Microsoft's Plea: Don't Turn Off User Account Control

A senior Microsoft security guru is begging Windows Vista beta testers to keep the User Account Control feature enabled to help the company diagnose application compatibility problems.

A Microsoft security guru is pleading with Windows Vista beta testers to not turn off the User Account Control feature, regardless of how annoying it is.

Jesper Johansson, a senior security strategist in the Security Technology Unit at Microsoft, admits that the current implementation of UAC presents too many privilege escalation pop-up prompts, but he insists there is a method to the apparent madness.

"Unless we get feedback on what works and what does not, we can't fix it. If you disable critical technologies that we are trying to get to work, we can't fix them," Johansson said in a blog entry. "That means that, yes, some things will be annoying and not work quite right in the final release, unless people work with us to fix them," he added.

With UAC, formerly called LUA (Limited User Account), Microsoft believes it has significantly changed the malware threat landscape by limiting the way malicious code runs on the operating system.

By default, current versions of Windows configure most user accounts as members of the administrator group, giving users all system privileges and capabilities. This allows users to install and configure applications and make system changes, but it presents a serious security risk because malware writers could take complete control of an exploited system.

In Windows Vista, UAC will separate standard user privileges and activities from those that require administrator access, a modification aimed at thwarting virus, spyware, Trojan and rootkit attacks.

However, in its current implementation, UAC requires that users click on multiple security prompts before carrying out some of the most basic computer tasks.

Faced with the reality that Vista beta testers are turning off the UAC feature in frustration, Johansson is pleading for some support. He explained that Microsoft is using crash dumps from the OCA (online crash analysis) error reporting tool to pinpoint legacy applications and other programs that are not UAC-compatible.


"UAC allows us to quickly spot all the broken apps out there so that we can either shim them to run as nonadmins or get them fixed. This latter is at the same time the most subtle and arguably most important of the things UAC does. It is also in many cases the most obvious, and the reason many people want to turn UAC off," Johansson said.

"By doing so, they allow applications with fundamental design flaws to still work, reducing the pressure to actually fix those applications so they work as nonprivileged users, as most of them should. None of this will work unless Vista users actually keep UAC enabled," he added.

"Going out with statements like 'this is the worst feature ever' and 'I already disabled it and will never re-enable it' based on unfinished beta code is simply silly. Why not instead realize that allowing people to run as a nonadmin is one of the most important things that can be done when it comes to protecting your system, and that it won't happen if the only people trying to get it done are a few program managers at Microsoft?" Johansson argued.

"If you find prompts that are absolutely egregious and need to go, send us feedback on that. We need to know," he added.

In future beta versions of Vista, Microsoft plans to make tweaks that will also apply application compatibility fixes, called "shims," for applications that need help running as Standard User.

At the recent TechEd conference in Boston, Microsoft security chief Ben Fathi told eWEEK the company is also considering automatic shimming for legacy applications that may never be changed to work with the default UAC settings. "There are line-of-business applications that will never work with UAC for a variety of reasons. Maybe they don't have the source code anymore or the person that wrote that code is gone. There are hundreds of these applications out there," Fathi said.

In addition to UAC, some of the main security features in Vista include ASLR (Address Space Layout Randomization), Windows Service Hardening, mitigating buffer overruns with hardware protection, kernel patch protection, and mandatory driver signing. Vista will also include network access protection, easier smart card deployments, and various technologies to protect against malware and hacker intrusions.
