For Windows 7, Microsoft has made some changes to User Account Control to counter the criticism that UAC was too intrusive. It didn’t take long before several holes were poked in Windows 7’s default UAC settings, and now one is left to wonder: is it wise to sacrifice security for (perceived?) usability? Ars has an editorial that deals with this question.
First, we need to explain – once again – what UAC is supposed to do. For this, we need to delve into what Windows NT can actually do. Contrary to popular belief, Windows NT is a very well-designed and advanced operating system that introduced all sorts of features back in the early ’90s that other operating systems wouldn’t get 10-15 years later. Windows NT has a security model that was at least as advanced as – but probably more advanced than – what UNIX/Linux have to offer.
Instead of capitalising on the advanced security systems Windows NT had to offer, Microsoft neglected them. It made a monumental error in judgement by assuming that every user should run as “administrator” (root), an assessment probably coming from the pre-internet revolution days. No matter the reasoning, it paved the way for application developers to assume that every user ran with administrative privileges, and developers would design their applications with that in mind. Microsoft happily joined in on that idea, and never really looked after those precious few who were struggling to run Windows NT as a standard user.
Then, the internet happened. Then, to make matters worse, people started buying multiple computers. Suddenly, the entire world’s supply of active computers was networked together, with practically every Windows user having full access to every part of the machine. Combine this with several high-profile security holes, and you’ve got yourself one hell of a problem. A problem that needed solving.
As a sidenote, I have deep admiration for Windows NT. Every time, I’m amazed by the attention to detail, the forward thinking, and the clever ideas Dave Cutler and his team implemented in Windows NT almost 20 years ago to ensure its portability, scalability, expandability, and security. Windows NT foresaw and offered solutions for problems that wouldn’t arise until more than a decade later. This is why I can get rather annoyed when people say that Windows NT needs to be rewritten, or that Microsoft needs to start from scratch – Microsoft seriously messed up the userland of Windows, but Windows NT itself is a very capable, advanced, stable, secure, and portable piece of work, that can easily serve Microsoft for another decade.
Back to the matter at hand – Microsoft needed a solution. It took them far too long to realise they had messed up, but with Vista, they sought to lay down the gauntlet and enforce a much stricter administrator/standard user divide, not only forcing ordinary users to get used to this wondrous idea of security, but also forcing application developers to get their act together and start writing software with limited user accounts in mind.
The solution was User Account Control. Even though the first user created on a Windows Vista system is still a member of the Administrators group, this user’s privileges are severely limited due to the fact he or she receives not one, but two tokens. They share the first token with a normal, non-admin user: it contains all the basic privileges. The second token contains elevated privileges. This user’s applications are started with the first, restricted token, while applications that are granted admin rights (clicking “yes” in the UAC dialog) will be started using the second, unrestricted token. Kenny Kerr explains it better than I do, by the way. In any case, the result of this is that even though the user’s an administrator, he or she still can’t really mess up the system without UAC knowing about it.
Personally, I believe Microsoft didn’t go far enough with UAC in Windows Vista. They conceded to backwards compatibility by implementing the token stuff, which allowed the first user to still be in the administrator group, so it wouldn’t break all those applications that make that assumption. I would’ve preferred a proper implementation: every user is a normal user, and there’s a special administrator account (accessible through elevation) for tasks that require it. That is proper security, and makes the best of all the fancy Windows NT security features.
The rest of the world disagreed with me (surprise). I don’t think I have ever seen as many people whining about any feature in Windows as much as they did (and do) about UAC. This hatred was directed at Microsoft, but for all the wrong reasons: yes, hatred should go Microsoft’s way, but not because of UAC – the hatred should go their way because of their wrong assumption that every user should be administrator. There’s also a lot of misunderstanding about how UAC works and what it is supposed to do that only fuelled the whining.
So, for Windows 7, Microsoft had to make a decision: do we stick to our guns, or do we concede to the public? They decided to go with the latter, and loosened UAC. They came up with this wonderful idea that UAC was not a security boundary, which suddenly allowed them to fall back on their previous behaviour of making the wrong assumptions about security. Users rejoiced because of the promise of less prompts, but those precious few in this world who know a little more about Windows NT got worried. Was Microsoft again making all the wrong assumptions?
Turns out they were. Several easy holes have already been shot in the new default UAC setting of Windows 7, raising the question whether or not Microsoft has gotten a little too confident about security. Yes, Windows Vista has proven to be pretty secure, but that’s no reason to loosen the leash. Just because you’ve been accident-free for 30 years, doesn’t mean you should suddenly stop wearing your seatbelt.
Just like Peter Bright over at Ars, I’m very worried about the direction Microsoft is taking with UAC in Windows 7. For what it’s worth, I strongly urge Microsoft to make the Vista-UAC the default one in Windows 7, as that not only solves the currently-found holes in Windows 7’s UAC, it also provides for a much more secure operating system. In the meantime, I urge everyone who is currently running the beta to move the UAC slider all the way up to where it belongs.
Sure, security is annoying. I hate locking my doors every time as well, but that’s no reason not to do it.
If this is indeed the question, UAC as it was and is can only be a complete failure.
I mean, the UNIX-style rights management has had no major changes since UNIX was born. And it is both secure AND usable.
Microsoft might be better off, doing what Apple did: Get rid of ALL old ties, take a BSD and close-source it, and put a virtual machine with a XP or Vista on the thing to be backwards compatible.
That would give them the opportunity do do several things right:
– No more drive letters.
– UNIX-style permissions.
– strict seperation of administrator and user, like in UNIX-ish opsyses.
– changing directory seperator from “\” to “/”, at some keyboard layouts “\” is a 3rd key function.
– adopting a graphical shell environment.
On top of that they can deliver their usual desktop, probably enhanced by virtual desktops.
Edited 2009-03-05 14:46 UTC
NT doesn’t use drive letters. It was a userland decision to maintain them from Windows 9x-onwards.
NT already has that – and more, through for instance ACLs.
