Welcome to our blog dedicated to the engineering of Microsoft Windows 7
Hi, Jon DeVaan here to talk to you about the recent UAC feedback we’ve been receiving.
Most of our work finishing Windows 7 is focused on responding to feedback. The UAC feedback is interesting on a few dimensions of the engineering decision-making process. I thought that exploring those dimensions would make for an interesting e7 blog entry. This is our third discussion about UAC, and for those interested in the evolution of the feature in Windows it is worth seeing the two previous posts (post #1 and post #2) and also reading the comments from many of you.
We are flattered by the response to the Windows 7 beta so far and working hard at further refining the product based on feedback and telemetry as we work towards the Release Candidate. For all of us working on Windows it is humbling to know that our work affects so many people around the world. The recent feedback is showing us just how much passion people have for Windows! Again we are humbled and excited to be a part of an amazing community of people working to bring the value of computing to a billion people around the world. Thank you very much for all of the thoughts and comments you have contributed so far.
UAC is one of those features that has a broad spectrum of viewpoints with advocates staking out both “ends” of the spectrum as well as all points in between, and often doing so rather stridently. In this case we might represent the ends of the spectrum as “security” on one end and “usability” on the other. Of course, this is not in reality a bi-polar issue. There is a spectrum of perfectly viable design points in between. Security experts around the world have lived with this basic tension forever, and there have certainly been systems designed to be so secure that they are secure from the people who are supposed to benefit from them. A personal example I have, is that my bank recently changed the security regimen on its online banking site. It is so convoluted I am switching banks. Seriously!
As people have commented on our current UAC design (and people have commented on those comments) it is clear that there is conflation of a few things, and a set of misperceptions that need to be cleared up before we talk about the engineering decisions made on UAC. These engineering decisions have been made while we carry forth our secure development lifecycle principles pioneered in Windows XP SP2, and most importantly the principle of “secure by default” as part of SD3+C. Windows 7 upholds those principles and does so with a renewed focus on making sure everyone feels they are in control of their PC experience as we have talked about in many posts.
The first issue to untangle is the difference between malware making it onto a PC and being run, versus what it can do once it is running. There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent. Some people have taken the “it’s not a vulnerability” position to mean we aren’t taking the other parts of the issue seriously. Please know we take all of the feedback we receive seriously.
The word “vulnerability” has a very specific meaning in the security area. Microsoft has one of the leading security agencies in the world in the Microsoft Security Response Center, which monitors the greater ecosystem for security threats and manages the response to any threat or vulnerability related to Microsoft products. By any definition that is generally accepted across the worldwide security community, the recent feedback does not represent a vulnerability, since it does not allow the malicious software to reach the computer in the first place.
It is worth pointing out the defenses that exist in Windows Vista that keep malware from getting on the PC in the first place. In using Internet Explorer (other browsers have similar security steps as well) when attempting to browse to a .vbs file or .exe file, for example, the person will see the prompts below:
Internet Explorer 8 has also introduced many new features to thwart malware distribution (see http://blogs.msdn.com/ie/archive/2008/08/29/trustworthy-browsing-with-ie8-summary.aspx). One of my favorites is the SmartScreen® Filter, which helps people understand when they are about to visit a malicious site. There are other features, visible and hidden, that make getting malware onto a PC much more difficult.
A SmartScreen® display from IE 8
Additionally, if one attempts to open an attachment in a modern email program (such as Windows Live Mail) the malware file is blocked:
Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place. In Windows 7 we have continued to focus on improving the ability to stop malware before it is installed or running on a PC.
The second issue to untangle is the difference in behavior between different UAC settings. In Windows 7, we have four settings for the UAC feature: “Never Notify,” “Notify me only when programs try to make changes to my computer (without desktop dimming),” “Notify me only when programs try to make changes to my computer (with desktop dimming),” and “Always Notify.” In Windows Vista there were only two choices, the equivalent of “Never Notify” and “Always Notify.” The Vista UI made it difficult for people to choose “Never Notify,” so in practice people were choosing between the two extremes of the implementation. Windows 7 offers you more choice and control over this feature, which is particularly interesting to many of you based on the feedback we have received.
The recent feedback on UAC is about the behavior of the “Notify me only when programs try to make changes to my computer” settings. The feedback has been clear it is not related to UAC set to “Always Notify.” So if anyone says something like, “UAC is broken,” it is easy to see they are mischaracterizing the feedback.
The Purpose of UAC
We are listening to the feedback on how “Notify me only when…” works in Windows 7. It is important to bring in some additional context when explaining our design choice. We choose our default settings to serve a broad range of customers, based on the feedback we have received about improving UAC as a whole. We have learned from our customers participating in the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, in-field user testing, and in-house usability testing that the benefit of the information provided by the UAC consent dialog decreases substantially as the number of notifications increases. So for the general population, we know we have to present only key information to avoid the reflex to “answer yes.”
One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure-all. UAC helps most by being the prompt before software is installed. This part of UAC is in full force when the “Notify me only when…” setting is used. UAC also prompts for other system-wide changes that require administrator privileges which, considered in the abstract, would seem to be an effective countermeasure to malware after it is running, but the practical experience is that its effect is limited. For example, clever malware will avoid operations that require elevation. There are other human behavior factors which were discussed in our earlier blog posts (post #1 and post #2).
UAC also helps software developers improve their programs to run without requiring administrator privileges. The most effective way to secure a system against malware is to run with standard user privileges. As more software works well without administrator privileges, more people will run as standard user. We expect that anyone responsible for a set of Windows 7 machines (such as IT Administrators or the family helpdesk worker (like me!)) will administer them to use standard user accounts. The recent feedback has noted explicitly that running as standard user works well. Administrators also have Group Policy at their disposal to enforce the UAC setting to “Always Notify” if they choose to manage their machines with administrator accounts instead of standard user accounts.
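For an administrator who wants to verify that machines are actually at the level they intend (for example “Always Notify” enforced through Group Policy, as described above), the following PowerShell script is an added example that is not part of the original post and not Microsoft’s own code. It reads the standard UAC policy values under the `Policies\System` registry key (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`), maps them to the four Windows 7 levels named in the post using the commonly documented value mapping, and reports drift from the expected level. The short level labels in the script are the example’s own abbreviations of the four setting names.

```powershell
# Added example (not from the blog post or from Microsoft): report which of
# the four Windows 7 UAC levels a machine is at and compare it with the
# level an administrator expects to have enforced via Group Policy.
param(
    [ValidateSet('Always Notify', 'Notify (dimming)', 'Notify (no dimming)', 'Never Notify')]
    [string]$ExpectedLevel = 'Always Notify'
)

# Standard location of the UAC policy values on Windows Vista / Windows 7.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey

    # A missing value means the machine never had the policy written; report
    # it as unknown rather than guessing a level.
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -eq $p.$name) {
            return [pscustomobject]@{ Level = "Unknown (missing $name)"; Values = $p }
        }
    }

    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    # Mapping of policy values to the four levels shown in the UAC slider
    # (commonly documented mapping, used here as the example's assumption).
    $level = if ($enableLua -eq 0) {
        'Never Notify'                        # UAC switched off entirely
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        'Always Notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        'Notify (dimming)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        'Notify (no dimming)'
    } elseif ($consent -eq 0) {
        'Never Notify'
    } else {
        "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }

    [pscustomobject]@{
        Level                      = $level
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
    }
}

$state = Get-UacLevel
$state | Format-List

if ($state.Level -ne $ExpectedLevel) {
    # Drift from the enforced level is worth an alert: it is exactly the
    # silent change the post's commenters are worried about.
    Write-Warning "UAC level is '$($state.Level)' but '$ExpectedLevel' was expected; check the applied Group Policy."
    exit 1
}
Write-Output "UAC level matches the expected '$ExpectedLevel'."
```

Run it from an elevated or standard PowerShell session on the machine being audited (reading these values needs no elevation); a non-zero exit code makes it easy to wire into a scheduled compliance check across a fleet.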
Recapping the discussion so far, we know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system. We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines. We know that the feedback does not apply to the “Always Notify” setting of UAC; and we know that UAC is not 100% effective at stopping malware once it is running. One might ask, why does the “Notify me only when…” setting exist, and why is it the default?
The creation of the “Notify me only when…” setting and our choice of it as the default is a design choice along the spectrum inherent in security design, as mentioned above. Before we started Windows 7 we certainly had a lot of feedback about how the Vista UAC feature displayed too many prompts. The new UAC setting is designed to be responsive to this feedback. A lot of the recent feedback has been of the form, “I’ll set it to ‘Always Notify,’ but ‘regular people’ also need to be more secure.” I am sure security-conscious people feel that way, and I am glad that Windows 7 has the setting that works great for their needs. But what do these so-called “regular people” want? How to choose the default for these people, while honoring our secure design principles, is a very interesting question.
In making our choice for the default setting for the Windows 7 beta we monitored the behavior of two groups of regular people running the M3 build. Half were set to “Notify me only when…” and half to “Always Notify.” We analyzed the results and attitudes of these people to inform our choice. This study, along with our data from the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, and in house usability testing, informed our choice for the beta, and informed the way we want to use telemetry from the beta to validate our final choice for the setting.
A key metric that came out of the study was the threshold of two prompts during a session. (A session is the time from power up to power down, or a day, whichever is shorter.) If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer. In comparing the two groups we found that the group with the “Always Notify” setting was nearly four times as likely to have sessions with more than two prompts (a 1 in 6.7 chance vs. a 1 in 24 chance). We gathered the statistic for how many people in the sample had malware make it onto their machine (as measured by Windows Defender cleaning) and found there was no meaningful difference in malware infestation rates between the two groups. We will continue to collect data during the beta to see if these results hold true in a much broader study.
We are very happy with the positive feedback we have received about UAC from beta testers and individual users overall. This helps us validate our “regular people” focus in terms of the trade-offs we continue to consider in this design choice. We will continue to monitor the feedback and our telemetry data to continue to improve our design choices on UAC.
So as you can see there is a lot of depth to the discussion of UAC, the improvements made in Windows 7 to UAC itself, and the improved ways to prevent malware from ever reaching a PC. We are working hard to be responsive to the feedback we received from Vista to provide the right usability and security for people of all types. We believe we’ve made good progress and are listening carefully to the feedback on our UAC changes. Again, please accept our most sincere thanks for the passion and feedback on Windows 7. While we cannot implement features the way each and every one of you might wish, we are listening and making a sincere effort to properly weigh all points of view. Our goal is to create a useful, usable, and secure Windows for all types of people.
I want to thank everyone for their energy and comments. It is really exciting to be part of such a passionate community! Yes, even when we are having a spirited debate.
Steven and I just posted a follow up where we describe how we want to move forward based on the feedback today. I encourage everyone to read that. I am sure many people will be very happy!
As I described in my post, we will continue to listen to the feedback and improve our design of the UAC feature.
@Thack: Thank you very much for your post! I was hoping that I was going to be able to reach people who could understand our reasoning and then provide clear feedback in that context.
@mechBgon: Thank you for this feedback on better ways to measure malware infestation. It is very constructive. We only had defender in the sample study. We will be sure to use better sources for the beta study.
@artfudd: Please be fair. I am glad to share my point of view transparently and accept the full criticism from the community (some posts get more criticism than others :-)). I won’t claim our data gathering is perfect, but it is valuable to understand what is really going on vs. what we think is going on in the real world. This does not diminish our desire to hear from and be responsive to our beta testers.
Some of the comments are attributing sentiments to me in the post that I did not intend. I sincerely apologize for any bugs in the post. I hope that taking the time to explain our thinking is not automatically assumed to be closed-minded. I will work on my ability to put myself more in your shoes when I communicate in the future so that my communication is clearer. I remain sincere in my statement that we are listening carefully to all of the feedback and that we will use it to improve the UAC feature.
Thank you again for engaging with us and helping us make Windows 7 great!
I have a simple question:
What is the security benefit of using the "Notify me only when programs ..." as opposed to "Never notify"?
Think about it:
Malicious or compromised programs can change the UAC setting or, even worse, simply use a trusted Windows binary like rundll32 to run arbitrary code with full privileges without ever asking for elevation.
You say that "The most effective way to secure a system against malware is to run with standard user privileges." and I agree.
I'd argue that UAC *is* a security boundary, but only with "Always notify". Anything else and the prompts become completely optional for programs. Good programs will do it as a courtesy to the user, bad programs won't bother.
Here's a prediction: Sooner or later there are going to be 3rd-party programs that use the rundll-hack whenever they feel like they need administrative privileges. Makes programming much easier, without any pesky prompts for the user... and we're back to pre-WinXP-SP2 times.
OK, this is what you all need to know: this is a great system, working for over a month and nothing is getting me freaked out, even the UAC. I have done what was said to try by the man in reason for all of this, and he is full of it. I am a business owner, I run a computer repair company, and use a ton of MS products and have one issue: Vista runs one minute and not the other. What I mean is I have it on two laptops and don't want to downgrade to XP for the warranty, and most of the time it's OK, but some of the time it can't find some or even a lot of the hardware. So I follow the basic steps for finding before and after a restart, LOL. I have looked deeply into the UAC in Windows 7 and have some issues, but nothing like what is being said by some people. I love Win7; it will smoke the OS Vista in security and usability. All I can say to the ones responsible for this blog is get over it, yourself, and grow up. This is not high school. I see nothing wrong with setting your own security for apps or installs, easily done with a few upgrades to the Windows system, cheap or even free, and most of the public can find any of this info on THE WEB. Windows needed a foothold and has my hand as one. I feel it necessary to help out my big brother when I can, and they have me and my business with the software they offer. All anyone needs to know is they screwed up with VISTA and they know it; get off the back of a friend in software. They are and always will be the OS leader in the world.
Perhaps you need a different perspective on this UAC situation. Bryant of AeroXP, a Windows Enthusiast Community of which I am proud to be a member of, has written a great article. I will provide the link for you.
This really explains why an easy disabling of the UAC can be so problematic.
As Bryant said, it could be common downloadables that are hijacked to compromise the UAC. The recent incidents with pirated software that hid trojans in Mac software should be the first reason for change. Pirated iWork and Photoshop CS4 with trojans could easily be a podcast or some other legit program. That is why the UAC has to be much stronger. VB is taught at my old high school. With practice and internet resources, some high school kid with a genius intelligence could compromise the UAC. That is why I'm glad you guys are taking a second look at this.
The simple answer is this. UAC to most folks represents a level of security in Windows 7 and Vista. To dismiss that is leading many people into a false sense of security. As for me, I do not. That is why I have anti-virus, a router with encryption and a firewall, a program to cleanup both Registry and programs, and I check Windows Updates on a DAILY basis. I check software updates on a WEEKLY basis. I have a routine that I have developed since my first copy of Windows XP. This routine has helped me avoid Blaster, Sasser, Conflicker, and many of the worms out there.
Most folks don't do that. They browse and click on things with ignorance. Windows 7 has to consider the uneducated user who just clicks and doesn't think. It has to provide a greater defense, balanced with not annoying the piss out of an average user. It's something that both OS X and Linux have mastered.
However, I have to agree with LinuxGuyInRI. Using a combination of white lists and black lists of programs, known viruses, known virus techniques, and other patterns of malware, Windows 7 can have a much stronger defense. Windows 7 needs to neutralize these black listed ones before they find a place on the hard drive. That's just common sense in my opinion.
I really do appreciate your hard work Jon. If I had the expertise, I'd be working for you guys. I'd love to be in the thick of creation of a new OS. I don't envy the tough choices you guys are having to make. However, as you can see by the interest, people want Microsoft and Windows to be a huge success.
Thank you, God bless, and Good luck. Also, big thanks to Steven Sinofsky for the blog.
I agree with the comments above! Under no circumstances should any program be able to make silent changes to UAC. Every single UAC level change should show the secure desktop and require user input.
NO OTHER CHANGES TO W7 UAC ARE NEEDED! I can't believe that MS doesn't get this...boggles my mind.
If MS leaves W7 the way it is, UAC is completely worthless and should be removed from the OS.
So the only problems seem to be that the default setting of "Notify me only..."
1) allows UAC level to be changed by a non-elevated malicious program
2) is easily exploited to elevate malicious programs
It's alright to trust your research that this is the best balance, but we users are just asking Microsoft to FIX this setting.
I hope you are right, but the real trouble is that as I am a consultant I am honour bound to make them aware of all the different versions.
If I know that there are different versions I have to explain them and give my reasons for why I would avoid version A over Version B. It would just be a lot simpler if they kept the complexity down.
I would rather have the two versions and use the option to add bits like they are doing with the unbundling of things like Windows Mail, so that the user can add bits as they like or need.
We are into a tough period economically and keeping the prices down and complexity down I feel will be the best policy.
Sorry again, I know, off topic!
OK, I really think EVERYONE has missed the point that this doesn't have to be MALWARE! I can download any legitimate program, and it could internally turn UAC off without me knowing. This could simply be a matter of the programmer was too lazy to write it to be 'compatible' with UAC, but the fact remains, this isn't malware. So, the design decision they have made is bad, since it allows good intentioned people to do bad things, and make my system vulnerable. Yes, there's a lot of other things that same programmer could do to make my system vulnerable, but this is one that can easily be fixed. How hard could it be to add another 'if' statement to the code?
Disclaimer: I have not tested Win 7, so these remarks are based on what I read in this and other places. I do use Vista with UAC on and have never had an issue with it, except for the fact it commonly prompts me twice, when once would be sufficient.
That access control to, say, an office building constitutes a security perimeter is obvious. Even so, not restricting access to the security system on/off switch (isn't that what UAC is, in essence?) to people already in the building would be incredibly irresponsible.
"We don't consider an unlocked door to the security control room a security issue, because an intruder still has to get through the front door. People don't seem to like it locked." This seems disingenuous. It is certainly counterintuitive.
If someone wants to turn off the access control system to my factory/office/whatever, I certainly want to know about it and approve it or not. If I am clueless about security and have a security firm monitoring things, I want THEM to know and alert me.
Going with the lowest common denominator of "user experience" (a term I dislike, btw, because the term "user" doesn't seem to include people who need to get actual work done with their systems) is a really, really, really bad idea.
Once upon a time, guns didn't have safety catches. This made for a better "user experience."
I found out that while it is necessary to accept a UAC prompt to turn OFF Windows Defender with Windows 7 Beta, turning ON Defender in a standard account does not trigger the UAC prompt. Yes, I have set the UAC prompt at its highest level. I think they made this change “by design”, but it doesn’t conform to a consistent experience. If turning OFF is an administrative task, so is turning ON. This could create a lot of problems for administrators, especially those using a third-party anti-spyware solution who turn OFF Windows Defender. The standard account users may turn on Windows Defender without permission, causing the computer to slow down.
And we don't want our computer to slow down!
They really have to reconsider the current implementation of the new UAC level and I think (as mentioned earlier) a more extensive use of integrity levels could possibly do the job here.
at least feel safe and confident that UAC will work as it should. If these UAC issues aren't resolved by RTM, I simply won't be upgrading to 7 and I won't be recommending it to anyone.
Though acknowledge that you will suddenly have lots of similar items in the same class of "I installed something and it is doing something I didn't think it would do".
if for no other reason than to get Win 7 off on the right foot. After Vista they could use some good press and rumors of a security problem before launch won't help.