imnuts' Blog
Random stuff from my mind…

UAC: Securing your Computer and More

With Windows Vista, security has always been a top priority. Ever since people started complaining about spyware, viruses, and other nasties that can affect your system, Microsoft has been working at keeping this stuff off of computers. To help sort things out, they introduced Service Pack 2 for Windows XP. This brought the Security Center and other features to help protect users from these things and also to keep annoying popups away. So, to prevent future issues, they have been working on making Vista one of the most secure operating systems ever. There method of doing so is User Account Control (UAC), which is also known as User Account Protection (UAP). This sits there and moniters the users activities and when something comes up asking to work in a certain area, like the Windows folder, it gives the user a prompt asking if they want to allow this. In theory this is a really good idea as it would prevent anything from modifying system files or trying to take control of your system without you knowing.

Then, in comes reality. As always, things don’t always follow what we are wanting them to, and so far, UAC is no exception to this rule. UAC is likely one of the most criticized items in Vista at the moment. Where the user would expect to be able to delete items as they please (mostly) or save things where they want to, UAC comes in and displays itself, hindering productivity. For any user actually playing around with Vista, I’m sure you’ve noticed it, there isn’t really any way that you couldn’t have unless you were prepared and circumvented it from the beginning. So, is UAC really the answer that we’ve all be looking for in securing our systems and preventing all the junk that is out there floating around the web? I think that it somewhat is, but it needs a lot of refinement. We can look at what UAC is and where it is going, and see where Microsoft is going wrong with the implementation of it.

To do this though, we need to look at similar security implementations that are currently out there. So, what have others done to accomplish the same thing that UAC is trying to do? We can look at a similar implementation of this in what is likely the origin of this type of security, the Linux and Unix arena. Here, you have one user that can do anything, root, and other users that are there to perform day to day tasks. The standard user(s) can do basically anything they want on a daily basis, like surf the web, check their email, programming, watch movies, listen to music, you can really go on and on with what this simple user can do. The thing that they can’t do though is modify the system in anyway. A standard user cannot add more users, they can’t install programs or updates either. Why you might ask? Well, programs have security holes, updates can cause more trouble than they’re worth or break things, and adding more users give more folks access to the system. This is why we have root, to perform all of the management tasks associated with running the computer. They make the decisions about the programs, updates and users. If a user needs to install something or modify a system setting, many standard Linux operating systems give users an easy way of elevating their priveledges to do so, provided they know the root password. This has worked very well and also very securly for some time now, and isn’t changing any time soon. If it didn’t work, then it would have changed long ago, but it didn’t since it is basically the best implementation of what Microsoft is trying to accomplish from what I can see. The security here is basically flawless and would really have no trouble that I can see standing up to a majority of the issues faced by Windows currently. It may be slightly annoying at times, but it really is one of the best security implementations around right now.
Then we have the only major competitor to Microsoft at the moment, Apple with Mac OS X. The implementation of this type of security here is essentially the same as it is for Linux/Unix, seeing as OS X is based off of FreeBSD. The main thing is though, OS X has a root user, although it is disabled by default and essentially not used at all. You have the main Admin, which can essentially do anything, and many times, is the only user on the system. If they attempt to do something that is going to affect the system, like updates, you need to enter the password. It is similar for system preferences and settings, at least it can be. The admin user can also add less priveldged users and specify what they can and cannot do, such as change preferences, install programs and the like. Overall though, OS X is less secure than Linux, but still offers the security prompts when attempting to modify the system. However, it is really hard to tell how the security that OS X does have would stand up to the threats that are currently plaguing Microsoft products. So far, they have held up fairly well against the threats posed against them, but more and more issues are surfacing as the system becomes more popular. The biggest issue currently are folks installing gadgets that have malicious code behind them. Other than that, there really isn’t anything currently posing a major threat to the system, although Apple has been releasing many more patches for holes than previously as more and more holes are being found due to the increase in popularity.
Then we get to Vista and its UAC protection. It is intrusive, annoying, and hinders productivity immensly at its current stage of development. You need to confirm deleting files from your desktop, saving files outside of your user profile directory, moving files, changing settings, installing programs. It seems as though you never get done seeing the prompts asking for confirmation to use your computer. It almost seems as though they want to make sure you want to do every action that takes place on your own system. Luckily, the developers have been listening to loads of feedback from testers, the public, and everyone that has touched Vista in some way, shape, or form, and are currently working to improve the system. The latest release, which went out to the beta testers this past weekend, has a slightly reformed UAC system. It is an improvement over what was available in the public Beta 2 release, but still a major pain to the standard user. The biggest issue now is that prompts are no longer showing up in the foreground and are instead launching behind everything else, even if nothing else is open. The have reduced the number of prompts that a user is seeing, but there are still far more than most users will ever want to put up with. There are also issues with detecting which programs require elevated priveldges and which do not. The system is still under a lot of work and hopefully will not be an annoyance or hinderance to work in the future, but it still needs a lot of work.

So what does need done? Truthfully, a lot still needs to be done before the UAC “feature” will be considered useful. The big issue that I see currently is that the prompts cannot show up in the background. If they are going to be there, they need focus and now. Putting them in the background only slows everything down as it is possible that you won’t notice it. The next issue that needs sorted out is that it needs to be able to recognize 99% of the applications that are going to need elevated priviledges to run. If it doesn’t see this, then it is hurting productivity by slowing down the user, as they will have to close the program if it does manage to open, then go back and start it up again, hopefully not losing any work in the process. It also needs to recognize when a program doesn’t need the higher user rights 99% of the time and avoid a ton of false positive results. If it is wasting the users time prompting them about running a program or doing something that it doesn’t have to, it’s slowing things down. It will also need to develop an ability to learn in some way and remember previous actions taken for a given situation. Things like a certain program that needs elevated priviledges running during startup. It should ask the first time and then remember it, much like the Windows Firewall currently does for programs accessing the network. If they can successfully get these things down, it would be much better for the end user as that would essentially eliminate many of the prompts that are there that are causing an annoyance.

Overall, I think that the product team is doing a decent job with working out the issues currently seen with UAC. They have listened to what users want to see and have done their best to implement it. Since the testers can find many issues before they can be fixed in the actual product, it is likely taking the public or the testing community much longer to see the changes that are being implemented. Build 5456 has given a small preview of where it is going, but it is still under going a lot of work. Hopefully the entire system is revamped over the next month and as the time for Release Candidate 1 (RC1) nears, the prompts will be much less intrusive and much more bearable for everyone using the operating system. In the interim though, we can watch the UAC Development blog and see what information the team is giving out publicly about the development of the whole system that is annoying so many users in its current state.

Advertisements

No Responses to “UAC: Securing your Computer and More”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: