May 29th, 2008

Dear Microsoft: Please get UAC right this time

Posted by Ed Bott @ 1:22 pm

Categories: Security, Windows 7, Windows Vista

Tags: Dialog Box, Permission, Window, Control Panel, Microsoft Windows Vista, Microsoft Corp., UAC, Microsoft Windows Vista (Longhorn), Construction, Advertising & Promotion

Alex Eckelberry of Sunbelt Software vents, intelligently, about Windows Vista’s UAC conundrum:

UAC could certainly have been handled better. It does something the security industry has been well aware of for a long time — it creates the “cry wolf” problem of popup fatigue (people turn off or ignore the popups after awhile). Vista is more secure than XP, despite what others might say, but it still gets infected. Since over 80% of all infections are based on social engineering, the popups should focus on that weak point. If UAC targeted the key areas where people run into trouble (as opposed to harassing the user on inane actions), it would be far more helpful and potentially make a really significant impact on infection rates.

Absolutely right. A single request for permission doesn’t bother most people. What gets under the skin is the second UAC prompt, and the third, and the fourth, and so on. The closer together those dialog boxes arrive, the more annoying the phenomenon.

I was all prepared to lay out my modest proposal for how Microsoft should tweak UAC in Windows 7. And then I said, “Hey, wait a minute! I already did this.”

And sure enough, with a little help from Google I was able to reread “How Microsoft can save User Account Control.” which I wrote way back in May 2006, while Vista was still in beta. In that post, I offered four “suggestions that might ease the pain” of UAC. Two years later, I think those recommendations are still valid, so I’m reprinting them here, with a little updated commentary on each one:

Create a special Admin Mode. Power users would appreciate a UAC option that lets an administrator respond to a single prompt and temporarily open a session that runs with full administrative permissions. The devil is in the details, of course. How do you keep people from choosing this option as the default?

I sure hope someone at Microsoft has been actively working on a way to implement this type of behavior, which I like to think of as Advance Consent mode. In Vista as it exists today, I can do this by switching into silent consent mode (as I describe in Fixing Windows Vista, Part 2: Taming UAC), but that setting is persistent, in the current session and in future sessions. If I forget to switch UAC back to its normal behavior, I’ve made myself more vulnerable to a variety of attacks. The default settings could exit Advance Consent mode after a specified time - say, 15 minutes -  in which I take no activity that would have required UAC approval.

Put a time limit on UAC. [E]ach UAC prompt is tied to a single process. When that process ends, so does the elevated set of permissions. But what if a UAC consent dialog box elevated your permissions for 10 minutes? Long enough to install a couple of programs or make a series of system tweaks, but not so long that you forget and fall victim to a piece of malware.

I think this should be an option in every UAC dialog box. It can be hidden, just as the Options section of IE7’s Close dialog box is hidden by default. Give me a check box that says “Automatically approve elevation requests for the next 10 minutes.” That way, I get to approve the first UAC dialog box and then don’t have to worry about a flurry of additional, related UAC prompts.

Provide easy options to open Control Panel and/or Explorer with full Admin rights. As I indicated earlier, it takes only a right-click and a quick OK to open either of these windows with full permissions. So why not offer those options on the Start menu?

This is an especially important change to make for Control Panel. If I open Control Panel and double-click an icon with the UAC shield, that consent should transfer to any other action I execute from Control Panel, until I close the Control Panel window. This feature might work especially well in tandem with the next suggestion.

Identify applications running in an elevated context. Today, if I open two Windows Explorer sessions – one as a standard user and another using an administrator’s process token – I have no way to distinguish which is which. A text label in the title bar, or a blood-red border around the window, would help prevent this convenient shortcut from becoming a security hole.

For Command Prompt sessions, this was addressed (too subtly, in my opinion) in Vista RTM. When you run Cmd.exe as an Administrator, the word “Administrator:” appears in front of the window title in the title bar. I still like the idea of the blood-red border.

As I noted in that original May 2006 post, “Microsoft has to deal decisively with the perception that UAC imposes an unacceptable tradeoff between performance and security. In its current incarnation, too many people are likely to dismiss it completely, and if that happens, everyone loses.”

That plea fell on deaf ears two years ago. Maybe, after more than a year of user complaints and frustration, someone is finally ready to listen.