Details on Refining Vista's User Control

borgboy writes "Windows Vista has gotten a lot of negative press recently following the release of the latest beta, especially regarding excessive prompting for privilege escalation for seemingly common activities. On his blog, Steve Hiskey, the Lead Program Manager for User Account Control in the Windows Security Core group, details what the issues with the excessive prompting are, what the design goals of the feature are, and how they plan to achieve them. Briefly - they know the excessive prompting is a royal pain, they know that have to reduce it to an absolute minimum to be both productive AND an effective security risk mitigation measure, and they want as much feedback as they can get on the beta."

malware safeguards

As a result, Windows cannot tell if YOU launched the application or if malware launched the application.

So what's to stop malware from affirming the prompt? It isn't even a hurdle.

Re:malware safeguards

the prompt appears on a sparate desktop, it's HWND isn't retrievable by any application, and the regular keyboard message pumping mechanism is bypassed.

unfortunately, this breaks the brilliant synergy2 [sourceforge.net] tool temporarily...

Here's how to delete a file on Windows Vista

Just a few clicks away
http://www.flickr.com/photo_zoom.gne?id=151250154& size=o [flickr.com]

SAme as in OSXs early days

Mac uses have gotten used to the authorization of petty procedures by now but it was a real nuisance in the beginning, some five years ago. Software developers have gotten used to it also and have written better installers that don't require multiple instances of authorization, or any at all, installers that installs in non restricted areas and so forth. I think these issues will pass with time for Vista users too. In the mean time, they really shoud take joy in the fact that malware will be increasingly scarce on the platform.

Re:SAme as in OSXs early days

No, this isn't even close to be the same. Vista asks you for confirmation of nearly everything you can possible do on the computer. At no point did OS X do this. While *installation* of applications have always asked for confirmation, and access to your Keychain has also, pretty much nothing else does. Vista, on the other hand, is about a gnat's hair away from asking you to confirm "Did you really want to click?"

I've used the beta. It's awful. The usability of the file "explorer" is atrociously convoluded. It makes it even more complicated to know what's going on that XP did. And, to keep this on topic-- the security measures are astoundingly invasive. Vista seemingly asks you to confirm the same type of function, triggered in the same way, but by different applications. Look, if I want port 80 HTTP requests to go through, I want them to go through all the frickin' time. Don't make me repeat myself. (Yes, this is only an example but it's indicative of the process you'll go through time and time again.)

Maybe it's the horrible presentation of the dialogs that does it? They offer ZERO information about what *application* (in English instead of seemingly random strings of letters and numbers!!!!) wants your attention. It also offers no real understanding of what is being asked of you. Microsoft, for all they did correctly with the xbox 360 interface, needs to learn how to design a dialog. Here's a fine example:

I open a jpeg file or some other seemingly harmless thing. I get a security alert box that unnecessarily shares the shit out of me with it's inappropriate use of iconography. It says something incomprehensible like this:

Application gobbleygook.exe is attempting to access suckit.dll. Do you want to want to allow this? (This is considered a minor threat.)

Oh. Great. So some EXE with a name I don't recognize wants access to a DLL (what's that-- hahaha?) that I also don't recognize. Now that I'm completely lost, Windows tells me this is not that much of a threat and I can probably click "allow" for the application I don't know to open the dll I don't know to do some task that I have no clue to what it's purpose is. Super.

I'm trying to make a point by being a bit funny about this-- but Microsoft really needs MAJOR improvement to this process. First, don't assume everything is a threat and scare a user into confirming something that is not needed. Second, improve the presentation. Third, figure out how to discen between Malware and your own software!

Re:SAme as in OSXs early days

Well, Apple required everyone to rebuild their applications for OS X, and when they did so, they fixed all the stupid single-user assumptions. Which is great so long as your apps were ported to OS X.

Windows, on the other hand, has hundreds of thousands of apps that expect to be administrator. The software companies don't want to fix them, and Microsoft doesn't want to break them.

So MS defined a middle ground -- annoying prompts which you can't get rid of. Since there isn't a special security level which hides the prompts. presumably people will complain to the software authors and the software authors will fix the apps. And if they don't fix the apps, at least the programs will still run.