NT already has this. Again, userland decided not to enforce it.
Well, if the NT kernel already has all that, why did Microsoft decide against bringing it to userland?
I less and less understand Microsoft’s behaviour. It is like:
– Do we have one shovel? YES!
– Do we have a 1000 working excavators? YES!
– OK guys, take the shovel and digg the new panama channel, because today I don’t really feel excavatorish.
With today’s computers and a virtual machine with a fully-blown XP or Vista on it, I really don’t see a reason why NOT to pull this off.
Someone with a very nice suite earned a huge bonus that year by saving Microsoft the expense of developing the product beyond the point of “good enough to fool consumers”.
(I have a reoccurring dream where MS competes based on product quality and fair market practices.. then I wake and remember that MS is a corporation who’s primary product is shareholder equities; software is just the retail product they use towards that end goal.)
Permissions are a kernel/file system thing. The only thing in userland which deals with them is icacls on the command line and the security tab in the file properties gui dialog.
It is in userland.
* In device manager you can map devices to a path instead of drive letters
* User accounts are not admins by default in Vista, but even prior to Vista this was possible when users were set up via aministrator tools.
* Paths can’t use “/” simply because command parameters use the same slash (this was the very reason DOS adopted the reverse slash to UNIX when DOS first supported directories)
* Windows already has a graphical shell environment. That’s what Explorer.exe is – Windows’ shell.
If you mean a graphical command prompt, then there’s cmd.exe for the old school and Powershell for those wanting something more modern.
True, Windows has many flaws, but somehow you’ve managed to miss them all and instead, post a list of items Windows _DOES_ support!
I didn’t know this. Somehow Microsoft failed at propagating this feature. The issue here seems to be more a: What is the default setting?
In all those years I had to use Windows at my workplace, and had to keep unmounting and remounting network drives because I ran out of drive letters, I never was given the choice of getting rid of them altogether.
Well, I ALWAYS had admin previleges, because the software I worked with required it. That is bad coding style of the application programmers, I know. But nevertheless, Microsoft should go the hard route and ask for an admin password EVERY time admin access has to be granted. Maybe application programmers finally do what is right and let Microsoft close one huge security risk once and for all.
One more reason to abandon the old cruft, and go for something completely new .
No, I can see the reason why they went with it, and that abandoning it is extremely difficult. On a german keyboard it is not nice however.
I meant the graphical command prompt .
Please don’t get me wrong, but cmd.exe (at least as it is in XP) is not really a graphical command prompt. It is a text command prompt stuffed into a window frame.
A graphical command prompt is resizable ON THE FLY, with the number of columns changing as you resize the window, it is also presenting multiple prompts in tabs. Also copy and paste is no problem in a graphical command prompt, somehow in cmd.exe it just produces funny characters ( ^C] or somthing like this) for me.
I know nothing of Powershell, maybe this is better.
Well, I just posted what I was missing, coming from a Linux/UNIX experience. Those things I mentioned seem to be available according to your list, but somehow are never advanced beyond the very basic 0.1 state. They are a “last way out, if nothing else works”, but no power tools I can use to do my daily work with.
Isn’t that like saying “My car’s engine can push 10lbs of pressure, but the frame, transmission, rings, headers, etc. can’t handle it.”..
You’re only as strong as your weakest link my friend =)
Far as I can see, winNT (distro) already has a graphic interface. Did you mean seporating the graphic and functional layers of most programs?
Back-slash vs forward slash is not a huge issue personally but I can understand how making it a second class citizen on the keyboard causes grief. My own issue is purely habbit, after so many hours at the server prompt, it’s not surprising that my first Windows cli command path returns an error due to using the wrong slash key. (I also giggle every time “/h” brings up a list of Unix like command switches; see shutdown /h for example.)
winNT (kernel) if as discussed in the article could be far better implemented by fixing the userland around it.
I make enough noise about specifying distributions rather than “Linux” as a blanket term. I’m equally willing to look at winNT-kernel separate from winNT-distribution.
Now, if Microsoft can fix it’s corporate culture and allow the developer tallent they’ve collected to actually be talented; win8 could be very much worth a look. (I think it may be too late for some of the “design decisions” in win7.)
Microsoft is between a rock and a hard place. The rock is that their security systems need to be enforced more then they are, the hard place is the billions of dollars customers have invested in the platform in terms of legacy software that relies on them not being enforced.
As of windows XP, nothing at all should have ever been writing to anyting but HKEY_CURRENT_USER in the registry, and nowhere on the disc except for AppData in the user folder. If it is a corporate app designed for NT, it should never have had any excuse to do that.
Usable: Yes
Secure: Sorta. The NSA didn’t think it was good enough. Hence SELinux.
Also, putting a virtual machine underneath XP or vista wont make XP or vista more secure. Don’t really understand how it could. A Trojan on the virtual machine you store your data on, is still a Trojan that has access to your data.
Well, even without SELinux you have to find a privilege escalation hole to get the machine under full control, which is one severe step more than what is required for the usual Windows desktop machine. With SELinux it is even harder.
And yes, you are right, putting XP or Vista into a VM cannot help right NOW, but in a few years time, when nobody needs this “backwards to ancient”-compatibility any more, the system THEN will be in a better state.
If Microsoft stays with current policies, they will have the same bad situation again and again and again.
The idea of root is inherently insecure, because if that is compromised, everything is compromised. Because of that, your system is as secure as the least secure process running as root on a UNIX machine. The upside is that this allows for something that is extremely simple to wrap your head around.
ACLs allow a far more fine grained approach to security, both in regards to root/no root and in regards to cascading permissions. The other edge of this is that it drives the complexity way up from the traditional UNIX DAC approach. On windows, the tooling has gotten a hell of alot better with Vista and 2k8, but even though I know what I am doing and there is a GUI to show me effective permissions, I still sometimes sit there scratching my head wondering where something came from.
All that to say that I actually agree with you that a UNIX approach would be more appropriate for home users, because they dont stand a chance in hell of figuring out ACLs, but that UNIX style ugo is not the end all of security paradigms.
