May 23, 2006

Microsoft... Eat your own UAC dogfood already!

According to an article on ZDNet, Microsoft is CONSIDERING using UAC for their employees.

"We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction," said Estberg.

Why haven't you made a final determination? On the CORPORATE net, this should be a no brainer. EVERYONE should be running with least privilege (Yes, that means Bill and Steve too). Those secondary dev machines... ok maybe think twice. But put them on their own private network! Or use Virtual Server. Yes, some software will break. But then you can turn to those 3rd party vendors and get them TO FIX THEIR BLOODLY POORLY DESIGNED SOFTWARE, or at the very least, fix UAC so its not a pain for most users as we are seeing in the field.

It drives me bonkers that people think you cannot install software with a limited account. I do it all the time. I just point the install to c:\documents and settings\dana.DOMAIN\program files (a directory I created) and install it there. If the app requires privileged registry or file access, I weigh the risks accordingly and decide if I need to give permission, or scrap the app. If I need permission, I request it (of myself... I don't have a large IT team to do it for me). But I am making a concious risk decision when I do that.

To be fair, I REALLY like Estberg's attitude towards security accountability.

When asked about the one thing he would change about Microsoft's internal IT systems, Estberg said: "The thing that I would most like to change is driving awareness of security accountability across individuals in the company."

Imagine if, with the return of towels at Microsoft, that there was a 3 strike firing policy if you installed administrative installed malware on your desktop. (Yes that is extreme). I bet MORE people would be willing to give UAC a try then.

UAC has the potential of making a huge impact on safer computing in the Windows world. But only if its used properly. It will eliminate entire attack vectors, and make the attackers go back to the drawing board. If someone like Microsoft cannot even demand it of themselves, how will others embrace it? Eating one's own dogfood is NOT about taking a taste. Its about making 3 square meals of the thing and seeing how your palette REALLY likes it. How much more effective will the UAC rollout be if they find the right balance between automated security decisions and the hated dialog prompting? Thats a HUGE potential opportunity being squandered away.

Microsoft... eat your own dogfood. If it tastes THAT bad, then maybe you have a bigger problem to address than the Vista release date.

Posted by SilverStr at May 23, 2006 09:29 AM | TrackBack

While I agree with the majority of this post (and live the non-admin life myself on ALL my machines!), I want to point out that while installing programs to a non-\Program Files location may make things easier, but it also means that the program's binaries aren't protected from modification like they otherwise would be and they're not as likely to be accessible to other users. By installing programs to \Program Files as an Administrator, you know that when you run as User your OS *and* programs are protected from tampering.

Love your blog - keep up the great work!

Posted by: Delay at May 23, 2006 11:50 AM

Hey Delay,

I could be wrong, but I don't believe the Program Files directory is a protected one. The Windows directory is, and only from those that are under WFP (the "Windows File Protection" feature you speak of). Normally it only protects those files stored under %systemroot%\system32\dllcache.

What you may be referring to is how the MSI system supports binary overwrite and repair. However, if you use a proper MSI and retarget the destination directory, it will still "repair" itself if its under a different directory, including a user's dir.

I do conceed that installing it in a user's dir does prevent others from accessing it. But thats not a bad thing if you ask me :)

Posted by: Dana Epp at May 23, 2006 01:02 PM

Try: cacls "%ProgramFiles%"
It should show you that Users have read-only access to the entire Program Files directory tree (at least that's the case on W2K3SP1). Granted, it's not the same active protection that WFP provides, but it's a pretty trivial way to prevent users from accidentally (or deliberately!) stomping on any installed programs.

Posted by: Delay at May 23, 2006 01:20 PM

I can't argue with that logic. You're right. Unless someone is granted Pwoer User perms.

That's just an ACL issue though. You could manually reset your own ACLs to prevent "accidental" problems. Of course, nothing prevents the user from nuking their own software installs.

It's a balancing act. I would rather allow a limited user the ability to nuke their own untrusted software installs, rather than force an admin to install untrusted software just so the user can't muck with the files.

