Why Vista? (Volume 1 -- UAC)

Today begins the first in a series of posts about the value in upgrading to Windows Vista.  I've decided to start out with a tough one, too.  I'm going to write about one of the most oft-maligned features in Windows Vista -- User Account Control (UAC).  Don't know what that is?  You may have heard it referred to in my least favorite of the Apple ads -- "Mac is issuing a salutation-- Cancel or Allow?"  In the spirit of transparency, the reason it is my least favorite is because I find it the most amusing.  If you haven't seen it, you can find it here.  Now, what the heck is it?

UAC is designed to help mitigate security threats.  To understand the premise, we need to get into why it is necessary.  For years, Microsoft has advocated that users not run their PCs as administrator-level users.  The why behind this is simple -- if you are logged in as administrator (or a user that is a member of the administrators group), then you have carte blanche access to the machine.  You can perform tasks like editing the registry, changing system files, and installing software.  Want to guess how most malware infects your system?  The correct answer would involve editing the registry, changing system files, and installing software.  But no one would ever grant administrator-level access to a virus, right?  The truth is that software which is launched under your account has the same privileges that you do, regardless of whether you meant to launch it or not.  So, clicking a button on a website that is meant to infect your PC launches a process running under your account.  If you are an administrator, so is it.  See the problem?

The obvious question that comes to mind is, then why run as administrator?  Why haven't we just been running as normal users all this time?  This answer, too, is quite simple -- it required more work.  In order to run as a normal user in previous versions of Windows, you would need to create a user account (easy enough) as well as an administrator account (also quite simple).  When you needed to perform an admin-level task, you would have to do a "run as" and use your admin credentials to perform the task.  (While this isn't tremendously difficult, it wasn't as easy as it could have been.)  Incidentally, this is where the Power User came from in Windows XP -- it was designed to alleviate this very problem.  The Power User, by default, has more access than a Standard User, but not as much as an Administrator.  But, when either user wanted to perform a task for which admin-level permissions were required, you had to right-click the program's icon and select, "Run as..."  This allowed you to provide the username/password for the administrator level account, which allowed you to perform the function you wanted.  Since the Power User had more access, you would not have to perform the run as operation as often as if you were a Standard User.   

This was more difficult when you were trying to achieve a task other than launching a program.  In fact, when you create a local "limited" account (non-administrator) in Windows XP, it tells you:

Users with limited accounts cannot always install programs.

and

"...programs designed prior to Windows XP or Windows 2000 might not work properly with limited accounts."

That second one might not seem like a big deal now, but it sure did back in October of 2001 when Windows XP was released.  "That whole library of Windows 98 software I have won't run under a limited account?  Ok... I'm an administrator."  In fact, when you created your first account in Windows XP, it had to be administrator level.  (After that, the Administrator button is pre-selected for a new account.)  When setting up XP, it asks for a user name.  Most people put in the name of the account they planned on using every day.  Since that first account is always admin, most people ran as administrators.  (Obviously, this wasn't always the case in the business environment, but I saw it enough to recognize it as the norm, rather than the exception.)  This certainly makes life easier -- installing a program is as simple as... well... installing it.  No commands to worry about.  No extra steps need to be taken.  Just launch the setup file and away you go.  The problem is that any software is this easy to install, including software you never intended to install.  Let's look at one of the most destructive virus attacks (in terms of $$ in the US) -- the ILoveYou virus. 

The ILoveYou virus spread via e-mail.  You may have even got that e-mail (and possibly the virus that went with it).  I know I did.  It had a VBScript attachment that, when launched, did all sorts of nasty things to your machine.  One of the things it did was to edit the registry to include itself in the startup process.  Thus, rebooting was not effective against ILoveYou because with each reboot, the virus started up again (the same way most viruses work).  Had everyone been running as Standard Users, rather than administrators, this would not have been possible.  Because a Standard User does not have access to modify the registry, a program launched by a Standard User doesn't, either.  Thus, a simple reboot would have stopped the virus from continuing to wreak havoc on your infected system.  (In fairness, damage would still have been done to your system, but the nightmare would've ended with the reboot.  At least until you launched another instance of the virus.)  This is the case for many viruses -- running as a non-administrator user severely limits the chaos that a virus can cause on your machine. 

Viruses aren't the only problems you can experience when allowing your users to run with admin-level privileges.  In a business environment, problems are rife.  Unlicensed software, for instance, could be downloaded (or even installed from physical media), causing legal problems.  All those carefully crafted group policies at work in your domain?  Forget them.  As an admin, those are easily modified.  In fact, forget the domain altogether.  As an admin, a user has the ability to permanently remove themselves from the domain.  They also have permission to go in and create new local admin-level accounts, so any time someone leaves your organization on a bad note, it might be worthwhile to make sure they didn't leave themselves a backdoor to get back in...

I think I have made my point -- the dangers inherent in running as an admin-level user on a day-to-day basis are numerous.  But what's the alternative?  Enter UAC.  The concept behind UAC is to provide you with the ease and functionality of running with an admin-level account, but the safety and security of being a standard user.  "How is this possible?"  I'm glad you asked.  Windows Vista, while UAC is turned on, treats your admin account as if you were a standard user.  (It actually generates two tokens, rather than one.  One is a standard user token and one an administrator token.  If you want to read about some technical workings behind UAC, you can start here.)  If you wish to do something that requires admin-level access (denoted with a shield icon as shown below), Vista recognizes this

[image: UAC shield icon]

and offers you the option to elevate your access to perform the needed function.  If you are logged in as an administrator, then a prompt appears asking if you want to Continue or Cancel.  The box also has a "details" section that will tell you the program name that is requesting the elevation.  Clicking Continue will allow the elevation and the program will perform the action you started.  Clicking Cancel will deny the elevation and the program will fail.  If you are not logged in as an administrator, then a box will pop up showing you the names of the administrators on your local PC so that you can find one of them and ask them to type in their password.  (Note:  This is the default behavior, but there are many ways you can set up UAC.  You can set it so that admin-level users see no prompts, but are automatically elevated (essentially circumventing the whole purpose of UAC).  You can turn off the prompt for credentials for Standard Users.  (Most businesses with more than a few PCs should investigate this option.)  You can read all about the different scenarios here.)
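As an added example (my own script, not code from the original post or from Microsoft), here is a PowerShell snippet that shows the two-token arrangement from inside a session: under the filtered standard-user token the Administrators group is present only as "deny only" and the process runs at Medium rather than High integrity, while the elevated token passes the Administrator role check.  It also reads the registry policy values that drive the prompt scenarios described above.  The registry key and value names are Microsoft's documented ones; the function names and the meaning tables are my own.

```powershell
# Inspect the token this PowerShell session runs under.  With UAC on, an
# administrator's normal (unelevated) session shows Elevated = False,
# AdminDenyOnly = True and a Medium integrity label; an elevated session
# ("Run as administrator") shows Elevated = True and a High label.
function Get-UacTokenState {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    # whoami lists the integrity label and marks the filtered token's
    # Administrators membership (S-1-5-32-544) as "Group used for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'
    [pscustomobject]@{
        User           = $id.Name
        Elevated       = $pr.IsInRole($adminRole)   # True only for the admin token
        AdminDenyOnly  = [bool]($adminGroup -and $adminGroup.Attributes -like '*deny only*')
        IntegrityLevel = $label
    }
}

# Read the policy values behind the prompt behaviours the post describes.
# ConsentPromptBehaviorAdmin = 0 is the "no prompts, elevate automatically"
# setting; ConsentPromptBehaviorUser = 0 is "no credential prompt for
# standard users" (the request is simply denied).
function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $adminMeaning = @{ 0 = 'elevate silently, no prompt (defeats the purpose of UAC)'
                       1 = 'prompt for credentials on the secure desktop'
                       2 = 'prompt for consent on the secure desktop'
                       3 = 'prompt for credentials'
                       4 = 'prompt for consent'
                       5 = 'prompt for consent for non-Windows binaries' }
    $userMeaning  = @{ 0 = 'automatically deny (no credential prompt for standard users)'
                       1 = 'prompt for credentials on the secure desktop'
                       3 = 'prompt for credentials' }
    $a = [int]$p.ConsentPromptBehaviorAdmin
    $u = [int]$p.ConsentPromptBehaviorUser
    [pscustomobject]@{
        UacEnabled  = [bool]$p.EnableLUA
        AdminPrompt = "$a - $($adminMeaning[$a])"
        UserPrompt  = "$u - $($userMeaning[$u])"
    }
}

Get-UacTokenState
Get-UacPolicy
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator" to see the same user appear with each of the two tokens.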

The whole point of UAC is to reduce the vulnerabilities associated with running as an administrator.  If, for instance, you are logged in as an admin and you hit a website that attempts a drive-by install of some software (which shows up as a UAC prompt appearing for no apparent reason), you should be cautious about clicking Continue.  That prompt is exactly the point -- a step between you (and every piece of software that runs under your account) and phenomenal cosmic power.  Is this the be-all and end-all of PC security?  Nope.  But, it is an important step along the way.

And there you have it -- Reason Number 1 (or one reason -- they're not in any particular order) for upgrading to Windows Vista.  Stay tuned.  Lots more to come.


Technorati Tags: Windows, Windows Vista, Vista, Microsoft, UAC, User Account Control, security