Slashdot Log In
Windows 7 To Dial Down UAC
Posted by
kdawson
on Fri Oct 10, 2008 01:38 PM
from the cancel-or-allow dept.
from the cancel-or-allow dept.
Barence writes "Engineers working on Windows 7 have admitted Vista's User Account Control was too intrusive, and are promising to tone it down in the forthcoming Windows 7. 'We've heard loud and clear that you are frustrated,' says Microsoft engineer Ben Fathi. 'You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience.' According to Fathi, when Vista first launched, 775,312 unique applications were producing prompts — so some may be annoyed that it won't be scrapped entirely, but at least Microsoft is listening. The comments echo those of Steve Ballmer, who admitted at a conference in London that 'the biggest trade-off we made was sacrificing security for compatibility. I'm not sure the end-users really appreciated that trade-off.'"
Related Stories
[+]
UAC Whitelist Hole In Windows 7 496 comments
David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then telling that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Cancel or allow what?! (Score:5, Insightful)
Re:Cancel or allow what?! (Score:5, Funny)
If only there was some sort of button, or perhaps a downward facing arrow, that would provide additional details about what is happening. That would be awesome.
Parent
Re:Cancel or allow what?! (Score:5, Informative)
The details only tell you what application is requesting access.
It most certainly does not tell you:
What file - well, that's not completely true, it gives you the file name but not the path!
What the file operation is (read? append? replace? delete?)
Anything that might help you make your decision
And when I said it tells you what application it is, I mean it tells you the process name, which is generally something very helpful like "RUNDLL32.EXE".
Parent
Re:Cancel or allow what?! (Score:5, Interesting)
Parent
Re:Cancel or allow what?! (Score:5, Interesting)
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
I've said it before, and I'll say it again in the hope that someone from Microsoft might actually see this and have it sink in...
If a program wants to create a new directory in c:\program files, that's not really a big deal.
If a program wants to overwrite an existing non-executable file in an EXISTING directory of c:\program files, it's probably worth bothering me about.
If a program wants to overwrite an existing executable file, dll, or device driver... or change a shortcut to point to a different file... THAT is a very, VERY big deal that merits my full attention.
What Windows 7 REALLY needs is a way to run untrusted programs (untrusted by ME, not untrusted by Hollywood) in a chroot jail, complete with firewalled network access, spoofed system and registry settings, and parallel-universe copies of system files. Basically, a way to run apps that might be outright trojans in a way that limits the scope of their damage to their own subdirectory tree and phantom system files that are meaningful only to that app.
Hell, Microsoft OWNS VirtualPC. DO SOMETHING with it. Give me an option that basically works something like, "Spawn a virgin installation of Windows... updated, but crap-free, with Explorer (the file manager) NOT spawned by default, and windows opening up in windows managed by the "real" hypervising-copy of Windows 7... then copy the installer to that instance's chroot jail, and launch it. Going forward, spawn the virtual instance of Windows, then launch the app in it." Think: the long-awaited sequel to WinOS/2... 15 years late, but better late than never ;-)
The acid test: make it so someone can install a DRM'ed game that's a shameless rootkit (Starforce comes to mind...), emulating Windows well enough with phantom files (any files the program changes are local copies that apply only to the session that spawned them) and spoofed drivers so the Evil App never even realizes it's not screwing up the user's PC. Then be very, VERY anal about warning the user before anything is able to change a "global" (common to all instances of Windows spawned under the hypervisor) setting or file. Big hint... if you don't, Sun or VMware eventually WILL.
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
Seriously. I run Vista, and I've NEVER seen a UAC prompt come up where I didn't know what it was for.
And if you DON'T know what it is? Freaking hit cancel! What's the worst that'll happen? Something you're trying to do errors out? OH NOES!
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
I use Ubuntu more than I've ever used Vista, but from both experiences, I see sudo/password requests when it makes sense and the UAC dialog when it makes sense.
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
My main complaint with UAC is the lack of granularity. You have to either approve or disapprove fairly broad strokes.
Try right clicking on computer, then selecting 'manage'. That should bring up UAC every time, unless it is turned off.
Yeah, see, if I do that, I'm pretty sure I'm going to know what the damn UAC prompt is for.
Fair enough. Trying to run Computer Management is what brought up UAC. But what exactly are you authorizing? Just running the Computer Management screen, or anything and everything you can do in there? Why do I need to authorize it if I just want to look to see if a service is running - not make any changes at all?
