May 8th, 2006
Is Vista UAP getting a bum rap?
With Windows Vista Beta nearing "feature complete" status, Paul Thurrott wrote this damning article slamming Microsoft Windows Vista for "broken promises" and its new UAP (User Account Protection) mechanism as a "sad, sad joke". A number of other Microsoft critics including Bruce Schneier have piled on the slam-UAP bandwagon for implementing wizards for maneuvering around administrative restrictions. Normal day-to-day operations will never bother anyone with UAP warnings… The allegation is that the Vista UAP wizards pop up for seemingly innocent tasks that you would think shouldn’t pop up, but these people should really know better. [Editor's note: Ed Bott takes a closer look at the system prompts presented by Vista's UAC.] Bruce Schneier goes as far as trying to have it both ways by criticizing Microsoft for not implementing administrative restrictions sooner in pre-Vista operating systems but criticizes Microsoft for implementing UAP and doesn’t offer any alternatives for handling the task in a more graceful manner.
Thurrott specifically raises the "problem" that when he attempted to delete a Firefox shortcut from the desktop when he had just installed it, it demanded additional user authorization from Vista’s UAP which he thought was so stupid. What Thurrott failed to realize or disclose is that deleting a shared shortcut like the one Firefox installed on the Desktop means that you are deleting a shared shortcut from the "All Users" desktop which requires administrative privileges. With typical Windows XP configurations where most people run as part of the "Administrators" group (one of the main reasons Windows XP is so easy to infect with root kits and spyware), deleting something from the "All Users" desktop is no problem since administrative privileges are already present. Had you been running Windows XP as an ordinary user (enterprises that care about security do this), you wouldn’t have been prompted with UAP warnings but you would have been flatly denied. The only way to delete that shared shortcut is to log out of Windows XP and log back in as a System Administrator. Once you’ve deleted the file, then you have to log out again and back in as the regular user.
Windows Vista UAP tries to make this process simpler by allowing you to elevate your system privileges on the spot and delete the shared shortcut without having to log off and back on again. If you attempted to delete something in a shared user directory from Mac OS X or a Linux operating system, you’re also going to have to elevate your system privileges before you can complete the operation so why is anyone surprised at Windows Vista doing the same thing? Where Windows Vista and UAP does differ from Linux and Mac OS X is that Vista actually goes a step further to protect your data files and not just the operating system. If we look at a recent zero-day Mac OS X exploit, the proof of concept code couldn’t access the system files but it was given full access to the user’s files. This means that while the exploit couldn’t damage the operating system, it could access your family photos and your financial records.
You can always rebuild your system files by reinstalling the operating system, but can you ever recover your family photos? There are actual Malware called "ransomware" roaming in the wild that will attempt to hold your data hostage by encrypting your data until you pay them for the decryption keys. Telling people "too bad you didn’t backup your data" doesn’t exactly help the vast majority of the population get their precious data back. Windows Vista UAP goes as far as running Internet Explorer 7 in a sandbox so that if it ever did get compromised by a documented or undocumented exploit, it can’t access your System or User files. Vista UAP even prevents IE7 from logging keystrokes from the rest of the operating system to prevent privilege escalation. While some will point out that dedicated sandbox accounts can be set up in Mac OS X and Linux, they’re not that way by default and they take manual intervention to achieve which simply means that it won’t ever be done by the vast majority of users. The pundits have failed to recognize the solid security advancements of Windows Vista and are clinging to a non-issue.
The challenge for Microsoft is that Windows users are not accustomed to dealing with user permissions since the vast majority of them routinely run Windows with administrative privileges. There is no simple way of implementing sensible restrictions on user permissions without some growing pains. When Windows XP Service Pack 2 came out, all the pundits slammed SP2 for "breaking hundreds of applications" when all that was needed was some holes punched in the firewall or worst case turned off. The result was that a lot of people didn’t upgrade to Windows XP SP2 and still haven’t and are only harming themselves by not doing so. I fear the exact same thing happening with Windows UAP protection because scaring people about Vista’s UAP feature is only going to help the Spyware and Malware pushers. What’s really needed is user education on the dangers of running their computers as administrator and how UAP helps them get around the restrictions. The reality is that normal day-to-day operations will never bother anyone with UAP warnings and the only time you’ll ever see it is when you need the protection most.
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
