Paul Thurrott began the beat down with his article "Where Vista Fails" and Bruce Scheier chimed in his support Security is one of those delicate issues that have to be handled with care. Its an interesting case of balance: How do you inform the user, but not bury them under an avalanche of prompts. I like to relate this to a car analogy. In the early days of automobiles, the user needed to be educated in the operation of the car. If it was cold, you activated the choke, set the idle higher, and then cranked your living brains out being careful not to break your arm in the process. You had a fairly intimate knowledge of the cars internal operation and why things were a certain way. As the automotive industry began to mature more user friendly features crept in requiring less knowledge to operate the car (but tons more to fix them:) ) The system became more complex while reducing the barrier to entry. Computers are sort of like that. When the system was first created pretty much everything was manual, you had to set an interrupt here, edit a boot.ini file there all while being careful not to blow up the system. You knew the ins and outs and you could make informed decitions. Now computers pretty much just work and the user doesn't get bothered with technical details. The system ,while more complex, has a much lower barrier to entry. Sounds good right? Unfortunately this is where the analogy diverges. Imagine, if you will, what driving a car would be like if it was the same as a computer on the internet. At every stop you make someone, like some sort perverse window washer, would hop on the hood of your car and try to install various "improvements" on your car. Install our special fuel filter, it gives you free gas. Install our GPS tracking unit. You get the idea, eventually your car would drive like it was dragging the Queen Mary's anchor behind it That is what various malware does, it takes advantage of the normal user not knowing whats going on in the system. The problem is, how do you prevent this from happening? Answer: It's difficult. Windows, being a fairly open system has lots of extensibilty points, unfortunately the same extensiblity points that NetNanny uses to make sure Timmy doesn't visit naughty sites gives an easy entry point to malware to monitor what sites you are going to. There are several ways to deal with this, none of them particularly good:
  • Require all code to be signed to run as administrator vetted by somebody you trust not to do something naughty - not really possible due to various legal issues;)
  • Tell the user exactly what is happening - Most computer users no longer have the necessary background to make an informed decision
  • Tell the user that a program is attempting to do something that may cause permanent changes to the system
Guess what one UAC uses? The third one. Its probably the least poor of 3 poor choices. Unfortunately it has the side effect of annoying power users and overwhelming other users. You want to play WoW? It wants to elevate to administrator because it wants to write to Program Files. Want to run your network app? Need administrator privlages to open the firewall. The Unix equalivent would be an administrator installed program wanting to reinstall it self (for instance vi ). Imagine running vi, and it saying, Please run me as root, I want to install my updates and if you don't, I will fail. (which most programs do, as they assume the user is administrator) I was talking with Dan Kaminsky about the end user understanding security and he mentioned a story he had heard. An online banking site had a problem with their SSL certificate. The browser did it's job, telling the user that the certificate was not trusted, and they may not be secure. Approximately 80% of users continued on anyhow desipite the scary warning. The problem? The choice to the end user basically looked like two buttons [Work] [Don't Work]. And thats the crux of the issue. You've presented the user a choice with a system they either don't fully understand or have to make the wrong decision to get their application to work. And thats just no fun. It's easy to criticise the decision. It's something else entirely to suggest a fix. What are your suggestions in this situation? Hint of the day: Instead of disabling User Account Control (UAC), set the “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” policy to “No Prompt”. This enables silent elevation, skipping the interactive prompt, but most of your processes should still run with your filtered (standard user) not let silent elevation give you a false sense of security; it opens a trivial attack vector. However, it is still defense-in-depth and blocks some attacks.