Security Operating Systems Software Windows

Microsoft Caves, Will Change UAC In Windows 7

CWmike writes "Reacting to intense criticism of an important security feature in Windows 7 (which we discussed a few days back), Microsoft today said it will change the behavior of User Account Control in Windows 7's release candidate. In a blog post, two Microsoft executives responsible for Windows development, John DeVaan and Steven Sinofsky, said 'We are going to deliver two changes to the Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. Second, changing the level of the UAC will also prompt for confirmation.' They said the changes were prompted by feedback from users, including comments on an earlier post Thursday by DeVaan in which he defended the modifications Microsoft made to UAC in Windows 7."
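An added example, not part of the submission or of the Microsoft post it quotes: a read-only audit that maps the UAC policy values to the notification level they represent, so a lowered setting of the kind this story is about shows up in a routine check. The registry key and value names are the real ones; the level labels, findings text and sample dictionaries are constructed for this example.

```python
import sys

# Real location and value names of the UAC policy in the registry.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# Constructed sample inputs so the example also runs off Windows.
SAMPLES = {
    "shipped default": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                        "PromptOnSecureDesktop": 1},
    "lowered": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 0,
                "PromptOnSecureDesktop": 0},
}


def read_uac_policy():
    """Read the live values from HKLM (Windows only; opens the key read-only)."""
    import winreg
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_VALUES:
            try:
                policy[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # missing value: classify_uac() reports "unknown"
    return policy


def classify_uac(policy):
    """Return (level, findings); level names are this example's own labels."""
    lua = policy.get("EnableLUA")
    prompt = policy.get("ConsentPromptBehaviorAdmin")
    secure = policy.get("PromptOnSecureDesktop")
    if lua is None or prompt is None:
        return "unknown", ["UAC policy values missing, level cannot be determined"]
    if lua == 0:
        return "disabled", ["EnableLUA=0: UAC is off"]
    if prompt == 0:
        return "never-notify", ["administrators elevate with no prompt"]
    findings = []
    if prompt in (1, 2):          # always prompts, always on the secure desktop
        return "always-notify", findings
    if secure != 1:
        findings.append("prompt is not shown on the secure desktop")
    if prompt == 5:               # consent only for non-Windows binaries
        findings.append("auto-elevating Windows binaries get no prompt")
        return ("default" if secure == 1 else "default-no-dim"), findings
    return "custom", findings     # 3 or 4: prompts for everything, desktop per policy


if __name__ == "__main__":
    inputs = {"live": read_uac_policy()} if sys.platform == "win32" else SAMPLES
    for name, policy in inputs.items():
        print(name, *classify_uac(policy), sep=" | ")
```

Run on a schedule and compared against the expected baseline, a change from `default` or `always-notify` to `never-notify` or `disabled` is the event worth alerting on.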
  • Intense? (Score:5, Insightful)

    by jamesl ( 106902 ) on Friday February 06, 2009 @10:12AM (#26751103)

    Intense criticism? Define "intense."

    Isn't this how it's supposed to work? Release pre-production code to the community. Listen to comments. Respond to comments as appropriate.

    Now define "over the top."

  • by landimal_adurotune ( 824425 ) on Friday February 06, 2009 @10:13AM (#26751111) Homepage
    With the initial Vista UAC people were trained to just click yes to everything or they would turn off the function entirely. With Windows 7 it is far less frustrating but the User part of the UAC is what is broken, there is no substitution for actually educating users. That is something that is far out of MS's reach IMHO.
  • Caves? (Score:5, Insightful)

    by ukyoCE ( 106879 ) on Friday February 06, 2009 @10:19AM (#26751167) Journal

    This is hardly "caving". Microsoft was alerted to a security issue, and they're fixing it. How did this get spun into an anti-microsoft story?

    Did I miss some story where Microsoft said they absolutely refused to fix the problem, but now a few days later they're giving in and fixing it?

  • Re:Caves? (Score:5, Insightful)

    by Lostlander ( 1219708 ) on Friday February 06, 2009 @10:24AM (#26751233)
    I agree, I hate Microsoft as much as the next Linux user but seriously agreeing to change something in a beta isn't caving, it's feature adjustment. The title of the summary is just flamebait. Windows 7 seems to be a functional Microsoft operating system for a change and people are freaking out looking for something to hate about it.
  • Re:Caves? (Score:3, Insightful)

    by Cro Magnon ( 467622 ) on Friday February 06, 2009 @10:26AM (#26751265) Homepage Journal

    This is hardly "caving". Microsoft was alerted to a security issue, and they're fixing it. How did this get spun into an anti-microsoft story?

    This is slashdot. Nuff said.

  • by Toreo asesino ( 951231 ) on Friday February 06, 2009 @10:34AM (#26751337) Journal

    When I read the headline...that they were going to implement proper user account permissions (a la UNIX) so UAC wouldn't be needed. Alas, I was disappointed.

    By that you mean "put password in every time you need to elevate?". UAC does that if you're not an admin. If you are, because you're not really an admin, it just confirms you want to...if the app is digitally signed; if not, it gives you a big scary warning box you actually have to read.

  • Still missing... (Score:4, Insightful)

    by Mascot ( 120795 ) on Friday February 06, 2009 @10:44AM (#26751479)

    the one thing that will make me consider not turning it off. A "do not ask again for this application" checkbox.

    Come on. Every firewall/HIPS system I can remember trying the past decade or so has an option to remember the answer.

    This obviously won't work for settings, but for when starting an application? God, it's so needed.

  • by 0123456 ( 636235 ) on Friday February 06, 2009 @10:45AM (#26751483)

    "I can't believe that if the OS is engineered properly if there would be any reason for it with ANY frequency"

    Yes, but this is Windows, which has been so poorly engineered for so long that roughly 97% of applications expect to be run as Admin; and thanks to the delights of 'backwards compatibility', Joe Sixpack will be running many of those applications for many years to come (heck, I have a copy of Word from the Windows 3.1 era on my Windows PC because I had to open old Word files and current versions wouldn't read the old format).

  • by v1 ( 525388 ) on Friday February 06, 2009 @11:06AM (#26751855) Homepage Journal

    but this is Windows, which has been so poorly engineered for so long that roughly 97% of applications expect to be run as Admin; and thanks to the delights of 'backwards compatibility'

    ya, but wasn't that what Vista was all about? Causing 80% of the existing windows apps to spontaneously combust and force the developers once and for all to fix their crap? What happened to that? (guessing... public outcry from the users and lazy devs pointing at MS as the blame) I thought that was the reason that Windows7 was going to make an even more solid, committed attempt to force the developers to adopt good coding practice. MS can't just continue to roll over on this issue.

  • Re:Caves? (Score:4, Insightful)

    by Hal_Porter ( 817932 ) on Friday February 06, 2009 @11:07AM (#26751867)

    A true slashdot user believes all these things

    1) The flaw in XP was that everyone ran as admin. Unix's system of running as a limited user and doing a privilege escalation via sudo each time you do something that requires admin rights.
    2) The flaw in Vista was UAC, where you do a privilege escalation each time you do something that requires admin rights.
    3) The first Windows 7 beta had a flaw where it was possible for malware to disable UAC programmatically and thus bypass it.
    4) Microsoft have 'caved' and changed UAC in the Windows 7 release candidate.

    and he believes them simultaneously too.

  • by aarmenaa ( 712174 ) on Friday February 06, 2009 @11:09AM (#26751921) Journal

    Proper user account permissions? Like the ACL system that Windows has had for more than a decade? The one that's more granular than what you can get on Linux? I guess Linux needs to ditch sudo and get real "user account permissions" too?

    I don't see what you're getting at here: UAC fills almost the same role as sudo on a Linux system. Okay, I admit - it's a little different "under the hood" from the way sudo works under Ubuntu, but it legitimately works, and Microsoft actually did sit down and think this one through. For example, instead of asking to elevate for every piece of software that does terrible crap like writing into the Program Files directory, it just virtualizes that file system operation into a folder in your user account. Doesn't even ask to elevate. It does kinda cause problems when files don't end up where you expected them to, but most users never notice and it's actually a very nice way to deal with developers who refuse to follow the rules. Thanks to nice things like that, I generally only get prompted for elevation when I install new software or legitimately need access to a restricted directory, which is exactly the way it should be.

    Don't misunderstand me here - there's plenty of things wrong with Vista. UAC and the NT security model weren't one of them, though. UAC was a step towards a sane default of limited users instead of having everyone run as an administrator. Defaulting everyone to admin is one of those bad decisions Microsoft made and we've been paying for ever since. Windows needs UAC, and it's the main reason I use Vista on my home box.

    Try this: enable Vista's Administrator account (it's disabled by default), give it a password, then make your user account a "Limited User." What happens when it asks to elevate? Yep, a password prompt instead of the regular UAC. It's not technically sudo but it's the same effect and it works extremely well.

  • by Anonymous Coward on Friday February 06, 2009 @11:11AM (#26751963)
    And explanation of how what Windows does is different from what KDE, Gnome or OSX do.
  • by gzipped_tar ( 1151931 ) on Friday February 06, 2009 @11:13AM (#26752005) Journal

    As I put it in another post (http://it.slashdot.org/comments.pl?sid=1118669&cid=26751749 [slashdot.org]), SELinux is not just a user access control (UAC) system. The NSA didn't build it "to address this" as you said. Instead, they built it to implement a much wider range of ideas e.g. role-based access control and security context/type management.

    I'm not familiar with the Windows Vista UAC so I can't make reasonable comparison between it and SELinux. However, if they are designed for different jobs, then we are really comparing apples and oranges.

  • by nine-times ( 778537 ) <nine.times@gmail.com> on Friday February 06, 2009 @11:15AM (#26752055) Homepage

    It's my business where I install the OS. It will only be on one computer at a time, but if I pay the money, the OS goes where I decide when it suits me to reinstall, without a penalty to ME.

    I agree completely. I always get modded as a troll, but forced activation really is one of the things that keeps me from using Windows Vista. Every product that I've used that has activation has, at some point or another, made it needlessly difficult for me to do something legitimate. I just refuse to deal with that stuff anymore.

    I have enough problems with software working properly without the developers embedding kill-switches in their software.

  • by thethibs ( 882667 ) on Friday February 06, 2009 @11:33AM (#26752385) Homepage

    proper user account permissions (a la UNIX)

    You mean "me, us, anybody" permissions? Windows account security is both more sophisticated and more granular. The problem is not with user account permissions, but with the out-of-the-box defaults. On this one, Microsoft can't win. If they do something that's appropriate for the average home user (a breed of cat most of /. can't even imagine), power users and tech writers get all over their case.

    In the enterprise environment, the degree of user lockdown is easily adjusted on a per-user basis and runas (Windows' sudo -u) is available for exceptions.

  • by jonadab ( 583620 ) on Friday February 06, 2009 @11:54AM (#26752825) Homepage Journal
    Unless you work for a vendor that sells Linux-based solutions, and have a job title something along the lines of "Deployment Options Specialist", there really isn't any reason to *try* to think about all of the various configuration and deployment options. What would be the point? You're Doing It Wrong.

    The right approach is to ask, "In our situation, what do we need the software to do?"
  • by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Friday February 06, 2009 @12:02PM (#26753009) Homepage

    Why should any application need that checkbox?

    No application should be asking for privileges that much, unless it accesses special hardware (easy example: something akin to WireShark). A normal application (like FireFox) shouldn't need to ask for permission all the time. If it does, it probably has a design flaw.

    If you grant full permissions in the way you are suggesting be made possible, then if a new version of the application alters its functionality (or some time-bomb kicks in) then it can do things you didn't authorize (like erase other programs) because it was given blanket authorization by you so you wouldn't be nagged about some stupid thing it was doing (like changing your wallpaper).

    You want the "always" button to be more granular? So now I have to check 5 different "always" boxes on 5 different prompts so some poorly written application won't bug me... until I use some new function and it asks for a 6th time. Having the "always" box not mean "always for everything" will confuse a great many users.

    Well written programs don't have this problem. I've been using OS X for years and the only two applications that prompt me on any kind of regular basis are Software Update (which has to touch all sorts of software and the system software, I'm going to include MS's Office Update in here too) and the Installer used by some applications (because they may need to install libraries or check for other installed software). User space applications almost never trigger these questions. They don't NEED to.

  • by Vectronic ( 1221470 ) on Friday February 06, 2009 @12:03PM (#26753011)

    "NO you do not want to write into program files. UNLESS you are an installer. Period."

    Personally, I like to think of myself as a continuously modified script, running a bio-mechanical machine.

    Far more often than not (nearly always) you do not want applications to write into the ./Program Files/. folder, however, I am not a program, and I need to write to various (program files) folders for many reasons, what if I need to install a plug-in that does not have an installer, perhaps a file got corrupted, and I need to edit it, or maybe I am just bored and/or curious and feel like poking around, it is "My Computer" which includes every file and folder contained on any of its hard drives, I am not renting it from the OS, or the applications on it.

    Although, you generally do not want your average e-mail checking user to be able to do those things, not because it is some mysterious taboo, but because they will generally fuck it up and not know how to fix it, but even then, if it is their personal/home use computer, they should still be able to do so, given enough dialogs/warnings... trial, error, money spent, they'll learn, but never completely locked out.

  • by Anonymous Coward on Friday February 06, 2009 @12:16PM (#26753279)

    Sounds like Group Policy Objects in Windows (running in a Domain).

    If it sounds like it, I hope you haven't done much administrating Domains recently.

    But maybe you're right, so... how can I create a GPO object that gives the following MAC profile to any instance of Firefox, started by any user:

    - disallow connecting to ports other than 80 and 443
    - disallow reading files in the User's home directory
    - allow reading and writing files in %AppData%\Firefox, but not reading anything else in %AppData%
    - allow writing files to %TEMP%, but allow reading only of the files created by Firefox itself

  • by flyingfsck ( 986395 ) on Friday February 06, 2009 @12:29PM (#26753505)

    Yup, SELinux is designed to allow government computers to process data of different classification levels, without causing all data to adopt the highest level.

    For example, if you copy a confidential file onto an ordinary secret machine, that file then becomes secret. If SELinux is implemented, then a machine can be designed to process both confidential and secret data, without all confidential data becoming secret. However, setting something like this up and getting it certified by the NSA is a friggen huge PITA.

  • by Nursie ( 632944 ) on Friday February 06, 2009 @12:30PM (#26753537)

    The argument also exists that they should tell the user what's going on rather than silently redirect stuff.

    Tell me the program's broken, tell me there's a problem, block writes to PFs, whatever. Don't just silently squirrel stuff away somewhere else and then show different users different versions of the same file...

    Just wrong.

  • by the_B0fh ( 208483 ) on Friday February 06, 2009 @12:38PM (#26753693) Homepage

    OP said:

    You're aware the access controls of the Windows NT line is MORE fine grained than UNIX, right?

    indicating that more fine grained controls via ACLs etc is better than the ugo model that standard unix uses.

    I'm merely pointing out that this is a beyond stupid argument, since Microsoft often claims that the registry is far better than /etc config files, and we all know how fucked up the registry can be. Here's an article on why Microsoft thinks the registry is better than /etc config files: http://www.theregister.co.uk/2002/11/21/ms_paper_touts_unix/ [theregister.co.uk]

    And for the morons who keep harping on SELinux, you either have not implemented this in production, so, stfu, or you're paid too much to screw around on slashdot, so go troll somewhere else. For the rest of us, selinux is a damned pain in the ass, and no sane person touches it.

  • Re:UAC is useful (Score:3, Insightful)

    by Tom ( 822 ) on Friday February 06, 2009 @01:30PM (#26754679) Homepage Journal

    While many may scoff at UAC, it does do something very well. It foists responsibility on the user. While this may not be the nicest thing to do, it enforces perhaps the most difficult ideal. That being of awareness of security.

    I challenge you with the claim that you understand neither users, nor security.

    Or, to bring up a car analogy, UAC is like asking the user for tire pressure, the mixture rate of gas and air, and the precise timings of ignition in order to drive a car. Then telling drivers they're stupid fucks because most of the cars on the streets stutter around or burn up.

    Security education is an utter and total failure and most serious security professionals have long moved away from it. Today we train security awareness, which is a lot simpler and more basic, or on the car analogy: We teach people to call the garage when any red lights flash.

    And no, UAC isn't a red light. It doesn't indicate that something is wrong, it asks the user if something is wrong, and most of the times while the user clicks on "no, go on" what he really means is "how should I know? shut the fuck up already and let me work.".