On any computer system, there is going to be at least one user who is all powerful. That is unavoidable. The only thing ACLs give you is the ability to give different permissions to different users. The granularity is good. But you can’t knock UNIX for having root. And besides, you do get ACLs with UNIX nowadays anyway, at least you do in Linux. If you need to.
Nothing should ever run as that user though. With ACLs it is alot easier to do that then with a DAC system
No, you can use SELinux to explicitly define what root can do.
You can’t just talk about UNIX security as a generality. Most of modern UNIX operating systems have ways to deal with containing the all mighty root. The BSDs have TrustedBSD (MAC), Secure Levels and Jails. Linux has SELinux (MAC), UML, and chroot(). Solaris has Zones and MAC. All of these also support POSIX ACLs. In the case of Solaris, it also support NFSv4 style ACLs which are very similar to NT ACLs. FreeBSD should also get this in the near future.
Even though NT doesn’t have the concept of a super-user, for all practical intents, if an admin account is compromised, you’re still hosed because the ACLs pretty much give admins carte blanche access anyway.
NT style ACLs are also really easy to get wrong (most permissive access rather than least permissive access), and its non-trivial to verify that any particular entity has the access that you think they do.
The original poster wasn’t talking about that though, he was talking about the whole user/group/other thing compared to the NT ACLs.
Granted, which is why absolutely nothing should ever be run as an admin user on an NT system. You have very fine grained controls, so you should make least priviledged users to run your services under.
I actually mentioned that in my origional post. The verification got alot better with vista, because you now have an “Effective Permissions” tab that tells you what it ends up evaluating to for a given user. What is still missing though is why it evaluated to that, which can be a real pain to track down, even with the effective permissions tab.
If they’re going to start from zero and do things ‘right’ why would they use these ancient approaches? Even in the Unix world people are looking at ways to move beyond these concepts with technologies like ACL and SELinux.
Windows actually has good file permission and user/admin separation. The problem isn’t one of technology. but one of culture. Windows has always had a culture that everybody could use and access everything and far too many developers have developed their applications based on this assumption. Improving the technology won’t do much without at the same time re-educating the developers.
Doesn’t matter to me. I just bought our household’s 3rd Mac and we’re finally Windows-free(and loving it)!
Or just use Open Source and be really free.
Agreed!!
(… and I hear the sound of a billion gnus yakking at once …)
“Open source” != “free” as far as the FSF is concerned. You’re “free” to disagree, though.
To me, UAC is not enough. After a while, users just click OK. I think there should be a clean separation of the Administrator and the normal user. If an application tries to do something that needs Administrator privileges, pop up a dialog and require the user to enter the Administrator password. If they do not know the Administrator password (such as on a business network), then they can’t do it. Sure people would whine at first, but it is the right thing to do.
Also, I agree that the NT kernel is a good kernel. I just wish they had continued the MIPS/Alpha ports. I think it may really come to bite Microsoft in the booty some day that they are x86 only.
I use Runas daily, it’s almost like having su/sudo available and saves me having to ask users to log off for something I can do in two seconds through ad admin cli shell.
Agreed. And I don’t see many OS X users complaining they need to enter their password to confirm an administrator action. It, well, makes sense. Also, I like OS X’s concept of an admin account, it simply means that you’re in the sudoers file and have elevated access to a few folders. For Ubuntu users, this is the same concept Ubuntu uses for their “administer the system” privilege. It doesn’t give you the power to do whatever you want without prompting–you can still do whatever you want, but you usually have to enter your password before you can do something really foolish. If you’re not an admin account in OS X, and you try to do something that requires one, you need to enter both an admin account and password to temporarily escolate yourself.
People complain that average users don’t know or care about system security. I don’t see many Mac users, many of whom are the same average ‘john doe” type of users, complaining overly much about this on that platform, and it does force them to slow down a bit and think about what they’re doing. An ok button, as in UAC, by contrast is a reflex action. I suppose that was inevitable with UAC, though, given that it was designed primarily to annoy developers rather than actually secure the system against wreckless users.
If all you see is an Ok button, your user is running in the administrators group, which is the equivilent of running as the administrative user on osx, or running as root on ubuntu. Running as a non admin on vista will make a credential box pop up where you enter the username and password of the user you want to execute the action as.
I set up my UAC to always prompt for admin password on Vista and Windows 7 betas. This way, even if I somehow leave my desktop unlocked, I would expect the prompt to pop up for anyone or thing trying to access privileged resources. It really is close to the MAC or Ubuntu way of using a graphical password pop-up.
The point being this should be the default behavior, not that you can’t set it up this way. How many “Joe Users” do you know who know how to do this, or care? Security needs to be imposed on Windows users at this point, not be made optional for them, and the ok or continue button does not count, as it quickly becomes a reflex to just click it regardless of the reason why.
They support x86-64 and IA64 too, so it ain’t all bad. Besides, don’t forget the XBox 360 (PPC-based) and WinCE. So I’m sure they aren’t as stuck in the mud as you think. (Who knows what they’re doing in secret … like Apple did with OS X on x86.)
The XBox machines do NOT run Windows – contrary to what many think. It runs a custom kernel with Windows bits on top.
I know, but it does fall under MS’ umbrella, and it’s non-x86. So ….
As far as I know, they do actually run an extremely divergent but still derivative kernel of NT.
I believe one major difference is that XBox360 doesn’t have a kernel/user separation. They do however have a kernel/hypervisor separation.
Windows NT foresaw and offered solutions for problems that wouldn’t arise until more than a decade later.
Except the inherent security problems of the user being an administrator.
Anyway this part is also wrong: the Morris Worm (which isn’t even the first worm) was in 1988 and the decision in Microsoft to start what will become Windows NT in 1993 was in 1988 also..
