User Account Control and Security

While Windows XP went a long way towards correcting some of the biggest problems in previous versions of Windows, it has also had some significant problems where its age has not been kind to it. Paramount among these is the overall security of Windows, a two-fold problem involving some arguably poor programming practices at Microsoft, and an operating system that all but expects every user to be a full administrator. Microsoft has made some effort to correct this in Windows XP, especially with Service Pack 2, which added support for the no-execute security bit and a dramatically improved firewall, but there's only so much Microsoft can do without completely overhauling the operating system.

With Vista of course, now that Microsoft has the chance to do so, they have made some significant changes to the underpinnings of Vista in order to better lockdown the operating system; specifically, with a feature called User Account Control. The basic premise behind UAC is that the previous way of running everything as an Administrator was wrong, and by doing so it not only allowed applications to make system-wide changes when they shouldn't, but it also meant that compromised applications could be used as a vector to attack the system. As a result, even an administrator isn't really an administrator under Vista.

The most noticeable change as a result of this is that Vista will attempt to run most programs using standard permissions, effectively turning administrators into standard users. For many programs, especially programs included in Vista, this won't be a problem, and they'll be able to run fine with standard permissions. Windows Media Player 11 is one such example of a program that had problems under XP that has been fixed for Vista.

For a second class of programs, those that think they need admin permissions but really do not, Microsoft has engineered what amounts to a partial sandbox for those applications, so that when they attempt to make changes in global locations (the Windows directory, certain registry locations, etc.), they'll instead be secretly redirected to locations inside of the user's home folder and the user's local branch of the registry, allowing these programs to make the file and registry changes they want without having true access to the global operating system. A number of programs that haven't been modified to be completely compliant with standard permissions can be made to work fine under this still-protected mode.

Last, but not least, there are certain programs and actions that simply require administrator privileges, such as deletions outside the user's home folder and most control panel changes. Here, Vista is implementing a very Unix-like system of getting the user's permission, rather than implicitly granting the user permission to undertake the action based on their administrator credentials. Vista will bring up a secure dialog box that informs the user of the action that is to be taken, and gives them the option to either approve or deny it (non-admin users will need to provide an admin account first).

It's this last change that will likely be most jarring for users coming from XP, as it turns out there are a number of actions Windows undertakes right now that are administrator level and are based on implicit permission. At this point, UAC will ask for confirmation a lot; entirely too much in fact (we ended up turning off UAC at one point). We've had to deal with other quirks with UAC as well, for example it's now harder to terminate an administrator-privileged program that's run amok (you have to elevate your permissions in the task manager to do it). There's also the ultimate issue of working out which programs need to be run in administrator mode; if a program isn't working, is it because it's incompatible with Vista, or because it needs administrator powers?

Microsoft is aware of this, and is working on streamlining the process for the release version of Vista, so the interruptions should not be as bad as with the current beta. Nevertheless, it puts users in the odd position of picking between an OS mode that is secure because it makes it much harder for malware to infect the system, at the cost of making every action potentially less convenient, and a more liberal mode that gives up the security benefits. This is an especially odd position for enthusiasts, who tend to have the skills to prevent a malware infection in the first place; not only is UAC less helpful for them, but as one of the biggest new features in Vista, is it worth buying Vista if you're not going to use UAC?

Ultimately, UAC is a huge part of the new security systems within Vista, and even if it isn't perfectly streamlined by release, it will be much better for virtually all users to have it enabled and be slightly bothered by it than to be left exposed. If too many users end up turning off UAC, it creates a chicken-and-egg situation where application developers will not bother to make their programs work without administrative powers (just like today), and where Vista is left with much of the same security mess that XP has today, as the other security systems aren't enough to completely secure Vista on their own. Everyone is going to find it a significant change compared to the easy-going XP, but without a doubt this kind of overhaul is for the best: what you don't know can hurt you.
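As an added example (not code from the article or from Microsoft), here is a PowerShell audit that reports whether UAC, the administrator prompt and the file/registry redirection described above are still enabled, and lists what the per-user redirect locations currently hold. It assumes the documented policy values under the Policies\System key and the VirtualStore locations, neither of which the article names.

```powershell
# Added example: audit the UAC policy and the per-user virtualization store.
# Assumed: the EnableLUA / ConsentPromptBehaviorAdmin / EnableVirtualization
# values under Policies\System and the VirtualStore paths used by Vista+.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey

# EnableLUA = 0 means UAC has been switched off entirely, the choice the
# article warns against; administrators then run fully elevated all the time.
$uacOn = ($policy.EnableLUA -eq 1)

# ConsentPromptBehaviorAdmin = 0 elevates silently, so admins never see the
# secure approve/deny dialog even though UAC is nominally on.
$silent = ($policy.ConsentPromptBehaviorAdmin -eq 0)

# EnableVirtualization = 0 disables the redirection of legacy-app writes into
# the user's profile; a missing value means the default (enabled).
$virt = ($policy.EnableVirtualization -ne 0)

New-Object PSObject -Property @{
    UacEnabled            = $uacOn
    AdminPromptSilent     = $silent
    VirtualizationEnabled = $virt
} | Format-List

# Files a legacy app believed it wrote to %ProgramFiles% or %SystemRoot%
# actually land here; reviewing them shows which apps still need admin rights
# (and is a cheap place to look for anything trying to hide there).
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
if (Test-Path $fileStore) {
    Get-ChildItem -Path $fileStore -Recurse -File |
        Select-Object FullName, Length, LastWriteTime |
        Sort-Object LastWriteTime -Descending
}

# Registry writes aimed at HKLM\SOFTWARE are redirected to this per-user key.
$regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
if (Test-Path $regStore) {
    Get-ChildItem -Path $regStore -Recurse |
        Select-Object -ExpandProperty Name
}
```

Run it from a standard (non-elevated) prompt: reading the policy key needs no elevation, and the VirtualStore listing is per-user, so it shows what the current account's legacy apps have been redirecting.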

It's also worth mentioning that IE7+ (the Vista version of IE7) will be tied into UAC. Its own sandbox mode, which is intended to keep ActiveX controls from running amok, requires UAC to be active to be effective; otherwise it will only have similar protections to what IE6 offers today. However, given the immense use of IE6 right now as a vector of attack for spyware, on paper it seems like these changes should significantly strengthen IE7 and Windows as a whole.

Besides UAC, Microsoft has made a couple other significant additions to Windows, largely as a tool of last resort, since the ultimate power to install spyware lies with the users; some will still continue to run malicious applications with administrative privileges, and will need tools to deal with that. The Windows firewall has been upgraded to a full-service product that is capable of blocking both inbound and now outbound connections, which provides an additional method of warning users that they have malicious applications attempting to get out to the internet, and a way of containing them until removal. Microsoft Anti-Spyware has also been integrated into Vista, given the new name Windows Defender. Defender has been given a significant upgrade from the previous incarnation as MAS, and now is a real-time scanning application that on top of removing spyware can monitor IE downloads for known spyware and warn users of suspicious user-level changes to programs like IE.

Lastly, Microsoft has implemented a range of parental control features intended to help parents control their kids' activities, extending some of the previous business-class control features of Windows. On top of the already limited abilities of standard user accounts, the new control features include the ability to lock down computer usage to certain times, and Microsoft has indicated it may expand this in the future to specific applications at specific times. Other features are the ability to outright block specific programs and websites, and to monitor certain activities undertaken by controlled accounts (with special attention to internet activity, instant messenger usage, email, and time spent playing games).

  • dev0lution - Friday, June 16, 2006 - link

    I'd happily boot into Vista everyday if all of my hardware devices would work. Not MS's fault, but rather my fault for buying a smaller manufacturer's product who has yet to post even beta drivers.

    In combination with Office 2007 Beta 2 and IE 7, Vista x86 has run fine and rather stable for me. It does tend to eat up a bit of memory, but I should probably add another GB anyhow. If I could just solve a couple app related problems and get Media Center (and MC remote) to change the channel on my set top box, I wouldn't be running from my MCE disk much at all anymore.

    I kind of like the new layout and explorer...
  • RogueSpear - Friday, June 16, 2006 - link

    I had been using Vista on one of my computers until shortly after the Beta 2 was released for public consumption. Once I saw that there were no appreciable improvements in that release, I finally decided to revert back to the relative comfort and superior performance of XP. First off, I have nightmares when I think of the mass confusion that will ensue among the mass of computer neophytes that are just now getting over the adjustment from moving off of 98/ME to XP. These will be trying days for help desk staff and even those who are the "computer guy" in their family.

    More importantly, changes that are allegedly substantial, seem to me more cosmetic than anything. Yes, I realize that there are a lot of serious changes under the hood, but the benefits you can see and touch appear very superficial at best. This seems like an extreme makeover in an attempt to get people signed up for even more pervasive and hideous DRM. I know I'm living in the past, but I'll always be nostalgic for the days when my computer was actually my computer and the software/media I paid for were mine to use as I saw fit.
  • Pirks - Friday, June 16, 2006 - link

    I noticed this sentence: "As currently implemented, UAC surpasses Tiger's security features by giving more information about what application is requesting privilege escalation" Could you please elaborate a little on what "more information" exactly Vista provides in UAC dialogs that Tiger does NOT provide?

    From my experience Tiger gives the same information, I probably misunderstood you on that, could you please explain in more detail?
  • johnsonx - Friday, June 16, 2006 - link

    quote:

    Our beta version of Vista came on two separate DVDs, one for x86 and one for x64, but we're not sure at this point if Microsoft is going to package Vista in a dual-layer DVD with an installer that can pick the right version, or if it will continue to come on separate discs. It's also worth noting that Vista will choose which version of itself to install based on the product key used, as now all versions (for x64 and x86) will use the same installation media, which will be a relief for doing reinstalls.


    Ok, these two sentences seem contradictory. First you say you don't know if 32-bit and 64-bit versions will come on the same disc with an installer that can pick correctly, then in the next sentence you say the installer will pick based on product key because both versions will use the same install media.

    So which is it, or is there something I'm not getting?
  • Ryan Smith - Friday, June 16, 2006 - link

    There's something you're not getting. A disc can install any variation of Vista (e.g. 1 disc can install Home Basic x86, Home Premium x86, Ultimate x86, etc); it can only install that bit-version of Vista however.
  • DerekWilson - Friday, June 16, 2006 - link

    it is difficult to say ... i think three different editors mucked around with that sentence :-)

    to try a different angle, both of these are true statements:

    1) the x86 disk can install any x86 version of vista

    2) the x64 disk can install any x64 version of vista
  • dhei - Friday, June 16, 2006 - link

    When you can, do a test to see how well they redid it please. Someone told me this would be noticeable on those with broadband easily, not just LAN or network tests. I'm really interested in this aspect, though not sure how to really test it.

    Did you try a LAN benchmark vs WinXP to see if there's any difference?
  • Ryan Smith - Friday, June 16, 2006 - link

    We did not do that, it was already a 12k word article + the time to run the benchmarks we did use. We'll be taking a much heavier look at performance once we have a final version of Vista to look at.
  • Pirks - Friday, June 16, 2006 - link

    and read this while you're at it:

    http://developer.apple.com/internet/security/secur...

    You can minimize the risk of a network service being used to attack your machine by using the firewall built into Mac OS X. Called ipfw, it can prevent potential attackers from reaching these services. As of Mac OS X 10.2, Apple has included a simple GUI for configuring ipfw. The GUI is good for adding simple rules to your machine; more complex rules will require you to use either the command line tools for manipulating the firewall, or a third-party GUI that has more features.

    Ryan, do you know what BSD ipfw is? It blows any XP firewall to ashes; Vista is only a pathetic attempt to get to its level (well, hopefully MS will get something similar in Vista, I really hope they do).

    Also read this: http://personalpages.tds.net/~brian_hill/brickhous...

    That's another GUI to configure ipfw in OSX.

    Otherwise an excellent article, I'm impatiently waiting for your review of the final Vista release, but please don't make such stupid mistakes again, Mac boys will hack and slash you for that ;-)

    "it's time for a full featured firewall for Windows and Mac OS X alike, and only the former has it" - what a funny lie :-) Please read about OSX ipfw (I gave you a couple of links) and fix it ASAP. Thanks.
  • Ryan Smith - Friday, June 16, 2006 - link

    I'm aware of IPFW, and what it can do (and boy is it nice!). But this is a competition among what the two OSes can do on their own, without significant intervention from the user. Out of the box, Vista's firewall is a full-featured firewall that can block inbound and outbound connections. Tiger's firewall can't do the latter, and in the age of spyware (and as you saw in our spyware test), it's sometimes the last thing keeping spyware and other malware from breaking out.

    Tiger may not have significant malware problems at this point, but there's no good reason why it (and more so Leopard) shouldn't have outbound protection too.
