Windows 7: Release Candidate 1 Preview
by Ryan Smith and Gary Key on May 5, 2009 11:00 PM EST- Posted in
- Systems
Reworking UAC
Predictably, one of the most common complaints about Vista was the User Access Control (UAC) feature, which firmly established a real degree of security in Vista by blocking applications from attaining administrator-level privileges by default. It was something that was long overdue for Windows given how easy it is to compromise a machine when everything runs with admin privileges, but that doesn’t mean it was taken well.
Half of the problem going into Vista’s release was that few applications were coded following best security practices, even though Microsoft had been recommending such a thing for years, and such practices were necessary for applications to work correctly under limited user accounts. With so many poorly coded applications misbehaving under Vista until they were brought up to spec by their developers, it left a bad taste in the mouths of many. Compounding the problem was that Vista’s UAC implementation was not streamlined very well, resulting in redundant notices. Microsoft resolved some of the streamlining issues in Vista SP1, but this never completely satisfied users who were expecting a more XP-like (and insecure) experience.
With Windows 7 we have an attempt at a compromise, which is a noble intention by Microsoft, but leaves us concerned about the security implications. Previously UAC could only be turned on or off (Group Policy settings not withstanding), which would sometimes result in unhappy users shutting it off and giving up most of Vista’s security abilities in the process. With Windows 7, UAC has now been divided up into four levels: Off, followed by three levels of increasingly strong security. Level 3 is the equivalent of Vista’s UAC mode, meanwhile Level 2 is the default setting for Windows 7. With Level 2, certain signed Microsoft applications (basically most of the Control Panel apps) are allowed to elevate to administrator privileges without needing user confirmation. The working belief here is that most people are encountering most of their UAC prompts when initially configuring Windows, and if they didn’t encounter those early prompts they would have no great reason to turn UAC off entirely, particularly since 3rd party applications are so much better behaved these days.
The UAC Control Panel With Level Slider
Hence the compromise is that UAC prompts are disabled, but only for the Control Panel apps, meanwhile all other regular apps are still controlled by UAC as normal. The concern we have with this compromise is that with applications allowed to auto-elevate from user to administrator, it creates a potential local privilege escalation exploit. For Beta 1, a proof of concept exploit was put together that used rundll32 to disable UAC entirely without informing the user or requiring their intervention. In return Microsoft removed the UAC control panel from the auto-elevating list so that any direct attempts to manipulate it still require user intervention. This blocked the proof of concept exploit while maintaining all the other benefits of Level 2 UAC. It should be noted however that similar exploits could still work with Level 1, as it’s Level 2 without the secure desktop screen (thereby allowing apps to fake pressing the Allow button).
At this point it remains to be seen if Level 2 could be exploited in a similar manner, such as by breaking out of another auto-elevated application and attacking UAC from there. The fact that it leaves an obvious potential attack vector open leaves us leery of Level 2. Microsoft had the security situation right in the first place with Level 3/Vista, and it may have been better if it stayed that way.
With that said, Level 2 does what it’s advertised to do. Compared to Level 3/Vista, you’re going to get far fewer UAC prompts when messing with Windows’ settings. Undoubtedly it won’t satisfy those who absolutely abhor UAC, but at some point Microsoft has done everything they can.
Quickly, the other security element that was reworked for Windows 7 is the Security Center, which has been expanded and renamed the Action Center. Besides being a one-stop-shop for various Windows security features, now it is also home to an overview of system maintenance tasks and troubleshooting help. This doesn’t significantly change the functionality of the Action Center, and the biggest change that most people will notice is the GUI.
The Windows 7 Action Center
Facebook
Twitter
RSS
121 Comments
View All Comments
Jman13 - Friday, May 8, 2009 - link
I installed the x64 version of RC1 last night. Painless install, and VERY fast. Much faster than my XP install. I'm talking about actual usage of the computer, not the install (though that was fast too). I skipped Vista, but Win7 really looks to be a very good OS. Some of the usability features in Win7 are really nice (half screen docking to the side, for instance. I'm now using RC1 as my main OS, and likely will stay that way until the actual release, where I will finally upgrade from XP.I'm very pleased.
Jackattak - Friday, May 8, 2009 - link
Mine also went completely as planned last night. I loaded it onto my Dell XPS420 on a spare 160GB HD I had in there.Painless, flawless, and runs like a dream (as does Vista, so that was to be expected).
Loaded the 185 drivers from nVidia for my 8800GT 512MB, installed Left 4 Dead (and Steam), and played for an hour without any issues at all.
Lovin' the new UI. Hopefully it gets even cooler when the retail release comes out, but I doubt they'll make any drastic changes by then as there would be lots of RC users taken aback.
Great work so far, M$. Keep it up.
~Jackattak
Grandpa - Friday, May 8, 2009 - link
I absolutely hate the menu in Win 7. 3 to 4 clicks to open a program that would only take 1 click in XP or Vista. Also, in Control Panel, there is no option for the Classic look there. I don't see any performance boost over Vista whatsoever. There just isn't a good reason to pay good money for this. Linux is a much better value.Jman13 - Friday, May 8, 2009 - link
There's an option for the classic look. Just change the view to large or small icons in the upper right corner.Grandpa - Monday, May 11, 2009 - link
It isn't just the look. When you hover over the folder you want to open, it doesn't open unless you click ( even though the option for that to happen is checked ).PS: I have used Linux. It's just a little difficult to play the games I like playing with it.
B3an - Friday, May 8, 2009 - link
Oh look a linux fanboy bashing Win7. Like your've even fucking tried it.HellcatM - Thursday, May 7, 2009 - link
I thought Vista was ok, I liked the start menu and it just bets better with Windows 7. I find things just as easy as well, if not easier because I can just type in the search.I think setting up a network, wireless and a printer is much easier too. I haven't tested home network because I don't have two computers computers to test it on. I like the idea though.
The UI I like, the launch bar is good. I'm just wondering if Microsoft is going to do a UI change for the gold release. My thought is they know that since they did an open beta they way they did where anyone can use it, that people at Apple are going to be looking at it really closely and they'll make changes to Mac OS. With a UI change it'll give a curveball to Apple. Maybe MS has a major jaw dropping UI change. I just don't think their going to take a chance that Apple is going to test Win 7 and not make changes to their own. I know if I were Apple I would.
I think Windows 7 is ready now. Its a strong OS and I haven't had any major problems. Its quick, has some nice features, and it looks nice.
Jackattak - Thursday, May 7, 2009 - link
Loved it. I have downloaded both the x64 and x86 versions and will be installing them tonight.My one comment on OS brands (I use all of them for one thing or another at work and at home):
When Apple has a serious market share in the personal computing world and can truly develop an operating system for use on hardware from thousands (millions?) of different manufacturers, THEN (and only then) Microsoft will have a problem. Until then, Microsoft will continue to rule the planet, complainers and whiners be damned.
Apple has no serious market share in the home or business.
Linux is for computer professionals and tinkerers.
Microsoft is for the other 97% of the world.
:D
~Jackattak
DrRap - Thursday, May 7, 2009 - link
windows has left the building guyshttp://www.youtube.com/watch?v=wVM32aEABGY&fea...">http://www.youtube.com/watch?v=wVM32aEABGY&fea...
Techno Pride - Thursday, May 7, 2009 - link
I don't get it. It's just an OS, a tool. Does it really matter what brand of hammer you use?Shouldn't it matter more whether any tangible results are produced using whatever tools are available?