Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu


Please don't disable security features, at least while we are testing them


I couldn't tell you how many times I have either had the question "how do I turn off User Account Control" or heard the statement "boy, I sure hate all those annoying user account control popups in Vista."

Yeah, security sucks, it gets in the way of doing things, some bad, some good, but that's a fact of life. The other fact is that User Account Control (UAC) is one of the most important ways that we hope to protect people in Windows Vista. I have many times told the story about how Steve (Riley) and I were at an event when he got a call from his wife asking for help with her computer. Apparently it was getting all sorts of popups, ads, and other weirdness; clear signs of spyware. He said that he'd fix it when he got home. When he did, he downloaded and ran all kinds of cleaners, and then called me with the astonishing results. The computer had about 168 separate pieces of spyware. So I went and ran the same cleaners on the computer in our kitchen, the one most of the family uses. On that one we found exactly zero problems. The difference? Steve is a nice guy, so he gives his wife administrative access to her computer, and everything installed nicely, including the spyware. I am, well, there is a term for it, but it is not suitable for electrons, so none of my users ran as an administrator. The result: nothing installed, including the spyware. This experience obviously does not guarantee that just by running as a normal user you will not get spyware, but it will make it more difficult to get it, and it will make it easier to clean off.

The problem is that without considerable savvy, or lots of time spent in Aaron Margosis' blog, the vast majority of people today can't run as a non-admin user. The reason is all the apps that require administrative privileges. To solve that problem, we can do a couple of things. We can try to plead with the app vendors to fix their stuff, and you know how well that has worked in the past. We can stop buying these defective apps, and you know how well that has worked in the past. And, we can build a technology that allows most people to do most of the things they need to do to run the computer on a daily basis as a non-administrator. That technology is called User Account Control.

Windows Vista includes a number of features that work as part of, or in conjunction with, UAC to meet three important goals. The first is that these features allow a lot of applications that previously would not run as a non-administrator to do so. This is done by virtualizing key operating system locations, such as the Windows directory, Program Files and the machine-wide parts of the registry: writes that a non-privileged process could not make are silently redirected to a per-user store instead of failing. UAC also changes the privileges required for many common tasks, such as changing the time zone, power settings and even installing approved devices and ActiveX controls, so those tasks can be performed by ordinary users. This allows users to run as non-privileged users while allowing many scenarios and applications that did not work that way under Windows XP to still work. The second promise is to create an easy elevation path for applications that really do require administrative privileges, while still allowing even users who are administrators to run as non-administrators most of the time. This means that even for users who are in the Administrators group, applications like Internet Explorer and the mail client do not actually have administrative privileges all the time, reducing the damage attacks against those applications can inflict. Finally, UAC allows us to quickly spot all the broken apps out there so that we can either shim them to run as non-admins or get them fixed. The last of these is at once the most subtle and arguably the most important of the things UAC does. It is also in many cases the most obvious, and the reason many people want to turn UAC off. By doing so, they allow applications with fundamental design flaws to keep working, reducing the pressure to actually fix those applications so they work as non-privileged users, as most of them should.

None of that will work unless people use the feature. To do all those things we need your help, yes, yours, as a beta tester of Windows Vista. Unless we get feedback on what works and what does not we can't fix it. If you disable critical technologies that we are trying to get to work, we can't fix them. That means that, yes, some things will be annoying and not work quite right in the final release, unless people work with us to fix them. Going out with statements like "this is the worst feature ever and I already disabled it and will never re-enable it" based on unfinished beta code is simply silly. Why not instead realize that allowing people to run as a non-admin is one of the most important things that can be done when it comes to protecting your system, and that it won't happen if the only people trying to get it done are a few program managers at Microsoft. Work with us on this one and help us build a great, usable, and useful UAC. If you find prompts that are absolutely egregious and need to go, send us feedback on that. We need to know. If you can't find any other way to submit it, send me a comment on the blog and I will get it filed.

Disabling UAC also removes many other protections. For instance, if you set the "User Account Control: Run all administrators in Admin Approval Mode" security policy item to Disabled, you remove all of the benefits of the integrity controls and the restricted (filtered) security token from your administrative account. That means that Internet Explorer, for instance, will run as a full administrator, just like it does under Windows XP. By extension, it means that any missed click or accidental navigation could completely compromise your system, just like under Windows XP. If you have to quiet UAC temporarily, for example while you are building out the system and you can't stand all the prompts, do not turn off Admin Approval Mode. Instead, set "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting". Elevation still happens per process, just silently, so you at least leave Internet Explorer protected with its low-integrity token, and you can switch the prompt back on when the build-out is done.
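The two policy items above are backed by two registry values under the same key, so the difference between "turn off UAC" and "stop prompting" can be made concrete. The following is an added example, not code from this post or from the UAC team; it assumes Windows Vista or later with Windows PowerShell and a console that was itself started elevated (the key lives under HKLM, so writing it needs the full administrator token). The function names are the example's own.

```powershell
# Added example, not from the original post. Assumes Windows Vista or later, Windows PowerShell,
# and an elevated console (HKLM writes require the full administrator token).
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # Reads the registry values behind the two security policy items named in the post.
    $p = Get-ItemProperty -Path $UacPolicyKey
    New-Object PSObject -Property @{
        # "Run all administrators in Admin Approval Mode": 1 = enabled, 0 = UAC off entirely
        AdminApprovalMode   = ($p.EnableLUA -eq 1)
        # "Behavior of the elevation prompt for administrators in Admin Approval Mode"
        # Vista values: 0 = elevate without prompting, 1 = prompt for credentials, 2 = prompt for consent
        AdminPromptBehavior = $p.ConsentPromptBehaviorAdmin
    }
}

function Test-TokenIsFullAdministrator {
    # $true only if this process holds the full administrator token. In Admin Approval Mode a
    # non-elevated process started by an administrator carries the filtered token, in which
    # Administrators is present as a deny-only group, so IsInRole returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Show-TokenLabels {
    # whoami.exe lists the token's groups, including the Mandatory Label row (the integrity
    # level) and whether Administrators (S-1-5-32-544) is marked "Group used for deny only".
    whoami /groups | Select-String -Pattern 'Mandatory Level|S-1-5-32-544'
}

function Set-AdminPromptBehavior {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 2)]
        [int]$Value
    )
    # Changes only the prompt behavior. Admin Approval Mode stays on, so elevation still
    # happens per process and non-elevated processes (Internet Explorer in Protected Mode
    # among them) keep their restricted, lower-integrity tokens. Takes effect without a reboot.
    Set-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value $Value
}

# What the post warns against: "Run all administrators in Admin Approval Mode" = Disabled.
# After the required reboot every process an administrator launches gets the full token,
# as on Windows XP. Left commented out on purpose.
#   Set-ItemProperty -Path $UacPolicyKey -Name EnableLUA -Value 0

# What the post recommends during a build-out: silence the prompts, keep the protection.
Get-UacState
Test-TokenIsFullAdministrator
Show-TokenLabels
Set-AdminPromptBehavior -Value 0     # elevate without prompting
# ... build out the machine ...
Set-AdminPromptBehavior -Value 2     # back to prompting for consent (the Vista default)
```

Run `Test-TokenIsFullAdministrator` and `Show-TokenLabels` once from a normal console and once from an elevated one while Admin Approval Mode is on: the first reports `$false` and a Medium integrity label with Administrators marked deny-only, the second `$true` and a High label. With `EnableLUA` set to 0 and the machine rebooted, both consoles look like the elevated one, which is exactly the Windows XP situation the post describes.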

Once the OS is released, if you absolutely can't stand a security feature that is designed to protect you, by all means, turn it off. For now though, realize that this is beta code. It is not quite done yet, and it won't be quite right unless we get help from the people entrusted with pre-release copies of the operating system.

To learn more about UAC, check out the UAC team blog. A lot of questions and concerns about UAC are probably already addressed there.

Comments
  • I would be interested in seeing how many Vista systems get compromised by malware in the first few months after its full release and then comparing that with the number of those systems that have disabled the built-in security and protection systems that the developers at Microsoft have been working on.  I would imagine that, while only a percentage of wide open systems will be breached, almost all breached systems will have the security measures disabled. Of course, all the blame for this will go squarely on the shoulders of Microsoft and, being a large corporation with a public image to maintain, they will just have to take it.

  • I have blogged in the past about how much I hate the current implementation of UAC (User Account Control)...

  • So you loaded up Vista and you want to try it on a SBS network... so while you 'can' ... I'd read the...

  • You convinced me. Good post.

  • I have a related question. When being a member of the Administrators group most applications do not actually run with Administrator privileges. Is running as an admin with UAC enabled less secure than running as User with UAC enabled? (Assuming there is a user at the keyboard who knows what (s)he is doing and does not click "Allow" blindly.)

    The answer is probably yes, because some processes do in fact run with admin privileges. Which are these?

  • My biggest gripe with Vista (as of Beta 2) is that there is no way to elevate myself to work with Control Panel applets. I have to start an elevated copy of Windows Explorer, navigate to the Control Panel and THEN work on whatever changes I needed to make (i.e. remove networks from the Network List).

    This is mainly a bother with the Control Panel, but this happens as well in other parts of the OS where there is no clear way of elevating privileges to accomplish a task.

  • "...so none of my users ran as an administrator. The result, nothing installed, including the spyware."


    Here's the crux of the problem -- computers exist to be usable for productive work. Systems administrators act like computers exist to make as little work as possible for them.

    I realize the author probably didn't mean to write that he has nothing installed on his computer. But really, if no one ever uses an administrator account, more software is unusable than usable.

    And this is the user's fault? We're supposed to beta test this stuff so that Microsoft knows what we need to do and what we don't need? I'm not on Microsoft's payroll.

  • If you are not willing to beta test software because you are not on Microsoft's payroll, why are you running Vista? Is it just so you can say "I'm cool - I'm running Vista!"?

    Part of the responsibility of running the beta software is to give your knowledge back to the creator of the software. I know of no cases where Microsoft has come along and forced a user to install software from a beta program on their machine - generally people volunteer for the privilege of being in a beta program. However with privilege comes responsibility - follow the test protocol, report errors fully and completely, and give feedback on your experience. It's not just a popularity contest.

    Sorry if this seems like a rant - but I have to "support" beta users who think that beta program member = I'm in the cool crowd.

  • Excellent post Jesper! All these whining people should shut up, help test Vista, and submit constructive feedback to MS. First people blast MS for crappy security, now they blast them for being too secure. No matter what MS does people want to yell at them.

  • Microsoft Sucks!! Disable everything and format hard drive!!! Why would anyone use a product that is so crappy, insecure and spies on you as a user and keeps that in a database. MICROSOFT is a criminal company.

  • Thanks for posting this, Jesper. It has been picked up by some of the news outlets (e.g. eWeek) so hopefully there will be a wider audience starting to get this message.

    I was pretty annoyed when one of the Tech-Ed presenters suggested turning UAC off during testing. As you have said, it is only through proper testing of Vista and getting the feedback to MS that we are going to all benefit and get a version of UAC that works as everyone needs it to work.

    UAC is a big improvement - my step-son recently got hit by spyware. Vista can't come soon enough with its tighter security as far as I'm concerned.

  • Well, this has been a problem for a long time, and it is the software writers that are to blame, not Microsoft. A lot of simple programs write temp or other files to protected areas that then require you to run the program as an administrator. We have been using WINDOWS NT long enough to know how to write programs so they do not need to have administrator rights, so why has it not happened? Because NO ONE MAKES THEM FIX THEIR SOFTWARE! Look at PALM sync software: you have to give the user ADMIN rights, then install it to a directory they have normal rights to read and write from, then you can remove their ADMIN rights... This is the FIX they posted on their website. It is totally absurd. I should be able to install the software as an administrator for every user on the PC, then log off, and the software should work. I think what Microsoft is doing with this software is great: one, it should give the software vendors more opportunity to see how their software is broken and FIX IT; two, it will hopefully stop administrators from giving USERS admin rights that they should NEVER have. I wish I could have been in the BETA to see it first hand.

  • Second post; it cancels the previous one.

    I use Vista with standard parameters and I test my application in this mode.
    I test installation of my programs, which use MSI technology and a bootstrap setup.exe.
    I have prerequisites to install. So to avoid nested installation, I use prerequisites. The bootstrap launches each sub setup.exe before launching the main MSI.
    But to install each sub setup.exe, I get UAC windows...
    I read that for installation, the high privilege was transmitted from one program to another one. Is it true? Is there something to do to allow the sub setups to be installed without any UAC dialog box?
    Thanks for your help.
    Gilles

  • Why not make the UAC functionality ask only once per logon session, but with a timeout that is configurable? So say you need to do some admin priv stuff: you enter your credentials and after 5-10 minutes the credentials expire. If that is not long enough or is too long, let the user configure the timeout.

    The best of both worlds.
