UAC should have been a Business class feature, not for Home Users

[Richard Urban]

Right. People who repair computers for a living just love it when consumers
click on an attachment they get in the email and install malware onto their
computer. 95% of computers users are NOT knowledgeable and need protection
from others, and from themselves.

It helps pay the rent.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User

 

[Hugh Wyn Griffith]

Because the only thing the 
system is interested in is if the user intended to start a program that 
would have full control over their computer.

PMJI -- I'm largely on your side on this discussion but I do feel that
what you say above is also the weakness of the situation:

(1) It is inevitable that human beings, whether the highly intelligent
ones like me or the normal users, will autorespond "Of course I wanted
that program to run; I would not have done what I did if I didn't"

(2) When you start to run an "untrusted" application it just asks if
you wanted this program, that you know where it came from, that you've run
it before (approximation from memory).

I don't see anything about full control over the computer or even why this
might be dangerous. Perhaps it is in the tutorials or guided visits that
everyone jumps over? <s>

I'm in favor of the concept of UAC and I recognize the difficulty of
making it a selective control that can be turned off by the "qualified"
user but at present it just disappears into mist like most nag screens.

I wish I could suggest a perfect solution .....

 

[Jimmy Brush]

You're right, it doesn't say anything about full control... I think they
should have thrown that in there somewhere. I assume the reasoning is that
they wanted to make the message as short as possible, and so they went with
"If you started this action, click continue".

That really does get down to the point, and is really the only reason the
prompt exists ... to make sure the user started the action, as opposed to
software.

That does make it seem like a nag screen, which is unfortunate (it is not
really a nag screen as it is not warning the user about what they are doing,
just making sure that they want it to happen).

99% of the time, the user will have started the action, and will continue.
And at first glance and by just by reading and thinking about that, it would
seem to make the prompt useless, as wouldn't the user get used to clicking
continue over and over.

But, after having used the prompting system for a while, I can tell you that
yes, i get used to clicking continue, but *only* when I expect to get a
prompt ... I notice *very much* unexpected prompts, or prompts from programs
that I don't recognize.

Here's why I think this works:

- The prompts hardly come up at all
- When they DO come up, users inspect them and get used to clicking continue
when they start that program
- Even with being used to clicking continue for expected prompts, unexpected
prompts still have that "stop!" effect

So, when an UNEXPECTED prompt comes up, it is *very* noticable to me,
because the only prompts that I click on are the ones that I expect.

For example, Adobe updater likes to throw up a UAC prompt randomly, and it
scares me every time it pops up... while I quickly dismiss all the prompts
that I expect to happen.

Of course, that might just be me, I don't know.

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Hugh Wyn Griffith]

So, when an UNEXPECTED prompt comes up, it is *very* noticable to me, 

I think the screen dim, that I've seen people complain about, is a
brilliant idea.

Do you know if UAC does have a learning curve -- after NN accesses it
will stop asking -- or will it go on flagging forever?

I ask partly because before replying to your message I thought I'd
better check the wording that comes up and it took me quite a few tries
on desktop icons that I reckoned predated VISTA and should be flagged as
non-conformist.

while I quickly dismiss all the prompts that I expect to happen.

That's what I see as the progression that is inevitable, and so
defeating the UAC

 

[Adam Albright]

You're right, it doesn't say anything about full control... I think they
should have thrown that in there somewhere. I assume the reasoning is that
they wanted to make the message as short as possible, and so they went with
"If you started this action, click continue".

That really does get down to the point, and is really the only reason the
prompt exists ... to make sure the user started the action, as opposed to
software.

For those that don't know or maybe haven't experienced it yet, there
are DIFFERENT nag screens with differnt color title bars and other
changes based on the "threat level" of any preceived security breach
to the system. Only one that really matters is red. This you can't
dismiss, there being no continue button to click through.

That does make it seem like a nag screen, which is unfortunate (it is not
really a nag screen as it is not warning the user about what they are doing,
just making sure that they want it to happen).

Like everytime time you turn the water on at your bathroom sink a neon
sign would flash saying don't forget to use soap then another one that
said dry hands afterwards and oh... don't forget to hang up the towel
and another sign over the toilet reminding you to put seat down. ;-)

The point there are WAY TOO MANY nag screens.

99% of the time, the user will have started the action, and will continue.
And at first glance and by just by reading and thinking about that, it would
seem to make the prompt useless, as wouldn't the user get used to clicking
continue over and over.

