Details on Refining Vista's User Control

borgboy writes "Windows Vista has gotten a lot of negative press recently following the release of the latest beta, especially regarding excessive prompting for privilege escalation for seemingly common activities. On his blog, Steve Hiskey, the Lead Program Manager for User Account Control in the Windows Security Core group, details what the issues with the excessive prompting are, what the design goals of the feature are, and how they plan to achieve them. Briefly - they know the excessive prompting is a royal pain, they know that have to reduce it to an absolute minimum to be both productive AND an effective security risk mitigation measure, and they want as much feedback as they can get on the beta."

Re:SAme as in OSXs early days

[plasmacutter]

I am a mac user, and have been using it since osX's early days, and the tasks they request authorization for are not "petty".

on the other hand, I have gotten those prompts in osX for microsoft and real built applications which were trying to do things which they had no business doing.

all the open source players i have installed on osX (I have 2 or 3) have never required root authorization for anything, yet wmp and real wanted to access my root files, why? This hints at how invasive the programs are, what are they doing monkeying around at that level on my system.

The user prompting you are seeing in windows is not necessarily excessive, it may arise from genuine security concerns because of how invasive microsoft is to their users, as reported in previous years consistently with hidden logs, spyware bundling, and surruptitious installation of DRM modules. (I have office 2004 on my mac, was prompted for a root pass, and immediately hunted down where the change was.. it turns out it snuck a drm bundle into my web browser!)

Re:Here's how to delete a file on Windows Vista

[deficite]

Perhaps that'll annoy people enough not to delete the system icons. I used to get so mad when I used the family computer and my dad would delete an icon for something on his account and it got deleted on mine too. Another thing about shortcuts I hate: some applications only install them for the account you installed the program with. I had to make shortcuts by hand for every account on the machine or manually copy the shortcut to the shared shortcuts.

Re:There you go again

[Tim C]

How about if you add something extra to make sure no "malware" lands up on my system? Can you do that?

In a word, no. How is the OS supposed to know that that cute little systray weather forecast app you downloaded and installed is actually a trojan?

As long as a user can download and install/run software, the system is vulnerable, and there's nothing it can do about it.

Easy fix

[Anonymous Coward]

One solution is for developers to write applications that don't need to be installed, nor run as, the Administrator user. Of course, that is if Vista was designed to allow applications to run properly as non-admin.

Huge Difference

[astrosmash]

This kind of security model has always been present in OS X, and other various unix-like flavors, so applications written for these operating systems have always expected to explicitly request super-user authorization before doing any system-level configuration.

The situation on Windows is completely different. Microsoft is retrofitting Windows with this security model, but it must still support the vast catalog of existing software that was written assuming the traditional Windows security model. So, instead of an application or installer explicitly requesting authorization, Windows watches all processes for what amounts to security violations, halts the process and prompts the user for elevation. And now they're talking about writing shims for specific problematic applications. Yikes!

To call this over-engineering is an understatement, to say the least, but what else can they do? The value of Windows has always been in its backward compatibility, and Microsoft cannot give that up without risking their dominance in the market. But this is precisely why OS X has surpassed Windows in terms of the rate of development within the last few years (also an understatement).

Re: click delete, CONFIRM delete?

[mpapet]

My gut feeling is this is another Microsoftie doing damage control.

the optimal number of steps
Is one. Just one. On my kde desktop, I right-click the icon, select delete. Apple's desktop is similar.

In both instances, there's a robust security model underneath my desktop that does not require an extra "are you sure?" button on my desktop to work right.

Re: click delete, CONFIRM delete?

[fickerra]

While your view is correct, there are some reasons why a confirmation-on-delete can still be beneficial, especially for novice users.

Say a novice user (think grandma) is trying to click on Rename and accidently hits delete without evening noticing that delete was an option. If the shortcut disappears, they would be thoroughly confused. They would not know to look in the recycle bin.

Also, remember, this confirmation *can* be turned off in Vista (just like in XP.) So, you can have it the way you like it if you decide to use Vista. However, I support the decision to default this feature to on.

Security Hole == Windows Message Pump

[cheezit]

What everyone seems to miss is that the fundamental flaw, which the blog author alludes to, is Microsoft's desire to allow applications to masquerade as the user and send messages via the Windows message pump (via SendMessage() etc).

The real flaw is that MS is maintaining a design decision that was made back in the days of Win3.1: there shall be one method for structured message passing (the message pump) which will cover user input, application IPC, system notifications, clipboard copying, window redraw requests, etc. This message pump is built into the core threading model for the OS (many other windowing systems have this too, it isn't just Windows).

Since there is only one front door, user input uses the same facility as everything else, and it becomes impossible to tell if the user pressed the "A" key or if an application sent a KEYPRESS message.

One solution is to have OS-enforced segregation between these types of input, and force multiple input channels. The mouse and keyboard (and other legitimate devices) get to use the "user input" channel, and other apps get to use a different channel.

But Microsoft doesn't want to do this because they want to enable Bob-style guided interactions with applications, where the target application can be automated/scripted without its knowledge. Changing this also has huge backward-compatibility issues---basically anything built for pre-Vista windows must be modified and rebuilt.

So MS is talking security, but this is a case where market footprint and backward compatibility are fighting with security---and ease of use is caught in the crossfire. A first for MS.

Re:Here's how to delete a file on Windows Vista

[Firehed]

Anyone else think it a bit odd that it says "You don't have permission to delete this" (step 4) followed by the prompt to go ahead and do it anyways? Well, I suppose that's how life works - I wonder if Vista will arrest me a short while later?

Re: click delete, CONFIRM delete?

[mrchaotica]

What it ought to do is pop up one of those little non-modal balloon help things from the recycle bin the first couple of times, telling the user that the file was just moved there (as opposed to a modal dialog telling the user that the file is about to be moved there).