Posted by: Dana Epp at May 23, 2006 01:29 PM

So far, Microsoft have basically just slapped the shield icon everywhere that has access to what was traditionally shared, common configuration data. What they need to do now is to consider very carefully whether the option they're protecting actually is shared system state, or whether it's something that should be a user preference.

For example, which media player opens my MP3 files? This should be my choice as a user, not the administrator's configuration. The registry supports this - HKEY_CLASSES_ROOT, which contains file associations, is a merged view of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes, where the user's settings override the machine settings. What does Windows Media Player do? Hide the File Types tab in the Options dialog if you're not an administrator. Maddening.

Posted by: Mike Dimmick at May 23, 2006 03:15 PM

I'm glad that MS took my advice from ages ago and have copied the way that Apple does things, but man, the way they have done it just sounds and seems crazy. I really hope that this is in the list of stuff to clean up that's on the list that delayed the release.

Posted by: Arcterex at May 23, 2006 05:03 PM

Seriously. In what real world computing environment is this valid?! The # of IT Geeks and Drones is minimal in comparison with what is in between. What is in between is a class of people that need the rights to do things that involve a higher level of access than USER. Microsoft is at fault for not providing a REAL platform for secure business computing. But if our IT helpdesk had to be contacted everytime that someone needed something because they didn't have the rights we would be under water. YOU can do it because you're in IT and you work for/by yourself. I love the attitude that people have of "well I do it, so why can't a company with thousands of people." Wake up, that's not the real world. When I hear this again at Teched this year my head is going to explode.

Posted by: Aaron at May 23, 2006 05:04 PM


Its this type of attitude which causes such resistance. It's NOT about IT geeks here. It should be ALL users of the system. You might want to check out my latest post "LUA with UAC vs Least Privilege" ( where I discuss how least privilege is SUPPOSED to work.

To me, least privilege means that you are given the privileges to accomplish your task/role/job. Nothing more. That's the whole point of the LEAST part. It is giving enough privilege to accomplish what you are deemed responsible to accomplish, and prevents you from doing things you aren't. When least privilege is rolled out properly, users won't even know they are using least privilege unless they do something they aren't supposed to do on the system. And that is the appropriate time to educate them on why they were not authorized to perform that function in the first place.

I have worked in both big and small networks, and I must say, in the properly controlled environments where least privilege is used to meet corporate security policies, there is less admin hell in fixing and managing desktops and people STILL do their job. In fact productivity is typically higher due to the fact the computing resources are used as TOOLS, not TOYS... focusing users to complete their job function and not installing software not needed in the business. If they need software installed, IT gets involved to validate the software functionality and lock it down so that its safe to be used on the network.

I appreciate your feedback and comments. If we remove the vexation and 'head blowing' promises from your comments... you hit on a vital issue. People will continue to have a poor attitude towards least privilege and assume that it can't be rolled out until we show them it can be done. Microsoft needs to lead the way here. That was the one of the key points to my post in the first place.

Thanks for the rant. Hope you enjoy TechEd. :)

Posted by: Dana Epp at May 23, 2006 10:21 PM

The way I do it in my (mostly Mac) office--
Mobile users have two accounts on their computer: a regular davepooser account and an admin account named dpadmin. Both accounts share the same password. So any time the user is prompted to authenticate as an administrator, he can; my goal is not to lock the computer down entirely but to make sure that any time the user is acting as administrator, it's the result of a conscious decision on his part. (And, of course, admin privileges that are abused can be revoked.)
On the other hand, local users do have to contact the IS department (me) to gain admin privileges as needed. Average calls per week? Roughly 1 per 50 users. It hasn't swamped me yet.
All this is true of the Mac side. If Vista provides a similar experience on Windows, that will be the best argument I've heard for corporate users to upgrade sometime in 2007. (Assuming it doesn't slip again, but that's a whole 'nother story.)

Posted by: Dave Pooser at May 24, 2006 09:48 PM