The problem with NT+ is that “John Doe” users cannot be bothered to learn how to secure their system. It’s something a system manager would have done FOR them on a mainframe, and make no mistake, many of the file system concepts behind NTFS is a mainframe operating system (linux/bsd users take time to learn the basics about their file systems and OS X users are shielded from much of that, but the protections are still in place).
All the stuff you need to lock down NT+ is available, you just need to use it.
Exasperating the problem is 3rd party software, much of which requires relaxed rules to install and run properly.
Microsoft has gotten themselves into a pretty bad situation by allowing all of this to come to fruition and I really don’t see what they can do now.
”
Microsoft has gotten themselves into a pretty bad situation by allowing all of this to come to fruition and I really don’t see what they can do now.
”
They can setup network repositories through Windows Update. Software available would then be vetted and approved as compatible. Of course, this won’t happen since it would mean including software which competes directly against Microsoft’s own products. The company, if not the shareholders, will never allow such a thing.
Like I said…
They’ve dug themselves in deep. They’ve allowed a culture of (and this is a bad term I know, sorry) dumb users to blossom who expect all their old software to work forever (really another problem I guess) and who don’t know HOW an operating system works, or what it even is, and now it is biting them in the behind.
Well, it isn’t REALLY biting them in the behind because they still hold the vast majority of the market.
isn’t that the truth.. imagine what MS developers could do if the corp culture was not allowed to limit them and if the end users had the average technical knowledge (and interest) to demand better products. Even MS can’t keep to the old ways if enough of the consumer base starts asking questions.
But.. back to reality..
“Well, if the NT kernel already has all that, why did Microsoft decide against bringing it to userland?”
Because security has a very heavy usability price, which they decided not to pay back in the day.
Nice article btw!
This article forgets two things:
1. I’m an advanced computer user. With over 20 years of experience I know when I install a video driver it requires root/administrator access. I don’t mind typing in a password but I do mind a uber-modal dialog blocking everything but the UAC window asking permissions (multitasking anyone?).
2. The average computer user doesn’t know much about security. How the hell does he know when to press Yes/No when it pops up every few minutes?
The only solution seems to set administrator access so that it requires a password (like unix has done since the beginning, shame on you author for ignoring that fact).
The sad reality is that most windows programs are just so crappy they “integrate” too good. Today, flashplayer suddenly updated and required a reboot. For crying out loud, why is such a piece of crap so tightly integrated into the core of my OS that it needs to restart? Until software companies fix their act this problem persists. So just make administrator access a little more difficult to find so software companies have to create better software.
Flashplayer ActiveX plugin will require a reboot becuse it touches IE which forces itself to be deep-throated by the kernel.
Flashplayer plugin standard did not require any reboot when I updated it yesterday. Of course, this is the FF plugin and FF is not bound to the kernel in such an intimate way.
That’s BS and you know it. IE is a program that ships with Windows, just like calc.exe. I dare you to say that calc.exe is integrated with the kernel :-p.
The reason Flash wants a reboot is that it needs to replace previous binaries which may be in use by some running instance of IE. The installer could just ask you to shut down all instances of IE before running, but they took the easier engineering approach of just saying restart the machine (the new files are copied over the old files when the machine next boots).
I can uninstall Calc.exe.. let me know when you can uninstall IE and when the rest of the Windows widget set stops being based so directly on it.
Why is IE locking files when I don’t have it open or a network session active? Why does it allow update requests to reboot the entire system if it can simply restart the IE session? Why is the update process not properly controlled so that third party developers have to write there plugins to update without a restart? And, if they did so, would it be for all developers or only the non-Microsoft developers as they’ve done with UAC?
Adobe can’t be responsible for all the blame. It only seems to be the ActiveX plugin that requires a restart; the other Flash player plugins simply restarted the browser session and restored the page tabs that where open.
Do you even know what a kernel is? you are the one claimining that Internet Explorer is integrated in with the kernel – provide evidence of such besides throwing the bullshit excuse of, “I have to reboot when I install widgybum from Wanker Software Inc.”.
Windows is many things including a big ball of crappy spaghetti code where no one knows where one part finishes and another one begins; I’m not going to argue against the fact that they’ve made some monumental bullshit decisions but to come up with blatent lies claiming that internet explorer is integrated in the kernel is destroying your own credibility in the process.
Edited 2009-03-07 01:43 UTC
You are smart; this is exactly what I want to say.
Add that 99% of applications out their are single threaded and administrator-sensitive and buggy and not well written and has …. oh my god
I still have to see 1 decent game that uses the quad or octa cores on any system.
The `uber-modality’ is by design, and it has a very important reason. Only the true UAC can create such a window, no other app can grey out the screen, etc. This means that malicious apps cannot create a replica UAC window in an attempt to fool the user, like phishing. If you ever get a UAC prompt that’s not `uber-modal’ then you know it’s a fake.
This is the same reason some systems require you to press ctrl+alt+delete to open a login window; no regular app can capture ctrl+alt+delete because it is handled specially by the hardware and keyboard drivers. So when a login window appears as a result of you pressing ctrl+alt+del, you know it must be genuine.
The screen is simply an image. I don’t see why an app could not be written to fake the UAC overbearing parent aproach. I would like to think it’s a unique effect to grey the screen and post a message box over it.. then I remember changing the window theme.. greyed until done.. shutting down.. greyed until shutdown method is selected…
Three finger solute to login? My login prompt is a third party app that waits for a finger print scanner input or, accepts crtl-alt-del and rolls over to the windows login prompt. My remote software provides a command to send crtl-alt-del to a remote session so the key sequence can be generated by software; this being the Windows remote desktop and rdesktop on other platforms. Here, I actually just wish it was easier to implement in a non AD setup. Getting the login prompt without crtl-alt-del and finding the previous username left in place unless you do some reg editing sucks.
I do see the reason for both functions though. UAC locks out the rest of the screen so the user knows it’s authentic (assuming the user is aware enough to realize that), and I always figured it was to keep the user from clicking on other windows while the system was waiting for the privileged elevation.
