Welcome to our blog dedicated to the engineering of Microsoft Windows 7
Hi, Jon DeVaan here to talk to you about the recent UAC feedback we’ve been receiving.
Most of our work finishing Windows 7 is focused on responding to feedback. The UAC feedback is interesting on a few dimensions of the engineering decision-making process, and I thought that exploring those dimensions would make for an interesting e7 blog entry. This is our third discussion about UAC; for those interested in the evolution of the feature in Windows it is worth seeing the two previous posts (post #1 and post #2) and also reading the comments from many of you.
We are flattered by the response to the Windows 7 beta so far and working hard at further refining the product based on feedback and telemetry as we work towards the Release Candidate. For all of us working on Windows it is humbling to know that our work affects so many people around the world. The recent feedback is showing us just how much passion people have for Windows! Again we are humbled and excited to be a part of an amazing community of people working to bring the value of computing to a billion people around the world. Thank you very much for all of the thoughts and comments you have contributed so far.
UAC is one of those features that has a broad spectrum of viewpoints, with advocates staking out both “ends” of the spectrum as well as all points in between, and often doing so rather stridently. In this case we might represent the ends of the spectrum as “security” on one end and “usability” on the other. Of course, in reality this is not a bipolar issue. There is a spectrum of perfectly viable design points in between. Security experts around the world have lived with this basic tension forever, and there have certainly been systems designed to be so secure that they are secure from the people who are supposed to benefit from them. A personal example: my bank recently changed the security regimen on its online banking site. It is so convoluted I am switching banks. Seriously!
As people have commented on our current UAC design (and people have commented on those comments) it is clear that there is conflation of a few things, and a set of misperceptions that need to be cleared up before we talk about the engineering decisions made on UAC. These engineering decisions have been made while we carry forth our secure development lifecycle principles pioneered in Windows XP SP2, and most importantly the principle of “secure by default” as part of SD3+C. Windows 7 upholds those principles and does so with a renewed focus on making sure everyone feels they are in control of their PC experience as we have talked about in many posts.
The first issue to untangle is about the difference between malware making it onto a PC and being run, versus what it can do once it is running. There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent. Some people have taken the, “it’s not a vulnerability” position to mean we aren’t taking the other parts of the issue seriously. Please know we take all of the feedback we receive seriously.
The word “vulnerability” has a very specific meaning in the security area. Microsoft has one of the leading security agencies in the world in the Microsoft Security Response Center, which monitors the greater ecosystem for security threats and manages the response to any threat or vulnerability related to Microsoft products. By any definition that is generally accepted across the worldwide security community, the recent feedback does not represent a vulnerability, since it does not allow the malicious software to reach the computer in the first place.
It is worth pointing out the defenses that exist in Windows Vista that keep malware from getting on the PC in the first place. In using Internet Explorer (other browsers have similar security steps as well) when attempting to browse to a .vbs file or .exe file, for example, the person will see the prompts below:
Internet Explorer 8 has also introduced many new features to thwart malware distribution (see http://blogs.msdn.com/ie/archive/2008/08/29/trustworthy-browsing-with-ie8-summary.aspx ). One of my favorites is the SmartScreen® Filter which helps people understand when they are about to visit a malicious site. There are other features visible and hidden that make getting malware onto a PC much more difficult.
A SmartScreen® display from IE 8
Additionally, if one attempts to open an attachment in a modern email program (such as Windows Live Mail) the malware file is blocked:
Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place. In Windows 7 we have continued to focus on improving the ability to stop malware before it is installed or running on a PC.
The second issue to untangle is about the difference in behavior between different UAC settings. In Windows 7, we have four settings for the UAC feature: “Never Notify,” “Notify me only when programs try to make changes to my computer (without desktop dimming),” “Notify me only when programs try to make changes to my computer (with desktop dimming),” and “Always Notify.” In Windows Vista there were only two choices, the equivalent of “Never Notify” and “Always Notify.” The Vista UI made it difficult for people to choose “Never Notify,” so in practice the choice was between the two extremes of the implementation. Windows 7 offers you more choice and control over this feature, which is particularly interesting to many of you based on the feedback we have received.
The recent feedback on UAC is about the behavior of the “Notify me only when programs try to make changes to my computer” settings. The feedback has been clear it is not related to UAC set to “Always Notify.” So if anyone says something like, “UAC is broken,” it is easy to see they are mischaracterizing the feedback.
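The four slider settings above are stored as three registry values under the local security policy key, so an administrator can check which level a machine is actually running at before deciding whether to enforce “Always Notify” through Group Policy. The script below is an added example, not code from the original post or from Microsoft; the value-to-level mapping in the comments is my reading of what the Windows 7 slider writes, and the `Get-UacLevel` function takes a hashtable so it can be exercised with constructed values.

```powershell
# Added example (not from the original post): report the Windows 7 UAC slider level
# from the policy registry values and warn when it is below "Always Notify".
# Assumed mapping of slider level -> (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop):
#   Always Notify                                  -> 1, 2, 1
#   Notify me only ... (with desktop dimming)      -> 1, 5, 1   (Windows 7 default)
#   Notify me only ... (without desktop dimming)   -> 1, 5, 0
#   Never Notify                                   -> 0, 0, 0
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # Maps the three policy values to the slider label; accepts a hashtable so the
    # logic can be checked against constructed input without touching the registry.
    param([Parameter(Mandatory = $true)][hashtable]$Values)
    $lua  = [int]$Values['EnableLUA']
    $cpba = [int]$Values['ConsentPromptBehaviorAdmin']
    $sd   = [int]$Values['PromptOnSecureDesktop']

    if ($lua -eq 0 -or $cpba -eq 0) { return 'Never Notify' }
    if ($cpba -eq 2 -and $sd -eq 1) { return 'Always Notify' }
    if ($cpba -eq 5 -and $sd -eq 1) { return 'Notify me only (with desktop dimming)' }
    if ($cpba -eq 5 -and $sd -eq 0) { return 'Notify me only (without desktop dimming)' }
    # Any other combination was set by policy rather than the slider (e.g. 1, 3, 4 = credential prompts).
    return "Custom (EnableLUA=$lua ConsentPromptBehaviorAdmin=$cpba PromptOnSecureDesktop=$sd)"
}

function Read-UacValues {
    # Reads the live values; missing values are treated as 0 so the mapping still resolves.
    $p = Get-ItemProperty -Path $PolicyKey
    @{
        EnableLUA                  = if ($null -ne $p.EnableLUA) { $p.EnableLUA } else { 0 }
        ConsentPromptBehaviorAdmin = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 0 }
        PromptOnSecureDesktop      = if ($null -ne $p.PromptOnSecureDesktop) { $p.PromptOnSecureDesktop } else { 0 }
    }
}

# Sanity check of the mapping against constructed values (the Windows 7 default).
$constructedDefault = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
if ((Get-UacLevel -Values $constructedDefault) -ne 'Notify me only (with desktop dimming)') {
    throw 'Mapping check failed for the constructed default values.'
}

$level = Get-UacLevel -Values (Read-UacValues)
Write-Output "UAC level on $env:COMPUTERNAME : $level"
if ($level -ne 'Always Notify') {
    Write-Warning "UAC is not set to 'Always Notify'. If this machine is administered with admin accounts, consider enforcing 'Always Notify' via Group Policy, or switch day-to-day use to a standard user account."
}
```

Run it from an elevated or standard PowerShell session on the machine being audited; reading the key does not require elevation.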
The Purpose of UAC
We are listening to the feedback on how “Notify me only when…” works in Windows 7. It is important to bring in some additional context when explaining our design choice. We chose our default settings to serve a broad range of customers, based on the feedback we have received about improving UAC as a whole. We have learned from our customers participating in the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, in-field user testing, and in-house usability testing that the benefit of the information provided by the UAC consent dialog decreases substantially as the number of notifications increases. So for the general population, we know we have to present only key information to avoid the reflex to “answer yes”.
One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure-all. UAC helps most by being the prompt before software is installed. This part of UAC is in full force when the “Notify me only when…” setting is used. UAC also prompts for other system-wide changes that require administrator privileges which, considered in the abstract, would seem to be an effective counter-measure to malware after it is running, but the practical experience is that its effect is limited. For example, clever malware will avoid operations that require elevation. There are other human behavior factors which were discussed in our earlier blog posts (post #1 and post #2).
UAC also helps software developers improve their programs to run without requiring administrator privileges. The most effective way to secure a system against malware is to run with standard user privileges. As more software works well without administrator privileges, more people will run as standard user. We expect that anyone responsible for a set of Windows 7 machines (such as IT administrators, or the family helpdesk worker, like me!) will administer them to use standard user accounts. The recent feedback has noted explicitly that running as standard user works well. Administrators also have Group Policy at their disposal to enforce the UAC setting to “Always Notify” if they choose to manage their machines with administrator accounts instead of standard user accounts.
Recapping the discussion so far, we know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system. We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines. We know that the feedback does not apply to the “Always Notify” setting of UAC; and we know that UAC is not 100% effective at stopping malware once it is running. One might ask, why does the “Notify me only when…” setting exist, and why is it the default?
The creation of the “Notify me only when…” setting and our choice of it as the default is a design choice along the spectrum inherent in security design as mentioned above. Before we started Windows 7 we certainly had a lot of feedback about how the Vista UAC feature displayed too many prompts. The new UAC setting is designed to be responsive to this feedback. A lot of the recent feedback has been of the form, “I’ll set it to ‘Always Notify,’ but ‘regular people’ also need to be more secure.” I am sure security-conscious people feel that way, and I am glad that Windows 7 has the setting that works great for their needs. But what do these so-called “regular people” want? How to choose the default for these people, while honoring our secure design principles, is a very interesting question.
In making our choice for the default setting for the Windows 7 beta we monitored the behavior of two groups of regular people running the M3 build. Half were set to “Notify me only when…” and half to “Always Notify.” We analyzed the results and attitudes of these people to inform our choice. This study, along with our data from the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, and in house usability testing, informed our choice for the beta, and informed the way we want to use telemetry from the beta to validate our final choice for the setting.
A key metric that came out of the study was the threshold of two prompts during a session. (A session is the time from power up to power down, or a day, whichever is shorter.) If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer. In comparing the two groups we found that the group with the “Always Notify” setting was nearly four times as likely to have sessions with more than two prompts (a 1 in 6.7 chance vs. a 1 in 24 chance). We gathered the statistic for how many people in the sample had malware make it onto their machine (as measured by Defender cleaning) and found there was no meaningful difference in malware infestation rates between the two groups. We will continue to collect data during the beta to see if these results hold true in a much broader study.
We are very happy with the positive feedback we have received about UAC from beta testers and individual users overall. This helps us validate our “regular people” focus in terms of the trade-offs we continue to consider in this design choice. We will continue to monitor the feedback and our telemetry data to continue to improve our design choices on UAC.
So as you can see there is a lot of depth to the discussion of UAC and the improvements made in Windows 7 in UAC itself and in improving ways to prevent malware from ever reaching a PC. We are working hard to be responsive to the feedback we received from Vista to provide the right usability and security for people of all types. We believe we’ve made good progress and are listening carefully to the feedback on our UAC changes. Again please accept our most sincere thanks for the passion and feedback on Windows 7. While we cannot implement features the way each and every one of you might wish, we are listening and making a sincere effort to properly weigh all points of view. Our goal is to create a useful, useable, and secure Windows for all types of people.
Jon, let me quote poster above, just in case you missed it:
Jon, you're missing the point. The people only want to see a UAC notification when the UAC level is changed. That's all.
You don't have to change anything else.
Please stop giving *@*! excuses. It is not working as expected. Surely if I run a vbs script I don't expect it to be able to completely turn off UAC. Let me know if it tries to change my UAC settings. That is all.
Don't treat UAC settings like Windows settings. This would cause a UAC prompt when people change UAC settings, which would be a perfect solution in my opinion.
In this situation there are no reductions in security and usability.
Think of it like the security/ID badges you use at work. If you are authorized to enter a certain area, this is reflected by your badge and you walk right in. If you are not, then you must show some documentation granting permission.
This would be a UAC prompt.
If the change is to be made permanent and you are given full access, you would still expect the change to be validated before being granted access.
This is a UAC prompt for UAC changes.
Why should it be easier to get permanent access to a controlled resource than to get temporary access? Sure, no one in the company SHOULD be asking for access if they are not supposed to have it, but that doesn't mean they won't.
Why should it be easier to turn off UAC than to act maliciously with UAC? Sure, no malware SHOULD be running on the PC, but that doesn't mean it won't.
One additional prompt that very few people will ever see, and it greatly increases the faith people have in this whole system. If I know that changes needing elevation will be prompted and I don't see any prompts, I feel fine. If I know that at any time UAC prompts could be disabled without prompting, then I would immediately turn it up to full and live with the extra hassle.
I rarely ever leave comments anywhere. In fact I had to register just to leave this comment, but I feel strongly enough about this issue that it definitely warrants attention.
OK, one BIG point here: You're showing the danger of integrating your browser with the OS. The protections offered in the browser should have NO bearing whatsoever on the security features of the OS, because the OS team should not be assuming that the user will be using the integrated browser. As great as IE8 is, I still have Firefox on my machine to render certain pages, and no matter how great you make IE, there will still be a significant portion of W7 users who prefer an alternative browser. You CANNOT make assumptions on security of the OS based on the behaviors of IE8.
Here's a few ideas, from my experiences with Vista's UAC, how people react to it and why they turn it off:
1. The initial installation period when you are installing your applications leaves a false bad impression of how many times UAC will be bugging users. What needs to happen here is the implementation of an "install mode" for UAC - a prompt when the first piece of software is installed that allows the users to turn off UAC for the remainder of the current session, with a warning not to access potentially unsafe locations or files while this mode is active, along with a CLEAR notification to the user that they are in this mode - perhaps changing the desktop theme to a special one while the mode is active. On the next reboot, a greyed-screen UAC prompt will ask them if they are done installing applications, offering them a yes or no prompt; a yes puts the computer back into normal non-auto-elevate mode, a no leaves install mode active.
Second, change the implementation of the "always run as administrator" checkbox so that it auto-elevates the application in question and runs it without a prompt. It's just plain silly for me to have to approve an app that I have already auto-approved every time I start it - especially when I had to go through UAC elevation just to check the box!
Last, allow application designers to prompt the user with an auto-elevation prompt on install; this would simply check the "run as admin" checkbox, as implemented above. This would allow applications that always need to run elevated to do so without the user having to be smart enough to go in and check the box themselves (MMO games that auto-update themselves spring to mind).
I hope you take these suggestions to heart, they're a much better alternative to just allowing apps to elevate themselves and relying on the user to use data access sources that you have control over.
I really like UAC. No, wrong, I LOVE UAC.
And John, you are right on all points, and everything you say is correct.
However most people are worried about the issue mentioned here: http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/
So I'd like to provide a little different view and ask: Why do you force people to enter the old password when changing it? In fact they already had to enter the password when logging on to their PC so why bother with it again?
Answer: Because it's more secure.
Why not take the same route with UAC and always ask about elevation when the elevation settings are changed? Even if it wouldn't be more secure (according to your studies) people would at least FEEL more secure - and that is most important for technical folks.
> "The people only want to see an UAC
> notification when the UAC level is
> changed. That's all."
Remember that today in Windows, just about any setup.exe program you run will automatically prompt you to elevate since it usually needs admin rights. At that point you are pwned anyway. An evil setup program has no need to disable UAC. If it decides to do so, it would most likely change the registry setting directly rather than go to the trouble of pushing keystrokes into the UI the way Long Zheng's "exploit" did.
So can anyone explain a scenario where this one extra annoy-o-gram ("You are attempting to change the UAC setting via the Windows dialog, please confirm") is going to have any real effect?
It's obvious MS still doesn't take this issue seriously. Hell, they don't even consider UAC to be a security boundary. I'm just gonna go back to Vista so I can at least feel safe and confident that UAC will work as it should. If these UAC issues aren't resolved by RTM, I simply won't be upgrading to 7 and I won't be recommending it to anyone.
The biggest mistake was bending to the will of idiots who simply do not understand UAC, so now we get this inconsistent behavior about UAC by default.
The simple solution is to pop-up a UAC prompt *regardless of its current setting* whenever the UAC level is modified. The only time you'd expect to see such a prompt is when you just finished making a change to UAC preferences. If you saw it any other time, it would clearly be malware.
I see where Microsoft is coming from - the lower level by design doesn't prompt for Windows settings. However, UAC should be an exception.
#2- If they want people to run as reduced-privilege accounts, OFFER to set one up during installation. Most people don't go out of their way to give themselves fewer privileges, but if you explain the merits of it during install and let them optionally set up a 2nd username/password, chances are increased. My XP runs as power user but nearly everyone else's XP runs as administrator.
#3- Elevation prompts are a reality of any OS, OSX and Linux both prompt you to elevate privileges, albeit with a password prompt instead of a yes/no box. Apple's silly ad was a little unfair there, it appeared more often in Vista because everyone was running software written in an era where nearly everyone's Windows account was an administrator.
It's the exploited Outlook scenario. Imagine a bug in Outlook allows arbitrary code execution:
* On Vista, that code can't get elevated permissions without a UAC prompt.
* On Windows 7 (as is) it can disable UAC and then elevate silently.
* On Windows 7 (if it took a UAC prompt to disable UAC) you'd be in the same situation as Vista.
Of course, if you agree to the UAC prompt, then anything can happen in either case. But that isn't the scenario UAC provides protection for and it never was.
One final thought- Microsoft should fix this "problem" even if not considered a vulnerability, if for no other reason than to get Win 7 off on the right foot. After Vista they could use some good press and rumors of a security problem before launch won't help.
@xiphi: UAC can be configured on Windows 7 to behave exactly as it does on Vista. You only have that problem with the default configuration.
@Ooh: I agree with you. Although I can see the point MS is making, now it's a matter of perceived security (and bad press).
Wouldn't a simple and transparent fix be to run control panel windows (like the UAC change window) at a high integrity level automatically? Then there would be no risk of the control panel being hijacked at all.
As it stands I just can't understand the logic that says 'this isn't a problem'. UAC could get annoying in Vista sometimes, but it was worthwhile regardless because it provided some tangible benefit. The default setting in Windows 7 is just pointless! Why bother having an annoying elevation dialog which only applies to well behaved software? When Vista came out the philosophy was defence in depth. How quickly we forget.
My conspiracy theory is that Microsoft disabled UAC by default in Windows 7 to raise this very discussion which even got its way into printed press. Their goal is to make us ask to have UAC in “Always Notify” mode in RTM. And I do ask that because people I know don’t have any issues with Vista UAC because they only use Internet Explorer and Microsoft Word.
When I first heard about UAC changes what I hoped for was more granular control over changes. I mean why you need UAC to change DPI? What kind of malware might want to change DPI? And that was changed in Windows 7. There is no UAC prompt to change DPI in Windows 7.
Here we have another thing which is to allow specially signed executables to change critical settings without UAC prompt.
Here is interesting thing. With UAC in “notify only when programs try…” mode I am still presented with UAC prompt when I try to run regedit.exe (WHY??). But if I go and disable UAC at all – which is allowed without any prompt I immediately can go and run regedit.exe without any UAC Prompt.
If MS does not allow running regedit.exe in “broken-UAC” mode why does it allow switching UAC mode off?
This all seems very inconsistent. I have switched to “always notify” mode.
After your explanation I think SEVEN = Software Environment Vulnerable Exploitable Nackered. Why UAC at this point anyway? Why not just remove it, Microsoft.
The joke today on the internet is sponsored by the Microsoft Windows 7 UAC Team: The Windows 7 shirts have four holes in them, but the manufacturer has been assured that it is by design. So it is better to distribute condoms, because they have only one hole and are more secure against viruses and infections by design.
The fact Jon is missing is that malware can 'become' any application written in what is technically known as a memory-unsafe (or type-unsafe) computer language, like the highly popular C or C++. These two languages are still widely used by Microsoft and other developers. The problem with such languages, while praised for their efficiency and speed, is their vulnerability to errors that can lead to the program itself changing behavior - programs can be reprogrammed while they are running if an attacker knows the error and abuses it.
With this in mind we can see that every program written in said languages can never be trusted completely; we can never be completely sure the program is free of errors, and because of this every program can start acting as 'malware'. Microsoft Office, most of Windows, IIS and Internet Explorer are written in C(++) and are historically known to be vulnerable to attacks that use errors I described above. While it is hard to believe MS Word would ever act as malware, if fed the right input (an example would be a file the user received through email) the program will make an error, and because the input was specially crafted beforehand Word will get reprogrammed to act as malware; maybe it will even resend the document to other people and act as a worm.
This is not science fiction; it is a real-world problem that security experts have to deal with. The fact that every application can act as malware is in contrast to Jon's belief that a file/binary with virulent content has to be present on the user's disk for the user to get infected.
The problem is that when a program is running in the default/'Medium IL' mode of UAC in Vista, the program is not able to control the system. In Windows 7 with the default UAC setting, however, a program in 'Medium IL' can circumvent the protection, disable UAC altogether and start running in 'High IL' mode - all this automatically, without the need for the user to confirm anything. While Vista would stop and display a UAC dialog, in Windows 7 malicious code can just walk away and help itself.
This is frightening not only because there is by default no boundary between 'Medium IL' and 'High IL', but also because the user is misled by a belief that he is running in 'secure mode', because every program that did not come with Windows, has not yet been compromised and is running in 'Medium IL' will display a UAC window when it requires administrative privileges ('High IL').
Because applications will still display UAC dialogs the user will think he is safe, but because UAC can currently be easily avoided the user is not really safe - the way UAC works now is highly ambiguous.
Now I'll go to what I think the team responsible for security in Windows 7 had in mind when they implemented the new model.
Because many applications that come with Windows cannot receive input originating from anyone other than the user himself, Windows will allow them to perform administrative tasks without UAC dialogs. Windows Explorer and Control Panel, for example, do not open documents, neither do they access the internet, and thus they have a small attack surface, meaning it's highly unlikely anyone can compromise them, and so it's safe to automatically run them in 'High IL' mode. On the other hand, Internet Explorer has a huge attack vector and has thus been running in 'Low IL' since Vista.
I have to agree that this model is neat; it will remove a lot of UAC dialogs when working with Windows and will be secure - the only problem is the bug bloggers described - it can be easily fixed by disallowing any messages that originate in 'Medium IL' and are moving towards 'High IL' - just like 'Low IL' cannot talk to 'Medium IL' currently.
I should also mention that if this bug does not get fixed, Windows 7 will fall back into the XP model of 'full admin by default'. In recent news a company claimed that more than 90% of vulnerabilities could be prevented if users did not run in Admin mode. If this bug stays it means Windows 7 will see more worms than Vista had.
If the bug stays then Microsoft will indeed see fewer negative responses from those that think UAC is annoying, but I expect a much, much bigger backlash from bloggers for relaxing security.
I'm writing this response to this UAC fiasco only after many MS employees (some in very high positions) tried to deny the existence of the bug. I firmly believe the team responsible for security is aware of the bug; it just bothers me to see people so high in the management hierarchy talk about something they know in detail - it is not good promotion for a company and it really reduces confidence in the competence of people inside. The security of a system is not something you can play with, and people will not forgive Microsoft for making the system less secure - even if most people have never praised MS for their security (when will we see Zones from Solaris / true sandboxing of every application?).