But, after having used the prompting system for a while, I can tell you that
yes, i get used to clicking continue, but *only* when I expect to get a
prompt ... I notice *very much* unexpected prompts, or prompts from programs
that I don't recognize.

That's the biggest design flaw. Prompts get ignored if they happen for
operations you do constantly. Its like crying wolf, people just ignore
it after awhile, so it's purpose is severely muted if not outright
defeated.

Here's why I think this works:

- The prompts hardly come up at all
- When they DO come up, users inspect them and get used to clicking continue
when they start that program
- Even with being used to clicking continue for expected prompts, unexpected
prompts still have that "stop!" effect

So, when an UNEXPECTED prompt comes up, it is *very* noticable to me,
because the only prompts that I click on are the ones that I expect.

Vista should be smart enough to ONLY come up when something unexpected
happens. Hint: According to the two main Microsoft engineers that
wrote the code behind UAC, that is how it is suppose to work. Duh...
remember we're talking about a computer. It should (can be) programmed
to learn and come to logical decisons on its own based on past
behavior.

 

[Richard Urban]

UAC is a user "aid" and will always depend upon the user applying some
thought before responding to a prompt.

It is no different that all the prompts that ZoneAlarm Internet Security
Suite throws up when run under Windows XP. If a user clicked on something to
initiate an action - accept. If a user "did NOT" initiate the action - they
had better not accept and say no. Something else is trying to control your
computer.

Common sense rules. Unfortunately, all too many people show a complete lack
of this god given talent when it comes to using a computer. I have a younger
brother, 59 years old, who should use a shoe box and index cards. Even then
he would screw up.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User

 

[Adam Albright]

UAC is a user "aid" and will always depend upon the user applying some
thought before responding to a prompt.

It is no different that all the prompts that ZoneAlarm Internet Security
Suite throws up when run under Windows XP.

UAC is VERY different than ZoneAlarm which uses a rules list and
remembers what you tell it. UAC keeps showing the same nag screen the
first time you try to do something it don't like or the 1000th time.

If a user clicked on something to
initiate an action - accept. If a user "did NOT" initiate the action - they
had better not accept and say no. Something else is trying to control your
computer.

Excuse me, the most serious of these have a red title bar and no click
through option. This is where UAC should have stopped instead of
trying to be a Net Natty and throw a fit for moronic things like
trying to delete a desktop shortcut.

Common sense rules. Unfortunately, all too many people show a complete lack
of this god given talent when it comes to using a computer.

Indeed. There often called MVPs.

 

[Hugh Wyn Griffith]

will always depend upon the user applying some 
thought before responding to a prompt.

True, but any psychologist, or parent, will tell you that repetitive
warnings breed contempt!

Sad but true. I can't think of a good solution.

 

[cquirke (MVP Windows shell/user)]

UAC is VERY different than ZoneAlarm which uses a rules list and
remembers what you tell it. UAC keeps showing the same nag screen the
first time you try to do something it don't like or the 1000th time.

The reason egress-monitoring firewalls can do that, is they can bind a
"allways allow this" to clearly-defined values of "this" - i,e, not
just the name of the file and where it is, but an MD5 checksum that
would change if the file were infected or replaced.

I don't know whether UAC has that level of awareness. If it is fuzzy
(i.e. spoofable) in terms of context (i.e. loose values for "this")
then that would be one good reason not to allow UAC alerts of a
particular type to set to "always allow".

The other reason why one may not want to allow UAC exclusions, is that
MS OSs enjoy far less "security by obscurity" than one particular
3rd-party firewall, and as such settings are likely to be stored
somewhere, malware can write itself a "blank cheque" once active.

We've already seen this effect with XP firewall, which gets clobbered
by several malware in ways that make it impossible to turn back on
unless the relevant registry settings are re-asserted.

It may be that the UAC team learned from this, and did not add a
setting to "always allow..." for this reason.


Just to be clear here: I'm not defending the design so much as
speculating why it might have been designed this way.

-- Risk Management is the clue that asks:

"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"

 

[cquirke (MVP Windows shell/user)]

Vista should be smart enough to ONLY come up when something unexpected
happens. Hint: According to the two main Microsoft engineers that
wrote the code behind UAC, that is how it is suppose to work.