Considering

That every new iteration of Windows I've used I have hated more than previous, I doubt that any amount of refinement is going to keep me from hating Vista. But we'll see.

Of course if the j-o-b foists it on us anyway, at least there will be the necessary hardware upgrade at long last...

Re:Considering

I kind of disagree. For me, it was more of a parabola. I hated Windows 3.1, hated 95 less, 98 even less, 98SE I had contempt for, and then the peak is Windows 2000, which was the most Stable and least-resource hungry. Then ME and XP were released... XP maintains some of the stability but they wonked up a ton of little things. And it looks like Vista is just stacking more 'stuff' on top to annoy me.

I think why I liked 2000 so much was that it was NT done right, a well written and stable OS without a lot of clutter. I think that if Vista really was a new OS, not just enhancements to their existing codebase, then we'd be okay with it.

I think we'll have a 2000-like resurgence in a good Windows when a Windows OS is released as a managed code OS. until then I'll keep dreaming.

It's Still In Beta Folks!

Tough crowd here at Slashdot. We all know it's going to suck, but at least let them release it first before you criticize. Seriously though, it is just a beta and not the end result. They're looking for feedback to make improvements and thats a good thing.

http://religiousfreaks.com/ [religiousfreaks.com]

Re:It's Still In Beta Folks!

Yes, it's a tough crowd here at Slashdot.

Some people here still expect beta to mean beta, which is conventionally intended to identify bugs in an otherwise stable product. A beta release is not, as you suggest, an invitation to change the feature set, though that has never prevented Microsoft from bending the rules at its convenience.

To be charitable, I can imagine that with this Vista beta, the codebase might indeed be as stable as what we ordinarily expect from a beta release, and so what we're looking at now is just a matter of tuning the configuration parameters so that it prompts at the right thresholds. And, on the principle of security by default, the system will initially tend toward maximum prompting. However, thinking more soberly, a secure system will have fully addressed these issues at the design level, and prompting will not be excessive but appropriate and meaningful. If it's not, that's a clear sign that the design has deeper problems than can be fixed just by changing the prompting parameters. Pardon my cynicism, but in my experience, that would be entirely typical of Microsoft.

Definition of beta at: Wikipedia [wikipedia.org].

For usability see: Whitten and Tygar [usenix.org].

Re:It's Still In Beta Folks!

Yes, it's a tough crowd here at Slashdot.

You give yourself too much credit. Slashdot's not a tough crowd at all. Slashdotters generally hate Microsoft, that's all. Those companies that Slashdot favors can put out utter crap and get unqualified praise from slashdotters.

Re:It's Still In Beta Folks!

I don't think posting "lololololol!!!1! M$ suX0rz, Linux r0ck0rz!!!111!!" to slashdot counts as feedback.

su - ?

I just read this article last night and remember reading about having to keep entering the admin password.

Why can't they set it up so when you open control panel, you have to enter the root password (like opening yast as a non-root user in suse and the like) and then you're essentially su'd until you close control panel, or I suppose you could time it out, so after 10 minutes even if the CP is open, you will have to re-enter the password if you click on a little icon in there.

From reading the article, I did follow the link to the article, putting in your password that many times will drive someone insane.

Market Forces?

Reminds me of talking cars. Users ask for an easy to use operating system without it getting in the way. Users complain about security issues. Users ask for a more secure operating system. Users complain about the OS getting in the way. Microsoft's response? You can't have your cake and eat it too. It sounds to me like their security implementation isn't half assed and that they realize that the closest you get to a totally secure machine is one that isn't turned on and has never been used. Their implementation therefore is going to cause some "Yes You Can Do That" "yes" "yes" "yes you can" headaches.

The prompting is not annoying

It's the greatest feature in vista.

This ensures ALL users and majority of services are running UNPRIVILEGED, which means viruses/malware/etc can't do jack shit to the system.

