
Vista - Re: User Account Control

Old 10-13-2006   #1 (permalink)
FullName


 
 

Re: User Account Control

> By disabling UAC, you implicitly authorize every program that is run,
> regardless of how it started, to have complete control over your computer.


That is so patently untrue as to be dangerous. We could have bolted UAC on
to XP at XP SP2 release if UAC were some solution to some problem.

There are quite a few things you still cannot do in Vista when only UAC is
disabled. Unobtrusively running a service as Local System that interacts
with the desktop comes to mind.

> This is why Windows complains so loudly when you turn it off - Windows wants
> you to choose which programs have this power.


But let's get back to basics here. Neither UAC nor Vista can inviolate
immutable rule of security number one: If a bad guy can persuade you to run
his program on your computer, it's not your computer anymore. Period. Vista
does not change that. UAC doesn't change that.

I'm concerned that so many posts here are advising that UAC either solves
all malware problems or causes all end negative user experiences.

In practice, UAC provides about as much protection as the IE dialog box,
"Scripts are usually safe. DO you want to allow scripts to run." It's the
guts of Vista that are massively improved. Concentrate on that, not UAC.



Old 10-13-2006   #2 (permalink)
Jimmy Brush


 
 

Re: User Account Control

>> By disabling UAC, you implicitly authorize every program that is run,
>> regardless of how it started, to have complete control over your
>> computer.

>
> That is so patently untrue as to be dangerous.


I would say the same thing about your statement here. My statement
describes the implications of disabling UAC truly and accurately, at both a
conceptual and technical level.

> We could have bolted UAC on
> to XP at XP SP2 release if UAC were some solution to some problem.


How soon a feature gets added to Windows does not define how well it solves
a problem. I fail to see what you are getting at here. UAC *does*, in fact,
solve a problem.

PROBLEM: All programs run at the highest privilege level available to the
user, even if they do not need such privileges to perform their duties.

SOLUTION: Let applications define what privilege level they need, and let
the user control how these different privilege levels are assigned (UAC)

Hopefully in the future Windows will be able to automagically determine what
privileges a program needs based on mathematically proven analysis; however,
the user will still need to determine how much control to give to which
programs. UAC is the technical means by which this is accomplished, and the
user interaction is an ESSENTIAL part of it - you cannot take the user
interaction out of the equation.

> There are quite a few things you still cannot do in Vista when only UAC is
> disabled. Unobtrusively running a service as Local System that interacts
> with the desktop comes to mind.


I never intimated that Windows Vista's ONLY security improvement was UAC. To
say UAC is not important because there are other security features of
Windows Vista is a silly argument.

>> This is why Windows complains so loudly when you turn it off - Windows
>> wants you to choose which programs have this power.
>
> But let's get back to basics here. Neither UAC nor Vista can inviolate
> immutable rule of security number one: If a bad guy can persuade you to
> run his program on your computer, it's not your computer anymore. Period.
> Vista does not change that. UAC doesn't change that.


Back to basics. Sounds good.

You seem to be arguing here that a magical, pretty much unbreakable door
lock is not a good security feature because the door lock cannot stop the
owner of the door from getting tricked into unlocking it. Ridiculous! The
point of the door lock is that it allows the owner of the door to decide who
comes through it!

In fact, no operating system will ever be able to stop malware 100%. Vista
won't stop this - Linux won't stop this - This will never be stopped. It is
the nature of the operating system to run programs indiscriminately - it
relies on metadata or user assistance (or both) to guide it when it needs to
discriminate.

What can be done, however, is to put Windows in a better position to control
what actions a program can take based on how much permission the user wants
the program to have. Windows cannot determine whether a program is good or
bad, and thus cannot determine this for the user.

UAC is designed to make sure that users KNOW ABOUT and EXPLICITLY AUTHORIZE
a program to run when it requires elevated privileges. It is a security
feature because it puts the reins of control into the user's hands, instead
of just having all programs run with full privileges without the user having
any control over the situation whatsoever.

> I'm concerned that so many posts here are advising that UAC either solves
> all malware problems or causes all end negative user experiences.


Me too. That's why I spend so much time on here explaining UAC to those who
do not understand it.

> In practice, UAC provides about as much protection as the IE dialog box,
> "Scripts are usually safe. DO you want to allow scripts to run."


Technically correct. However, there is a big non-technical difference
between having control over the execution of a script and having control
over what privileges processes have.

> It's the
> guts of Vista that are massively improved. Concentrate on that, not UAC.


UAC is part of the guts of Vista.

--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/
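
The thread turns on what a program's token looks like with UAC on versus off. The following PowerShell is an added example, not code from either poster: it reports the UAC policy values and the current process's elevation and integrity level. The registry value names (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) are the standard Windows policy values and do not appear in the thread.

```powershell
# Added example (not from the thread): summarize UAC policy and this process's token.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key -ErrorAction Stop

# Documented meanings of ConsentPromptBehaviorAdmin on current Windows versions.
$promptModes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$raw = $policy.ConsentPromptBehaviorAdmin
if ($null -eq $raw) {
    $prompt = 'Not set'
} elseif ($promptModes.ContainsKey([int]$raw)) {
    $prompt = $promptModes[[int]$raw]
} else {
    $prompt = "Unrecognized value $raw"
}

# Does the token this process runs under carry an enabled Administrators group?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Integrity level, read from the mandatory-label SID listed by whoami.
# SIDs are matched instead of label names because the names are localized.
$labels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}
$groups    = whoami /groups
$integrity = 'Unknown'
foreach ($sid in $labels.Keys) {
    if ($groups -match ([regex]::Escape($sid) + '\b')) { $integrity = $labels[$sid] }
}

[pscustomobject]@{
    UacEnabled     = ($policy.EnableLUA -eq 1)
    AdminPrompt    = $prompt
    SecureDesktop  = ($policy.PromptOnSecureDesktop -eq 1)
    TokenIsAdmin   = $isAdmin
    IntegrityLevel = $integrity
}
```

Run from an ordinary, non-elevated shell as a member of Administrators: with UAC enabled the expected result is `TokenIsAdmin = False` at Medium integrity, while with `EnableLUA` set to 0 the same shell reports `TokenIsAdmin = True` at High integrity.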