See http://cquirke.mvps.org/exblog/natural.htm

That's mainly about WiFi, but the point of "Use hard scopes as natural
cover" is that modern OS design strives to dissolve such scopes - so
that the context of "the user is doing this interactively" is lost.

In the old days, features would be primarily accessible from user
interaction, then possibly exposed to automation, then later there
would be exposure to "remote administration" via network.

Often the end-point functionality would be reproduced depending on
method of access - interactive, code or network - making it quite easy
to block any one of these.

By the time you get to XP and Vista, the way of initiating an action
may be completely unlinked from the actions themselves. If you
capture an attempt to do something at the point that the action is
called, it may be impossible to deduce whether this was initiated
interactively, via code, or via network.

And remember; to be malware-safe, the above deduction has to be
unspoofably accurate.

That's one of the reasons UAC "stops the clock" with a modal dialog
box, greyed screen, and reset display state - to protect against faux
mouse clicks or keystrokes that might automate the "user" response.


The point of all the above is that the way UAC operates may make it
impossible to deduce whether the alerted operation was initiated via
user interaction, code automation, or network "administration".

-------------------- ----- ---- --- -- - - - -

Tip Of The Day:
To disable the 'Tip of the Day' feature...

 

[Adam Albright]

The point of all the above is that the way UAC operates may make it
impossible to deduce whether the alerted operation was initiated via
user interaction, code automation, or network "administration".

Take it back to the logical conclusion. Microsoft has waved the white
flag of surrender and now admits all prior versions of Windows were
major security risks and much of that was due to how Windows was
written including how many Microsoft developers, including those
inside Microsoft wrote applications. They further admit by deploying
UAC, they can't fix Windows to make it safer so they tossed the ball
in the user's court by flashing a simplistic warning; the UAC nag
screens.

The real solution would be to rebuild Windows from the grown up, 100%
redo and make it secure that way. That of course would cause a huge
chunk of their customers to run away screaming since little if any
current hardware or software would work in such a totally new from the
ground up radically different Windows. So Microsoft was stuck between
a rock and a hard place and picked UAC as a "solution". All UAC really
does is create the illusion of security in most situtations because we
all know 9 times out of 10 once a user, any user starts out to do
something, some nag screen he can click through isn't going to stop
him from doing what he planned to do in the first place.

 

[cquirke (MVP Windows shell/user)]

Take it back to the logical conclusion. Microsoft has waved the white
flag of surrender and now admits all prior versions of Windows were
major security risks and much of that was due to how Windows was
written including how many Microsoft developers, including those
inside Microsoft wrote applications. They further admit by deploying
UAC, they can't fix Windows to make it safer so they tossed the ball
in the user's court by flashing a simplistic warning; the UAC nag
screens.

Not really, no - IOW, the detail's different.

UAC is the consequence of trying to force a complex and inappropriate
security model derived for corporate use (NT) into consumerland, and
having the model largely ignored by users and developers alike.

Users (myself included) weren't interested in pretending to be
different employees with different job descriptions when using the
same PC that they own, and should have full access to.

The way that user accounts were initially presented to consumers in XP
"Gold" was arrogant; if you dropped rights to anything less than Admin
on an account, all settings for that account fell back to MS
duhfaults. The arrogance is expecting us to find these acceptable!

So users just carried on with one Admin user account, and as a result,
developers for this market (who were largely trasitioning to XP from
Win9x, just as wqe users were) saw no reason to bother with all this
"limited user rights" malarky either.

In short, consumerland flat out rejected MS's security model, which
meant that much of what had been designed in as "security" was simply
not operating in consumerland. All those "mitigations" like "a
malware would only have user rights, so if the user wasn't running as
admin, all malware could do would be trash your data" didn't apply


What UAC attempts to do, is bring the notional advantages of not
running as admin, to folks who are in fact ruinning as admin.

The idea is that developers can avoid user-annoying UAC prompts if
they write their software to be compatible with reduced user account
rights. The hops is that this time round, developers will do so,
given they've sat on their ass through 5 solid years of XP, so that at
the start of Vista, we're no better off that we were 5 years ago.

The real solution would be to rebuild Windows from the grown up, 100%
redo and make it secure that way.

Those are the dice that Netcape rolled with Gekko, when they decided
to drop the existing code base and start from scratch - and it nearly
killed them. The new netscape was late and buggy, and they've been
eclipsed by Firefox since. If that happens with a stand-alone web
browser, imagine how a full OS would spin out of control?