The only solution for Microsoft is to make the O/S pretend all the files belong to the logged on user. For example, the user can change the windows/system folder. But in reality, the user would only change his copy of the system folder, and thus not sacrifice any security, and without requiring the User Account Control mechanism.
Actually this exists in Windows Vista and newer systems and it’s turned on for some applications through a flag in the application compatibility database. It doesn’t solve all problems though since the application(s) may depend on some change in the global settings which wouldn’t happen when the file/registry access is virtualized.
Interesting idea. I’d add too it user specific applications. “docs and settings\uname” already exists.. drop a “program files” in the home directory and let apps meant for only one user be installed there rather than in the global “program files” directory. I’d still require admin to install the software but then your not mucking about with permissions in global directories.
I actually do this now with a “ProgramFiles” directory on the admin desktop with a few key portableapps uncompressed into it. Admin has some tools needed from time to time while they remain out of the global app directory and view of non-admin users.
I just switched from a Mac to a computer running Windows Vista SP1. Maybe they changed things in SP1 but I don’t find the UAC a hassle at all. It’s not it asks every time I want to move a folder or delete something.
Maybe people were used to no prompts and saw this whole new thing and freaked.
Vista has some issues but I never had an issue with UAC.
I’m with you.
UAC isn’t a big deal at all. Maybe it is for those that change their settings every 15 minutes, but those types of people know how to turn UAC off, make their changes, then turn it back on.
Microsoft is caving to the idiotic tech media and slashdot-types that hyperbolized the UAC issue. These groups don’t exactly have Microsoft’s best interests at heart (quite the contrary, they root against Microsoft every single day), so why is Microsfot caving in to them? Absolutely pathetic weak-knee’ed management on Microsoft’s part. Additionally, Apple vastly exaggerated about the issue in their ads, and rather than call Apple out on it, the tech media applauded Apple.
Microsoft needs to get a backbone (it’s sadly lacking at that company) and leave UAC the way it is in Vista. There’s nothing at all wrong with it.
Microsoft makes so many bone-headed decisions based on BS rather than science (I use that term in its broadest sense).
Normally when an edtiorial like this appears (from a credible source), a Microsoft developer or program manager working on the issue will respond in a blog. So we may see counter-arguments to the editorial. I still see nothing wrong with Vista’s UAC.
Vista was pretty broken previous to it but word is that SP1 corrects a number of issues. I believe it also relaxes UAC a little. I’m guessing that between the relaxed triggers and apps slowly being ported to Vista rather than continuing to behave int he older Windows way causes the reduction in “allow or deny”.
I can’t comment on Win7 directly as I was too late (or early) too the website for my beta copy. It looks nice where I’ve seen it installed but haven’t had a chance to poke at it myself.
User Account Control shouldn’t be used to grant privileges higher than user. It should be used to control programs that try to execute with out the users consent or programs that try to modify the users account setting. If a program needs privileges higher than user then an administrator password should be required. Maybe Microsoft can implement the AAC (Administrator Account Control ie. sudo) to control privilege granting and leave UAC to do what it’s name suggests and control the user account and deny unwanted code from executing or changing settings.
In the end it’s still up to third party vendors to make sure that their programs run in user space with user privileges. The UAC should control weather or not a program is allowed to run on the user level and an administrator password should be required to run a program beyond user privileges and no user executed code should be automatically granted privileges beyond user.
…which is exactly what UAC does. Let me explain.
There are two possible user accounts in Windows NT: administrator, and standard user (greatly simplified, in essence you can create an endless amount of different types of users through fine-grained control). If you are a standard user, and you want to perform an action that requires elevated privileges, you need to enter the admin password. This makes UAC exactly like sudo.
However, UAC is more advanced than sudo. If you are an administrator, and you want to perform an action that requires elevated privileges, UAC will know you are an admin, and will only offer a click-through dialog – no password. If you’ve never seen the password dialog, it means you are running as an administrator.
So what you’re asking Microsoft to do is something they’ve already done.
Edited 2009-03-05 17:05 UTC
…and to expand on that, Administrators on Vista only start out with the privileges granted to the standard user. To perform an Admin action, you have to confirm it, which is no different from how sudo works in Linux and OS X (clicking a dialog box in a secure window is no less secure than typing a password…). It is actually slightly better given you can’t steal the password (and people tend to use the same weak password for everything), and the default for OS X and Linux is to allow sudo a 5 minute grace period, which allows always-on malware to just wait until sudo is called and piggyback on the graceperiod.
Can I specify a username/command or group/command combination for UAC? When configuring UAC, can I specify an alias for a command then bind that alias to a specific user or group?
It sounds bad but this is an honest question as my understanding was that UAC was more binary. “something is trying to do something; let it happen?” rather than allowing specific users to approve only specific escalation cases.
“Windows NT has a security model that was at least as advanced as – but probably more advanced than – what UNIX/Linux have to offer.”
Said who? Is he a kernel developer? No. Is he a multiplatfrom kernel developer or designer? No
How could he claim that?
Please be logical for once.
Thanks
Windows NT has all the security features UNIX/Linux has – with the added functionality of ACLs. ACLs are way more advanced than anything UNIX/Linux had, but as google_ninja already pointed out a few comments upward, you could easily argue that while UNIX/Linux might have a simpler approach to security, that could still, in the end, be the better option for home users.
ACLs are a tad bit, well, complicated, you see, while UNIX security is pretty straightforward.
I’m confused. The standard file permissions on UNIX (e.g. 755) are an ACL. Extended ACL bits, like the mask, are also available. Furthermore, SELinux gives you even more granular MAC (mandatory access control) policies.
So how can you say Linux/Unix doesn’t have access control?
Call unix’s 9 rwxrwxwx bits an `ACL’ if you like, but it’s a very short and limited one – compared to NT ACLs. In NT you can specify a permission like ‘User Alice is allowed to append to this file, but not truncate it. Bob is allowed to create subfolders in this dir, but not new files.’ Also permissions can be inherited from a folder to its subfolders & files. You can’t do those things with old 9 bit unix permissions.
