Both Sides of the Windows 7 UAC Problem

I have to come back to the UAC problem again. I just read a good article from Larry Seltzer on eWeek.com:

Both Sides of the Win7 UAC Problem

I think it is one of the first ones I have read that takes the emotions out of the discussion and tries to understand the real problem. He actually made an interesting comment: the whole issue is around running malware to change the UAC settings, and he says:

The technique could be used for far worse things. Control panel has many important system-wide settings in it. You can set user passwords, uninstall software, disable the firewall, and so on. All of this is possible because of the default UAC setting, and you don't have to change that setting to "exploit" it.

So, let’s think about it: A lot of people wanted us to reduce the number of UAC prompts. We published a fairly good article in October last year about User Account Control and what we learned.

Now, let me get it straight (after all the pretty emotional comments I got on my last post): I definitely understand your view and your argumentation. What we need – however – is a balanced discussion about what makes sense and what does not.

All the discussions are assuming that the user is an administrator on the machine – let’s keep that in mind. Is UAC really the only thing you are concerned about? I think it should be consistent throughout the Windows settings (including UAC) – protecting UAC alone probably does not cover the attack vectors you are mentioning. As an example: I can open the Device Manager without a prompt. I can change all Windows settings without a prompt (including all the security settings). This is what the UAC setting is for. From a risk management perspective: What would it really change if we asked for a prompt when you change the UAC setting? The malware we are looking at could then no longer change the UAC settings, but it could still change all the other Windows settings (if you are an admin). How much would this really lower the risks – or would it reduce the risk at all?

So, should we change the default to “High” – which would mean that we are on a similar level as in Windows Vista, where we got a lot of complaints?

In my opinion we all should do two things:

  1. Take the emotions out of the discussion
  2. Look at the broad picture from a risk management perspective

And one final thing: Yes, we are listening to you (otherwise I would not have allowed comments, answered some of the comments, and now be writing the second post), and the reason for publishing Beta versions is to have these discussions now, when changes are still possible, rather than after the release. So, let’s have this discussion taking the points above into consideration.

Roger

P.S. Read Jon DeVaan's post on this issue