This is great - try going to c:\windows and creating a file there or a new folder. Boom, UAC dialog. Why? Because normal users don't need to do anythign in C:\windows! But, you say, what about when apps are installed? Well, I went and installed Office 2007 Beta2.
The privilege dialog came up TWICE. Once at beginning install and another time a few seconds later. That wasn't much bother at all. And now I can go back to running it as a unprivileged user.

When vista final is released, it will be the most secure windows release to date.

It's all about the registry

Anytime you install a program, it has to change the registry. You want to see a video encoded in a new format? Ah, you have to register the format and the codec - and there ya go, you have to change the registry. You want to associate a new filetype with a program? There ya go, you have to change the registry.

Sometimes I wonder - rootkits use stealth techniques to intercept registry calls. Why doesn't microsoft use the same rootkit approach to "cage" the registry into the directories used by the programs you install, and let the programs only use their caged registry? That way programs would only need access to their own caged directory and maybe a temporary or data directory.

IMHO, the registry was the worst idea Microsoft could have come up with.

getting there...

beta 2 is much better than previous CTPs which were almost unusable - I had to turn off UAC to preserve what's left of my hair.

there's still some core OS UI that's not UAC-enabled, though. for example, you can't fully configure network connection settings without running running explorer.exe elevated.

Wow. All this time, and it's more of the same.

The issue here is extensibility of Windows. Windows prides itself it on being pluggable and extendable. For example, to facilitate the accessibility extensions, Windows needs to be able to send keystrokes on the user's behalf so that a Windows user can talk to an input device and have that be translated into keystrokes that drive a dialog or type an email message. This also allows interesting and useful scenarios such as "show me how" buttons inside help dialogs.

However, that means that malware, running as a Standard User, can download an administrative application, and send keystrokes through Windows to simulate the user invoking the application. As a result, Windows cannot tell if YOU launched the application or if malware launched the application.

So they're *still* designing insecurity into the system because they place a higher priority on the "extensibility" that lets applications do things the user isn't expecting them to do.

Once that is true, we can then move to educating the users to know that "good" elevations are ones that they initiated and "bad" elevations are ones that suddenly appear without their explicit action.

And they're still relying on Grandma logged into her AOL account as the last line of defense.

Have they learned nothing?

Sorry, that was rhetorical.

Easy fix

One solution is for developers to write applications that don't need to be installed, nor run as, the Administrator user. Of course, that is if Vista was designed to allow applications to run properly as non-admin.

Whose computer is it, anyway?

I read the article's justifications. And I don't doubt that the number of elevation prompts seen in 'normal' usage will decrease as the betas roll on, to a number that most people will just learn to live with.

But I can't shake the feeling that their idea of increased security is, "WE decide, case by case, what operations are safe for you to do on your computer." Especially with sentences like this: "The hope here is that the user won't need to launch many administrative applications." Or, "Why can't my child run the anti-virus checker?" "They're not supposed to."

Sounds to me like by the time Vista goes gold, Microsoft will have successfully determined what set of operations we should be allowed to do with our computers to make the system somewhat usable by MOST users, MOST of the time.

Does that sound scary to anybody else? PC's with Microsoft OS's are becoming more and more like appliances with just a fixed set of day-in, day-out tasks, e.g. media center, gaming box, office productivity tool.

Fine, then. If that's all people want, I guess they should have an OS that conditions them not to do stupid things. The good result of this might be that Microsoft OS's will be even less desirable for people who still want to use a PC as a tool for exploration, research, and hacking. The bad result will be that, if M$ stays ubiquitous, fewer and fewer young people will even realize that that's what PC's at their best can be.

Is Indexing a Security Breech?

A big feature touted in Vista is the Instant Search feature. Will it become a new security hole?

If it can search and index file contents, then it has full access to my data. If access to that index or search feature is insecure then it's taking control of my data out of my hands and giving it freely to others. Why should applications need to access files that I created but which I haven't explicitly opened for their use?

Will the security be in place in both the API and data storage files so that instant search won't just become a new way for malware to quickly focus on the data it wants (e.g. Credit Card or Social Security Numbers)?

Security Rope-A-Dope

While Microsoft has everyone screaming bloody murder about all these security prompts - keep this in mind: It's probably an intentional distraction.