That of course would cause a huge chunk of their customers to run
away screaming since little if any current hardware or software would
work in such a totally new from the ground up radically different Windows.

Put it this way: If you think that Vista is large, slow, demanding a
high hardware specification, late to market, and beset with
compatibility issues... your approach would blow these out even more.

So Microsoft was stuck between a rock and a hard place and
picked UAC as a "solution".

Vista isn't just XP + UAC. UAC is just one particular component of
the solution set, and is actually a part of the compatibility
subsystem - which means it is destined to play a shrinking role in
daily life as the Vista platform matures.

It is a bridging technology, in other words... something like the PnP
wrapper for non-PnP ISA cards that gave PnP so much grief back in the
days of Win95's first release. Do we care whether ISA cards work with
PnP today? No. So should UAC be largely irrelevant by 2010.

All UAC really does is create the illusion of security in most situtations
because we all know 9 times out of 10 once a user, any user starts
out to do something, some nag screen he can click through isn't
going to stop him from doing what he planned to do in the first place.

They key here is "when the user starts out to do something". UAC is
there to catch things other than the user, that attempt to initiate
actions that the user had no intention of doing.

Yep, it will be Darwin take the hindmost", but no more so than "don't
open attachments even if from 'someone you know' unless certain they
are safe and a human sender really meant to send them".

I see UAC as annoying (especially when trying to clean up the AllUsers
Start Menu) but I welcome any attept to put the user in control of
processes automated by software, web sites, "content", etc. as a step
in the right direction, and a long overdue one at that.

--------------- ---- --- -- - - - -

Saws are too hard to use.
Be easier to use!

 

[Jimmy Brush]

Like everytime time you turn the water on at your bathroom sink a neon
sign would flash saying don't forget to use soap then another one that
said dry hands afterwards and oh... don't forget to hang up the towel
and another sign over the toilet reminding you to put seat down. ;-)

You still see UAC as a nag screen, as evidented by your analogy.

UAC doesn't care if you "use soap" or not. It only cares that IF YOU DECIDE
to use soap, that YOU are the one wanting to use the soap, and not some
malicious program that is using soap without your knowledge.

And I do very much hate it when malicious programs use soap without my
knowledge!

That's the biggest design flaw. Prompts get ignored if they happen for
operations you do constantly. Its like crying wolf, people just ignore
it after awhile, so it's purpose is severely muted if not outright
defeated.

Again, I disagree here, for the same reason that I mentioned earlier - when
I am not expecting a UAC prompt to happen (I did not initiate an action), I
notice it and stop it. When I do expect a UAC prompt to happen (I *did*
initiate the action), then I allow it to happen much more quickly and
easily.

This is what UAC is designed to do - to ascertain whether I started an
action or not. Nothing else. So, it works as expected, at least for me .

Vista should be smart enough to ONLY come up when something unexpected
happens.

If Vista could do this, then there would be NO POINT of prompting at all.
There would be no prompt.

The very reason that the prompt exists is because this is not possible.

The *only* thing the prompt does is determine whether you want something to
happen or not. It doesn't care (or even know) what exactly you are doing, it
is just making sure that you want it to happen.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

Do you know if UAC does have a learning curve -- after NN accesses it

will stop asking -- or will it go on flagging forever?

Forever.

UAC picks up on whether you are wanting a certain program to run elevated or
not. That is really the only thing it does, and it has to ask you every time
in order for this to be effective.

I ask partly because before replying to your message I thought I'd
better check the wording that comes up and it took me quite a few tries
on desktop icons that I reckoned predated VISTA and should be flagged as
non-conformist.


That's what I see as the progression that is inevitable, and so
defeating the UAC

Again, since UAC is only determining whether *YOU* initiated an
administrative action, I don't see this happening.

If I expect a prompt, it is because I initiated an action. UAC is designed
to determine if I initiated an action, and so this works out.

But, if I do NOT expect a prompt, then I did NOT intiate an action, and so
will analyze the prompt and be much more likely to click cancel.

Now, there is the possibility of a malware throwing up a UAC prompt for
itself when the user is expecting to see one for something else. This DOES
become a problem if the user stops reading UAC prompts for actions that they
expect will throw a UAC prompt, and is something that I worry about.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Hugh Wyn Griffith]

Oh well -- Nobody's perfect <g>

 

[Hugh Wyn Griffith]

UAC doesn't care if you "use soap" or not. It only cares that IF YOU DECIDE 
to use soap, that YOU are the one wanting to use the soap, and not some 
malicious program that is using soap without your knowledge.

