May 02, 2006

Good security decisions keep slipping in Vista

I'm a big fan of Vista. I see a lot of potential in the new features and functionality as they relate to security. I love UAC, even though it has a ways to go with its popup dialogs, which are annoying many a beta tester. But this post isn't about the goodness of Vista. I want to take a moment to point out that everything isn't all rosy in the Vista security camp. Much like many security decisions of the past, good security decisions are getting trumped by poor human interaction. And it's really too bad.

People are demanding that UAC be turned off. I just shake my head. The benefits vs. the drawbacks of a few extra dialog prompts just aren't being seen by the end users. They don't realize just how much safer least privilege really is. Paul Thurrott does a good job of berating the Vista security features in a post about the very subject. Worse yet, Bruce Schneier supports Paul's conclusions, and I think Bruce said it best when he stated that:

Warning dialog boxes are only effective if the user has the ability to make intelligent decisions about the warnings. If the user cannot do that, they're just annoyances. And they're annoyances that don't improve security.

UAC isn't the only problem. Many readers know I spend a lot of time writing secure code. Not just security-related code, but code designed to be safer and more secure. One of the benefits of languages like C# and Java is that they are type safe. That's just a fancy way of saying that programmers can't as easily treat a value as a type to which it does not belong. We have seen a lot of vulnerabilities in the past that stem from the fact that the programming language used was not type safe (C, C++, etc.) and the programmers used it incorrectly, opening us up to new risk. When friends and colleagues of mine continue to see this in the field, we shake our heads. Heck, Gary even wrote a good article on the topic in which he points out that Microsoft missed an opportunity with Vista to enforce type safety more broadly. He has a really good point when he says:

I asked Butler why it was that Longhorn (Vista's codename at the time) was not built out of a type-safe language like those available for the .NET framework. He shook his head in dismay and decried the fact that we had let another great opportunity to make a huge impact on computer security pass us by. He said that opportunities like this come only once every decade or so in his experience and that he had seen four attempts to cause widescale adoption of type-safe languages founder on the rocks throughout his career.
The problem, it turns out, is that the .NET builders did not give much thought to providing many of the essential basic building blocks that operating systems construction crews need for their work. Interpreted code has some minor performance issues as well (note that there are many ways to overcome this often overly shrill critique). But the main problem was that the Microsoft OS guys are big C++ users. Getting them to switch over to C# was for these reasons not in the cards.

For those of you who don't know, Gary is referring to Butler Lampson, a legendary computer scientist who has done plenty of great pontificating about security, privacy, software, and technology. Like many superior computer scientists, Butler now works for Microsoft Research.

So we lose out on that opportunity with Vista. We will have to wait another 5 to 10 years for Microsoft's next real advancement to hopefully take advantage of type safety. By then most of the old gearhead C coders will have retired or moved on, and C# will be more heavily adopted in the company. Hopefully. Who knows.

Today I heard on CNET that Microsoft is dropping token support from Vista. Even after Steve Riley came to the community and asked what we want out of two-factor authentication, and Bill Gates predicted the death of passwords with the integration of SecurID in Windows for Vista, they have decided to drop it. That's really too bad. The thought of built-in one-time passwords with two-factor authentication really appealed to me.

As Vista continues to be delayed time and time again, we continue to see things get dropped. Now, I respect that security decisions at Microsoft are not easy, and at times it's easier to pull them. But it sure makes it difficult to make decisions about the future of security on Windows when Microsoft keeps moving the goalposts. Look at the history of the TCPA/NGSCB soap opera for that one.

Maybe a better idea would be to leave those types of things alone and let ISVs take care of them. Instead of rushing to add all of these into Windows, it would be better to build more generic systems that other vendors with expertise can hook into. Make the GINA (Graphical Identification and Authentication) hooks easier and let RSA, CryptoCard, Authenix, etc. build their own support in. Then have Microsoft certify and support it with strong Microsoft logo programs. Quit fighting with Windows Defender and work WITH security ISVs who have expertise in the field, and apply their common body of knowledge directly to the Vista system instead of reinventing the wheel.

A year ago, if you had asked me, I would have given Microsoft an A on its report card for its secure software development lifecycle. But as we see the Vista shipping deadlines come and go, I start to wonder. What else is going to be cut before the shipping date? Just where will the security lie by the time Vista goes gold (RTM)? I really hope they don't do anything drastic like turn off UAC or minimize its effectiveness because users demand it. Security will always have compromises, but we need to make sure we don't sacrifice good security decisions to appease the user. We need to think more critically and find ways to simplify the process so the user can benefit from the security decisions without being heavily taxed by having to make the decisions themselves. UAC was not designed to absolve Microsoft from bad security decisions (i.e., "Well, you clicked OK to install that hostile code"), but to notify users that a privileged operation is about to take place. The problem is, too much of that and the user will gloss over it and just stop reading. I think Microsoft is going to need to keep working on that in the coming months to find the right balance.

In the meantime, here is a tip for the Vista users out there right now. If you feel compelled to turn off UAC, DON'T! That's a bad security decision if you ask me. Instead, set the "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" policy to "No Prompt". This way, when a privileged operation is required it will elevate as required, but all other apps will run with standard user privileges, and you can turn on auditing to monitor the system a bit better. It's like turning UAC off, but better. Remember, though, that you are losing the benefit of being notified/prompted when a privileged operation occurs. Of course, above all I would recommend trying to run with a limited user account and NOT an admin account, and living with the UAC dialogs. After you use Vista for a while you will notice when a prompt will be required (you will see the security shield beside the function), and can decide whether you really need that privilege or not.
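Before following that tip, it helps to know what state the machine is actually in. The script below is an added example, not something from the original post: it reports the two policy values behind the advice above (whether UAC is on at all, and what the admin elevation prompt is set to), whether the current shell is running elevated, and the current audit setting for privilege use. It changes nothing. It assumes the documented registry location for these local policy settings, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, where EnableLUA holds the on/off switch and ConsentPromptBehaviorAdmin holds the prompt behaviour (0 is the "No Prompt" setting the post suggests; 1 and 2 are the Vista credential and consent prompts; later Windows versions added 3 to 5, which are all prompts and are treated as such here).

```powershell
# Added example (not from the original post): report the UAC configuration
# the post talks about, without modifying it.
# Assumption: these local policy settings live under the documented key
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#   EnableLUA                  1 = UAC on (default), 0 = UAC off
#   ConsentPromptBehaviorAdmin 0 = elevate without prompting ("No Prompt")
#                              1 = prompt for credentials, 2 = prompt for consent
#                              (3..5 exist on later Windows versions; all prompt)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction Stop

# A missing value means "not configured", which Vista treats as the default.
$enableLua = if ($null -eq $policy.EnableLUA) { 1 } else { [int]$policy.EnableLUA }
$adminPrompt = if ($null -eq $policy.ConsentPromptBehaviorAdmin) { 2 } else { [int]$policy.ConsentPromptBehaviorAdmin }

if ($enableLua -eq 0) {
    Write-Warning 'UAC is OFF (EnableLUA=0): every process of an admin user gets the full token.'
    Write-Warning 'The post recommends keeping UAC on and changing the prompt behaviour instead.'
} else {
    Write-Output 'UAC is ON (EnableLUA=1): admin users run with a filtered token until elevation.'
    if ($adminPrompt -eq 0) {
        # This is the "No Prompt" configuration from the post: elevation still
        # happens per operation, but silently, so auditing is your only notice.
        Write-Warning 'Elevation prompt for admins = No Prompt: elevations are silent; rely on auditing.'
    } else {
        Write-Output "Elevation prompt for admins = $adminPrompt (a prompt is shown before elevation)."
    }
}

# Is this shell itself running elevated? Under Admin Approval Mode a member of
# Administrators only passes this check after elevating; a limited user never does.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ("This PowerShell session is elevated: {0}" -f $elevated)

# The post suggests turning on auditing when prompts are silenced; show the
# current policy for the Privilege Use category so you can see whether it is.
if (Get-Command auditpol.exe -ErrorAction SilentlyContinue) {
    auditpol /get /category:"Privilege Use"
} else {
    Write-Output 'auditpol.exe not found; check Local Security Policy > Audit Policy by hand.'
}
```

Run it from a normal (non-elevated) shell first: with UAC on, the elevation line should read False even for an Administrators member, which is the filtered-token behaviour the post is trying to preserve. If the warning about silent elevation appears and the Privilege Use category shows "No Auditing", the post's caveat applies in full: privileged operations are happening with neither a prompt nor a log entry.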

Let's all hope that by the time Vista ships, no more security functionality slips out of the system. If anything, let's hope some of this stuff comes back in, or that a clearer path is available to understand where ISVs can add value without stepping on Microsoft's toes.

Posted by SilverStr at May 2, 2006 12:50 PM

Sadly, the reason that you get flooded with UAC prompts is often that you're running software that unreasonably demands high privileges. The developers of this software aren't going to change these programs until their users decide to dump the software, and the users aren't going to dump the software until they feel it as painful. They will only feel it as painful while UAC is enforced - but they may just as likely dump Vista, if UAC is enforced.
Damned if you do, damned if you don't.
Just keep reminding your vendors that in the fight, you will dump their software, if it insists on admin privileges unnecessarily, rather than Vista's UAC protection.

Posted by: Alun Jones at May 2, 2006 02:44 PM

No prompt is as bad as too many prompts in terms of implementation and engineering. What one would expect from an operating system about which you'll start hearing very soon that "it's so much safer and secure than Windows XP" is that they would have taken their time to get it right, i.e. prompt once to elevate, show a clue that it's running elevated, allow things elevated to run, up until it goes down. In other words, a smart prompt with a state.

Posted by: Mike at May 3, 2006 04:35 AM


Thanks for continuing to harp on this important message. I too shake my head at those users who want UAC turned off. I've said it before, and I'll say it again ...

A decade from now, MS's (Win2000) decision to basically bypass ACL security by defaulting everyone to Administrator will be considered the Worst Mistake They Ever Made.

I disagree that Defender represents a tactical error, though. IMHO, MS AntiSpyware led to OneCare, which is raising the 'secure-ness' level for a *lot* of people. I keep recommending that MS integrate MBSA into OneCare, and if they do that (making a passing grade in MBSA essential to a green OneCare icon), 'secure-ness' goes up again. I'd also like it if MBSA included a big warning if the number of Admin accounts is greater than 1 (and detailed, Grandma-level instructions for lowering account privs)...

Re: changing the whole OS dev process over to a type-safe programming language. Woulda been nice, sure. But woulda probably delayed Vista another 5 years. Too much!

Finally, kudos to Alun Jones who put his finger right on the button. Until LUA/UAC focusses attention on programs that needlessly require elevated privs, those programs won't get fixed. I'm kinda hoping that all those dialogs in Vista previews are there on purpose, to light a fire under the asses of the many 3rd-party software devs committing this sin.

Posted by: Bryan at May 3, 2006 12:49 PM