For a more annoying example start up a command prompt without administrative credentials... Then try to do an IPCONFIG /RELEASE... It'll tell you that you can't. And you can't just SUDO it like you would on a Linux box. You have to create a new command prompt with administrative credentials...but now everything you do in that command prompt has administrative credentials, so you've got no added security at all.
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
"Oh, I feel your pain on that one. I would LOVE to see an app that can escalate/de-escalate permissions in a cmd window, and it annoys me that Microsoft didn't provide it."
On 2003 (don't have vista to try), runas /?
RUNAS USAGE:
RUNAS [ [/noprofile | /profile] [/env] [/savecred | /netonly] ] /user: program
RUNAS [ [/noprofile | /profile] [/env] [/savecred] ] /smartcard [/user:] program /noprofile specifies that the user's profile should not be loaded. /profile specifies that the user's profile should be loaded. /env to use current environment instead of user's. /netonly use if the credentials specified are for remote /savecred to use credentials previously saved by the user. /smartcard use if the credentials are to be supplied from a /user should be in form USER@DOMAIN or DOMAIN\USER
This causes the application to load more quickly, but
can cause some applications to malfunction.
This is the default.
access only.
This option is not available on Windows XP Home Edition
and will be ignored.
smartcard.
program command line for EXE. See below for examples
Examples: /noprofile /user:mymachine\administrator cmd /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc" /env /user:user@domain.microsoft.com "notepad \"my file.txt\""
> runas
> runas
> runas
NOTE: Enter user's password only when prompted. /netonly. /profile is not compatible with /netonly. /savecred is not compatible with /smartcard.
NOTE: USER@DOMAIN is not compatible with
NOTE:
NOTE:
Parent
Re:Cancel or allow what?! (Score:4, Interesting)
No, they specifically broke runas in a command prompt window in vista in favor of the right click -> run as administrator (bing UAC) route.
It was a totally stupid idea. Even going with a runas which then triggered UAC to gain the required privileges would have been a better plan that no runas command.
Bryn
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
I think it would be better if Microsoft implemented something closer to sudo or su, but I think people would complain about that too.
Parent
Re:Cancel or allow what?! (Score:5, Informative)
>I think it would be better if Microsoft implemented something closer to sudo or su, but I think people would complain about that too.
Its called runas and its been around since the first days of NT. When running as limited user you just right-click on an executable and select runas or you can use the command line.
Parent
Re:Cancel or allow what?! (Score:5, Interesting)
Actually, their plan was to make it annoying in order to force developers to fix their apps so they don't require so much administrator access.
It's hard to fault them for their motivation, even if the execution perhaps left something to be desired.
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
The end result, unfortunately, is even more dangerous. Any product that requires updates to be installed results in a UAC prompt every time. Developers hate that, so they started writing *services* that install on the first run. That way the user gets one UAC prompt, the service installs (probably not telling the user that it is a service), and then that developer can forevermore install anything to his hearts delight, without prompts, by going through the privileged service.
Parent
Re:Cancel or allow what?! (Score:5, Informative)
UAC is just a slightly different implementation of Linux's graphical sudo prompt. If Linux were used by the hordes of ordinary intarweb surfers and other everyday lusers, sudo would annoy them enough to want to turn it off permanently (or just log in as root).
Parent
Wrong (Score:5, Insightful)
On a modern linux installation, the number of times you need to log in as root to do ordinary stuff is ZERO. All of those desktop things that you used to have to do as root is now being done by setuid programs or other such carefully designed gateways.
My wife uses my linux laptop all the time and does all kinds of useful things on it and she does not know the root password.
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
Parent
Re:Cancel or allow what?! (Score:4, Insightful)
A temporary elevation of rights for a single process (and its children) is the goal here, and it appears UAC only elevates a specific action, not the process containing it.
On some apps, it's a per application basis. One example is opening a command prompt by right-clicking it and choosing "Run as administrator", which allows you to run any command or activity with elevated permissions.
With Windows Vista, I do have specific complaints about UAC elevation:
- It's an automatic prompt on some applications (i.e. anything called Setup.exe triggers UAC even when it isn't required.)
- If you block UAC on some programs, the program doesn't even attempt to run. In some cases, this is inappropriate since the program in question doesn't require those additional privilages or is semi-capable of running without them.
- If you run one elevated command, any subprocesses it creates have full access. You can use this to temporarily disable UAC, but...
