Hello,
I think many expert-level users (especially us programmer types) misread
UAC. We tend to think of it as protecting us from ourselves.
"WHAT? What do you mean DO I WANT IT TO RUN! I *clicked on it*, jeez!
*smack* Stupid computer..."
So ... you want to know why these annoying, useless prompts are a good
thing. OK, let me give it a shot.
I will try to explain what made UAC necessary and what UAC does to fix the
problem, and I hope that will best explain to you, as a technical person,
how it is a good thing.
Many moons ago, in the olden days, long before Vista, there were architects.
And these architects decided that there shall be security in the operating
system implemented in the form of PRIVILEGES.
Performing actions (such as changing the system time or accessing a
resource) on the computer shall be a privilege. And rights to perform
privileges shall be assigned to USER ACCOUNTS. And user accounts shall be
the ONLY THING to which privileges may be assigned.
Now ... there needs to be some way for the phsical USER logged in to a user
account to actually USE those privileges.
To do that, we need APPLICATIONS. Users shall use their privileges by
running and interacting with applications. In fact, applications shall act
as the user's complete and total proxy. All actions performed by an
application shall be assumed by the OS to have been initiated and performed
by the user.
And, since the USER ACCOUNT is the only thing that is assigned privileges,
ALL APPLICATIONS THAT THE USER RUNS shall inherit the privileges assigned to
the user account, so that the user may use the applications that they run to
perform any action that they are allowed to perform.
And so, it was. And for a time, all was good in the world.
Until, one day, terrible applications were created. These applications did
not consume the privileges assigned to the user account ON BEHALF OF THE
USER, as intended by the design of the system ... Instead, these vicious
programs used the privileges of the user FOR THEIR OWN MALICIOUS PURPOSES.
They evaded user detection and control, took control of the computer AWAY
FROM THE USER, and generally interfered with the normal operation of things,
preventing the user from working with the computer in the way that was
intended.
These horrible programs even talked to and convinced the system and other
non-malicous programs to carry out their terrible deeds.
Suddenly, applications could no longer be trusted to be a good-faith agent
of the user. And a dark age was entered. E-mail attachments were fearfully
deleted, screensavers suspect, and a billion dollar industry was created to
scan for, detect, block, and remove known malicious applications.
ENTER UAC (User Account Control)
"Something has to be done!", cries the architects. Applications aren't
fitting the role we designed for them, they are breaking our model!
Applications *MUST* be controlled by USERS (UAC), not the other way around!
And so the architects changed the security model in two main ways:
1- The system now ENFORCES that applications are, IN FACT, carrying out
privileged actions at the request of the user.
In UAC's current form, this is expressed as the infamous UAC prompt. The
system is saying, "Hey, this program says that *YOU* are trying to do
something that could damange the computer. What's the deal here, is this
true?"
This isn't to protect you from YOURSELF. It is to protect you from
applications that run on your computer (whether you started them or not). It
protects you from malicous applications that may execute without you
knowingly starting them. It ALSO protects you from malicious programs that
try to run other programs to take control of your computer.
This is why you can't "trust" a specific administrative application such
that it doesn't prompt; if you could, malicous applications could use those
trusted programs against you.
Right now, the UAC prompt is the *only* way the system can tell that YOU
started an action.
Remember, the system is architected such that it assumes that all programs
are carrying out your actions. Programs act as YOUR proxy, and the system
has no way to differentiate between your actions and applications' actions,
since to the system, these are the same thing.
The only way it can be 100% certain is by asking you.
A common question that creeps up at this point, especially from developers,
is "The system knows when I click my mouse button to start a program - why
does it need to prompt?"
This is a partially incorrect statement. Yes, the system knows that you
clicked the mosue. But the system DOES NOT KNOW that you intended to start a
program.
Remember, APPLICATIONS control how you use your privileges, NOT the system.
The system forwards your input (mouse clicks and whatnot) to APPLICATIONS.
Applications are like a black box to the system - it has no idea what an
application will do with the mouse click. It doesn't know whether a mouse
click will end up deleting a file or sending an e-mail. This is why it must
ASK YOU if an applications request permission to do a privileged action, if
you actually intended for it to do so.
2- The system now allows you to control HOW MUCH of your privileges each
application is given
The system now recognizes that all applications that you run do not NEED to
use all of the privileges assigned to your account. This creates a much more
secure environment, where code that runs only operates with as much
privilege as it needs; this prevents the code from causing as much damange
if it misbehaves and protects against programs using other programs to
escalate privilege.
I think everyone recognizes that internet explorer does not need to be able
to format your hard drive. IE isn't a tool that the user can use to format
the hard drive; hence, there is no logical reason that it should have this
privilege, EVEN THOUGH THE USER MAY BE ABLE TO PERFORM THAT ACTION.
This idea of least-privilege code is a very powerful concept.
Unfortunately, as discussed previously, Windows has always assigned
privileges to users, and has always assumed that all applications running
inside of the user account have the same privileges.
As a result, Windows is not architected to enforce seperation of privilege
between applications, and it is possible for an application to escalate its
privilege to that of a higher privileged application running on the user's
desktop just by talking to it (this is known as a shatter attack).
UAC prevents this type of "shatter attack" by isolating different privileged
applications and preventing them from talking to each other. This is a
stepping-stone solution (and is more of a hack than anything), however, as
Windows really needs to be re-architected in order to natively support this
seperation of privilege.
I imagine that this is why Mark Russinovich put an exclamation point next to
this fact - because UAC does not "replace" the security/seperation of
privilege between USER ACCOUNTS, it ENHANCES IT and in fact *RELIES* UPON IT
in order to function correctly.
If you have a user that shouldn't have an admin account, but give them an
admin account thinking "well UAC is on it doesn't matter" - this is
INCORRECT and a very INSECURE decision.
Admin accounts are STILL admin accounts, UAC does not change this!
.
However, if all user accounts on your computers are assigned the appropriate
privileges (your users are users, and your administrators are
administrators), turning UAC on greatly enhances this security by further
allowing discrimination of privilege to APPLICATIONS based on 1) if the
application needs a privilege and 2) if the user wants the application to
have a privilege.
Wow, this turned out to be a long post, I hope it really gets at the the
core of UAC - why it exists, what problem its solving, etc.
I want to really push that UAC works to extend the seperation of privilege
that already exists between user accounts.
A user should be assigned only the amount of privileges that they need;
AFTER that distinction is where UAC lives, and it further EXTENDS and
FLESHES OUT this sort of concept, by only allowing applications to use the
amount of privileges that they are designed to use.
And if those privileges happen to be "administrator"-level privileges, UAC
confirms that you intended to execute an administrative action when the
program runs, to protect against programs that would use your privileges
against you.
In short: UAC really does give you CONTROL over your computer. That is why
you should leave it on - because turning it off is really giving up A TON of
control over what happens on your computer.
It's not about protecting you from yourself - it's about the system trusting
YOU (over applications) to decide what happens on your computer, rather than
trusting applications and ignoring what you want.
This is a really exciting concept. Right now, UAC is primarily only
concerned with administrative vs. non-administrative applications, and
relies on a prompt to tell if you are expecting an administrative action to
occur.
But, I can easily see a future where the prompts are not necessary and the
discrimination of privileges assigned to applications is MUCH more granular
than admin vs. non-admin.
--
- JB
Microsoft MVP - Windows Shell/User
Windows Vista Support Faq
http://www.jimmah.com/vista/