I like Vista UAC (User Account Control), really I do. Probably it’s because I haven’t seriously used it myself yet (my primary work computer is still running Windows XP). But I have seen it in action, tried it out a bit, did some development for it, and even discussed it in a presentation I delivered; so I mostly know what I’m talking about. Because of all this I can definitely state that I like the concept of UAC, especially when this concept is running on somebody else’s computer.
Anyway, what’s not to like about UAC? It surely represents a huge shift in Microsoft philosophy – the first time that Microsoft intentionally sacrificed usability and backward compatibility on a grand scale. With UAC enabled lots of applications that used to run fine don’t work anymore. The reason this can actually be a Good Thing is that many of these applications that don’t work anymore are Malware – viruses, trojans, spyware and worms. UAC breaks these applications because it does two important things:
This breaks Malware because such rogue applications generally do require administrative privileges. Hopefully when they ask you for such rights you will Just Say No.
Well, if UAC is so good, what’s the problem? The problem is that any security measure is only worthwhile if it is actually used. And such measures only get used if they are not too much of a pain. How useful would car safety-belts be if they were so tight that nobody could buckle up and still be able to breathe? UAC is sort of like that over-tight safety-belt, at least initially.
In a very interesting channel9 video interview, Jon Schwartz, UAC Architect, and Chris Corio, UAC Technical Program Manager, explained much of the reasoning behind UAC. Most of what they said made a lot of sense, such as their discussion of applications that required elevation for no good reason, including Microsoft applications, even including such built-in Windows services as the Windows Clock. They also talked about the bit of virtualization they built into Vista to handle legacy apps that will probably not get fixed.
Where the UAC guys blundered IMO is in their handling of the situation Jon termed the “initial installation and configuration phase”. Jon made an offhand comment that, yes, users would get prompted a lot for elevation during that short phase, but afterwards everything would be OK. And how long would that phase last? Not long – a few days, maybe a week. Jon is obviously a very smart guy, but it’s also obvious that he has never worked in marketing or sales; otherwise he would have known that there’s no second chance to make a first impression. I’m sure most users would not last a week of constant badgering; most would not even last a day. As soon as they can find the switch, they will turn UAC off, and that would be the end of that.
Not being able to resist commentating from the sidelines, here is what I would have done: I would have officially introduced the concept of the “initial installation and configuration phase”. An administrator would be able to easily enter this mode, and would not get any elevation warnings while in it. However, there would be constant visual reminders that the current mode is not secure. For example, the wallpaper and screensaver would change to contain a large, bright security warning. Also, the system would nag you about exiting this mode once every several hours. Some functionality that has security implications could also be restricted; for example, the browser would only allow accessing sites that have been explicitly marked as trusted. This mode would allow the administrator to quickly finish all the installations and configurations and revert back to the goodness of standard UAC.
In a future post I’ll discuss a particular feature of UAC which is Really Bad – Internet Explorer Protected Mode.