- For Windows Explorer, it only does elevation for one task. In some cases, the elevated permissions need to persist a bit more to do what you want.
- Also in Windows Explorer, it sometimes interprets a file already being in use as a necessity to use UAC (consequently causing the filer operation to fail again.)
- It bumped the "Run As" prompt, which prevents running applications through other accounts.
This feature is easily disabled in the control panel. Of course, you might as well login to a Linux box as root.
Parent
Re:Cancel or allow what?! (Score:5, Funny)
Allow.
A left mouse click was detected. Cancel or allow?
Allow.
A left mouse click was detected. Cancel or allow?
Allow.
A left mouse click was detected. Cancel or allow?
Allow.
and so on....
Parent
Re:Cancel or allow what?! (Score:5, Informative)
Or maybe they are sometimes vague because the program wanting control of the system is vague itself. I remember being glad the UAC actually worked when browsing a webpage recently. It looked like a completely innocent webpage but all of the sudden the UAC panel comes up with a request for who knows what attached to the website. I still am not sure what it was and why it wasn't picked up by the more robust security systems running on my computer.
Parent
Re:Cancel or allow what?! (Score:5, Interesting)
You can't really be vague about a file. If I want to gain access to a system file, I pretty much have to do it by name. Also, Windows is blocking it for some reason. Why does that reason have to be hidden?
"Oh, I see you have peon user rights, but you need power user rights to gain access to c:\winnt\notepad.exe"
"______ program needs access to a restricted part of the registry to be able to read/write data.
Cancel/Allow?
(Click here to more details on the requested operation) >>
someapp.exe is trying to request access to HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey"
And while we are on it... you should at least be able to specify conditional allowance. (Cancel | Allow This | Allow All)
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
How do you *know* that it's Apple's software updater that's causing the UAC box to appear, and not an opportunistic bit of malware that's been watching for the software update dialog to show up?
Parent
Re:Cancel or allow what?! (Score:5, Insightful)
How do you *know* that it's Apple's software updater that's causing the UAC box to appear, and not an opportunistic bit of malware that's been watching for the software update dialog to show up?
Apple software update is an opportunistic bit of malware.
Parent
Re:Cancel or allow what?! (Score:4, Funny)
That's easy. I distinctly remember that when the "An opportunistic bit of malware wants to be installed. Cancel or Allow?" dialog came up, I hit Cancel.
Parent
A Comment is Being Added to this Thread (Score:4, Funny)
Dumb (Score:4, Insightful)
No, don't write secure software, staple on a bunch of dialog boxes to shift the onus onto the user.
Re:Dumb (Score:5, Interesting)
Does it really have to prompt me every single time? After prompting me to run the same program 5 times, couldn't it just ask me if I want to white list that program until the executable changes?
Parent
Re:Dumb (Score:5, Insightful)
That's because those systems run apps which are designed from the start not to require admin access. Windows doesn't have that luxury.
Parent
So how about fixing UAC in Vista??? (Score:5, Informative)
Seriously, why doesn't Microsoft spend its considerable resources helping fix UAC for Vista? Do it as part of SP2... Since answering UAC is modal (systemwide), it's not like any user-level apps "depend" on it behaving in a specific way/at specific times, so changing its behavior should have no negative effect on those apps...
Or are they admitting defeat and preparing for the next battle (a.k.a. Windows 7)???
Re: (Score:3, Insightful)
Seriously, why doesn't Microsoft spend its considerable resources helping fix UAC for Vista?
At this point, why would they when they could just charge people to upgrade? So many people stuck with XP that fixing UAC in Vista wouldn't do anything for them.
Or are they admitting defeat and preparing for the next battle (a.k.a. Windows 7)???
Not in words, but in actions. I have a feeling that in the future this version of Windows is going to be referred to in much the same way as we refer to Windows Me now.
Wish I could participate... (Score:5, Funny)
I couldn't be happier not having experienced the headaches mentioned in this article.
Linux does it right (Score:5, Insightful)
In most Linux distros, if you do something that requires admin access, it asks you for the admin password and holds onto privileges for a little while. That way, if I rearrange a bunch of icons I don't get 100 different prompts. This is simply common sense. It amazes me that the Microsoft developers didn't get fed up with the prompts and do the obvious thing.
