User Account Control and Security

While Windows XP went a long way towards correcting some of the biggest problems in previous versions of Windows, it has also had some significant problems where its age has not been kind to it. Paramount among these is the overall security of Windows, a two-fold problem involving some arguably poor programming practices at Microsoft and an operating system that all but expects every user to be a full administrator. Microsoft has made some effort to correct this in Windows XP, especially with Service Pack 2, which added support for the no-execute security bit and a dramatically improved firewall, but there's only so much Microsoft can do without completely overhauling the operating system.

With Vista, of course, Microsoft now has the chance to do so, and has made some significant changes to the underpinnings of the operating system in order to better lock it down; specifically, with a feature called User Account Control (UAC). The basic premise behind UAC is that the previous way of running everything as an Administrator was wrong: not only did it allow applications to make system-wide changes when they shouldn't, but it also meant that a compromised application could be used as a vector to attack the whole system. As a result, even an administrator isn't really an administrator under Vista.

The most noticeable change as a result of this is that Vista will attempt to run most programs using standard permissions, effectively turning administrators into standard users. For many programs, especially programs included in Vista, this won't be a problem, and they'll run fine with standard permissions. Windows Media Player 11 is one example of a program that had problems under XP but has been fixed for Vista.

For a second class of programs, those that think they need admin permissions but really do not, Microsoft has engineered what amounts to a partial sandbox. When such a program attempts to make changes in global locations (the Windows directory, certain registry locations, etc.), the writes are instead silently redirected to locations inside the user's home folder and the user's local branch of the registry. This lets the program make the file and registry changes it wants without ever having true access to the global operating system. A number of programs that haven't been modified to be fully compliant with standard permissions can be made to work fine under this still-protected mode.

Last, but not least, there are certain programs and actions that simply require administrator privileges, such as deletions outside the user's home folder and most Control Panel changes. Here, Vista implements a very Unix-like system of asking for the user's permission, rather than implicitly granting it based on the user's administrator credentials. Vista brings up a secure dialog box that informs the user of the action that is about to be taken and gives them the option to either approve or deny it (non-admin users will need to provide an administrator's credentials first).
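To see the two mechanisms just described from the administrator's side, here is an added PowerShell audit script (not part of the article, and not Microsoft's own tooling). It reports whether the current process holds the filtered or the elevated token, reads the UAC policy values from the registry, and lists what has already landed in the per-user VirtualStore locations where redirected file and registry writes end up. It assumes PowerShell 3.0 or later; the registry value names and VirtualStore paths are the ones Windows uses.

```powershell
# Added example, not from the article: audit UAC on a Windows host from PowerShell
# (assumes PowerShell 3.0 or later).

function Test-IsElevated {
    # With UAC on, an administrator's ordinary token is filtered, so this returns
    # $false until the process has been elevated through the consent prompt.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicy {
    # EnableLUA is the master switch; ConsentPromptBehaviorAdmin decides what the
    # dialog asks an administrator for (0 = elevate silently, which leaves UAC
    # effectively off for admins even when EnableLUA is still 1).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $behavior = @{ 0 = 'elevate silently'; 1 = 'credentials on secure desktop'
                   2 = 'consent on secure desktop'; 3 = 'credentials'
                   4 = 'consent'; 5 = 'consent for non-Windows binaries' }
    $b = $v.ConsentPromptBehaviorAdmin
    $adminPrompt = if ($null -eq $b) { 'not set' } else { $behavior[[int]$b] }
    [pscustomobject]@{
        EnableLUA           = [bool]$v.EnableLUA
        AdminPromptBehavior = $adminPrompt
        SecureDesktop       = [bool]$v.PromptOnSecureDesktop
        Virtualization      = [bool]$v.EnableVirtualization
    }
}

function Get-VirtualizedWrites {
    # Writes that a legacy program aimed at Program Files, Windows or HKLM and that
    # UAC redirected per-user end up here; the contents show which installed
    # programs still depend on the redirection instead of running as standard users.
    $fsStore  = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore = 'HKCU:\Software\Classes\VirtualStore'
    $files = if (Test-Path $fsStore)  { Get-ChildItem $fsStore -Recurse -File -ErrorAction SilentlyContinue } else { @() }
    $keys  = if (Test-Path $regStore) { Get-ChildItem $regStore -Recurse -ErrorAction SilentlyContinue } else { @() }
    [pscustomobject]@{
        RedirectedFiles = @($files | ForEach-Object { $_.FullName })
        RedirectedKeys  = @($keys  | ForEach-Object { $_.Name })
    }
}

"Running elevated: $(Test-IsElevated)"
Get-UacPolicy | Format-List
$vs = Get-VirtualizedWrites
"Redirected files: $($vs.RedirectedFiles.Count), redirected registry keys: $($vs.RedirectedKeys.Count)"
$vs.RedirectedFiles | Select-Object -First 10
```

Run it once from a normal console and once from an elevated one: the policy output is the same, but Test-IsElevated flips, which is the split-token behaviour the article describes.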

It's this last change that will likely be most jarring for users coming from XP, as it turns out there are a number of actions Windows undertakes right now that are administrator-level and rely on implicit permission. At this point, UAC asks for confirmation a lot; entirely too much, in fact (we ended up turning off UAC at one point). We've had to deal with other quirks of UAC as well; for example, it's now harder to terminate an administrator-privileged program that has run amok (you have to elevate your permissions in the Task Manager to do it). There's also the ultimate issue of working out which programs need to be run in administrator mode: if a program isn't working, is it because it's incompatible with Vista, or because it needs administrator powers?

Microsoft is aware of this, and is working on streamlining the process for the release version of Vista, so the interruptions should not be as bad as with the current beta. Nevertheless, it puts users in the odd position of picking an OS mode that is either secure, because it makes it much harder for malware to infect the system, at the cost of making every action potentially less convenient, or more liberal, giving up the security benefits. This is an especially odd position for enthusiasts, who tend to have the skills to prevent a malware infection in the first place; not only is UAC less helpful for them, but as one of the biggest new features in Vista, is it worth buying Vista if you're not going to use UAC?

Ultimately, UAC is a huge part of the new security systems within Vista, and even if it isn't perfectly streamlined by release, virtually all users will be better off having it enabled and being slightly bothered by it than leaving the system exposed. If too many users end up turning off UAC, it can create a chicken-and-egg situation where application developers will not bother to make their programs work without administrative powers (just like today), and where Vista is left with much of the same security mess that XP has today, since the other security systems aren't enough to completely secure Vista on their own. Everyone is going to find it a significant change compared to the easy-going XP, but without a doubt this kind of overhaul is for the best: what you don't know can hurt you.

It's also worth mentioning that IE7+ (the Vista version of IE7) will be tied into UAC. Its own sandbox mode, which is intended to keep ActiveX controls from running amok, requires UAC to be active to be effective; otherwise it will only have protections similar to what IE6 offers today. Given the immense use of IE6 right now as a vector of attack for spyware, on paper these changes should significantly strengthen IE7 and Windows as a whole.

Besides UAC, Microsoft has made a couple of other significant additions to Windows, largely as tools of last resort, since the ultimate power to install spyware lies with the users; some will still continue to run malicious applications with administrative privileges, and will need tools to deal with that. The Windows firewall has been upgraded to a full-service product that is capable of blocking both inbound and now outbound connections, which provides an additional way of warning users that they have malicious applications attempting to get out to the internet, and a way of containing them until removal. Microsoft Anti-Spyware has also been integrated into Vista under the new name Windows Defender. Defender has been given a significant upgrade from its previous incarnation as MAS, and is now a real-time scanning application that, on top of removing spyware, can monitor IE downloads for known spyware and warn users of suspicious user-level changes to programs like IE.
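The outbound capability only matters if the profile's default outbound action is actually set to block, which is not something the GUI makes obvious. As an added check (not from the article), this PowerShell function parses the output of `netsh advfirewall show allprofiles`, the command-line interface the Vista-era firewall ships with, and flags any profile still defaulting to AllowOutbound. It assumes an English-language Windows, since netsh prints localized labels.

```powershell
# Added example, not from the article: report each firewall profile's default
# inbound/outbound action and flag profiles that still allow outbound by default.
# Assumes English netsh output (the labels below are localized on other locales).
function Get-FirewallDefaultPolicy {
    $lines = netsh advfirewall show allprofiles
    $profile = $null
    foreach ($line in $lines) {
        # Section headers look like "Domain Profile Settings:"
        if ($line -match '^(\S+) Profile Settings:') {
            $profile = $Matches[1]
        }
        # Policy line looks like "Firewall Policy   BlockInbound,AllowOutbound"
        elseif ($line -match '^Firewall Policy\s+(\w+),(\w+)') {
            [pscustomobject]@{
                Profile  = $profile
                Inbound  = $Matches[1]
                Outbound = $Matches[2]
            }
        }
    }
}

$policy = Get-FirewallDefaultPolicy
$policy | Format-Table -AutoSize
$open = @($policy | Where-Object { $_.Outbound -ne 'BlockOutbound' })
if ($open.Count -gt 0) {
    "Profiles whose default outbound action is still Allow: $($open.Profile -join ', ')"
}
```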

Lastly, Microsoft has implemented a range of parental control features intended to help parents control their kids' activities, extending some of the previous business-class control features of Windows. On top of the already limited abilities of standard user accounts, the new control features include the ability to restrict computer usage to certain times, and Microsoft has indicated it may expand this in the future to specific applications at specific times. Other features are the ability to outright block specific programs and websites, and to monitor certain activities of controlled accounts (with special attention to internet activity, instant messenger usage, email, and time spent playing games).

75 Comments

  • Pirks - Friday, June 16, 2006 - link

    quote:

    Out of the box, Vista's firewall is a full-featured firewall that can block inbound and outbound connections. Tiger's firewall can't do the latter
    Excuse me, what? How about this then: http://www.macworld.com/2006/05/reviews/osxfirewal...

    "The emphasis is on incoming. As it ships from Apple, the firewall does not monitor traffic that may be originating from your own computer. If your Mac gets possessed by a malware application that then attempts to attack or infect other computers via your Internet connection (a not-uncommon trick), OS X’s firewall won’t, by default, pay any attention. And, there’s no way to change this default setting from your System Preferences. To force the firewall to monitor outbound traffic, you must use Terminal’s command-line interface."

    See - IT CAN monitor and block outbound traffic, contrary to what you say. It's just a matter of configuring it properly. You should at least correct your article and stop saying OSX ipfw CAN'T track outbound connections. You can say this: it's SET UP not to monitor outbound connections BY DEFAULT but anyone can CONFIGURE it to monitor outbound connections either through third party GUI like Flying Buttress or via command line. Then you won't look like a liar to any Mac guy who cares to read your review.
  • Ryan Smith - Friday, June 16, 2006 - link

    I see your point, but I believe there's nothing in the article that needs changing. Tiger's firewall can't block outbound connections without having to drop to the terminal to muck with IPFW; I do not classify that as an ability any more than I classify Vista x64 as being amateur driver programmer friendly (since you need to drop to the terminal to turn off the x64 integrity check). When a version of Mac OS X ships with a proper GUI for controlling outbound firewalling (as is the Apple way), then it will be capable by a reasonable definition. Right now it's nothing more than a quirk that results from using the BSD base.
  • Pirks - Friday, June 16, 2006 - link

    quote:

    When a version of Mac OS X ships with a proper GUI for controlling outbound firewalling (as is the Apple way), then it will be capable by a reasonable definition.
    Excellent point! So, when (and if) Mac OS X will see its share of virii and malware, THEN Apple will incorporate outbound connection settings in OS X GUI - right now it's not needed by Mac users, and the rare exceptions are easily treated with third party apps and command line.

    OK, got your point, agreed, issue closed. Thanks :)
  • bjtags - Friday, June 16, 2006 - link

    Vista x64
    I have been pounding on it for 4 days and it has never crashed or even farted once!!!
    Have all HalfLife 2 and CS running Just Great!!!
    Had at one time 10 IE windows open, MediaPlayer, Steam updating, download driver,
    updating windows drivers, and 3 folder explorer windows open, and transferring
    a 4gig movie to HD!!!

    Still ran fine... I do have AMD 4800 x2 with 2gigs...
  • Poser - Friday, June 16, 2006 - link

    Two questions:

    1. What's the ship date for Vista supposed to be? Q4 of 2006?
    2. I seem to remember that speech recognition would be included and integrated with Vista. Is it considered too much of a niche toy to even mention, not considered to be part of the OS, or am I just plain wrong about its inclusion?

    It was an extremely well written article. Very nice job.
  • Ryan Smith - Friday, June 16, 2006 - link

    1. Expected completion is Q4 with some business customers getting access to the final version at that time. It won't be released to the public until 2007 however.

    2. You're right, speech recognition is included. You're also right in that given the amount of stuff we had to cover in one article it was too much of a niche; voice recognition so far is still too immature to replace typing.
  • ashay - Friday, June 16, 2006 - link

    "Dogfooding" is when a company uses their own new product (not necessarily beta) for internal use (maybe even in critical production systems).

    Term comes from "eat your own dog food". Meaning if you're a dog food maker, the CEO and execs eat the stuff. If they like it, the dogs hopefully will.
    Wikipedia link: http://en.wikipedia.org/wiki/Eat_one%27s_own_dog_f...
  • fishbits - Friday, June 16, 2006 - link

    Yes, I know it's still beta, we'll see. The UAC and signed drivers schemes sound like they'll be flops right out of the gate. Average user will quickly realize he can't install or use anything until he adopts a "just click 'Yes'" attitude, which will reward him with a functioning device/running program. I've lost count of how many drivers I've installed under XP that were for name-brand devices, yet didn't have the official seal of approval on them. Again, get trained to "just click 'Yes'" in order to be able to do anything useful. Without better information given to the user at this decision point, all the scheme does is add a few mouse-clicks and no security. Like when you install a program and your security suite gives a "helpful" warning like "INeedToRun.exe is trying to access feccflm.dll ... no recommendation."

    As expected, it looks like the productivity gains of GPU-acceleration were immediately swallowed up by GUI overhead. Whee! "The users can solve this through future hardware upgrades." Gotcha. For what it's worth, the gadgets/widgets look needlessly large and ugly, especially for simply displaying things like time, cpu temp/usage. Then it sounds like we're going to have resource-hungry programs getting starved because of GPU sharing, or will have an arms-race of workarounds to get their hands on the power they think they need.

    Ah well, I've got to move to 64-bit for RAM purposes relatively soon. Think I'll wait a year or two after Vista 64 to let it get stable, faster, and better supported. Then hopefully the programs I'll need to upgrade can be purchased along the lines of a normal upgrade cycle. Games I'm actually not as worried about, as I expect XP/DX9 support to continue for a decent bit and will retain an XP box and install Vista on a brand new one when the time comes.
  • shamgar03 - Friday, June 16, 2006 - link

    I really hope that will mean for BETTER GPU performance not worse. I would really just like to be able to boot into a game only environment where you have something like a grub interface to pick games and it only loads the needed stuff for the game.
  • darkdemyze - Friday, June 16, 2006 - link

    beta implies "still in development". chances are very high performance will see an increase by the time of release. I agree with your second statement though.
