Biting the Security Bullet

If you're familiar with my reviews on the SuperSite for Windows, you know that they follow a fairly standard structure: Toward the end of the review, I highlight the issues and problems I feel the product has, and I wrap it up with availability and licensing information and a conclusion. If the review is long enough to warrant multiple parts, I generally handle the "problems" section as the last part of the review, which is what I did recently with my review of the February Community Technical Preview (CTP)/Builds 5308/5342 versions of Windows Vista. Part 5 of that overly long review was called "Where Vista Fails," and it highlighted some problems in those builds as well as some general thoughts about where Microsoft was reneging on promises it had made for the next Windows client.

I didn't think much about it. After all, this was part 5 of a lengthy review, nothing more. But as soon as "Where Vista Fails" was published, my life got very complicated. I received email messages from a few senior Microsoft executives, from numerous Microsoft employees, and even several requests from the press. Part 5 of the review was linked to and scrutinized all over the Web, presumably because I'm a Windows Guy and here I was criticizing Microsoft. The Mac Web loved it, obviously. On and on it went. I was surprised by this reaction because I didn't feel like I'd deviated from my standard review pattern. If anything, I had omitted many valid examples of Vista problems for space reasons and because I figured they'd be more appropriate for future articles. After all, it's just an interim Vista beta build.

My most pointed concerns were about User Account Control (UAC, previously called User Account Protection--UAP--and before that known as Limited User Account--LUA). UAC is a major component of Microsoft's plan to keep Windows users safe from themselves. In earlier Windows versions, most nonmanaged users (i.e., Windows users who aren't part of a correctly designed Active Directory--AD--infrastructure) run with full administrator privileges and not with safer standard user accounts. Running with administrator privileges makes things easier: You can delete files and icons, move data from drive to drive, launch and run any application, and perform any other task your system is capable of. It's also more dangerous. If a bit of malicious code infiltrates your system--all too easy in the Windows world--then it, too, runs with administrative privileges.

UAC emulates the security model that Linux and Mac OS X users have known for years. On those systems, administrator-level tasks--typically actions that could potentially harm the system or change its configuration--require in-place authentication, usually in the form of a dialog box. You might think of this as a graphical form of "superuser do" (SUDO), or "do something as super user," a command-line-based way of escalating your privileges in the UNIX and Linux worlds so you can perform an administrative-level task, even if you usually run as a standard user.
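The split the column describes (an Administrators member whose token is filtered down to standard-user rights until an elevation prompt is answered) can be observed from inside a session. The following PowerShell script is an added example, not code from the column or from Microsoft: it reports whether the current token is elevated or filtered, and reads the standard UAC policy values under the Policies\System registry key to flag configurations where the prompt has been switched off or weakened. The function name and the wording of the findings are the example's own; the registry value names and the WindowsIdentity/WindowsPrincipal calls are the real Windows ones.

```powershell
# Added example (not from the column): audit how UAC applies to the current
# session and whether the elevation-prompt policy has been weakened.

function Get-UacSessionStatus {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier(
                     [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # IsInRole is true only when the Administrators group is *enabled* in the token,
    # i.e. the process is elevated. Under UAC, an Administrators member still carries
    # the group SID in the token but marked deny-only, so the SID shows up in Groups
    # while IsInRole returns false: that is the filtered (standard-user-like) token.
    $groupSids   = @($identity.Groups | ForEach-Object { $_.Value })
    $memberOfAdm = $groupSids -contains $adminSid.Value
    $isElevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # UAC policy lives here; missing values read as $null, which never matches 0 below.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy     = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    $findings = @()
    if ($policy.EnableLUA -eq 0) {
        $findings += 'UAC is disabled (EnableLUA=0): administrators get a full token and no prompt.'
    }
    if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate silently (ConsentPromptBehaviorAdmin=0): the prompt never appears.'
    }
    if ($policy.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'Standard users cannot elevate at all (ConsentPromptBehaviorUser=0): requests are denied.'
    }
    if ($policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'Prompt is not shown on the secure desktop (PromptOnSecureDesktop=0): other windows can overlay it.'
    }

    [PSCustomObject]@{
        User                       = $identity.Name
        MemberOfAdministrators     = $memberOfAdm
        TokenElevated              = $isElevated
        RunningWithFilteredToken   = ($memberOfAdm -and -not $isElevated)
        EnableLUA                  = $policy.EnableLUA
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $policy.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop
        Findings                   = $findings
    }
}

# Usage: run once from a normal console and once from an elevated one; the
# TokenElevated / RunningWithFilteredToken pair flips between the two.
Get-UacSessionStatus | Format-List
```

Run unelevated as an Administrators member, the object reports MemberOfAdministrators true and TokenElevated false, which is exactly the state the column's "graphical sudo" prompt is there to lift; run from an elevated console the same user reports TokenElevated true. An empty Findings list means the prompt policy is intact; any entry means the safety net the column is arguing for has been removed on that machine.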

In the various Vista interim builds I've seen, UAC has been a nightmare. That is, the UAC dialog boxes pop up early and often. Combined with some related permissions issues, you'll even find yourself getting into endless loop situations in which you try to delete a combination of files and desktop icons and find yourself unable to do so, though you're welcome to keep pressing "Try Again" until you're blue in the face.

My issue with UAC is that this type of thing has been done correctly in the past. On both Mac OS X and most Linux distributions, when users are forced to provide authentication for administrator-level tasks, it's not annoying. In fact, it even contributes to a feeling of security, if you can believe that.

There are reasons why UAC is so badly implemented, and I'm sure that Microsoft will figure this out before Vista is finalized in late 2006. But I'm already hearing that the feature might be improved before then. Apparently, Vista Beta 2--due next week--already includes a slightly less annoying UAC implementation. I hope developers find the right balance between security and usability.

UAC isn't the only form of user account improvement in Vista, of course. Although the first user you create on a Vista box is always an administrator-level account, subsequent accounts are created as standard users by default. And Microsoft Internet Explorer (IE) 7, which I discussed last week, runs at an even lower privilege level than a standard user. That says a lot about IE, but it also shows that Microsoft is serious about security. With Vista, most users are going to be forced to bite the security bullet for the first time ever. My only question is whether Windows users are ready for the tradeoffs that occur when you can't easily do the things you could do before.