Re:Linux does it right (Score:5, Interesting)
That assumption is no longer true. Since the number of programs is so enormous (the 775k mentioned in the summary), it's easier to deal with the privilege-escalation by putting in something like UAC than it is to fix every faulty application. Hopefully, developers have now learned to assume least privileges, so new programs won't require elevated privileges.
I don't think anyone will agree that UAC was the best way to handle the situation, but it sure was the easy way out. As an earlier poster said, better sandboxing could handle the issue better, but it's obvious that the investment (money and potential schedule problems) wasn't worth it from MS's point of view.
Parent
Re:Linux does it right (Score:4, Interesting)
Between using Windows and Linux, I've noticed that Windows is becoming more Linux/Unix like with every release. With XP the Documents and Settings folder really started to feel like
The UAC issue is an issue that every company has when it does something wrong and tries to fix it. The users and developers get used to doing it the wrong way and it's very difficult to get them to do it right. Microsoft has to go through this pain if it wants to be a serious operating system.
I've seen similar problems in manufacturing. When we try to bring a process under control, the operator at that station will resist and say, "but I've been doing it that way for 20 years!" Then we have to explain that they have been doing it wrong for 20 years. It's very difficult to change your way of doing this after that long. Some companies have tried, but weren't successful. [wikipedia.org] It's painful at the moment, but it will improve. Windows will become a better product because of it.
Parent
Re:Linux does it right (Score:5, Insightful)
Perhaps I was not clear in my explanation.
In Vista, if you open the "all users" start menut and re-arrange 10 shortcuts, you get 10 prompts (actually, 20 - moves involve two prompts). In Linux, if you use the KDE/Gnome/whatever tools to reorganize the "start" menu, you get one single prompt when you save the changes.
In Vista, you also get prompts merely for viewing some information in the control panel. Then you get another prompt when you save/apply it, then another if you apply it again. In Linux, running the appropriate "control panel" tools requires no special privileges until you change something, at which point it prompts you once. And if you change something else without closing that window, you don't get another prompt.
I am guessing that the underlying difference is that Vista is confirming each particular action (system call?) whereas Linux is prompting for a privilege escalation which then applies to that process.
Parent
I never understood... (Score:5, Insightful)
... how getting computer users to blindly click through continuous, repetitive, and annoying dialog boxes kept computers more secure in the first place. It would seem under any reasonable analysis to do the opposite.
How about fixing the developers instead? (Score:5, Insightful)
It would be a much better idea to force every programmer to run under a non-Administrator account (and no Administrators or even Power Users group membership either!) Anyone who complains is obviously writing bad code, since there is absolutely no friggin' reason that a regular application should require administrative privileges. Whatever you set during setup is IT! And, for God's sake, learn to open registry keys in read-only mode!
Trade-off my ass... (Score:5, Insightful)
This problem of imbecilic prompts is directly related to the entire inane history of DOS and then Windows, where all the lessons of multi-user systems learnt decades before were wilfully and sanctimoniously ignored by the resident Microsoft "geniuses". Thus application "developers" were allowed to, and soon came to depend on, access to what in nearly every other OS in existence are "root only" subsystems. Even in editions of Windows which were supposedly multi-user capable, the prevalent lazy practice of majority of "developers" was to depend on system-wide registry keys, administrative privilege level processes and what not to accomplish most mundane of tasks.
And so now the chickens are home to roost, with literally hundreds of thousands of apps written to kindergarten competence levels. And Microsoft is in a bind: secure the OS and either break these stupidly written apps altogether, inundate the user with prompts every time one of them tries something stupid, or give up.
They are scared to death of the implications of the first choice, tried the second, and now seem to be heading toward that last one.
Let me type su (Score:3, Interesting)
If I'm root I want to be able to do ANYTHING with no questions asked. Kill the filesystem with one commandline? Sure. Kill my databases? Sure. Change settings of anything? Sure.
Yet the Administrator accounts in Windows get just as many annoying prompts (if not more) than the standard users. I should be able to configure rights below me easily to allow my standard user to not get bothered by prompts that they can just click through.
br I see it as a huge issue because is faux security with the UAC mostly. It creates warnings basically, but doesn't prevent action (mostly again).
To reverse Ben Franklin :) (Score:4, Funny)
Those who would give up Essential Security to purchase a little Temporary Liberty deserve Microsoft products.
I am for one appreciating this function... (Score:4, Interesting)
After the system, software is setup and running, I hardly run into any UAC prompt, except for one of the bank applications that for unknown requires admin privilege.
