January 31, 2009

Is UAC really broken in Windows 7? More importantly, does it make us less secure?

OK, so everywhere I turn I am hearing people ridicule the changes in how UAC behaves in Windows 7. There is even proof of concept code that can turn off UAC without even being prompted.

For those with their heads in the sand, the story goes that in Windows 7 the default behaviour for UAC is to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. Because UAC is a "Windows setting", it means you can disable UAC without being prompted. And people believe that due to this behaviour, UAC is broken.

Now, I have to say I am personally not a fan of the new slider tuning functionality of UAC in Windows 7. When Windows Vista came out I applauded Microsoft's approach, as it forced people to see the trust boundaries that were being broken in software applications that didn't run properly when using least privilege. After all, that is what UAC is designed to do. It enables people to run with the least privilege they need and encourages applications to migrate to Standard User. Every time you see a prompt, you know which offending application could be written better. You turn to the vendor of that app and scream at them. And it's working. Crispin Cowan, who works on the team at Microsoft focused on UAC, had an interesting chart in his presentations at PDC last year showing the prompt reduction people were seeing in the field as applications were being fixed while Vista was being adopted. It's rather significant.

This is a positive aspect of UAC.

So if it's working, why would Microsoft change it? Well, it's a balance between security and usability. The value a technical safeguard provides has to be weighed against the usability of the system. If it's too difficult for someone to adopt, people tend to find ways around it. This is exactly what happened with UAC in Vista. IT professionals (I will use the term LOOSELY here) were recommending people turn it off. Customers were complaining about the experience, and Microsoft listened to the feedback. Basically, in Windows 7 you got what you asked for *sigh*

Which is rather disappointing. I think Microsoft is making the right commercial decision, but not the right security one. I am not objecting to the new slider. Only to the default shipping state. Of course, I can easily get the level I want by adjusting BACK to high. Which is exactly what I have done in my Windows 7 installs to date. Let me be clear. If you want the same behaviour you have in Vista, you can get it by setting the slider to the highest setting. This gives you the right elevations with the secure desktop as you have it now.

I may personally object to Microsoft's decision because I don't find UAC a nuisance. I run as a Standard User. NOT as a protected admin in "administrator-approval" mode. I rarely see prompts, and my work desktop is Vista SP1, with a beta of SP2 on another. But as Susan is always so fond of saying, I am NOT a normal computer user.

So with an open mind, let's discuss an external view of Microsoft's decision. Vista got a bad rap on UAC. Customers complained. So Microsoft changed the behaviour. Does this make us less secure?

Well first off, let's remember that UAC is NOT a technical safeguard that provides a security boundary. Mark Russinovich has shown on several occasions how to get around UAC. The goal of UAC is to help get us to a point where everyone runs as standard user by default, and all software is written with that assumption. Crispin's stats show it IS getting better as developers move towards this. However, UAC is NOT a mechanism to prevent applications at different integrity levels on the same desktop from communicating with each other. In other words, it's trivial to send window messages from a user's desktop to an elevated process on the same desktop. And because of this, if someone can get you to run code on your system, it isn't your system anymore. This is Law #1 in the 10 Immutable Laws of Security.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

So if you have ever thought UAC prevented this, you are wrong. If you want that sort of isolation, the right way to do it is to use fast user switching and switch to a DIFFERENT desktop and log into an account with the appropriate privileges you need. This is what I do. If I NEED to do a bunch of admin things, I switch to an admin account and log in. If I need to browse places I am not confident in, I switch to a restricted account with almost no privileges. It's just safer that way. And for everything else I do on a daily basis, I use my Standard User account.

Now, let's reflect on the notion that the default settings make us less safe. Is that really true? Well, in Vista most people are told to turn OFF UAC. That's bad advice, but a reality we have seen. So in those situations, yes, UAC in Windows 7 is better. But what about those people that are used to UAC in Vista? Well, interestingly enough, what are we losing here? In Vista, most users' eyes gloss over when a UAC prompt shows up. Because few actually run as a Standard User, they confirm the prompt with a single click without even reading or understanding the message in front of them. So if we are making the choice for them on the most common prompts, is that a bad thing?

The fact this change exists in Windows 7 means Microsoft DID lower the bar for malware authors. Disabling UAC has gone from extremely difficult (but not impossible) to trivial. However, the malware has to be executed first. In most cases users will have had to install that software in an elevated manner, giving the malware a chance to run with higher privileges already.

Now before you go off and start pointing out malware can run directly in the browser without the user's knowledge or need to install anything, remember how IE works. When surfing online it runs in its own sandbox in the LOW integrity level. Microsoft called it "Protected Mode IE" (PMIE) for a reason. It is significantly more difficult to get hostile code on the Internet to run without your knowledge and be able to do things like modify UAC settings. Microsoft is working hard in IE8 to make that even more difficult. So as an attack vector, that is unlikely unless the attacker first breaches the IE sandbox. If they do that, you have bigger things to worry about than a UAC prompt going missing. :-)

So am I for Microsoft's default behaviour? Not for me personally. But I understand it. They have taken a look at the security risk and balanced it against the usability of the system. Remember, security is all about risk mitigation, NOT risk avoidance. They have looked at the real world experience of UAC in Vista and tweaked it to give the best experience, while being cognisant of the implications to security. For users coming from an XP world (which is most people, since Vista adoption has been so slow), it means their experience will be better, and still more secure. And they are less likely to follow the guidance of "IT professionals" who don't know any better and tell them to turn it off.

So no, UAC is not broken in Windows 7. And it DOESN'T really make you less secure. But if you have concerns, stop using that damn administrator-approval mode account and move to a Standard User account. And increase the UAC setting to High. You can always use fast user switching and jump to a higher-privileged desktop as needed. Of course, that shouldn't happen a lot if you have software that actually works in a least-privileged environment. And that is what is REALLY broken out there. Application vendors need to fix their stuff. Period. Which is what UAC was designed to help with!
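As an added example (not code from the original post), here is a PowerShell check for the two things recommended above: whether the UAC slider is at the Vista-equivalent "Always notify" level, and whether the current account is an administrator-approval admin rather than a Standard User. It assumes the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and their mapping to the slider positions.

```powershell
# Added audit script, not from the original post. Reads the policy values the
# Windows 7 UAC slider writes and reports the resulting level, then checks
# whether the current account is an administrator-approval admin.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Missing values mean the OS default applies (UAC on, level 5, secure desktop on).
    $enableLua     = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
    $consent       = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $secureDesktop = if ($null -eq $p.PromptOnSecureDesktop) { 1 } else { [int]$p.PromptOnSecureDesktop }

    # Map the stored values back to the slider positions.
    $level = if ($enableLua -eq 0) {
        'Never notify (UAC disabled, EnableLUA=0)'
    } elseif ($consent -eq 0) {
        'Never notify (admins auto-elevate without a prompt)'
    } elseif ($consent -eq 2 -and $secureDesktop -eq 1) {
        'Always notify (Vista-equivalent, slider at High)'
    } elseif ($consent -eq 5 -and $secureDesktop -eq 1) {
        'Default: notify only when programs try to make changes'
    } elseif ($consent -eq 5 -and $secureDesktop -eq 0) {
        'Notify without dimming the desktop (no secure desktop)'
    } else {
        "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secureDesktop)"
    }

    # A filtered (non-elevated) admin token still lists the Administrators SID
    # in Groups, marked deny-only, so this detects administrator-approval mode
    # even when this shell itself is not elevated.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminSid  = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $isAdminAccount = $id.Groups -contains $adminSid
    $isElevated     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $atHigh = ($enableLua -eq 1 -and $consent -eq 2 -and $secureDesktop -eq 1)
    $advice = if (-not $isAdminAccount -and $atHigh) {
        'Standard User with Always notify: matches the advice above'
    } else {
        'Do daily work from a Standard User account and set the UAC slider to High'
    }

    [PSCustomObject]@{
        User              = $id.Name
        UacLevel          = $level
        AdminApprovalMode = ($isAdminAccount -and -not $isElevated)
        Elevated          = $isElevated
        Recommendation    = $advice
    }
}

Get-UacPosture | Format-List
```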

Posted by SilverStr at January 31, 2009 02:35 PM

I hear you but I'm still groaning and sighing.

It's still a step back.

In addition to the switch user feature, one can also use the new PCSafeguard which is SteadyState built into Windows 7 gui:

This will build a kiosk-frozen user account that will drop all settings and data from a session. It's a cool feature that consumers can use in a home setting if they need to.

Posted by: Susan at January 31, 2009 02:45 PM

Unfortunately you missed the point.

UAC's point was to annoy users into yelling at app developers into fixing their broken apps.

What's easier, fixing an app or adding a few lines of code to have an app elevate itself silently on startup, all without annoying the majority of users (most of whom will never change any option from the default)?

Posted by: The Dave at January 31, 2009 05:51 PM

Let me see if I understand you correctly Dave. You want Windows to just elevate automatically without users knowing? Doesn't that defeat the purpose of UAC?

In Windows 7, Microsoft is giving you the opportunity to elevate without a prompt for trusted applications which have been signed with Microsoft's certificate. This gives you the behaviour you want, while still asking for consent for 3rd party apps which you may or may not trust.

How would you expect the behaviour to work if you feel the current behaviour is incorrect?

Posted by: Dana Epp at February 1, 2009 11:24 AM

The problem with pushing back on application vendors like Microsoft tried to do with UAC is that the application vendors generally have a better trust relationship with the end user than Microsoft do. Hence a lot of application vendor help desk staff say "disable UAC" to close the case in record time and add another point for the vendor's help desk KPIs.

The Windows 7 change in my mind simply highlights this harsh reality.

Posted by: Chris Knight at February 3, 2009 04:10 AM

I agree with Dana here. Allowing poorly coded applications and low quality application developers to define the security of your network is a recipe for disaster. App vendors *may* well have a better trust relationship with the end user, but in no way does this make reducing the security on your network a valid option.

Posted by: Hilton Travis at February 3, 2009 11:49 AM