Very few folks seem to be analyzing and criticizing the other 99% of this operating system. Keep focusing on this security-prompt-red-herring, and we'll fail to uncover the real turds before it's too late.

Don't prompt each time

The point of UAC is to make sure the user has to authorize any actions that need administrative privileges. So address the authorization instead of the actions. Do what my Debian box does when programs need root privileges. When I run a program like that from my normal user account, a wrapper prompts me to enter the root password or abort the operation. If I enter the password and it's correct, root credentials are added to my keyring temporarily and the program can run as root. As long as those credentials are on my keyring, any other programs that need root access can run without prompting. If the credentials remain unused for more than a short time, they're removed from my keyring and any programs after that that need root privs will cause a prompt again. This makes sure I have to manually authorize root access, but that I don't have to keep answering repetitive prompts. It doesn't require any fancy tuning of which actions prompt and which don't, at most it only needs tuning of how long root credentials remain on the keyring which is a lot simpler.

Typical Microsoft, crafting the most complicated solution to the problem.

I will handle it just the way...

I used to deal with UAC before [bungie.org]. :)

Metaphor for the NSA?

Does anyone else see this as being a metaphor for (or at least, highly parallel to) the huge beaurocracy of the NSA: an organization designed to have the appearance of being "tough on security", but actually being costly and inconvenient while affecting real security very little?

this crowd is ridiculous

i have dealt with some difficult customers, but this slashdot crowd right now is just utterly ridiculous. there are a few that are willing to go against the grain and give vista a chance before dismissing it entirely, but the vast majority of the slashdotters lately are as close-minded and biased as any group i have ever seen. if MS adds a feature that you all love from another OS or application, they are copying. if they don't add it, they are behind the times. if MS tries to beef up security, they are doing too little too late, and it probably won't be effective anyway. if they don't try to beef up security... well i think you know what you all think of that. if MS releases a patch for IE, it is yet more proof that their software was flawed in the first place. if they don't release the patch, they are too slow to react to security threats, and are failing their users. this is the best one, and it happened just like this, a few posts up... if they open up to a beta group and ask for suggestions, they are skimping out on doing actual work and getting us, the computer elite, to do their design for them. if they don't open up to a beta and take suggestions, they are ignoring their users. i could go on, but i think you catch the drift. i get it, you guys hate MS. i thought this was a forum for open-minded people to share ideas and learn from each other, but if you want to just sit around and play target practice on a company that you have decided a long time ago that you will hate for life, then i might just have to give up on getting any more actual insight from reading the comments on slashdot, particularly on MS related stories.

Re:this crowd is ridiculous

LOL
Your post is spot-on, but what do you expect from a site that uses a broken windows icon for Windows stories and a Gates-Borg icon for Microsoft stories? These are the only topics on this site whose icons contain editorial spin of any kind (and that spin is derragatory, of course). This site really doesn't have any credibility whatsoever when it comes to Microsoft stories. Sad, but true.

Re:this crowd is ridiculous

i have dealt with some difficult customers, but this slashdot crowd right now is just utterly ridiculous. there are a few that are willing to go against the grain and give vista a chance before dismissing it entirely, but the vast majority of the slashdotters lately are as close-minded and biased as any group i have ever seen.

What exactly do you think all these Vista articles are about? They are discussions of what MS has done, what they have right and what they've screwed up. If you see a preponderance of what they got wrong, well that is partly human nature and it is partly because MS has gotten a lot wrong lately and not so much right.

if MS adds a feature that you all love from another OS or application, they are copying. if they don't add it, they are behind the times.

Both of the above are true. Are you implying copying is a bad thing?

if MS tries to beef up security, they are doing too little too late, and it probably won't be effective anyway.