If Vista didn't push for that, we will need admin privileges to run Windows, forever, because of the bad design of applications!
There are, definitely, room for improvements, for example, combining the ActiveX Install prompt with UAC, reducing two to one. Combing the warning of running the Internet downloaded .exe and UAC, and allows a Explorer.exe to have the admin token for a while once granted, for those file manipulation operations.
All in all, I love UAC! It's more convenient than typing "sudo ..." for every commands i need to run at root's right.
Microsoft lacks clout with developers. (Score:5, Informative)
If Microsoft only allowed products to show any kind of Windows logo if they complied with the security rules, this wouldn't be a problem. Microsoft loosened up on the logo program because developers weren't willing to bother.
This happened to Apple when they went to the PowerPC, and were dumped by many major software vendors. Apple wasn't in a position to order developers around, and they hadn't realized that. It took years to recover from that.
UAC is attacking the wrong problem. (Score:5, Insightful)
The biggest security problem in Windows is that the design of the HTML control and ActiveX in conjunction with the "security zone" model is inherently insecure. It provides a huge surface are to remote code execution exploits that simply does not exist in any other web browser... or any other software on any other platform that uses HTML and HTTP. The problem is that it's an explicit and deliberate mechanism for an object that should never be trusted... that is to say, a remote website... to request full local application permissions and run unsandboxed code.
Until this model is changed and only explicitly installed applications can run outside the browser's sandbox, Windows is going to remain the poster boy for "insecure systems".
Being able to prevent an already compromised application from performing system administration tasks is laudable, but it's not really all that important to the user. Everything on their computer that they care about isn't owned by the administrator, it's owned by their regular user account. And there's plenty of places owned by the end user that malware can hide to keep being restarted after the computer is rebooted. UAC is a partial sandbox, at best.
Being able to restrict what the web browser can do after it;s been compromised is laudable, but since the browser has to be able to save files for the user, it can still inject an exploit into the users account. So the reduced privilege mode on Vista (and the much touted sandboxes on OS X) are leaky protection at best.
And leaky sandboxes, and partial sandboxes, are more useful in providing a false sense of security to the user than actually keeping malware out.
Getting rid of the "security zones" model and replacing it with hard impermeable sandboxes will cause some disruption. Programs like Windows Update will have to be rewritten to use plugins. ActiveX games will have to be rewritten as flash or modified to run in a full sandbox using something like .NET or a JVM. But this WOULD be a matter of trading off convenience for security. UAC is trading off convenience for the illusion of security. That's not the same thing at all.
Re: (Score:3, Insightful)
Because only Vista runs Win32 apps well (Score:3, Interesting)
If you're not installing Vista for enhanced security, why exactly are you installing it?
Because I'm buying or building a new computer other than a subnotebook. Between June 2008 and December 2096, Windows XP is not available on computers other than subnotebooks, and I want to use applications that work better under Windows Vista than under Ubuntu with Wine.
Re:The best solution is to... (Score:4, Interesting)
I have been forced to use vista (since beta) on my machine at work. UAC comes up:
when you install software
when you are getting to the management section (users, groups,etc)
when you run regedit
If you add new desktop to the wallpapers folder
If you run a program that is accessing the 'protected' sections of the computer
That is it for me. When you first get a computer, you set it up the way you want it. You ARE accessing the protected sections. UAC is doing what is was written to do. Once you are finished setting up the computer how often does UAC come up? It comes up for me now when I am remotely managing someone else's computer or I am putting some new software on. That is it. I have 5 people here that think they are using XP since I change the UI to classic. Which is really sad if you think about it. I had to tell the VP as he was complaining how vista sucked and XP on his desktop worked that his machine that we replaced 7 months ago was vista with the classic UI turned on. I think I might be looking for a new jobs soon.....
Parent
Re:Famous last words (Score:5, Insightful)
It's funny that Microsoft is trying to clean up the mess they've been producing for more than a decade (I'm being nice here), just to find themselves locked in just like the rest of us.
Parent
Re:Famous last words (Score:5, Insightful)
Parent
Re:Famous last words (Score:5, Insightful)
The really interesting thing about this is in the article where the reporter says that they've toned it down a bit , but the Microsoft spokesman only talks about programs changing to fit Vista's security model. Makes sense. Windows programs try doing all sorts of things they really shouldn't sometimes ( especially of the crapware variety).
Parent