Sun, Feb 1 2009 8:05 tonybradley

Security vs. Usability: The UAC Debate

Last week a Windows 7 Beta tester posted a blog entry describing a flaw or weakness in the way UAC (User Account Control) is implemented in Windows 7. For starters, although I titled this post 'Security vs. Usability', I want to stress that UAC is not a security feature or control. It is a control in Windows Vista and Windows 7 designed to enforce least-privilege access and enable users to operate as Standard Users rather than running as Administrator. There are security implications to UAC, though. For example, security professionals generally recommend that users run as Standard User rather than Administrator because malware exploits generally operate with the same privileges as the logged-in user. If someone running as Administrator is compromised, the malware has much more power to effect malicious change on the computer system than if a Standard User is compromised.

That said, UAC is largely perceived as a security function (I should say that security is 'blamed' for UAC), and it has been one of the most prominent complaints about Windows Vista. Users complain about the constant pop-up alerts asking for Administrator permission every time they want to open a console, install a program, or access an application. Truth be told, if they were running as Standard User, they wouldn't see those prompts. Those prompts are a result of running as Administrator and an attempt on the part of Windows Vista / Windows 7 to alert the user that the action they are about to initiate requires Administrator-level access to the system and could potentially affect or modify the system.

With Windows 7, Microsoft has seemingly caved to the UAC backlash and negative marketing from Windows Vista. UAC is still there, but now it has a slider that lets the user adjust what level they want UAC to operate at. Users can access the Windows 7 Action Center from the Control Panel and click on User Account Control Settings. The crux of the issue described in the blog mentioned above is that by default UAC is configured to not notify or alert when changes are made to Windows Settings. The operating system cannot differentiate between a user clicking on options to change Windows Settings and an application, malicious or otherwise, effecting changes to Windows Settings. Since the User Account Control Settings is a Windows Setting itself, a malware program can disable UAC entirely before doing more insidious actions to the PC, and the user will not be notified.

The official Microsoft response so far has been that this is not a flaw or vulnerability. UAC operates the way it does by design and after much consideration and user feedback. The foundation of their defense also seems to rest on deflecting the blame to the malware itself. Basically, Microsoft has stated that in order for malware to modify UAC the malware first has to get onto the system and have permission to execute. Therefore, the issue is how to protect Windows 7 from malware, not how to modify the behavior of the UAC Control Settings. I can see where Microsoft is going with this logic. It does seem to make sense on some levels. But it also seems like it would be a trivial adjustment to exclude UAC itself from the Windows Settings that are ignored so that there would be some sort of alert if UAC itself is modified.

Users may not ever notice or care (until some malware exploit compromises their system through this 'feature'), but the security world is all up in arms. The feeling is that Microsoft is back-pedalling on their commitment to be secure by design and secure by default in order to appease users. Being primarily a security guy, I tend to side with that line of thinking. I think that it makes more sense to alter the behavior of the UAC Control Settings before the RTM release of Windows 7. I think that rather than sacrificing security in the interest of marketing, Microsoft should invest more in marketing UAC and educating enterprises and users on how and why it does what it does, and how to use it properly.
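
The slider level discussed above is stored as policy values in the registry, so an administrator can audit it instead of relying on a prompt. The script below is an added example, not part of the original post or any Microsoft tool: the function names and the `AlwaysNotify` baseline are assumptions chosen for illustration, and the sample rows are constructed.

```powershell
# Added example: classify the UAC slider level from its registry policy values
# and compare it with a required baseline (the baseline is an assumption).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 means UAC is switched off, whatever the other values say.
    if ($EnableLUA -eq 0) { return 'Disabled' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'NeverNotify' }     # elevate without prompting
        2 { return 'AlwaysNotify' }    # top of the slider
        5 {                            # prompt for non-Windows binaries only
            if ($PromptOnSecureDesktop -eq 1) { return 'Default' }
            return 'DefaultNoDim'
        }
        default { return "Other($ConsentPromptBehaviorAdmin)" }
    }
}

function Test-UacPolicy {
    param([string]$Required = 'AlwaysNotify')
    # Read the live values; fails loudly if the key cannot be read.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    $level = Get-UacLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Level     = $level
        Compliant = ($level -eq $Required)
    }
}

# Constructed sample values, so the classification can be seen on any machine.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
)
foreach ($s in $samples) { Get-UacLevel @s }

# On a Windows host, report the machine's actual setting.
if ($env:OS -eq 'Windows_NT') { Test-UacPolicy }
```

Run on a schedule and compared with the previous result, the `Level` field gives the kind of notice of a changed UAC setting that the default slider position does not.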


# New Issue Identified with UAC in Windows 7

Wednesday, February 04, 2009 9:15 AM by The Edge

Soon after identifying a controversial design decision related to the default implementation of UAC in

# Windows 7 UAC Debate Explained

Thursday, February 05, 2009 2:11 PM by The Edge

That darn UAC function just can't stand to not be the center of attention. It has been one of the
