This is the final part of a three-part response to a comment Matt left regarding the least privilege model in Windows Vista.
Part 1 was: Let's review how privilege is used in Windows NT, XP, 2000 and 2003:
Part 2 was: How will User Account Protection work in Windows Vista?
As I mentioned in Part 2, it is possible to override the default UAC behaviour of Windows Vista. We don't yet know what the default behaviour of the equivalent of "XP Home" will be. I suspect that during system installation the owner of the computer will be asked to enter their name and an administrative account will be created, just as it is today in Windows XP Home Edition. Personally I think this is the right approach because (as Matt mentions in his comment) folks do not want to be constantly entering credentials, and as there's unlikely to be a "System Administrator" other than the owner, the concept of entering another set of credentials is overly complicated.
Now I may sound like I'm contradicting my earlier advice for Windows XP, where I stated that two accounts were required to mitigate the risks posed by malware. Windows Vista's significantly improved privilege model (User Account Control) is exactly what lets a single account provide that same mitigation.
When an administrative task is required, the user of the system simply consents to their privilege being used by accepting the request in an interface dialog like the one shown below:
As mentioned in Part 2, the point of this interface is that the user is made aware that a privileged operation is about to take place. If they're not consciously changing their system configuration (installing software, perhaps), then the prompt could signify that malicious software is attempting to infiltrate or compromise their system.
To answer Matt's question directly: I think the default behaviour of UAC for Windows Vista "Home Edition" will make sense to home users and will ensure that they leave it active.
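Whether UAC has in fact been left active on a given machine is something an administrator can check rather than assume. The following PowerShell script is an added example and is not part of the original post; it reads the standard UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop, all real values under the Policies\System key introduced with Windows Vista), reports whether the current process already holds a full administrator token, and flags the configurations in which the consent dialog described above would never be shown. The function names are my own.

```powershell
# Added example (not from the original post): report the UAC configuration
# and the elevation state of the current process, then flag weak settings.

function Get-UacStatus {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey

    # Under UAC an administrator's normal token is filtered, so the
    # Administrator role check succeeds only when the process is elevated.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        UacEnabled            = ($policy.EnableLUA -eq 1)
        AdminPromptBehavior   = $policy.ConsentPromptBehaviorAdmin
        UserPromptBehavior    = $policy.ConsentPromptBehaviorUser
        PromptOnSecureDesktop = ($policy.PromptOnSecureDesktop -eq 1)
        ProcessIsElevated     = $isElevated
    }
}

function Test-UacConfiguration {
    param([Parameter(Mandatory = $true)] $Status)
    $problems = @()
    if (-not $Status.UacEnabled) {
        $problems += 'UAC is disabled (EnableLUA = 0): no consent prompts at all'
    }
    # ConsentPromptBehaviorAdmin = 0 means administrators elevate silently,
    # so the user is never made aware that a privileged operation occurred.
    if ($Status.AdminPromptBehavior -eq 0) {
        $problems += 'Administrators elevate without prompting (ConsentPromptBehaviorAdmin = 0)'
    }
    # The secure desktop isolates the consent UI from ordinary user processes.
    if (-not $Status.PromptOnSecureDesktop) {
        $problems += 'Consent prompt is not shown on the secure desktop (PromptOnSecureDesktop = 0)'
    }
    return $problems
}

$status   = Get-UacStatus
$status | Format-List
$problems = Test-UacConfiguration -Status $status
if ($problems.Count -eq 0) { 'UAC configuration looks healthy' } else { $problems }
```

Run it from an ordinary (non-elevated) PowerShell session: ProcessIsElevated should report False even for a member of Administrators, which is the whole point of the filtered token, and the three checks should all pass on a machine that still has the default Vista settings.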
I wonder if there's been any research into how effective these precautions are in general. While I agree wholeheartedly that least privilege is an excellent idea (and it's good to see Vista using it by default; hopefully now the application vendors will start to lose the "I must be admin" mentality!), I wonder if people will just start to hit "yes" by default.
A case in point was the "I love you" email malware. A colleague of mine reported that in a Government environment where any external mail generated a "This is going out on the internet, are you sure, etc" message, people were blindly clicking OK even though the warning clearly showed the message title and destination.
I think it might depend on the frequency of the prompts; for email you'd get loads every day so may rapidly be desensitised, whereas with UAC I'm guessing it will mainly be "sysadmin" type stuff (installing software, configuring disks etc) which is less common.
Of course the use of an untrusted path for authentication raises another possibility, trojans spoofing the dialogue to capture passwords. This is a general problem with such things and is by no means just a Windows issue. Is there any way of using the Ctrl-Alt-Del SAS in conjunction with UAC?
Nik> I agree that the new challenge will become (continue to be) "but my users just hit 'Yes' / 'Go away' when asked any security questions". Security awareness training is the only way I can see to help that problem.
As for concerns about malware stealing the credentials, IT SHOULDN'T be easy for them to do so under Windows Vista - I have been reliably informed that the elevate privilege consent UI has been implemented in such a way that it's difficult to intercept.
It wasn't so much hijacking the elevate privilege UI I was thinking of, more an impersonation (or reasonable facsimile) of it. You're right that education is probably the best defence (as good security education is also fairly platform independent!).
However, it looks like a real improvement on the current situation, and I look forward to seeing it in action.