Engineering Windows 7

Welcome to our blog dedicated to the engineering of Microsoft Windows 7

UAC Feedback and Follow-Up

When we started the “E7” blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren’t sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we’ve managed to do both. Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed. That’s not the dialog we set out to have and we’re going to do our best to improve.

This post is an attempt to get both the blog right and the feature right. We don’t like where we are in terms of how folks are feeling and we don’t feel good – Windows 7 is too much fun and folks are having too much fun for us to be having the dialog we’re having. We hope this post allows us to get back to having fun!

To start we’ll just show representative comments from the spectrum of feedback. We’ll then talk about the changes we’re making and also make sure we’re all on the same page regarding how we move forward. In terms of comments we’ve heard the following:

@sroussey says:

You have 95% of the people out there think you got it wrong, even if they are the ones that got it wrong. The problem is that they are the one's that buy and recommend your product. So do you give them a false sense of increased security by implementing the change (not unlike security by obscurity) and making them happy, or do you just fortify the real security boundaries?

And @Thack says:

Jon,

Thanks for sharing your thoughts.  I understand your points.

Now, I want add my voice to the call for one very simple change:

Treat the UAC prompting level as a special case, such that ANY change to it, whether from the user or a program, generates a UAC prompt, regardless of the type of account the user has, and regardless of the current prompting level.

That is all we are asking.  No other changes.  Leave the default level as it is, and keep UAC as it is.  We're just talking about the very specific case of CHANGES to the UAC prompting level.

It will NOT be a big nuisance - most people only ever change the UAC level once (if at all).

Despite your assurances, I REALLY WANT TO KNOW if anything tries to alter the UAC prompting level. 

The fact that nobody has yet demonstrated how the putative malware can get into your machine is NO argument.  Somebody WILL get past those other boundaries eventually.

Even if you aren't convinced by my argument, then the PR argument must be a no-brainer for Microsoft.

PLEASE, Jon, it's just a small change that will gain a LOT of user confidence and a LOT of good PR.

Thack

With this feedback and a lot more, we are going to deliver two changes in the Release Candidate that we'll all see. First, the UAC control panel will run in a high-integrity process, which requires elevation. That was already in the works before this discussion, and it prevents the mechanics around SendKeys and the like from working, because User Interface Privilege Isolation blocks a lower-integrity process from sending input to a higher-integrity window. Second, changing the UAC level will itself prompt for confirmation.

@mdaria510 says:

Sometimes, inconsistency with your own ideals is a good thing. Make an exception, if only to put people's fears to rest.

That sums up where we are heading. The first change was a bug fix, and we actually have a couple of others similar to that. This is still a beta, even if many of us are running it full time. The second change is due directly to the feedback we're seeing. This "inconsistency" in the model is exactly the path we're taking. The way we're going to think about this is that the UAC setting is something like a password: to change your password, you need to enter your old password.

The feedback is that UAC is special: if changing its level does not itself require elevation, that change can be used to silently disable all future warnings. So changing the UAC setting will require an elevation. To the points in the comments, we also don't want to create a sense or expectation of security that is not there. You should still not download code and run it unless you trust the source. HTML, EXE, VBS, BAT, CMD and more are all code, and all have the potential to alter the environment (user settings, user files) whether running as a standard user or as an administrator. We're focused on helping people make sure that code doesn't get on the machine without consent, and many third-party tools can help more as well. We want people to be comfortable with the new UAC control and the new default setting, so we'll make the changes outlined above, as the feedback has been clear.
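As an added example (this is not code from the E7 blog or from Windows itself), here is a PowerShell script that reads the policy values behind the UAC slider and probes, without changing anything, whether the current token could write them directly. The registry path and value names are the documented UAC policy settings; the mapping of value pairs to slider labels is this example's own assumption about how the Windows 7 slider sets them.

```powershell
# Added example: not code from the E7 blog or from Windows itself.
# Reads the policy values behind the Windows 7 UAC slider and probes, without
# changing anything, whether the current token could write them directly.

$UacKeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the
    # documented UAC policy values; the slider labels below are this example's
    # reading of how the Windows 7 slider sets them (assumption).
    $p = Get-ItemProperty -Path "HKLM:\$UacKeyPath"
    $enableLua = [int]$p.EnableLUA
    $admin     = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    if     ($enableLua -eq 0)                { $label = 'UAC off (EnableLUA=0)' }
    elseif ($admin -eq 0)                    { $label = 'Never notify' }
    elseif ($admin -eq 2 -and $secure -eq 1) { $label = 'Always notify' }
    elseif ($admin -eq 5 -and $secure -eq 1) { $label = 'Default: notify when programs try to make changes' }
    elseif ($admin -eq 5 -and $secure -eq 0) { $label = 'Notify without dimming the desktop' }
    else                                     { $label = 'Policy combination not on the slider' }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        SliderLabel                = $label
    }
}

function Test-IsElevated {
    # True only if the process holds the full (elevated) administrator token,
    # not the filtered token a UAC-protected admin normally runs with.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UacKeyWritable {
    # Non-destructive probe: request write access to the policy key and close
    # it again. A standard user or a filtered (non-elevated) admin token gets
    # a SecurityException; an elevated token succeeds.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($UacKeyPath, $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    }
    catch [System.Security.SecurityException] {
        return $false
    }
}

Get-UacLevel | Format-List
"Process elevated:                 $(Test-IsElevated)"
"UAC policy key writable directly: $(Test-UacKeyWritable)"
```

Run it once from a normal PowerShell window and once from an elevated one: the first run should report the key as not writable and the second as writable, which is the direct-write half of the "password" model described above. The caveat is that this probes only the registry values. It says nothing about whether an auto-elevating control panel can be driven to change the setting on the user's behalf, which is the SendKeys-style path the post says will be closed by running the UAC control panel as a high-integrity process.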

While we're discussing this, we want to make sure we're all on the same page going forward in terms of how we will evaluate the security of Windows 7. Aside from the UAC setting, the discussions of the vulnerability aspects of the Windows 7 Beta have each started with getting code onto the machine, which the mechanisms of Windows prevented in the cases shown. We have also heard of security concerns that involve multiple steps to demonstrate a potential exploit. It is important to look at the first step: if the first step is "first get code running on the machine", then nothing after that is material, whether it is changing settings or anything else. We will treat very seriously the ability to get code onto a machine and run it without consent. As Jon's post highlighted briefly, the work in Windows 7 is about the increased protections in place to secure your PC from acquiring and running code without your consent, and of course we continue to make sure Windows code is secure from both tampering and circumvention of the protections in the system.

We want to reiterate the security of the system overall. Windows 7 is SD3+C (Secure by Design, Secure by Default, Secure in Deployment, and Communications) and is designed to be more secure than Vista. That's our priority. None of us want Windows 7 to be perceived as less secure than Vista in any way, because our design point is to make sure it is more secure than Windows Vista, by default.

We said we thought we were bound to make a mistake in the process of designing and blogging about Windows 7. We want to continue the dialog and hopefully everyone recognizes that engineering, perhaps especially engineering Windows 7, is sometimes going to be a lively discussion with a broad spectrum of viewpoints expressed. We don’t want the discussion to stop being so lively or the viewpoints to stop being expressed, but we do want the chance to learn and to be honest about what we learned and hope for the same in return. This blog has almost been like building an extra product for us, and we’re having a fantastic experience. Let’s all get back to work and to the dialog about Engineering Windows 7. And of course most importantly, we will continue to hear all points of view and share our point of view and work together to deliver a Windows 7 product that we can all feel good about.

--Jon and Steven

  • The UAC in the Windows 7 beta is very nice, and the default settings are quite pleasant!

    I would be interested if you could do a write-up on Windows Defender development.  The last comparison reviews I've seen about it were a couple of years ago, and it was shown to be not as effective as some other antimalware products at that time.  I wonder if there is any telemetry to share in this regard.

  • Great !

    Microsoft is listening :D

  • I was also hoping that Microsoft would provide a way of installing software as a local user, or perhaps a sort of forced emulation (redirecting the install to C:\Users\CurrentUser\AppData\Local\VirtualStore\Program Files), or wherever is deemed necessary.

    Part of this is simply providing functionality that existed under XP (installing WinRAR to non-C:\Program Files was possible as a standard user) and part of this is to provide additional protection. Sometimes I'm not sure I trust an installer enough to give it administrative privileges, but enough to take the chance that it may trash my personal account. I would like to be able to test out a program before taking the plunge.

  • @MrDiSante and Mech9t8

    Yes - I couldn't agree more with your comments.  

    Currently, UAC *forces* users to continue with an administrative token for installers (and other applications such as regedit.exe, for that matter).

    The UAC dialogs should have an advanced section (or similar) that allows a user to deny access to the administrative token, but to continue with the Standard User token.

    Currently, you *have* to continue with an administrative token or not at all.  (Unlike on Windows XP where you could choose to install software from an admin account or a limited user account and obtain an admin or limited token respectively.)

    Regards,

    Patrick

  • I was very disappointed with previous blog entry, due to which I was made to think that I, the consumer of the product, am wrong. However, this one resurrects some faith in your promise of 'great experience'.

    Do know it is highly appreciated. I understand you can't listen to everyone every time you hear a complaint, but this special time I'm quite proud of your announcement.

    Keep going like this and we really may enjoy Windows 7. (Now awaiting RC with fixed UAC)

  • Great news, especially after yesterday's extremely disappointing blog post. Was that part of the underpromise, overdeliver campaign? :P

  • I wrote strong words in the other post, but you need to consider that all systems have a hole, and this hole is the Social Engineering that modifies the behavior of the drive between the chair and the keyboard.

    Finally we have light. Congratulations, now UAC will be protected and the feedback on Connect has a solution. UAC protecting itself against unauthorized changes is a very good idea.

  • UAC is just one of several problems, so whilst it's great that one is getting sorted, what about, say, SKUs?

    Stop, Stop, Stop banging out different versions. It is unnecessary, and may cause more problems than it's worth.

    Ultimate should be the only version released. It has all the features. But make each of these features an optional install.

    Don't want/need Aero, Bitlocker? Don't install them. Six months down the line, you decide you need Bitlocker after all (work told you to have it or you can't telecommute anymore) just click on the Add/Remove Windows Components (or the 7 equivalent).

    Either something is integral to the OS, which means it should be in all the versions you release, or it is an optional feature. And options should be the choice of the user. 3.11 didn't have Home, Pro, Office, Enterprise, Guava and Cranberry, Chicken Bacon Ranch and Barbeque flavours. It was Windows, and it was better for it.

  • Excellent news, good to see that you are listening to feedback! Windows 7 is shaping up to be awesome and it would have been a shame to let something like this tarnish it.

  • You shouldn't do that... almost everybody is missing the point.

    UAC is not here to protect you from malware, it's just saying this code requires admin privileges, and you can have a more or less aggressive prompt.

    The setting we are talking about allows system modifications without a prompt and allows users, as well as code, to make those changes. This is not an issue! If you want a prompt on every modification, just adjust your UAC setting.

    By doing this change, you let everybody think "UAC is here to protect us from *bad* code that tries to get elevated rights". Now geeks are happy to say: "there is a vulnerability, I can change settings, run a service, whatever, and this way I don't have a UAC prompt". Of course... you have chosen to!

    If you want to protect yourself against malware, go buy an antivirus/antispyware. Moreover, malware doesn't need admin privileges to spam, get information about you, listen to your keyboard and send it over the internet.

  • I enjoyed this post very much. It gives me the impression that engineers at Microsoft really are good, because a good engineer really is open-minded and result-driven, with no problem with what route was taken to achieve the goal.

    Congrats for all the great work.

    I had an idea that I don't know if it's implementable or doable for the global users. I think Windows should not let users, or should advise users, not to work or use Windows with admin privileges. So what I thought was: why not, at the end of installation, let you create a normal non-privileged user? This should be the default profile of users, and create an administrator user with the user's login as the password for that admin user (this is to avoid an attacker knowing the default admin pass). This password could be changed later on or even at installation. But imagine this: I create a user like I do today (no-password accounts should be advised as not a secure mode of Windows), and the admin user will be the user needed to install stuff or alter anything in Windows, like UAC. The thing is, I think that

    two users as a default installation is much more secure than it is today. UAC is the remedy for this subject, but if you really have two users and run every change with the admin user, then plenty of viruses and attacks would be avoided. This is like UAC, but with two different users, and if programs need to install, this should be with the admin pass. This is bad for all users, but once and for all, if information is as important as it is getting today, this should be the default. People need to know that with no admin user, the system is vulnerable, so I hope this could lead to a great change of thought about security... This idea has to be user-friendlier, like UAC is now...

    Maybe this is just more complex and stupid, but I hope to see what people think about this...

    Thanks.

  • Thank you very much for listening to the community. It seems that you have fixed both the technical issues AND the perception issues. Both are equally important in the end.

    My only suggestion would be that you should actively monitor for upcoming issues like this and nip them in the bud more quickly next time. You let this UAC incident build for a couple of weeks before you made any statements or addressed it. This gave the issue time to be widely reported, theorized upon, misunderstood, bashed, etc.

    Many of the popular news blogs and sites enjoy view count increases from bashing Microsoft. They will eagerly report anything slightly negative very quickly. These negative stories will be placed on the "front page" in big bold text. However, when the issue they reported negatively is resolved, they might report it as a minor story buried somewhere in the middle of their other stories. As a result, many people who read these news sites will see the negative press but may not hear that the issue reported has been fixed. This fosters negative perception and other PR issues.

    Actively monitoring for upcoming issues and issuing a statement ASAP will help prevent negative perception from forming BEFORE it becomes widespread.

    Your products are great! Windows Vista was and is a great product! Its biggest issue is negative popular perception. Windows 7 is even more fantastic than Vista is. However, Microsoft needs better PR to combat the negative press of an Apple-infatuated media and the word of mouth that ensues from the people who subscribe to them.

  • Cheers for listening!  And from my partial understanding, a good change.

    Just writing to comment on:

    > if the first step is “first get code running

    > on the machine” then nothing after that is

    > material

    That's a stunning disconnect from reality.  There are shades of gray from virus to malware to good program.  Many, many computers run stuff that's at least partly malware! Think real player or IE addons.

    These programs will not go as far as to generate UAC prompts, but they would silently turn off UAC. So with the prompt you'll make them behave better.

  • http://community.winsupersite.com/blogs/paul/archive/2009/02/05/microsoft-backtracks-on-windows-7-uac-pretends-it-was-all-part-of-the-plan.aspx

    Yep. But at least you made the change - it doesn't matter if it helps. The customer is king.

  • @p_rynhart

    A good example of an installer that does not require Administrator privileges to run is the Firefox installer. It seems more like a problem in the way the installers work rather than UAC's fault.

    However, it would be nice if programs could be forced to run with a Standard token (at the user's own risk of the program not functioning as expected, of course).

    ------

    @GuillaumeM

    I think the UAC serves the purpose of asking for user consent when non-trivial changes are being made (or might be made). UAC does indeed "protect" by making you think twice before taking critical actions.

    ------

    If a non-elevated program can use a non-elevated whitelisted program to get itself elevated:

    http://www.withinwindows.com/2009/02/04/windows-7-auto-elevation-mistake-lets-malware-elevate-freely-easily/

    It needs to be fixed.