Linux & other OSs do have better ACLs *now*, but they didn’t in 1990 when NT was developed. One might wonder how much they copied from NT’s ACL design?
Edited 2009-03-05 21:12 UTC
man chattr
The letters ‘acdijsuADST’ select the new attributes for the files: append only (a), compressed (c), no dump (d), immutable (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).
“a”.. append only
Granted, it’s file attributes in addition to the security attributes attached to the file. It’s not unique to Windows ACL though.
>Also permissions can be inherited from a folder to its
>subfolders & files. You can’t do those things with old
>9 bit unix permissions.
$ chmod g+s <topleveldir>
OSX has ACLs, OSX is a *nix…
Try to keep up. The article clearly states I’m talking about the time of NT’s inception. Mac OS X didn’t even exist back then.
Edited 2009-03-05 23:39 UTC
Precisely so.
Since NT was written, however, there have been a number of security-enhanced versions of Linux implemented.
http://en.wikipedia.org/wiki/Selinux
“In free community supported Linux distributions, SELinux is supported in Debian as of the etch release, Ubuntu as of 8.04 Hardy Heron, Fedora since version 2, Hardened Gentoo, and Yellow Dog Linux.”
I believe it is supported, but not the default, except in RedHat/Fedora.
There is also AppArmor.
http://en.wikipedia.org/wiki/AppArmor
“AppArmor was first used in Immunix Linux 1998-2003. AppArmor was first made available in SUSE and openSUSE, and was first enabled by default in SUSE Linux Enterprise Server 10 and in openSUSE 10.1. AppArmor was first successfully ported/packaged for Ubuntu in April 2007. AppArmor comes installed default in Ubuntu 7.10 Gutsy Gibbon, and came as a part of the release of Ubuntu 8.04, although it only protects CUPS by default, the user can install new profiles and enforce them.”
I think Ubuntu are proceeding along the “AppArmor by default” route:
https://blueprints.launchpad.net/ubuntu/+spec/jaunty-security-defaul…
There is not much point, however, in providing systems like NT’s ACLs, SELinux or AppArmor if they aren’t applied sensibly.
PS: AppArmor first appeared in Immunix Linux 1998-2003. When exactly was NT written? Sometime aroud the same timeframe, wasn’t it?
http://en.wikipedia.org/wiki/Nt_kernel
Edited 2009-03-06 00:49 UTC
Haha, no. NT development started in 1989, and the first version was released in 1993.
Just as a note, the developer of AppArmor works at Microsoft as part of the Windows Security group.
FYI… we have a little PEE CEE user revisionist history going on here.
The commercial Unixes (AIX, Solaris,HPUX, IRIX etc) had ACLS before WindowsNT(er OS/2 v3) was a spooge in someones pants at IBM.
And frankly the Unix guys learned what the Windows guys have apparently not learned yet.
FRANKLY ACL’S SUCK.
WHY?
When was the last time you saw a normal user play with the ACL’s on a bunch of files in a directory?
I don’t know about you but for me the answer is …I HAVE NEVER seen it happen working in enterprise IT that even a windows admin let alone a normal user ever TOUCHES ACL’s. The only people that even try are those that setup the builds/installs, and those that manage NAS storage or something.
Contrast that to UNIX, easy to use permissions system, were just about everyone who reaches something between newbie<>poweruser status has totally mastered, understands and USES file permissions correctly.
Put a combination lock that takes 1000 different codes to lock, and unlock on your door, and no one in the house will bother to lock it when they leave.
Put a lock with one key, and it will probably be locked every time.
Bragging about ACL’s just makes you look stupid, because anyone with real world enterprise IT experience knows they are worse than useless in real life and end up being less secure due to complexity.
Okay Milo,
How do I solve this very simple problem that I encountered in real life with UNIX security?
I’ve got a set of data files for an engineering project in my home directory of a Linux file server. I want to share it with my colleague but with no one else. I am not root on the server and I have no friggin’ clue who actually is. How do I make it so that we can both see the file even though we are not exclusive members of any group on the system?
On an Discretionary ACL-based system like NT, as the creator of the file, I have the right to grant my friends access to it on an individual basis without giving access to other people.
Btw, ACL support was added to Solaris in 1996, to AIX in about the same timeframe, and to Linux in 2002 (!). POSIX ACL standardization did not begin until ~1995 or so and many systems did not implement ACLs until that standard was beginning.
Unix security is really not that interesting until SELinux or AppArmor. It’s just that people only use Unix for a narrow set of tasks (or a narrow type of user) so they think it’s good because it meets those needs fairly well. Even then, how many of those users actually have adapted their needs because of the limitations of the UGO nonsense and only think they are satisfied due to their scaled-back desires?
This is a common question asked by people with little real world unix experience.
The answer:
$ man newgrp
http://linux.about.com/library/cmd/blcmdl1_newgrp.htm
We have users that do this all the time. Our DBA’s in fact do this very thing to switch their group to equal that of what oracle runs as.
No need for overly complicated ACL’s.
Your strawman == fail.
I looked at the man page for that and I don’t really understand how to use it. You’re right that I’m not particularly experienced in UNIX administration so I don’t know all the tricks.
Could you please explain to me how I can share my file with my friend on a persistent basis using newgrp or some other supported technique other than ACLs?
Complexity can be, in itself, a security vulnerability just as over the top ease of use and automation can result in complacency, lack of quality feedback and security problems resulting from services running (and the admin doesn’t know about them).
I question how much features many enterprises use because I’ve seen numerous cases where people have praised Active Directory but very rarely used many if not any of the advanced features in it. Same situation with ACL’s, praised to the high ceilings but when the rubber hits the road, how many use them and out of those, how many of those who do use them use them because they have to. Again, complexity can be a security flaw too.