What!?! This is a discussion about such a security feature, and one that a lot of people are having problems with, which MS acknowledges and has asked for feedback on. So you think discussing why it has problems is somehow biased? Facts aren't biased, your opinions of them might be. MS implemented more strongly user level security, something other OS's have had for a long time. A lot of it, they have done less well than other OS's which is what is causing a lot of the problems. The alerts are too frequent due to architectural decisions and some poor decisions in the implementation. The UI is terrible and a huge hole in this security. Pointing this out is a good thing and it lets MS know where to start fixing things.

if MS releases a patch for IE, it is yet more proof that their software was flawed in the first place. if they don't release the patch, they are too slow to react to security threats, and are failing their users.

There is a right way to handle vulnerabilities and exploits, but MS neglects it in favor of the most profitable way. They deserve to be taken to task for that.

f they open up to a beta group and ask for suggestions, they are skimping out on doing actual work and getting us, the computer elite, to do their design for them. if they don't open up to a beta and take suggestions, they are ignoring their users.

They certainly should ask for suggestions, but at the same time, due to some of their very unethical business practices, a lot of people would rather not help them. Where's the conflict?

i could go on, but i think you catch the drift.

I do indeed. You claim people here are close minded, but all of your complaints amount to people stating facts as they see them and having different opinions. That sounds like the opposite of close minded to me.

i get it, you guys hate MS.

Most people who love computers have a strong dislike for MS. They have single-handedly done more damage to the industry than anyone would have thought possible. People in the industry see that and are forced to deal with the consequences. That has nothing to do with this discussion of how they implemented a feature, other than whether or not some people are willing to provide them with helpful feedback. If you want to take issue with someone's opinion here, go ahead, but actually address one. Don't whine that people don't have the same opinions as you, or they have unspecified things to say that you don't like.

i thought this was a forum for open-minded people to share ideas and learn from each other, but if you want to just sit around and play target practice on a company that you have decided a long time ago that you will hate for life, then i might just have to give up on getting any more actual insight from reading the comments on slashdot, particularly on MS related stories.

Since you don't seem to have any insightful or even useful opinions about the discussion, maybe we'd all prefer it if you did ta

Microsoft Beta's

I know Vista is in Beta but when I beta tested Windows 2000, there were alot of bugs in that beta.
I emailed Microsoft with problems with Windows 2000. It was a really nice, long email.
They sent me a nice email back saying that they will look into the problems that I had found out,
And guess what they never fixed them. The same issues were in the final release that were in the beta.

 

the Lead "Program Manager"

the Lead Program Manager

Program Manager? I thought we got rid of that thing after 3.11?
Well, I think I've heard enough.

I think I know why there are so many

In Windows, even simple actions require accessing TONS of DLLs. I imagine that MS simply set up Vista to ask for "authorization" EVERY TIME a "privileged" DLL needs to be accessed. Obviously, that gets out of control.

They need to figure out a way to make it so that you authorize certain ACTIVITIES, instead of every individual executable that activity requires.

Of course, that's damn hard, because of the way Windows is designed.

Personally, I don't find the dialogs that bad, and if it can keep people from doing STUPID stuff, I'm all for it.

silent elevation

From the blog:

The problem with marking Windows binaries to "silently elevate" is that we feel it will lead to "worms" or self propagating malware.

Marking "silent elevator" should require administrative privilege, so what's the problem?

Unix has this for years, that is called "setuid root". This is extremely useful.

Also, it's very easy to have a knob to allow all signed applications to do silent elevation. Much cleaner than developing hacky shims.

Is it wrong to WANT Vista to suck?

I don't want Vista to succeed. I like that when people use GNU/Linux, they're reminded that it feels good to share and collaborate. I like that it also makes people start questioning patents, excessive copyright, fair use circumventions, etc. So even if people end up liking Vista, that would feel like a step backward for me because it moves people further away from open-source software.

I wonder when I became an idealist...

Giving it a chance..

I'm all for giving Vista a chance. I'm one of the people that think if there were no such thing as dishonest people, and no such thing as viruses, most Windows OS's would be superior to most of what's out there. I know, that's dangerous to say on Slashbill, err, I mean Slashdot, but there it is.

At the risk of sounding like a broken record, I really really wish people would stop acting like the beta is finished code, and complaining about it. A simple "Sheesh, I hope they change / fix that!" turns into " Omfg look at that crap they put in there! were all doomed!"

