Posted by: reformedmusings | January 13, 2009

Windows 7 Beta 1 – User Account Control (UAC)

I covered the Windows 7 Ultimate Beta 1 installation into WMWorkstation 6.5 in this post, along with some data on Windows 7 resource usage. In the next series of posts, I’ll check out Microsoft’s efforts at fixing Vista shortcomings, as well as other user and security issues.

Disclosure up front: I’m now an entrenched Linux guy who previously spent decades on Microsoft operating systems. When possible and appropriate, I will offer comparisons between Windows 7 and current Linux distributions. My chief beefs with Windows center on DRM, security, and cost. However, I do enjoy playing with new toys, so I downloaded and installed Windows 7 Beta 1 into a virtual machine primarily for grins.

User Account Control (UAC)

The endless yes/no permission questions in Vista have become the stuff of legend, and not in Microsoft’s favor. Vista even prevented users with proper permissions from executing tasks. One of the core security weaknesses in the entire Windows consumer product line centers on the ease of obtaining access to core system processes, permissions, and files. Viruses, worms, trojans, etc., can access and change things pretty much at will. This isn’t theoretical, but happens countless times every day. F-Prot counts about 1.3M malicious exploits targeting Windows systems as of this writing. Here’s one that resulted in yet another Windows emergency patch last month.

One visible and simple part of the answer involves limiting who can make changes to a system. Under Linux, installing/updating programs or accessing system settings requires the explicit permission of someone with root access (i.e., administrator privileges in Windows speak). Therefore, any malware other than that which exploits a particular core system vulnerability would need root’s permission to run and/or change anything on the system. Users (and malware) without root access cannot compromise the system. Simple but effective.

Technically this has been true of consumer versions of Windows since Windows 2000, but has been largely bypassed and ignored. Essentially, Windows allows any user to be an administrator and retain those privileges unimpeded while logged in, thereby completely eliminating this simple security measure. Vista tried to implement the scheme in a clumsy way with its User Account Control (UAC), but Microsoft botched the implementation. According to Microsoft, they improved the UAC in Windows 7, so I decided to see for myself. I do not have Vista available to make a direct comparison, so will simply go through Windows 7’s implementation.

When you install Windows 7, the installing user is automatically granted administrator privileges just as with previous versions. But it’s not quite the free pass it has been before. The default UAC settings are as follows:

[Screenshot: win7b1-uac-default]

The default allows the user (or malware impersonating the user) to make changes to Windows without being notified, but installing programs will trigger a notification. That notification looks like this:

[Screenshot: win7b1-uac-admin-catch1]

Note that Windows 7 darkens the background, signaling the disabling of other desktop processes outside of the active dialog box. Here’s Microsoft’s current description of this mode:

You will be notified before programs make changes to your computer that require the permissions of an administrator. You will not be notified if you try to make changes to Windows settings that require the permissions of an administrator. You will be notified if a program outside of Windows tries to make changes to a Windows setting.

However, what’s missing is any request for a password. So, it will notify you but will not actually challenge your credentials. Linux would require you to enter the root or super user password to verify your credentials and to prevent a malicious bypass of the security, and it deactivates any access to programs or processes outside of the security dialog:

[Screenshot: win7b1-ubuntu-pass]

Without such a credential verification, a malicious program could issue a click on the appropriate button without knowing the administrative password. Microsoft will tell us that’s not possible, but the malware writers have consistently shattered Microsoft’s arrogant facade and hapless Windows users have paid the price time and again. See towards the end of this post about how Vista’s security has been rendered virtually useless.

The highest UAC security level for Windows 7 looks like this:

[Screenshot: win7b1-uac-tight]

Here, Windows notifies you whenever you (or malware impersonating you) attempt to change Windows settings through any means. In other words, “Always notify” means everything that touches the important system settings requires confirmation. Here’s Microsoft’s current description:

You will be notified before programs make changes to your computer or Windows settings that require the permissions of an administrator. When you are notified, your desktop will be dimmed, and you must either approve or deny the request in the UAC dialog box before you can do anything else on your computer. The dimming of your desktop is referred to as the secure desktop because other programs cannot run while it is dimmed.

Again, no password will be required to proceed, just a click on the Yes button. This setting could get pretty annoying during initial system setup for those used to no security at all, but it should be the default setting after a user has the system configured to their tastes. Clicking on a Yes button provides a pretty simple step that buys a significant measure of protection for your data.

The second-lowest setting prevents Windows from dimming the background when the UAC notification appears:

[Screenshot: win7b1-uac-low]

This setting allows you to access and/or activate programs outside of the dialog box. This makes it easier for a malicious program to bypass the security. Here’s Microsoft’s description:

You will be notified before programs make changes to your computer or Windows settings that require the permissions of an administrator. You need to either approve or deny the request in the UAC dialog box to continue with that task, but you can still do other things on your computer while the UAC dialog box is open. This setting is fairly secure.

I disagree with that last sentence. It’s not a setting that I would recommend for routine use. The last setting tells Windows 7 never to notify the user:

[Screenshot: win7b1-uac-never]

Here’s Microsoft’s description:

You will not be notified before any changes are made to your computer. If you are logged on as an administrator, programs can make changes to your computer without you knowing about it. If you are logged on as a standard user, any changes that require the permissions on an administrator will automatically be denied. If you select this setting, you will need to restart the computer to complete the process of turning off UAC. Once UAC is off, people that log on as administrator will always have the permissions of an administrator.

I would never recommend the lowest setting under any circumstances. This setting opens your system completely to any malware that manages to socially engineer or otherwise find its way onto your computer. I find the note about programs not being certified for Windows 7 interesting. It looks like yet another cash cow for Microsoft and more expensive software upgrades for its hapless vassals. Why should programs require special support for UAC? Shouldn’t the security work the same for all programs? This will be interesting…
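The four slider positions above are, under the hood, three registry values. The following audit script is an added example (not from the original post) that maps those values back to the level names used here and flags the positions the post considers weak; the registry path, value names and their numeric meanings are taken from Microsoft’s UAC policy documentation, not from the post, and the sample values in the demo are constructed.

```python
"""Classify a machine's UAC slider level from the policy values behind it.

Added audit example. Level names follow the Windows 7 slider positions
discussed in the post; the registry value names and meanings come from
the Windows UAC policy documentation (assumption: unchanged since 7).
"""
import sys

# Policy key under HKEY_LOCAL_MACHINE that holds the UAC settings.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) -> slider level
LEVELS = {
    (1, 2, 1): "Always notify (secure desktop, consent only)",
    (1, 5, 1): "Default: notify for non-Windows programs (secure desktop)",
    (1, 5, 0): "Notify without dimming the desktop",
}


def classify(enable_lua, consent_admin, secure_desktop):
    """Return (level_name, weak) for one set of UAC policy values.

    ConsentPromptBehaviorAdmin 1 or 3 makes admins type their password
    instead of clicking Yes; that is the behaviour the post asks for and
    is set through policy rather than the slider."""
    if enable_lua == 0:
        return ("Never notify (UAC off)", True)
    if consent_admin in (1, 3):
        name = "Prompt for credentials" + (" on secure desktop" if secure_desktop else "")
        return (name, secure_desktop == 0)
    name = LEVELS.get((enable_lua, consent_admin, secure_desktop),
                      f"Non-standard (ConsentPromptBehaviorAdmin={consent_admin})")
    # Weak when admins elevate with no prompt at all (0), or when the prompt
    # is not on the secure desktop, so other processes can reach the dialog.
    weak = consent_admin == 0 or secure_desktop == 0
    return (name, weak)


def read_uac_values():
    """Read the live values on Windows; raises OSError on other platforms."""
    if sys.platform != "win32":
        raise OSError("registry is only available on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        return tuple(winreg.QueryValueEx(key, name)[0] for name in
                     ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"))


if __name__ == "__main__":
    try:
        values = read_uac_values()
    except OSError:
        values = (1, 5, 0)  # constructed sample: the "no dimming" level
    level, weak = classify(*values)
    print(f"{level}: {'WEAK' if weak else 'ok'}")
```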

I’ll go a step further and say that I don’t think that Microsoft should even offer the last two options. To do so, especially “Never notify”, shirks their responsibility to take reasonable steps to protect their users from having their data and systems compromised. Just my humble opinion.

The UAC settings, BTW, can be changed from the Action Center, which can be quickly accessed from the System Tray:

[Screenshot: win7b1-action]

User Account Control settings appears as a choice on the left. I’ll have more to say about the other settings in this window in another post.

So what do I suggest that the UAC challenge should look like in the Windows 7 UAC context? To see that, let’s create a new user:

[Screenshot: win7b1-create-account]

Note the differences between the Standard user and Administrator. The latter has “complete access to the computer and can make any desired changes.” This is the default for the initial user. As for the part about “may be asked to provide their password”, I never encountered such a situation in my testing, and I tested every reasonable task that one might perform. Password entry isn’t mentioned in the help screens, either. This shortfall is very disturbing. Anyway, we created the new standard user “Bozo.”

Next, I tried logging in as the standard user and then changing a Windows setting. This is the warning I received from Windows 7:

[Screenshot: win7b1-uac-catch]

Now we’re getting somewhere. This box requires that an administrator enter their password to approve the action. Since “bob” is the only admin on the system, that user comes up by default.

Next, I tried to install a new program as a standard user:

[Screenshot: win7b1-uac-prog-caught]

Looks familiar. I still need the admin password to proceed. Any malware trying to install itself is stymied at this point, because simply clicking on the Yes button will not accomplish the desired action. So is any hapless user trying to compromise the system. This provides real protection against malware simulating user actions.

Standard users, and even admin users running at the highest UAC setting, can change most simple preferences without activating the UAC. Examples include changing your desktop theme, wallpaper, mouse/keyboard sensitivity, etc. These common options that do not affect the system security or data integrity require no user interaction with the UAC system. That’s as it should be.

Wrap up

I think that Microsoft has brought a significant level of improvement to the UAC scheme as far as uniformity and predictability. However, I do not think there’s enough security for admin (default) users. But that’s not the subject of most Vista users’ complaints. Their complaint was having to grant permission to virtually anything. In this regard, the normal Windows user who logs in (assuming that they use a password at all) with admin privileges does have a uniform experience. Simply clicking on Yes in the notification boxes will keep them rolling along. On the default setting, that shouldn’t happen often, so it shouldn’t be a major inconvenience. So far, I think that Microsoft has done well in that respect.

Overall, though, not requiring the default admin user’s password for system changes is still a significant security hole. Malware writers in the past have proven that they can simulate user actions, including mouse clicks in known locations within dialogs. That Yes button on the UAC dialog will be their prime target. My guess is that they’ll have it cracked by the time Windows 7 releases to OEMs at the end of this year. The “unbreakable” HD-DVD and Blu-Ray codes were broken as the first disks hit the streets.

Will the average Windows 7 user be happy with these improvements? They should be, but my guess is that most will set the UAC to “Never notify”, thus disabling the UAC, and then complain when their system becomes compromised by malware, just as they do now. In my opinion, Microsoft should not even offer that option in a serious operating system. Yet, I also know that they’d be roundly roasted if they didn’t. I’m no Microsoft fan, but I think that in this regard they deserve some credit for at least trying to ease their vassals into a more secure computing lifestyle.


Responses

  1. To me it seems misleading to make this statement:
    “However, what’s missing is any request for a password. So, it will notify you but will not actually challenge your credentials. Linux would require you to enter the root or super user password to verify your credentials and to prevent a malicious bypass of the security, plus deactivates any access to programs or processes outside of the security dialog:”

    Then show a screenshot of ubuntu 8.10 which is clearly asking you for your current user password and not the root password. I mean isn’t this the same thing as vista / windows 7 except that you have to enter the current logged on user’s password to access root privs in ubuntu?

    Not arguing that you’ve provided a great post here and I’m sincerely considering more and more a move to Linux for the cost more than anything else but I’m not sure we should argue UAC is so terrible when Ubuntu 8.10 to me is very similar.

    What am I missing?

    GW

  2. Hi GW,

    Thank you for taking time to comment. I’m not sure how familiar you are with Linux, so please forgive me if I get too basic here.

    Under Linux, similar to most operating systems, every user has a set of permissions assigned to them. Any user can be given administrator or super user (sudo) privileges by an administrator, although this is best limited to one or two people.

    In the case of my example above, I am being asked for my user password, which will be used to verify my super user or admin privileges. If I don’t have those privileges, the system will reject my request and notify the administrator of my attempt to exceed my privileges. I am also a member of the “root” group, which gives me root privileges with my password. That sounds bad, but that access expires automatically after about 15 minutes. That allows you to do what’s necessary, but closes the barn door so the wolves don’t get in behind you. There are other limitations as well. It is NOT equivalent to initially logging into the system as root in that respect.

    Under Windows, it is a bad idea to log in routinely as an admin because then whatever trojan or virus hits your system inherits your privileges. That’s one reason why trojans, worms, and viruses are so successful under Windows. The correct use of Windows would be to log in as normal user so that malware can’t alter the system, but then you’d have to enter the admin password whenever you wanted to make those changes. Most folks are too lazy for that, so they just blindly operate as admins all the time.

    The equivalent would be to log into Linux as “root” every time for normal system use. I don’t know of anyone who does that because it would be incredibly stupid. You’d leave yourself wide open to system corruption. The root access would not time out in this case but be persistent until you manually log back out. It would also have no system limitations. By default, most systems will not allow a login as root through the GUI to discourage this behavior.

    I feel like I’m rambling at this point. Have I answered your concern?

    Bob

  3. I understand what you are saying yes. I guess I just didn’t know people were logging on the Windows system as administrator and not a member of the domain admins group but logging on the Ubuntu system as a user in the root group. I was thinking more like apples to apples. I login as joeadmin (in admins group) in Windows and I login as joeroot (in root group) in Ubuntu.
    Now if that were the scenario then when each tried to do an administrator level action you’d get:
    uac would kick in for joeadmin but he/she would not have to put a password in
    uac or what i see as similar would also kick in for joeroot but he/she couldn’t click yes – he/she would also have to enter his/her password again (slightly more secure and slightly more annoying)

    Now if neither the ubuntu nor the windows user were in the administrators/domain admins/root group we’d see something different.
    In windows you would get a prompt saying not allowed. In ubuntu you would get a prompt asking for password then after entering password you’d be told you should be careful with root and you are not allowed and you are logged.

    Feel free to cut any of the below out:
    As you pointed out I’m new to Linux but I don’t think of myself as a supernewb. I just started a blog about some of the stuff I work on at home and a lot of it is Linux related (“gwlab.netnegotiations.com”). So bear with me as I’m showing my support at the same time as learning some of the concepts as perceived by others.

  4. Yep, your two scenarios are accurate. The average Windows user won’t want to be annoyed, so will simply disable the UAC warning, which Windows 7 will allow. So, they opt out of security. This should NOT be an option. Like any net, the Internet is only as secure as its weakest link. As those who disable the UAC become bots, they in essence opt in to become part of criminal enterprises running DOS, spam attacks, etc. Their poor choice affects everyone, not just themselves.

    No problem with the paragraph about your site. I wish you the best of luck with it.