Edited 2009-03-07 01:59 UTC
Don’t forget that home users don’t actually care about a lot of this kind of thing. For a single-user machine, the concept of different logins and levels of privilege is kind of obscure – the user just wants to use the machine. How do you explain that to install a program, they need to be some kind of administrator user? They don’t want to be some other user, they just want to install a program.
users don’t want to know about oil changes or wear restrictive seat belts.. and god forbit they should share the road with other drivers.. yet, one has to have a license which demonstraits a level of competency when piloting a vehicle.
One needs to take five minutes to understand the user of a hammer, screw driver, type of screwdriver or more automated power tools. If it’s imobile shop tools, things become even more complicated.
Heck, the first time one sees a toaster, they have to take the time to realize that bread goes in the slots then you lever is pushed down (or whatever the mechanism).
Why is it just assumed that computers will work from most basic to most advanced features with no training, or interest in training?
(just a general comment.. it’s a double-standard that comes up from time to time)
Because end users see computers as big magical and wonderful machines that whirl, hum with lots of flashing lights and bright pictures on the screen. They randomly click on shit in a vein hope of something loading and then do what they have to do. To the end user they, for some reason, view a computer as some sort of magical device that does a whole heap of things for them – ignoring the fact that a computer is nothing more than a tool to get a job done.
Does it show end users are dumb? no. What it demonstrates is that marketing is working because 30 years ago people didn’t have that perception. Computers were seen as giant number crunchers – you put stuff in and got stuff back. Now, thanks to the wonders of marketing, we have end users who think that a computer is more than that.
Edited 2009-03-07 02:04 UTC
So true. If only they where really like the marketing hype.
It’s nice to see people understand NT instead of jumping on the bashing bandwagon.
Yeah I concur, this is actually a very good article regarding UAC, and goes some way toward restoring my faith in Thom Holwerda’s ability to write an article which isn’t intelligence-insulting flame-bait.
I have to agree that the fundamentals of the NT operating system are very sound; being created and architected by people who worked on operating systems that were dealing with workloads that Windows itself wouldn’t encounter for a decade.
It’s just unfortunate that it has to lumber around with the win32 userland on it’s back, which has required sending key parts of the OS into kernel space to achieve acceptable performance.
Good work Thom!
An analogy…
In my back yard I have a chlorinated swimming pool, not salt chlorinated like many these days, old fashioned “add chlorine every day” style. So each day I have to remember to add chlorine. I could use tables and dispensers but those things cost a fortune so I choose to add liquid chlorine. However, often I get a bit busy and forget – for a few days – so instead of a pool I end up with a swamp. Ten hours work later I would again have a pool, but the cycle would repeat. So I decided to set a daily alarm in my calendar that syncs with my phone to remind me to chlorinate the pool.
This process worked very well for the first week or two. The alarm would go off and I would dutifully get up from whatever project I was working on (my office is at home) and go put some chlorine in the pool. But after a while the alarms became white noise and I’d start thinking “ah yer, I know what that is, I’ll do it later”, and just dismiss the alarm. A week later, I had a swamp in the back yard again.
So did the alarms fail? No, I did. I chose to just dismiss them without bothering to check what they were. Further, I actually missed an appointment one day because I dismissed it’s alarm when it was set for the same time as the pool alarm.
And therein lies the problem with UAC. People just dismiss it or click through it, and see it as an inconvenience because it comes up so much…
I get kind of that way with Ubuntu asking me for my root password occasionally. The difference is, I have a fair idea when to expect to need root privileges. If I think something shouldn’t be asking me when it does, I do a little bit of research into it, and if I’m not satisfied, I don’t use it. Whenever I start up synaptic or a system configuration thing I just automatically type my password in and ignore it, but it does help to raise alarm bells when it shouldn’t be there.
The problem with UAC is that almost every XP program requested admin rights, whether it needed them or not, for installation and even for running. When they boy keeps crying wolf, you eventually stop listening. Then he gets eaten, though apparently that tale has been changed by the think-of-the-children types, and the woodcutter saves him.
Anyway, I have one idea that I think would go down well for programs that ask for admin rights in Windows. In WINE and Crossover, you can make seperate WINE prefixes, or bottles in Crossover. Why not make it an option to give a program a whole virtual file system to trash? I’m pretty sure Windows can’t symlink files (but it does have ‘junctions’ for directories…), but the ideal way I’d want it to work, to cut down on the bloat of having a dozen “system32” folders, would be to symlink (for lack of a better word) the necessary files into the virtual file system, so programs have access to all they need, but when they want to modify files, copy them. Then you have your nice little infected mess of .dll files completely independent of your nice little uninfected mess of .dll files.
it is a failure from both the users(mostly),apps devs,and userland dev.
Microsoft decided to keep userland compatibility with win32 layer ( that was introduced with NT 3.1 ), but was introduced in a windows 3.x (which is well know for it’s stability and security ), so app dev went on and developped decades of application that relied on the same security features ( none ) of pre NT kernel ( DOS based shell ). User didn’t complained about it.
And Microsoft decided to keep compatibility as it is why business still largely use Windows ( hell even some DOS application can still run in my vista ).
Plus XP/Vista/7 are marketed as a Desktop OS were in term of security, user can happily accept any dialog that the application show to them ( EULA anyone ? ).
Today user do not face the same security problem as yesterday, old virus/trojan/malware were just written by prick whereas today they are written by business peoples. Business people dont care about kernel security, they do care about compromising your personnal data and a kernel access is a nice plus but not mandatory.
I still do think that most of the security problem still come from the user ( password on a post it anyone ? ). But security is by definition obstrusive, guards, fences, watchdogs are “real life” security feature and they can be some time annoying and most of it obstrusive, so should be a secure os (obstrusive and annoying).
I don’t think that a super prompt is a way to secure things ( hell you can download a package than you think you trust and happily answer to the prompt on install ). Running as admin/root login should be annoying at best, like getting a key in a vault before opening another vault, performing an admin task should be painfull.
But I do see the need for user to have their own applications, and use common apps for the sake of saving disk space, keeping their own data. But you are asking normal people ( average joe, your grand mother ) to act as system admin for their own computer when it’s totally not their primary job (and not even an hobby).