I really need to stop trying to play the devil's advocate around here, fucking holier then thou zealots are going to kill my karma.

Is Microsoft going too far?

Why on earth would any sane person knowingly allow a computer program to impersonate themselves or others? My gut feeling is that MS and other software mfg want more control of MY and YOUR computer without us knowing it. It wouldn't surprise me if elements of the Vista allow MS to search your computer for bogus copies of MS software and software from other companies without us knowing it. MS could sell this service to other companies (i.e. music industry, publishing industry with e-books). And how about marketing companies want to know your buying habits. Remember that the OS has unrestricted to your drives - and the Internet. This becomes a serious concern as more home users become hard wired to the Internet 24/7 with fixed IPs. Think about it. Why would a home user need all this sophistication? And forget about worrying about a family member (i.e. kids) updating windows. Most family members who are online have their own PC - $700 is all it cost and no one has to fight for a turn on the Internet.

Security Hole == Windows Message Pump

What everyone seems to miss is that the fundamental flaw, which the blog author alludes to, is Microsoft's desire to allow applications to masquerade as the user and send messages via the Windows message pump (via SendMessage() etc).

The real flaw is that MS is maintaining a design decision that was made back in the days of Win3.1: there shall be one method for structured message passing (the message pump) which will cover user input, application IPC, system notifications, clipboard copying, window redraw requests, etc. This message pump is built into the core threading model for the OS (many other windowing systems have this too, it isn't just Windows).

Since there is only one front door, user input uses the same facility as everything else, and it becomes impossible to tell if the user pressed the "A" key or if an application sent a KEYPRESS message.

One solution is to have OS-enforced segregation between these types of input, and force multiple input channels. The mouse and keyboard (and other legitimate devices) get to use the "user input" channel, and other apps get to use a different channel.

But Microsoft doesn't want to do this because they want to enable Bob-style guided interactions with applications, where the target application can be automated/scripted without its knowledge. Changing this also has huge backward-compatibility issues---basically anything built for pre-Vista windows must be modified and rebuilt.

So MS is talking security, but this is a case where market footprint and backward compatibility are fighting with security---and ease of use is caught in the crossfire. A first for MS.

Wrong way about to solve the problem

What we need is not 100 dialogs verifying if we really really really want to delete or execute something. What is needed here is an internationally recognized license to operate a computer. That is right, a license to operate a computer, just like we need licenses to operate a vehicle. Damage done by improper use of a computer nowadays is pretty extensive. A license would filter out part of the core problem allowing them to focus on fixing the other part, making the actual OS secure and not just slapping these dialog hacks. I'm only half joking.

I remember when *NIX had this prob. (NOT)

FtTP (From the Third Paragraph):

Therefore, I would like to take a moment and discuss the issue and give some details on what we are going to combat the problem.

Where do want microsoft me drag today? [catb.org]

This guy is clearly cracking under the pressure. I never understood people like that. Steve, if you read this, just tell Gates he is a Fscking crook and a moron in front of a room full of people and stroll out proudly. Every gasp you hear will be a gasp of respect.

SUDO

Hang on, Isn't this place over-ran by Linux fanboys? Isn't this just the windows version of 'SUDO'? I run Fedora and it often prompts me for the root passwd to do things. How is this different?

Beats running as non-admin on XP

What they are doing beats running as non-admin on Windows XP. Which is basically the only way to be secure as the Windows core was engineered correctly while the apps were not.

Most Microsoft apps actually run correctly when you are not an admin because Microsoft sells to large companies which are mostly locked down, but 3rd party apps are horrible. There's no way a regular user could set up all his apps to run as that involves a lot of command line fun with CACLS on XP Home.

The part of Windows that was not designed correctly is the All Users account. If you install an app that's supposed to be available to all users then, for example, it's desktop icon is installed in the All Users/Desktop dir instead of being added to each user's Desktop dir. And to change anything for All Users you need admin priviledges, which is why Windows requires priviledge escalation for simple tasks like removing an icon from your desktop.

Dejan

Crap it may be but linux...

Im probably inviting a lynching from the zealots but... Lin