Last week at the RSA conference, I had the excellent opportunity to talk to a lot of people about security (in general) as well as about security enhancements in Windows Vista.
One of the interesting discussions I had centered around UAC and its security value. I *think* the conversation started when someone asked me about the new Apple ad that tries to poke fun at the Vista UAC elevation dialog (though I didn't see that one until this weekend), but the conversation made me realize that there seemed to be some common misunderstandings about UAC which might be interesting to talk about.
What about those Pop-ups?
First, let's start with the elevation prompts. Similar to the implications of the Apple ad, I fielded several comments about the "frequent UAC pop ups." My first response for questions like these is to ask "How long have you been running the RTM release of Windows Vista?" The answer (to date) has fallen into one of two categories:
I follow that up with a discussion of my own real-life experiences. I've been running the RTM Vista at home and at work for a couple of months now and here is what I did:
I did get a few elevations in the first week or two, mostly when I was installing an application that I hadn't thought of initially, such as the Adobe Reader. Also, once in a while my wife (who has her own normal user account) comes to me to say she can't do something she wants and is getting a prompt. Every time, it has been something I would classify as an administrative task - again, typically installing a new application - and I was happy that I was forced to be involved (though she was not, necessarily, always happy).
Honestly, I can't recall the last time I got a UAC prompt, at this point - but, needless to say, they are relatively few and far between.
Purpose of UAC - Run as non-admin
I think the above examples of "me & UAC" really demonstrate the purpose of UAC changes in Vista, which was to enable users to run as non-admin. I quickly migrated my whole family to our Windows Vista machine (formerly Jeff's personal gaming machine, cry, sniff, sniff) so I could have everyone running as normal users and especially so I could apply Parental Controls to my children's accounts.
It was pretty well accepted that one of the problem security areas for previous Windows platforms was the fact that a majority of users were forced to run as admin users to have a good user experience and do common tasks such as Windows Update. That has changed with Windows Vista, in a very positive way. I never log in as admin on my Windows Vista machines for daily work (once in a while to do some administrative tasks, but that is very rare - and appropriate).
UAC is not an "admin Firewall"
Question - "how exactly does UAC stop users from escalating to admin?" This was a serious question that I got after our session on Windows Vista Security last Thursday. At first, I was a bit confused, so I asked the person to explain - and when they did, my answer was "UAC is not an admin firewall."
What I mean by that is that a firewall is a barrier technology, designed primarily to stop things. UAC is not a barrier designed to stop normal users from elevating. Quite the contrary, UAC is composed of a set of changes enabling users to utilize non-admin accounts on a day-to-day basis.
For a much deeper exploration of this, check out Mark Russinovich's blog entry: PsExec, User Account Control and Security Boundaries. Mark explains the point very well by contrasting UAC changes with the PsExec technique utilized for limited sandboxing on Windows XP and it is a very good read.
Finally - you will have your own experience with UAC. If you like it or hate it, share your story with me too. Best regards ~ Jeff