I'd change your analogy slightly since what you write above is what is
infuriating especially when it also comes up when VISTA prompts you to do
something and then asks you if you want to. (I know it is still playing safe)

 

[Adam Albright]

Again, I disagree here, for the same reason that I mentioned earlier - when
I am not expecting a UAC prompt to happen (I did not initiate an action), I
notice it and stop it. When I do expect a UAC prompt to happen (I *did*
initiate the action), then I allow it to happen much more quickly and
easily.

This is what UAC is designed to do - to ascertain whether I started an
action or not. Nothing else. So, it works as expected, at least for me .


If Vista could do this, then there would be NO POINT of prompting at all.
There would be no prompt.

The very reason that the prompt exists is because this is not possible.

The *only* thing the prompt does is determine whether you want something to
happen or not. It doesn't care (or even know) what exactly you are doing, it
is just making sure that you want it to happen.

Then you not only disagree with me, you also disagree with the two
principle Microsoft engineeers that wrote UAC. View their 64 minute
interview on channel 9 and Learn.

 

[Swampthing]

--
Thanks from C-Swampthing.

I hate to say so MS, but your average joe, the person you are making UAC
for, is going
to do exactly what they are doing, that is turning UAC off.
Example, my mother is your basic Internet User. She just graduated from AOL
to
a normal broadband connection after me telling her for years how much better
broadband would be for her. She bought a PC that had Vista Home Premium on
it.
Suddenly dial-up became a major pain in the butt because Vista is geared
more toward a constant net connection. No problem there, I agree.
However, 2 days later she calls me up and asks me to put Windows XP back on
her computer.
When I ask her why, the response " I'm sick of the computer asking me
questions every 5 seconds. It didn't do it before. I have an anti-virus, a
firewall, and a anti-spyware program running. Why do I have to OK every
single thing I do?"
I tried explaining the benefits, but she would hear none of it. She has been
told by the Norton's and the AdAware's of the world that as long as she runs
their programs and practices safe netting that she is ok. So it was either
turn UAC off or install Windows XP for her, she was that serious.
And to be honest, I understand how she feels. In 5 years she has never had a
virus, has only had very light malware (Which SpyBot SD quickly removed),
and has nothing of hi-value on her PC for a hacker to have much interest in
other than family photo's of the dog etc.
My point being is that the average user who buys Windows HOME versions are
not going to WANT this elevated security, and as soon as they find a way to
remove it, they will.
MS should have made UAC a Business / Enterprise feature and left the
standard user and admin feature set of XP for the Home licenses of Vista.
I build PC's for a living so I know the problems that John Q Public can make
for their selves on a PC on the net with no protection. But simple education
and running the big 3 (Anti-virus, Anti-spyware and Firewalls) should be
more than enough to protect them. Now if they are stupid enough to store all
their financial information or work related trade secrets and not have the
"the big 3" then they certainly aren't going to tolerate UAC.



--
Thank you,
JD Wohlever

Techware Grafx
techware(dash)grafx(at)hotmail(dot)com

 

[David P.]

Have you tried TweakUAC. It suppresses the UAC prompts but leave the
underpinnings of the protection UAC provides intact.

 

[Chuck Walbourn [MSFT]]

Actually, UAC elevation is explicitly discouraged for Business and
Enterprise settings. Only home users should really be mixing up admin and
standard user tasks, with the majority of their daily work done as a
standard user. Businesses should have most of their users always running as
Standard Users and only have special admin accounts have admin rights.

Most of the pain of UAC goes away when applications are updated to work
correctly without demanding full admin rights (which they really do not need
99% of the time, and the 1% they do need can be done other ways). This is
obviously a long-term investment, but until UAC was on by default most
application writers would continue to ignore the inherent security risks and
not support the more secure mode (see Windows XP LUA). The Windows logo
programs are pushing vendors and applications to get updated, and over time
more of them will be. UAC elevation is still around to get old stuff to work
as needed.

There are things that can be done to the Windows shell experience to make
UAC easier, some of which were done in SP1, but mostly it's user habit and
lack of understanding that would cause a UAC elevation prompt to come up
"every 5 seconds". That's not to say teaching non-technical people technical
skills isn't difficult.