This is good, but I think the dialog needs more than an Ok/Cancel. Most users just click Ok without ever reading dialogs, anyway.

Response on my blog.
http://www.lobrecht.com/rick/SecurityGettingBetterInVista.aspx

Nice reply on your blog Rick.

One thing though... how do you know the user ISN'T challenged for credentials when then hit ok? :)

Thats why I said I am going to have to install the CTP bits and check it out. Otherwise, a simple work around for malware would be to simply programmatically click the "Ok" button to elevate privileges when the dialog pops up.

Sweet! At least now we can allow a single "bad" app admin rights without having to let the whole thing run as admin. Certainly will make the whole spyware control problem a lot easier.

Hmm, I wonder which makes more sense, asking for credentials on the first dialog or a subsequent one. I'll have to think about that.

There's still something psychologically unapplealing about operating as Administrator. I suppose it would be like logging in as root, being able to make certain changes (Control Panel, etc) but having every application act as a normal user.

I can also vision the conversation:
"The administrator/ive user is way too ingrained to do what we want. Since we can't gut everything for a LUA approach, lets just drop the rights of every X program. (where X equals companies other than Microsoft, or other criteria since this doesn't apply to services and other areas of the OS) This involves the least amount of work with some seemingly noticable benefits. We don't have to get rid of the 98 one-user-to-rule-them-all code which is deeply imbedded and security types will feel special about themselves."

A step in the right direction? Yes. I really like what is being done regarding the registry and the redirection there.

At the end of the day though, I'm still wondering what good is an Administrator account? If UAP is off, it operates as "normal" in XP, meaning it can do whatever it wants (lets hope this isn't a simple registry setting some malware can tick on/off). If it's set to on then an Administrator is as good as a normal user so why have the distinction in the first place? Why not use normal accounts as a default? I do think remembering two passwords is a little annoying at first but if I can manage it with Linux and OSX (which is incredibly easy for even mom and pop users) then I shouldn't have a problem doing it with Windows.

I will let time be the judge though and give it a shot. Maybe it will evolve through the Beta phase into something a little more worthy. The security looks good on paper (and in Beta1) but until someone pokes at it enough with a stick, it'll be a house of cards in my mind.

You said: "I even think this method is easier than how Apple did it with OSX. No weird grace period that lets everything run elevated. "

Not to sound like a total fanboy, but it's worth noting that the grace period is only for sudo, not for privileges that you grant applications through the GUI. In that respect, the Microsoft approach (from what you describe) is nearly identical.

That said, you're right about the unawesomeness of having timestamps in sudo (which seems to be a historical artefact, more than anything), and it's the first thing I turn off on new installs of any unix.

Incidentally, there's been a trend on OSX for applications (especially installers) to just ask for privilege straight off, on the off-chance it'll be needed, and to ask for permissions far in excess of what's needed. For example, most installers need a privilege called system.root.install (I think) that seems to allow them to write to disk, change preferences, etc. Instead, they seem to increasinly ask for system.root.user, which has substantially greater privilege.

So, while it's a really good idea for the operating system to operate in this way (least-privilege and password-to-upgrade), there's still a very substantial chunk of work that needs to be done in educating developers to ask for (and use) privileges responsibly. Otherwise, I can just see having to grant system.root.user every time I want to play a game.

Thanks for the updates. :)

I am really confused about this.Sometimes this worksout just fine for me and sometimes I have to struggle, when i used it the last time. I just hope it turns out well this time

The problem with prompting for credentials is _spoofing_. If you get the user trained to enter their administrative credentials every time a password dialog appears, they won't consider carefully whether to do so, and possibly will enter their credentials into a fake dialog. Result: stolen credentials. This is a major reason that Single Sign-On exists (apart, of course, from it being extremely annoying to keep entering passwords).

Too, you must recall that Windows does not have a single 'administrator' login as Unix does. Would the user therefore enter their login credentials as confirmation?

I think Microsoft are aiming *not* to have the user enter credentials. It doesn't really add much more security - presuming that the process isolation works and therefore a low-privilege app cannot click the button by sending input or a window message. If the 'confirm' dialog is spoofed, no credentials can be stolen simply because you haven't entered them!