• Pre-warning: Windows Server 2003 SP1 Out of Support in April

    During Conficker we realized that a lot of customers are on unsupported OSs. I would like to draw your attention to a few things:

    • There is a webpage called Microsoft Support Lifecycle where you can find all the information on the lifecycle of our products. Let me just quote two things:
      • Through the policy, Microsoft will offer a minimum of 10 years of support (5 years Mainstream Support and 5 years Extended Support) at the supported service pack level for Business and Developer products.
      • When a new service pack is released, Microsoft will provide either 12 or 24 months of support for the previous service pack (Remark: It is 24 months for Windows)
    • You can subscribe to a quarterly newsletter with regards to this issue: Subscribe to Microsoft Support Lifecycle Quarterly Update Newsletter
    • There is a site where you can search for products, including those that leave Extended Support within, e.g., the next 6 months: http://support.microsoft.com/lifecycle/search/
    • There is one page dedicated to Service Packs: http://support.microsoft.com/gp/lifesupsps
      • If you look at that, you will see that Windows Server 2003 Service Pack 1 will be retired on 14 April 2009. This means that this is the last time you will get Security Updates for SP1! If you have not already, please start rolling out SP2 immediately.
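    Finding the machines that are still on SP1 is the first step of that roll-out. The PowerShell below is an added example, not part of the original post: it queries Win32_OperatingSystem over WMI for a list of hosts and flags any Windows Server 2003 machine whose CSDVersion string is not Service Pack 2. The host names are placeholders, and the script assumes PowerShell 2.0 on the administrator's workstation with WMI reachable on the targets.

```powershell
# Added example: inventory the service-pack level of a set of hosts via WMI and
# flag Windows Server 2003 machines that are not yet on SP2.
# Host names below are placeholders; replace them with your own inventory list.
$computers = @('SERVER01', 'SERVER02')

$results = foreach ($name in $computers) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        # CSDVersion carries the service-pack string (e.g. "Service Pack 1"); it is empty when no SP is installed
        $sp = if ($os.CSDVersion) { $os.CSDVersion } else { '(none)' }
        # Only Server 2003 (any edition, R2 included) that is below SP2 needs action
        $needsSp2 = ($os.Caption -like '*Server 2003*') -and ($sp -notlike '*Service Pack 2*')
        New-Object PSObject -Property @{
            Computer    = $name
            OS          = $os.Caption
            Version     = $os.Version
            ServicePack = $sp
            NeedsSP2    = $needsSp2
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped, so the list stays auditable
        New-Object PSObject -Property @{
            Computer    = $name
            OS          = 'unreachable: ' + $_.Exception.Message
            Version     = ''
            ServicePack = ''
            NeedsSP2    = $null
        }
    }
}

# Machines that need SP2 are listed first
$results | Sort-Object NeedsSP2 -Descending | Format-Table Computer, OS, ServicePack, NeedsSP2 -AutoSize
```

Run it from a workstation with administrative rights on the targets; hosts that answer with "unreachable" still need to be accounted for, since an unreachable machine is not a patched one.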

    Hope this helps

    Roger

  • The Windows 7 UAC “Vulnerability”

    It is always interesting how some things spin off. The claimed UAC vulnerability in Windows 7 is one of those events. There are numerous blogs which claim that they found a huge vulnerability in Windows 7. The reason for that is that you can change the settings for UAC without getting a UAC prompt.

    Let’s have a look at it: A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements: “I do not want to get all the UAC elevation prompts just because I change my Windows settings”. We heard you loud and clear. So, we decided to do what you asked us: not show you an elevation prompt when you change settings in Windows. So the default configuration in Windows 7 looks as shown below:

    [Screenshot: the Windows 7 UAC settings dialog with the slider at the default level]

    And guess what: We do not notify you when you make changes to Windows settings – UAC being one of those!

    However, if you want to go further and put the slider up one level to “Always notify”, the same screen looks slightly different:
    [Screenshot: the Windows 7 UAC settings dialog with the slider at “Always notify”]

    And again, guess what: We notify you when you make changes to the Windows settings – UAC being one of those.

    So, basically to give you my view:

    • We did what you asked us to do: reduce the number of UAC prompts, especially when you change your Windows settings
    • We do what the prompt tells you we are doing

    In my opinion, this is not a vulnerability. We can debate when we should generally show a UAC prompt, but this is a completely different debate than claiming this is a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment and think about all the Windows Vista discussions.

    BTW: I am a big fan and supporter of UAC and think that the team did an outstanding job – already in Windows Vista.

    Roger

  • Both Sides of the Windows 7 UAC Problem

    I have to come back to the UAC problem again. I just read a good article from Larry Seltzer on eWeek.com:

    Both Sides of the Win7 UAC Problem

    I think it is one of the first ones I have read that takes the emotions out of the discussion and tries to understand the real problem. He actually made an interesting comment: the whole issue is about running malware to change the UAC settings, and he says:

    The technique could be used for far worse things. Control panel has many important system-wide settings in it. You can set user passwords, uninstall software, disable the firewall, and so on. All of this is possible because of the default UAC setting, and you don't have to change that setting to "exploit" it.

    So, let’s think about it: A lot of people wanted us to reduce the number of UAC prompts. We published a fairly good article in October last year about User Account Control and what we learned.

    Now, let me get it straight (after all the pretty emotional comments I got on my last post): I definitely understand your view and your argumentation. What we need – however – is a balanced discussion about what makes sense and what does not.

    All the discussions assume that the user is administrator on the machine – let’s keep that in mind. Is UAC really the only thing you are concerned about? I think it should be consistent throughout the Windows settings (including UAC) – protecting UAC alone probably does not cover the attack vectors you are mentioning. As an example: I can open the Device Manager without a prompt. I can change all Windows settings without a prompt (including all the security settings). This is what the UAC setting is for. From a risk management perspective: What would it really change if we asked for a prompt when you change the UAC setting? The malware we are looking at could then not change the UAC settings, but could still change all the other Windows settings (if you are an Admin). How much would this really lower the risk – or would it reduce the risk at all?

    So, should we change the default to “High” – which would mean that we are at a similar level as in Windows Vista, where we got a lot of complaints?

    In my opinion we all should do two things:

    1. Take the emotions out of the discussion
    2. Look at the broad picture from a risk management perspective

    And one final thing: Yes, we are listening to you (otherwise I would not have allowed comments, answered some of the comments and be writing this second post now), and the reason for publishing Beta versions is to have these discussions now, while changes are still possible, rather than after the release. So, let’s have this discussion taking the points above into consideration.

    Roger

    P.S. Read Jon DeVaan's post on this issue

  • UAC in Windows 7: The “Final” Decision

    Jon and Steven released another blog post on UAC and explained their decision on how to change things:

    They start with the risk of blogging:

    When we started the “E7” blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren’t sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we’ve managed to do both.

    And then they showed the change they decided to make:

    With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

    Now, this is what you were asking for and – as I told you – we are definitely listening to your feedback. However, let’s be clear here. If you have the UAC settings set as in the screen below:

    [Screenshot: the Windows 7 UAC settings dialog with the slider at the default level]

    you will not be notified whenever something changes in the Windows settings. So, you will be prompted in the future when changes happen to UAC, but there are still a lot of other areas where malware could change settings. So, if you are very security conscious, move the slider to “Always notify”; otherwise, make sure that your anti-malware solution does what it is supposed to do.
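    Whether a given machine is at the default level described in the earlier post or at “Always notify” can be verified rather than eyeballed from the slider. The PowerShell below is an added example, not part of the original post: it reads the policy values behind the Windows 7 slider from the registry and reports the level. The key path and value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the standard UAC policy values; the mapping of value combinations to slider labels, and the label strings themselves, are this script's assumption for Windows 7.

```powershell
# Added example: audit the UAC level of the local Windows 7 machine from the
# registry policy values that the UAC slider writes.
# The value-to-slider-level mapping below is an assumption for Windows 7.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $key

$enableLua   = $p.EnableLUA                   # 1 = UAC enabled, 0 = UAC disabled
$adminPrompt = $p.ConsentPromptBehaviorAdmin  # 0 = elevate silently, 2 = always prompt, 5 = prompt only for non-Windows binaries
$secureDesk  = $p.PromptOnSecureDesktop       # 1 = prompts shown on the dimmed secure desktop

$level = if ($enableLua -eq 0 -or $adminPrompt -eq 0) {
             'Never notify (no elevation prompts at all)'
         } elseif ($adminPrompt -eq 2 -and $secureDesk -eq 1) {
             'Always notify'
         } elseif ($adminPrompt -eq 5 -and $secureDesk -eq 1) {
             'Default: notify only when programs make changes, not for Windows settings'
         } elseif ($adminPrompt -eq 5 -and $secureDesk -eq 0) {
             'Notify for programs only, without the secure desktop'
         } else {
             "Non-standard combination (ConsentPromptBehaviorAdmin=$adminPrompt, PromptOnSecureDesktop=$secureDesk)"
         }

"EnableLUA=$enableLua  ConsentPromptBehaviorAdmin=$adminPrompt  PromptOnSecureDesktop=$secureDesk"
"UAC level: $level"

# Anything below "Always notify" means an administrator's processes can change
# Windows settings silently, which is the risk the posts above discuss.
if ($level -ne 'Always notify') {
    Write-Warning 'UAC is below "Always notify": Windows settings changes by admin processes will not prompt.'
}
```

The same values can be read remotely with Get-WmiObject against the StdRegProv class if you want to sweep a fleet, but the point is the same: the slider position is a policy setting you can audit, not just a dialog you look at once.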

    Roger

  • Security Compliance Management Toolkit

    A few days ago, we released the Security Compliance Management Toolkit. I think that this toolkit might definitely help you to secure your environment and monitor it against a security baseline.

    Security Compliance Management Toolkit Series

    Roger