How to fix it ? You might have you solution right now.
Web applications and light client, storage (back to thin, incapable client, and big fat mainframe ), leave security to people that are paid to do so. and run a client that is only capable of connecting to your more secure source, and if they fail they get fired ( into the sun ).
But still people will complain….
Agree with you, though to those who say that UAC should prompt for a password like Unix does, I’m not sure how this would be any more helpful? I mean, if Joe Dumbass is going to click OK to anything that promises him nude pics of Angelina Jolie, he’ll certainly enter his admin password for the same purpose, so how is it different, exactly?
Note: That question wasn’t specifically aimed at the person I replied to, but just to whoever wants to answer.
It would help in that it would slow the user down a bit, and maybe that extra couple seconds is what they’d need to realize something was wrong, and wondering why those supposed pictures, or greeting cards, or whatever it happens to be is asking for their password. For a lot of people I’ve supported, the concept of having to put in their password makes them do a double-take, as the idea is passwords are needed to do something important. It’s a mindset, and perhaps invoking that requirement would slow down Joe Sixpack long enough for him to realize something was not right with this picture. It would also guard against the users who leave their computer logged in, one could not just walk up to their computer and simply click “continue” to install something unwanted as they usually can now. UAC should always prompt for a password, not just when being run under a non-admin account, especially since the default account created has admin rights and very few people end up changing that account.
It should be a pretty easy thing to teach to end users – hell, have an ad campaign along the lines, “unless you’re installing/uninstalling an application or changing settings – if something is asking for you password it is obviously a virus” (well, the word virus is more well known than malware or any other variation).
A basic rule like that will go a long way – badly written applications that needlessly prompt for administration password should not be given the Windows compatible logo. The moment when people learn that basic rule will be the moment security improves.
Oh, and someone mentioned multiple accounts; it is easy to explain to an end user. I explained that a user account protects the computer from nasties by not allow software to fiddle with the system without you giving it permission”. Use nice, simple, straight foward words and you’ll find that only the dumbest of dumb will have problems understanding.
Edited 2009-03-07 02:14 UTC
FYI… we have a little pee cee user world-revolves-around-microsoft never-worked-with-anything-else revisionist history going on here. The commercial Unixes (AIX, Solaris,HPUX, IRIX etc) had ACLS before WindowsNT(er OS/2->NT) even had multi-user support. But, who cares that is beside the point.
What is really going on here is that the Unix guys learned a LONG TIME AGO what the Windows guys have apparently not learned yet.
FRANKLY ACL’S SUCK.
WHY?
When was the last time you saw a normal user spend the time to work with the ACL’s on a bunch of files in a directory?
I don’t know about you but for me the answer is …I HAVE NEVER seen it happen working in enterprise IT.
Heck I cant even remember seeing a pro windows admin let alone a normal user ever TOUCH ACL’s.
The only people that even try to fiddle with them are those that setup the builds/installs, and those that manage NAS storage or something.
Contrast that to UNIX, with its easy to use permissions system, were just about everyone who reaches something between newbie<>poweruser status has totally mastered, understands and USES file permissions correctly.
The fact is……
Put a combination lock that takes 1000 different codes to lock, and unlock on your door, and no one in the house will bother to lock it when they leave.
Put a lock with one strong key and a good deadbolt, and it will probably be locked every time.
Bragging about (my OS has ACL’s, neener neener) just makes you look reality challenged, because anyone with real world enterprise IT experience knows that outside of the NSA/CIA etc, they are worse than useless in real life and end up being less secure due to complexity causing then to end up never being used by users who create and own the data to secure their files and everything just ends up being thrown about with wide open permissions in a very insecure manner. At least newbie UNIX users can understand about groups and world easy enough to secure sensitive business data as needed to those that only need access. In my experience that makes simple UNIX permissions about 100000x better than any ACL system you could dream up.
Edited 2009-03-06 02:44 UTC
(See my comment above to the first copy of this text)
P.S. It’s quite possible (and extant) to write policy sets and programs to go through all the ACLs of interesting objects on the system (ACLs in NT apply to many things.. not just files)and check that they match some given policy.
I touch them all the time, and I’m not a sys admin…
I don’t know that NT is a better kernel than Linux or any other Unix-like OS today. It might have been one of the more advanced _PC_ OSes at the time it came out, though some of my IT buds felt it was a BIG step down from VMS (another little OS that Dave Cutler worked on). I say this because it was quite prone to crashing — less so than 98, but still too much for an “advanced” OS. It has gotten better up through XP. I don’t use Vista, and won’t until it goes on a diet, but there may be further stability improvement there.
Not everyone disagrees with you about every user being a normal user. Check out nonadmin.editme.com for a good bit of information about running non-admin on XP.
After looking at that site, and running normal user for awhile on XP, I’m inclined to agree this whole UAC thing is an approach from the wrong direction. Not because UAC is annoying — it’s not, in my brief experience with it — but because of the extra token and other “fancy footwork” required to revoke privileges, rather than going the other way. That’s an opportunity for holes, even if none have been found so far.
In my experience, running normal user in XP is not much more trouble than sudo on Unix/Linux, if any. There are a few issues and workarounds, but nothing insurmountable so far. Microsoft should have cut the cord with NT; it was different enough (from 98) that they could have started introducing this idea then, and avoided a lot of security egg on their faces.
I disagree. When Vista warns me every time I try to use anything with “patch” or “update” or “install” in the file name, I can’t help but feel irritated. (Especially since we all know that Larry Wall’s patch is harmless. Oh noes, mah tekst fahlez ‘R hax0red!)
There are two solutions to your problem: rename the file (easy) or regenerate the executable with an embedded manifest with a runAsInvoker property (basically ‘do not elevate’)
A lot of stability bugs were fixed in the NT4 service packs and tons of improvements were made for Windows 2000 and even more for XP and then 2003. I’ll agree that NT4 shipped with a lot of issues at RTM, but that’s not indicative of the system today.