security rather than enhancing it, to make the point that blindly trusting Windows Automatic Update (for instance) is a bad idea, and more importantly to make the point that one should always apply at least some minimal due diligence to finding out what one is installing on a computer. If you want to make a point about some distinction between OS and additional application security as affected by updates pushed out by Microsoft using its Windows Update utility, go for it. I'm not sure what the point of such a statement would be, though, since both types of updates are delivered by the same mechanism, there's no innate distinction between the two types that guarantees that OS patches will always be 100% benign, and ultimately you can't be even remotely certain of the safety of any update if you don't even know what it is -- which was my point. Although I did not mention it explicitly, I do use the "Custom" option for Microsoft Update -- just not to download patches one at a time and test each one before I install another one. I don't test each one individually for an MS Windows test system I have at home, either. Of course, that's not my primary workstation by any stretch of the imagination. What I do, though, is first read Microsoft's explanation of what's in each update, then do a few minutes' research to ensure there aren't any hidden gotchas that others have discovered, then install everything I want and nothing I don't want in one shot. 
The process is actually fairly similar to the process I use for updating my FreeBSD systems, as described in Update your FreeBSD software with care, except that it's less orderly and a little more prone to error since the vendor (Microsoft) doesn't provide as much, or as complete, information about its updates as the FreeBSD project does. As I have said before, the amount of time put into researching and/or testing updates should be commensurate with your circumstances. I don't expect everyone to obsessively and exhaustively test all patches all the time. I was just pointing out that if you aren't at least doing minimal research, you're going to get screwed eventually, and to some extent you're going to deserve it. If the Firefox alterations are a reliable guide, then sometimes the capsule descriptions do not always tell me what I really need to know. This is why I make a point of searching other resources (including Google, naturally) for further information when I research an update prior to allowing it to install. Considering the unwillingness of most people to expend any effort in seeing to the security and stability of their computers, however, I consider it a win if I can get them to just read Microsoft's descriptions and think about whether they actually need a given update before approving everything. Going back to the beginning of this particular back-and-forth, I have to ask: Is there anything in what I said that actually still sounds to you like it only applies to a mainframe priesthood? If not, I think you might finally understand my point. If so . . . I guess I'll just have to resign myself to the idea that you're one of the people I tend to think of as the fifth column, working to use willful ignorance as a weapon to oppose any attempts to get people to actually try to run secure systems on the grounds that nobody should ever have to think about anything. 
Ultimately, if you really believe you should not have to think about security at all when operating and managing a computer connected to the Internet, that it's too much to ask for someone to take a little responsibility for his or her own security and privacy, and that any attempt to suggest that's reasonable is the leftover cliquishness of some kind of elitist mainframe priesthood ethic, I guess maybe you should follow that to its ultimate conclusion: You don't have to think about your own security at all. You really don't. All you have to do to completely ignore any suggestions that you should take some responsibility for your own computer security while still remaining secure, if you aren't going to pay someone else to see to it for you, is stop using computers. It's that simple.

apotheon

You complained about local administrative privileges being needed to install updates. In what way do you mean that if not in the ways I addressed? To recap, I mentioned that it's insane to not need administrative privileges to affect the entire system, and I mentioned that one can centrally manage updates by pushing them out over a network. What is your complaint, if not the fact that unprivileged users cannot just install updates?

Michael Kassner

At several clients. What I am referring to is that MS digitally signs every update. The signature is checked by UAC, if it is not correct the update is not installed. MS is trying hard to get other TPV developers to use that same process. That would allow the move to UAC and standard user rights and more importantly not requiring intervention by millions of users that do not have your IT skillset. Edit: Spelling

Ocie3

In response to my assertion: [i]"That said, frankly, I cannot recall any patch that was applied to Windows XP on my computer during the past seven years that proved to be a mistake. Downloading and installing some of the other software has not always been worthwhile, though." (italicization added)[/i] You reply: [i]"You're lucky, I guess. Luck is not security, though. Perhaps you should follow the news a little more, and notice that bad patches happen to good people entirely too often in the MS Windows world. ...." (italicization added)[/i] Thank-you for the reminder that Microsoft included a plug-in and an extension for Firefox when they created the .NET Framework 3.5 Service Pack 1. At the times that they were respectively published, I read the blog article to which you refer in your remarks, written on October 18, 2009, as well as another blog article that you wrote on June 2, 2009 (http://blogs.techrepublic.com.com/security/?p=1716). Of course, I uninstalled the "click once" Firefox extension, as instructed by a Microsoft article to which your June article referred, and disabled the Windows Presentation Foundation plug-in. The extension has never reappeared, but I have begun to suspect that running Microsoft Update re-enables the plug-in. Whether the plug-in has any effect without the extension, I don't know. It has never been clear (to me) whether the .NET Framework is a component of the Windows XP operating system [i]per se[/i], because the only software that needs it to run is software that has been developed to use the "framework". If memory serves, I have exactly one application program, which I seldom use, that requires .NET 2.0 to run. I have been considering a completely clean re-install of Windows XP, and if I do it, then I might decide to leave .NET out at least until I encounter a more significant need for it. 
Although I did not mention it explicitly, I do use the "Custom" option for Microsoft Update -- just not to download patches one at a time and test each one before I install another one. If the Firefox alterations are a reliable guide, then sometimes the capsule descriptions do not always tell me what I really need to know. So, as I said, downloading and installing some of "the other Microsoft software" has not always been worthwhile. But if you consider .NET to be a component of the Windows XP operating system, and the service pack update for .NET as a "patch" to that OS, then why should I quibble? In regard to other matters, as you may realize, it seems that each of us has a penchant for misinterpreting what the other has written. The older you get, the more difficult it becomes to suspend your own frame of reference while you consider that of someone else. There is also an old adage that "The devil you know is better than the one that you don't."

apotheon

Are you saying you want to be able to manage updates for an entire network centrally? That capability does exist in MS Windows (and basically any other OS in the world that is, or pretends to be, multi-user).

Michael Kassner

Requiring local admin rights to allow Windows Updates is a huge problem for enterprise situations. MS digitally signs their updates and UAC will not allow them to install if there is a problem. MS feels that having a verifiable digitally signed Windows update and standard user rights is a viable approach. That solution does not apply to any other updating. I mentioned in the post that MS is trying to get developers to sign their installs and updates. But, that is slow going at the present.

apotheon

If memory serves, according to Microsoft, whether someone who is using a Standard account can, in fact, install Windows Updates is configurable via Group Policy. . . . and all of that is fine, if it's implemented properly (I won't go into that part in more detail just now). What raises my hackles is when people suggest that non-administrative users should always be able to apply updates to the system, rather than the possibility of specific users being prohibited by default but perhaps gaining such privileges at a sysadmin's discretion. Flexibility: Good. Rigid Enforcement of No Privilege Restriction: Bad. Also, often I spent enough time and effort on "administering and operating" the computer -- in contrast to using it for the activities for which I bought it -- that it certainly became inconvenient to run with a "limited user account". I doubt that any other OS would lessen the amount of that time and effort, and might even increase it. Actually, the privilege separation model of some other OSes -- specifically Unix and Linux based systems -- makes things a lot easier to manage, because you don't have to log out of your non-administrative user account, or even switch user environment contexts, to have secure and isolated access to administrative privileges. UAC attempts to provide similar benefits, but fails to actually keep things secure and isolated because true, architectural privilege separation doesn't yet exist in MS Windows. Instead, UAC can be configured to allow an unprivileged user to elevate its privileges "temporarily", thus offering plenty of opportunity for malicious code running elsewhere within the user environment to take advantage of that elevation to wreak untold havoc across the system with full administrative privileges.
That's why the only really safe (and understand, "safe" is here used as a relative term) way to perform administrative tasks on MS Windows is to actually start a fresh login session as an administrative user account, and do nothing within that account's user environment that might expose the computer to malicious code (including opening a Webpage somewhere out there on the Internet with a browser). If that problem were fixed, you'd find that much of the problem you describe could be made to simply evaporate. Which is to say that all of your remarks are quite appropriate to the original context of mainframe computing. They're also perfectly appropriate to your use of your home computer, as I hope you'll realize after my responses to your comments here. But in the context of installing Windows Updates on the millions of computers that are used directly by individuals for their own benefit, you know who does - or doesn't - install them. If you are installing your updates from within an unprivileged account that is regularly exposed to the dangers that lurk on the Internet, you actually may not know who is installing the updates -- because some malicious security cracker may gain access to administrative system management tools via the non-administrative account and use its access to administrative functionality when you mistype a URL and end up getting directed to some phishing Website. Your remarks seem to assume that anyone who is using a Standard account can "make changes" to Windows 7 on an entire network of thousands of computers, and not just to the instance of Windows 7 that is installed on the computer on which they actually have the Standard account that they use. Um . . . what? What gave you that idea? Please see above, in this comment post, to see what I meant. The changes are made by the Microsoft personnel who design, code and produce the Windows OS patches, and any other software that MS chooses to "push" onto our computers. 
This is ultimately a very harmful perspective. It ensures that you willingly give up control of your computer to some faceless corporate drones who may be thousands of miles away from you. When you do that, you also willingly give up control of any data that you store on, or that passes through, your computer. A more security-minded perspective would be the one that assumes all decisions about changes to the system are yours to make, and your responsibility. This is the perspective taken by people who research and test updates before deploying them, because they do not want mistakes made by MS Windows programmers in Redmond to destroy their lives by causing their credit card numbers and private love letters to get emailed to hundreds of identity fraudsters. Do you expect that I will use the Windows Update "Custom" option to download and apply the first patch, then test the entire computer system exhaustively to determine whether the patch makes an unacceptable change? Only you can decide how much time and effort to devote to researching and/or testing a patch before committing it to use on a "live" system. If you do not, at the very least, skim the descriptions of the updates Microsoft gives you before deciding whether to apply them, you are just handing responsibility for your own well-being to someone at Microsoft headquarters, though -- and when (not if, but when) that bites you, you'll deserve exactly what you get. Has it occurred to you that Microsoft has already done that with a significant sample of computer systems? Has it occurred to you that Microsoft tests these things to make sure they won't affect Microsoft's bottom line, and only gives half as much of a crap about your bottom line as is absolutely necessary to ensure it won't lose scads of money in a lawsuit or by way of mass exodus of users to a different OS? 
Considering how willing people are to just keep shelling out money for an OS that screws them year after year, and how effectively impossible it is for an end user to successfully sue Microsoft over the low quality of its software, that's not much of an incentive to look after your needs. That said, frankly, I cannot recall any patch that was applied to Windows XP on my computer during the past seven years that proved to be a mistake. You're lucky, I guess. Luck is not security, though. Perhaps you should follow the news a little more, and notice that bad patches happen to good people entirely too often in the MS Windows world. I recommend you go up the thread two posts from here, to my immediately previous comment in this subthread, and click on that "update cautiously" link for more details. Contrary to your assertion, however, there is no guarantee that removing the software will always make the system more secure. That's not actually what I said, and if you really think it is, I don't think you're reading very closely. What I said was that removing the affected software is a guaranteed fix for that vulnerability. Full stop. There's nothing there about any assumption that it necessarily improves the overall security of the system as a whole. Please don't put words in my mouth then tell me that that, because of those words, I'm "wrong". Considering that the remainder of your comment, after that last quoted snippet, is a load of poppycock entirely predicated upon your assertion that I said something I never said, I'll just do you the favor of ignoring it rather than repeatedly telling you how you're talking about crap that never happened. 
At least all your mistakes prior to that point could be reasonably attributed to a lack of common ground for understanding the implications of my statements, but as of that point in your response you left the realm of reasonable misunderstanding and entered that of making crap up as you go along because it's easier than actually reading what I said, as I said it, and responding to exactly that.

Ocie3

If memory serves, according to Microsoft, whether someone who is using a Standard account can, in fact, install Windows Updates is configurable [i]via[/i] Group Policy. As far as I know, Group Policy can be used to define the "privileges" of any group of users for both Standard and Administrator accounts, respectively. As you may recall, originally, during the era of the mainframe there was a definite division of IT personnel into two distinct groups: (1) those who acquired, operated, maintained, repaired, upgraded and replaced all of the computer hardware ("CPU" and "peripherals") and its operating system and other "system software" such as utilities, compilers, etc., and (2) those who were programmers, systems analysts, data acquisition and input staff, etc. Of course, both then and now all of the IT personnel collectively supported, and were paid by, their "clients" AKA "users", whether in academia, in government or in private enterprise. My own participation in the IT paradigm of the day was in Group 2; I knew only as much as I needed to know about how and why the computer ran, and cared even less as long as it correctly executed the programs that I designed and wrote. If it didn't then that wasn't my problem to solve. The first thing that I realized while I did the system integration of components and assembled the first microcomputer that became my personal property, was that I would be the System Administrator and the System Operator. That is, I would be responsible for evaluating, acquiring, installing, maintaining, repairing and upgrading (or replacing) and for [i]operating[/i] not only all of the hardware, much of which is peripherals. I would also perform the same tasks for its operating system and "system utilities", [i]and[/i] for the "end-user" software as well -- very little of which I designed and wrote, so almost all of which I "purchased", whether by paying a one-time license fee or, eventually for some programs, an annual license fee. 
My first microcomputer ran IBM PC-DOS as the OS, and the microcomputer that I use now currently runs Windows XP. The only account in addition to the default Administrator account is SYSOP. Initially, I experimented with using a "limited user account" (XP jargon), especially while running software that accesses other computers [i]via[/i] the Internet. However, some programs required that I run them with an "Administrator account" even though it seemed that they did not need administrator privileges. Also, often I spent enough time and effort on [i]"administering and operating"[/i] the computer -- in contrast to using it for the activities for which I bought it -- that it certainly became inconvenient to run with a "limited user account". I doubt that any other OS would [b]lessen[/b] the amount of that time and effort, and might even increase it. Which is to say that all of your remarks are quite appropriate to the original context of mainframe computing. In most respects, they are also applicable to large organizations that use hundreds or thousands of networked microcomputers. But in the context of installing Windows Updates on the millions of computers that are used directly by individuals for their own benefit, you know who does - [i]or doesn't[/i] - install them. With regard to Windows Updates [i]via[/i] a Windows 7 Standard account, you remark: ".... Do you really want just [b]anyone[/b] to be able to make changes to the system that affect any and all users on the system, that can conceivably affect any software running on it, or any data stored there?" First, we are not discussing the OS of a mainframe that a considerable number of people use. Your remarks seem to assume that anyone who is using a Standard account can "make changes" to Windows 7 on an entire network of thousands of computers, and not just to the instance of Windows 7 that is installed on the computer on which they actually have the Standard account that they use.
I do not believe that assumption is correct, if only because what anyone can actually do can be governed by Group Policy, as I stated at the start of these comments. Of course, there are System Administrators who do have the authority and access to the appropriate software that can "make changes" -- not only Windows OS updates -- to thousands of networked computers from their workstation. But they are not "just anyone". With respect to my own personal property, I do not want anyone at all to "make changes" to my computer without my prior knowledge and explicit consent. Those others whom I do allow to "make changes" usually expect me to pay them money. But the point is, regardless, [b]I[/b] am not the one who is [i]making the changes to the system[/i]. The changes are made by the Microsoft personnel who design, code and produce the Windows OS patches, and any other software that MS chooses to "push" onto our computers. I am simply the one who has the task of running the Windows Update software that downloads and applies the patches, a task that could be "automatic" if I chose (I do not use the option to do that). If I used MS Office software, then sometimes it would be patched, too. Do you expect that I will use the Windows Update "Custom" option to download and apply the first patch, then test the entire computer system [i]exhaustively[/i] to determine whether the patch makes an unacceptable change? Then repeat the process for each patch until all of those that are available have been examined and either applied or rejected? Has it occurred to you that Microsoft has already done that with a significant sample of computer systems? You may have the time and inclination to perform such testing with your own computer(s), but I do not. Paying someone else to do those tasks would make owning and operating a microcomputer financially infeasible for all but a relatively few individuals. Perhaps that would suit you, too. 
Granted, it is quite understandable that, if I may excerpt your words, "... large enterprise networks that aren't run by complete nincompoops test patches, including critical security patches, before deploying them across the entire network." They have much more to lose than I do if a Windows patch happens to have an adverse effect upon their particular collection of hardware and software. They also have the resources to make such a testing endeavor feasible. No one is paying [i]me[/i] anything for my time and effort. That said, frankly, I cannot recall any patch that was applied to Windows XP on my computer during the past seven years that proved to be a mistake. Downloading and installing some of the other software has not always been worthwhile, though. However, a significant percentage of Windows microcomputers that are operated by individual end-users, and other family members and/or their friends, are not patched regularly, or even not at all. Many people adopt the policy that "if it ain't broke, don't fix it." Of course, they think that [b]as long as they can use it at all[/b] (whether to their complete satisfaction), "it ain't broke" even after their microcomputer has been incorporated into a botnet, and thus threatens the security of each and every other microcomputer that accesses the Internet, especially the others running an unpatched Windows OS. Obviously, I ordinarily regard installing a Windows patch that removes an exploitable vulnerability as [i]increasing the security of the OS[/i]. [b]In fact,[/b] it should do exactly that. There are, of course, inherent risks. Some are that there might be a flaw in the patch itself, and/or that installing the patch introduces a new vulnerability, and/or "breaks" some function of the OS. It might also adversely affect the use of an OS service(s) by other systems software and/or by end-user applications. Apparently your response to these inherent risks is ".... 
If you discover that there is a security vulnerability in a piece of software, the guaranteed fix for it is to [b]remove the software[/b]." On the face of it, removing the software would remove the vulnerability from the system as a whole, although neither the flawed software nor anything else is "fixed". Contrary to your assertion, however, there is no [b]guarantee[/b] that removing the software will [b]always[/b] make the system more secure. If you find Linux has a security vulnerability, then you should uninstall it, correct?? So, by your apparent definition, a computer that cannot do anything is guaranteed to be secure. Since we are discussing OS vulnerabilities, I suppose that you have an OS in mind which has never been patched, if only because [b]no one has ever found any vulnerability in it.[/b] That does not mean that it does not have any. Whichever OS that might be, I would suspect that it has never been installed and executed on a few million microcomputers that have a very wide array of hardware, including a vast array of peripherals, not to mention the software. About the only thing most of these computer systems have in common is that their CPU chip is made by Intel, or perhaps by AMD, with a common architecture. So, all things considered, I am inclined to accept the [b]convenience[/b] of installing security patches to an OS that allows me to continue enjoying the use of the computer system that I have. Especially with respect to my inherent role as [i]the[/i] system operator, installing Windows and patching it quite likely require far less time and effort than I would have to spend if I adopted any other OS instead.

apotheon

Malicious security crackers will probably make use of the fact that the default setting for UAC on Win7 allows standard accounts to update the system (among other things), but perhaps more disturbingly they'll probably also make use of the fact that one can change so much about which user accounts are allowed to do what by changing UAC settings. This is the problem with an OS that violates the principle of privilege separation: malicious security crackers have innumerable options for reaching across the bounds between account privileges and doing things you thought they wouldn't be able to do. True, architectural privilege separation limits the behavior of unprivileged accounts along very clear, well-considered boundaries; superficial privilege filtering of the sort employed by MS Windows applies a somewhat heuristic boundary that shifts and changes and looks more like a sieve than a wall, because minor bugs in the privilege management applications or minor oversights in the design of the privilege filtering schemes can prove to have tremendous consequences for the security of the system as a whole.

apotheon

> I also am amazed that it requires local admin rights to update Windows.

Actually, I'm amazed that Microsoft has continued to do this part of its system security right. Considering its decades of track record sacrificing security for some insubstantial specter of "user friendliness", and the way Microsoft seems to be so strongly of the opinion that all updates from the mothership should be immediately and uncritically applied all the time, I would have expected Microsoft to make it possible for unprivileged users to update MS Windows a long time ago. Hell, by Microsoft's way of thinking about how updates to the OS should be applied, random passers-by on the street with bluetooth cellphone headsets should be able to use Windows Update on your computer for you, it would seem.

Allowing just any schmuck in the office to update the OS would be incredibly stupid from a security perspective, though. Do you really want just anyone to be able to make changes to the system that affect any and all users on the system, that can conceivably affect any software running on it, or any data stored there? Is that really a power you want to grant to unprivileged users? How would you be able to ensure you update cautiously if updates can be initiated by anyone at any time? At that point, you may as well just remove the ability to use any update policy other than Windows Automatic Updates from any and all MS Windows systems, worldwide. Why let users -- administrative or otherwise -- have any discretion at all when it comes to applying updates to the system when the administrative user account can no longer prohibit other users from making system-wide changes with updates?

I can only guess that you think it's "backwards" because you think of updates as "security". Unfortunately, that's what a lot of people think -- probably most people. They aren't security, though. They are, in fact, a security threat, and should be viewed as such, because what you have installed on the system is a known quantity and updates are not. If you discover that there is a security vulnerability in a piece of software, the guaranteed fix for it is to remove the software. Updates to the software to resolve security vulnerability issues are a convenience that allows you to keep the software while hopefully eliminating that specific vulnerability. At the same time, you might conceivably be introducing new vulnerabilities. This is why updating must be done with care. This is why large enterprise networks that aren't run by complete nincompoops test patches, including critical security patches, before deploying them across the entire network. This is why only a user account with administrative privileges should be allowed to update software. Period.

Michael Kassner

Ocie, very clear and concise description. Until you mentioned this topic, I really had not thought about what the other setting would do. Thanks for pointing it out.

Ocie3

"The default UAC setting ...." FWIW, I don't recall finding anything in Microsoft's articles on Windows 7 UAC as to what effects other settings will have. My guess is that the maximum UAC security setting will require "Over The Shoulder" admin elevation for a Standard account, for example, to install Windows Updates. Although, an admin who is using a Standard account could presumably use Admin Approval Mode (thus introducing a vulnerability). It is not clear from Jim Allchin's remarks whether OTS introduces the same vulnerability as AAM, but it seems reasonable to suppose that it does and for the same reason. The third setting is not likely to be more secure than the default (second setting from the top). Maybe turning UAC off would be the best option if setting it to maximum is too inconvenient or causes problems. Then one would have to rely upon using routers, AV, firewall, VM and/or Sandboxie for security.

To reprise: according to a couple of the articles to which you referred, the Windows 7 UAC [i]default[/i] setting introduces a vulnerability that can be exploited by malware while a process that is running on the same account has "admin privileges". So, with the Windows 7 UAC default, someone who is using a Standard account can install Windows Updates, which presumably grants that process admin privileges that malware can gain for itself and exploit (if and when malware is simultaneously running during the Windows Update). The key question now is whether Microsoft is apprised of the vulnerability and what response they will make (if any). On the basis of Mark Russinovich's explanation of how Vista UAC works, it can be rectified by creating process isolation for a program that is "running with admin privileges" in the context of using a Standard account. But doing that will adversely affect "usability and application compatibility".
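The post above guesses at what the slider positions other than the default actually change. As an added example (not from this thread, and not Microsoft's code), the script below reads the registry values that back the Windows 7 UAC slider and reports the configured level together with the settings a defender would want to review. The key path, value names and the value-to-slider mapping are assumed from Windows documentation; the defaults substituted for missing values are assumptions too.

```powershell
# Added example: audit the local UAC configuration (read-only; no settings are changed).
# Assumption: these are the documented policy values behind the Windows 7 UAC slider.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Assumed Windows 7 defaults, used when a value has never been written.
    $enableLua  = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminMode  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $userMode   = if ($null -ne $p.ConsentPromptBehaviorUser) { [int]$p.ConsentPromptBehaviorUser } else { 3 }
    $secureDesk = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # Assumed mapping of the raw values to the four slider positions.
    $level = switch ($true) {
        ($enableLua -eq 0 -or $adminMode -eq 0)   { 'Never notify (UAC effectively off)'; break }
        ($adminMode -eq 2 -and $secureDesk -eq 1) { 'Always notify'; break }
        ($adminMode -eq 5 -and $secureDesk -eq 1) { 'Default: notify only for non-Windows binaries'; break }
        ($adminMode -eq 5 -and $secureDesk -eq 0) { 'Notify without dimming the desktop'; break }
        default                                   { 'Custom (set by policy)' }
    }

    # Settings worth a second look, described from the defender's side.
    $findings = @()
    if ($enableLua -eq 0)  { $findings += 'EnableLUA=0: every account runs with its full token; no elevation prompts at all.' }
    if ($adminMode -eq 0)  { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently.' }
    if ($adminMode -eq 5)  { $findings += 'ConsentPromptBehaviorAdmin=5: Windows binaries marked for auto-elevation run elevated for administrators without a prompt.' }
    if ($secureDesk -eq 0) { $findings += 'PromptOnSecureDesktop=0: prompts appear on the ordinary desktop alongside other processes.' }
    if ($userMode -eq 0)   { $findings += 'ConsentPromptBehaviorUser=0: standard users cannot obtain over-the-shoulder elevation.' }

    [pscustomobject]@{
        SliderLevel                = $level
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminMode
        ConsentPromptBehaviorUser  = $userMode
        PromptOnSecureDesktop      = $secureDesk
        Findings                   = $findings
    }
}

# Reading this key needs no elevation, so the check works from a Standard account.
Get-UacPosture | Format-List
```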

Michael Kassner

Especially Windows Update. I hope the bad guys can't make use of that fact though.

Ocie3

with a Standard Account.

"The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:
* Install updates from Windows Update.
* Install drivers from Windows Update or included with the operating system.
* View Windows settings. (However, a standard user is prompted for elevated privileges when changing Windows settings.)
* Pair Bluetooth devices to the computer.
* Reset the network adapter and perform other network diagnostic and repair tasks."

http://technet.microsoft.com/en-us/library/dd560669%28WS.10%29.aspx

wyattharris

This is certainly the main issue. We attempted to secure several dozen workstations so users would not be able to modify the system. Sure enough there were 2 apps that required admin privileges to function and these were business critical. So all of that work had to be diverted to protecting the now elevated user rights.

Michael Kassner

I also am amazed that it requires local admin rights to update Windows. Seems backwards.

Gh0stMaker

The applications are exactly the issue that makes things complex, not OS security. Unfortunately in manufacturing there are still many applications that will not run unless the account is a local administrator, or the security professional modifies NTFS and registry permissions to get the software to run without elevating the permissions.

apotheon

Tell ya what -- you, Michael, and santeewelding need never worry that I'll try to offer any of you the benefit of any of my experience or knowledge again. I wouldn't want to tax your tolerance by trying to figure out why any of you refuse to help someone else help you.

apotheon

Are you going to make a cryptic, condescending comment that seems specifically designed to make people hate you? Oh, wait . . . Y'know, you're a lot more tolerable in person.

apotheon

Just tell me whether my answer actually answered your question for you, please. If it didn't, please give me some more information about what you want to know so that, if I have an answer, I can share it with you. Maybe we can put that question of yours to rest with a solid answer, one way or another. Maybe there's something AD does for which there isn't any equivalent functionality on a Unix system (though I doubt it, and can't think of any such functionality). If there's something specific you feel needs to be addressed, let me know and I'll see if I know of a solution to that problem. Amidst all this, you still haven't actually let me know whether your question has been answered sufficiently, and I don't want to find out it hasn't been answered to your satisfaction by way of you saying that nobody can offer an alternative to AD that runs on Unix and Linux systems in another year or two. If you tell me now what question you meant to imply, that I haven't answered, maybe I can answer it or tell you whether there's any answer short of writing new software, so you'll have an answer now rather than just having the same question in a year or two.

Michael Kassner

If I have offended you in any way, that was not my intent.

apotheon

> Second, as much as I value your opinion, I also value the opinion of others and why I may ask a question more than once. I feel bad you have a problem with that.

The problem isn't that you ask other people for more information. It's that you have, apparently, ignored what I've said in answer to your question -- then gone on to state that nobody has ever answered your question. What kind of interpretation do you think I should take from your statement that you get nothing but silence when asking for Unix options for solving the "problem" of not having Active Directory in the Unix world?

> As for your comments Chad, I read every one, as well as your posts. If you feel that I need to respond to each, I can't. There are occasions where I do not have enough time.

I don't expect you to respond to every comment. Please don't put words in my mouth. I just find it odd that you act like I haven't said anything in response to your questions, asking the same questions again and explicitly stating that nobody has ever answered them. If there's some aspect of the question that I haven't answered, because you haven't made that aspect sufficiently clear, please clarify. Otherwise, please stop asking the question as if everybody has sat silently dumbfounded when you ask a question that I've actually gone out of my way to try to answer helpfully. I wondered if maybe you had simply overlooked the answer in the past, but frankly, your offended response here as if I'm accusing you of kicking puppies just tells me that you have read my answers and still insist on acting like I haven't when you ask the same question again. Are you just behaving like nobody has ever answered the question to push some kind of agenda? What's going on here?

edit: The following quote is what you said that elicited my response. I think it's pretty clear, and have no idea why you're acting like it's unreasonable for me to want you to take a moment to acknowledge that I have, in fact, provided an answer to your question to the best of my ability with my understanding of what you asked -- and you have expressed zero dissatisfaction with the answer.

> I have asked Linux aficionados about their equivalent of AD and I still am waiting for an answer.

So . . . what's the problem? Is it that I'm not technically a "Linux aficionado", and you for some reason demand that the answer come from such a person -- that it's somehow not valid coming from me instead? Shall I get some Linux aficionado friend of mine to quote me word-for-word for you, or is there some other problem?

Michael Kassner

First, I am sorry you feel obligated to repeat things, you don't have to. Second, as much as I value your opinion, I also value the opinion of others and why I may ask a question more than once. I feel bad you have a problem with that. As for your comments Chad, I read every one, as well as your posts. If you feel that I need to respond to each, I can't. There are occasions where I do not have enough time. Edit: Spelling

apotheon

I seem to vaguely recall you saying something like this before, about a year or two ago maybe:

> I have asked Linux aficionados about their equivalent of AD and I still am waiting for an answer.

I also seem to vaguely recall responding to it with a series of options similarly to how I responded this time. Then as now, as I recall, you never indicated you saw my comment. I hope you actually read what I have to say and, if you find it lacking some important piece of information, I hope you'll tell me -- so this same damned pattern will not repeat itself a year or two from now.

apotheon

How about you use NIS on your Unix and/or Linux systems? There you go; easy client configuration management.

apotheon

If what you want is Active Directory, you should use Active Directory (which, by the way, many Unix and Linux systems support). If what you want instead is just a way to manage many computers centrally, the reason there isn't a single equivalent is that there are many different ways to do so. There's even more than one way to skin that cat with MS Windows; AD is not the only option. Taking a look at the Unix/Linux side in particular:

1. AD is basically MS Windows' version of LDAP + Kerberos + DNS/BIND + a network filesystem, all of which have been supported by Unix systems for at least ten years longer than on MS Windows systems.
2. Novell offers a suite of "enterprise management" software. Do a search for Novell eDirectory to get started.
3. OpenNMS is a relatively recent addition to the mix.
4. Many Unix/Linux systems can actually plug directly into AD networks -- not just duplicate the functionality, but actually duplicate the Microsoft-specific implementation of that functionality. In fact, back in early 2006 I wrote an article for TR about Samba 4's upcoming support for Unix/Linux based Domain Controllers for Active Directory.
5. As always, Unix and Linux systems offer the tools to roll your own network management systems.

Maybe if you pointed out some specific capability large networks get out of Active Directory that you think you can't get somewhere else, someone can tell you how to get it on other OSes.

mgschaef

Please don't put Linux and Windows side by side when we are talking security!! I have used both, I have supported both, and it is windoze that caused my hair to no longer grow on my now shiny bald head. Just because you have not had a virus for 2 years is because the entire IT world had to build Fort Knox around their network to protect the vulnerable MS devices that are the root cause of security breaches. I do not like MS but will admit that they have moved up a notch with Win7... so to finalize, Linux and Windows should never be compared... it would be like putting a 1st grader up against a college professor with a doctorate degree!! :)

Michael Kassner

I suspect it is one strong reason why MS rules the business world right now. It allows enterprise IT admins to control thousands of computers from one Domain Controller.

Ocie3

Now I see why I don't have an AD on my LAN which consists, at present, of one computer and one router. :-)

Michael Kassner

Are you referring to a business environment? If so, does Linux have something similar to Active Directory and Group Policies? If not, do you set up each individual computer?

Michael Kassner

AD is short for Active Directory. It's Microsoft's management software. It pushes Group Policies out to every computer in the domain.

mamies

I really think that this was a case of the user preferring Windows, and why shouldn't they? It is a much more familiar environment. I have some users that hadn't used computers before running on Suse with the KDE desktop, and now if I tried to put them on Windows or change the desktop they would be lost.

Ocie3

I don't recall seeing that as an acronym in any of the sources to which you referred in your article.

Michael Kassner

You are one of the few I know that is running Vista and Win 7 on AD. Is that correct? I also appreciate your bold statement about Linux. I have asked Linux aficionados about their equivalent of AD and I still am waiting for an answer. What are your thoughts on that?

Michael Kassner

I appreciate you sharing your experiences. UAC seems to have more positive responses than negative ones in this forum.

wyattharris

I can't remember the last time I've gotten a virus but it's been over 10 years. Just not a problem for me so I get no use out of UAC. My Dad on the other hand is not an IT guy, he's in Sales. UAC has saved him numerous times from getting MalWare on his computer. When it comes to plain users it seems to be quite effective, though it does seem to annoy everyone equally regardless of profession.

Michael Kassner

The drivers must have had digital signatures to not trip UAC. Thanks for the comments, I can tell people interested in security are reading this post. I am seeing very few complaints about UAC.

eddyrox1

Since I've had a similar situation, thought I'd reply.. Vista was very good.. Windows 7 default is not so good. I upped it to the highest as soon as I got it... there was some driver software that I installed that didn't get any prompts on the default setting, which kinda rang warning bells in my head. So pushed the settings up.