One of the perks of my job is that I have to stay ahead of the game when it comes to the technical aspects of computer operation, which usually means beta testing new OSes. So over the last couple of days, I've been playing with the RC1 release of Vista. From what I've seen so far, however, I have come to a simple conclusion.
User Account Control (UAC) in its current and default setting is absolutely useless.
I don't know what Microsoft is thinking here; maybe it will change down the line after release, but as it stands right now it's useless, and here's why.
First off, when you first install Vista, it asks you to set a password for the administrator account, which is already better than WinXP, but that's it. That account is your primary account. It doesn't force or even encourage you at install to create a user account and run that as your main account, like most Unixes do. In other words, it creates accounts just like XP, with a slight difference in what the administrator account can do to the PC, so it's only slightly better than XP. This of course is a bad thing. But it gets worse.
To expand on the above, that "Administrator" account isn't really an Administrator account. It's more like a "Super Power User" account (probably because it is your default account, after all). This so-called admin account can do a lot of things a real admin can do, but there are a lot of things it can't, such as releasing an IP address using ipconfig. This restriction is a step in the right direction for how the default account should behave, but they shouldn't be doing this to the only account that can possibly recover from a bad situation. If a PC gets infected with something that is deep-penetrating, you're going to have a really bad day trying to clean it out with this account's access level.
Second, they did adopt a deep-penetration stopgap like the Unixes, and anything you run that can adversely affect your machine is protected similarly to Unix's root access prompt, but with one major flaw: no password prompt on the default administrator account! I could understand it if the account didn't have a password, but it should damn well prompt you if you have one set. Now, it does prompt for the administrator password if you are running a user account, but let's face it, most users are going to use whatever Vista defaults to, and as of today that's this neutered administrator account. I've said in the past (read my "Mythbusting Computer Security" journal entry) that I believe the password prompt is useless since an idiot user will just type it in and deep-infect themselves anyway, and I still stand behind that, but there are three reasons why these dialogs work relatively well in UNIX:
1) The frequency of the prompt itself. When it comes up in Unix, you know it's something big, because you don't see it that often unless you're installing something or messing around with system settings. In Vista, simply copying files from your profile to your spare drive can get you this dialog, although RC1 is light years ahead of Beta 2 in this regard.
2) A threatening presence. You're using your computer when, out of the blue, this box shows up wanting an admin password for this program to do its thing. This forces people to 1) read the dialog and 2) think, since they need to conjure up their password. This will never protect a computer from a stupid user, but that simple pause will make cautious people second-guess their judgement. With a simple yes/no prompt, a user gets so indoctrinated with the prompt that they will simply say yes no matter what they are running. Don't believe me? How fast can you click "Yes to All" when you're copying files into an already existing folder? Do you even read the dialog anymore? Did you realize you could be overwriting newer documents with older revisions of the same document?
3) It protects the system from other people messing with your computer if you happen to be away from your desk, since they would have to know your login password in order to screw things up.
So basically, if you want to know how Vista feels and you don't have access to the beta, simply download Service Pack 2 and install it, then download a program and run it. That security dialog you see is basically UAC for the administrator, albeit with a little less graphic flair and frequency. Now imagine seeing that dialog dim the whole screen and pop up when you click on anything in the Control Panel, and you've got the Vista experience.
What can be done to fix it? For starters, make the Administrator account a real administrator, not a "super power user" with Administrator as the user name, and force a password for the account. Second, the user's default account should be a "user" or "Power User" account, and anything you do that needs UAC approval would require the administrator password. This would work exactly like the Unixes do and would stop most of the problems I've mentioned here.
Actually, XP does something similar to this at initial install. When you initially install XP, there's the Administrator account and a "Your Name" account. The problem with XP is that the "Your Name" account is a full-blown administrator. All they needed to do was force you to set a password for the Administrator account and make that "Your Name" account a "user" or "power user" instead of a full-blown "administrator". That would have fixed most of the security problems in XP right there. This, coupled with Vista's UAC permission elevation, would have been ideal.
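The two fixes argued for above (a daily account that is not an administrator, and an elevation dialog that asks for a password rather than a yes/no button) are exactly what the released UAC policy settings control. The PowerShell below is an added example, not code from the original post or from Microsoft: it audits the current account and the UAC policy values, and shows the hardened values next to the weak ones. It assumes a released Windows build with PowerShell 5.1 or later (for New-LocalUser); the registry value names and their meanings are the shipped UAC policy keys, which post-date the RC builds the post was written against.

```powershell
# Added example, not from the original post. Audit UAC configuration and the
# current account, then apply the credential-prompt model the post argues for.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of ConsentPromptBehaviorAdmin (the dialog an admin sees on elevation).
$adminBehavior = @{
    0 = 'Elevate without prompting (no dialog at all)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent (yes/no) on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent (yes/no)'
    5 = 'Prompt for consent (yes/no) for non-Windows binaries only'
}

# Meanings of ConsentPromptBehaviorUser (the dialog a standard user sees).
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacAudit {
    $p         = Get-ItemProperty -Path $uacKey
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # True only when this process already holds the full (unfiltered) admin token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Membership in the local Administrators group (well-known SID S-1-5-32-544),
    # reported even when UAC has filtered the token down to a standard user.
    $isAdminMember = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    [pscustomobject]@{
        User                  = $identity.Name
        InAdministratorsGroup = $isAdminMember
        ProcessElevated       = $elevated
        EnableLUA             = $p.EnableLUA
        AdminPromptBehavior   = $adminBehavior[[int]$p.ConsentPromptBehaviorAdmin]
        UserPromptBehavior    = $userBehavior[[int]$p.ConsentPromptBehaviorUser]
        PromptOnSecureDesktop = $p.PromptOnSecureDesktop
    }
}

function Set-UacCredentialPrompt {
    # Weak (shipped) model: administrators get a yes/no consent button
    # (ConsentPromptBehaviorAdmin = 5 or 2). Hardened model: everyone, admins
    # included, must type a password on the dimmed secure desktop. Must be run
    # from an elevated shell; takes effect for new elevation requests.
    Set-ItemProperty -Path $uacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

function New-DailyStandardUser {
    # Create the non-administrator account the post says the installer should
    # have created: a member of Users only, so every privileged action goes
    # through the credential prompt. The account name is an assumed placeholder.
    param([string]$Name = 'daily')
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    New-LocalUser -Name $Name -Password $password -PasswordNeverExpires:$false | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -like "*\$Name" } |
        ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_ }
}

# Usage: run the audit first; an AdminPromptBehavior that reads "Prompt for
# consent" is the yes/no dialog the post describes.
Get-UacAudit | Format-List
```

Run Get-UacAudit from the account you actually use day to day: if InAdministratorsGroup is true and AdminPromptBehavior reads "Prompt for consent", you have the configuration the post complains about, where a click rather than a password stands between a program and the machine. Set-UacCredentialPrompt and New-DailyStandardUser together give the Unix-style arrangement the post asks for, with the same caveat the author raises in point 2: a credential prompt slows a careless user down, it does not stop one.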
Update 10/8/06: RC2 has come out and there are some minor changes. For one, it looks like they have gone back to a model similar to XP. Instead of having the "Super Power User" account called "Administrator", they have decided to go back to the "Your Name" system that XP uses. My guess is that testers didn't like their own account being called Administrator, and MS wanted to do more account salting for extra protection (not that a malicious program couldn't get the account location anyway from a variable). However, that appears to be the only change. It also still has the same prompting characteristics as RC1 using "Administrator", so this article is still relevant. I didn't test to see if the true Administrator account is accessible in any form, but I do know that it doesn't ask for a password for "Administrator" anymore. Hopefully it's truly blocked from being used in normal mode.