Microsoft plans to make several significant tweaks to the next beta of Windows Vista to make a key security feature less annoying to users.
In response to widespread criticisms that the implementation of the UAC (User Account Control) feature triggers too many privilege elevation prompt pop-ups, the software maker will make changes in Windows Vista RC1 (Release Candidate 1).
By default, current versions of Windows configure most user accounts as a member of the administrator group, giving users all system privileges and capabilities. This allows users to install and configure applications and make system changes, but it presents a serious security risk because malware writers could take complete control of an exploited system.
With the UAC feature, formerly known as LUA (Limited User Account), Vista separates standard user privileges and activities from those that require administrator access, reducing vulnerability to hacker attacks.
However, in its current form, the feature requires that users click on multiple security prompts before carrying out some basic computer tasks.
“There are simply too many elevations,” said Steve Hiskey, lead program manager for User Account Control in Microsoft's Windows Security Core group, in a blog entry announcing the plans.
In Windows Vista RC1, Hiskey said, Microsoft will make changes in the operating system to create safe scenarios for the Standard User account to accomplish tasks that used to require a privilege elevation prompt. It will also apply application compatibility fixes, called “shims,” for applications that need help running as Standard User.
Hiskey said Microsoft will also work with ISVs to update the applications that can't be shimmed and to design future applications so that the next generation of apps runs well under Standard User privileges.
One specific change outlined by Hiskey will allow a Standard User to “go get and install all critical updates” without being prompted to elevate privileges.
“The Admin and the Standard User could install updates and shut down in Beta 2, but they were not allowed to get them now without an elevation prompt. We didn't open up the Windows Update Service to be generically driven by a Standard User application to do this. For example, there will still be an elevation dialog to remove an update or to take update #1 and #3, but not update #2,” Hiskey said.
“We are also going through the OS and modifying functionality to take a non-elevating default. For example, in the case of the Public vs. Private network choice, the default choice will become Public to save an elevation,” he said.
“In Windows Vista RC1, Microsoft is going through the operating system point by point on each elevation to make a determination if the elevation is a bad elevation where we think the Standard User can safely accomplish the task. You should see significant improvement in RC1 in the number of elevations that you see,” Hiskey said.
In the end, Microsoft wants Vista users to “rarely see an elevation prompt,” or at least to fully understand why a privilege elevation prompt was triggered, he said. After the initial setup, home users “should only see OS elevation prompts when they do something that changes the system,” Hiskey said.
Based on beta testing feedback, Microsoft also expects to remove the consent prompt for administrators when deleting icons on the public desktop, he said.
The changes follow a scathing report from Yankee Group analyst Andrew Jaquith that the Vista UAC implementation will be “particularly problematic” for users.
“[Early] independent reports and notes from the blogosphere suggest that Microsoft's own Money program—as well as the anti-virus packages from Symantec and McAfee—are incompatible with UAC and will need to be rewritten,” Jaquith said.
“[My] testing of the December Community Technology Preview (CTP) build of Vista revealed that although the new security system shows promise, it is far too chatty and annoying for everyday use,” he added, noting that UAC blocks ordinary users from running the SafeDocs backup program that ships with Vista.
“Even simple tasks such as opening Control Panel applets required administrator credentials or consent,” Jaquith said, citing a complaint from a beta tester that UAC was “probably the most annoying thing ever invented…”
In short, Microsoft's mission is to use UAC to make user accounts with admin privileges safer by limiting access to sensitive system resources and functions by default, and by prompting for approval when performing admin tasks that require greater privileges. Now, it must get the balance between annoyance and security just right.