UAC Changes and Windows 7 Security
What Microsoft's changes to user account control mean for the enterprise
One particularly annoying feature of Windows Vista is the seemingly constant pop-ups from the user account control (UAC) feature. Though designed to prevent security-related problems, users ended up turning the feature off, thus defeating its purpose.
Microsoft has changed the UAC interface and behavior. To learn more about these changes, we asked Eric Voskuil, chief technology officer at BeyondTrust. Eric explains what the changes are and how they will affect the enterprise.
Enterprise Systems: What is user account control and why was it introduced in Windows Vista?
Eric Voskuil: Microsoft introduced UAC in Windows Vista to reduce the frequency that users run with administrative privileges, thereby limiting the ability of malware to install on desktop systems. Despite its good intentions, Vista’s UAC was widely criticized due to its frequent user prompting, as well as application compatibility issues for standard users.
In the new Windows 7 operating system, there has been talk of changes to UAC. Can you describe these changes and explain the benefits to users?
In response to the feedback that users were forced to respond to too many prompts in Windows Vista, the new operating system introduces a new approach to UAC, providing a four-position “slider” feature to control how often UAC pop-ups occur.
Although these changes to Windows 7’s UAC benefit the home user market, enterprises must recognize that the new slider feature can only be applied to users logged in as administrators and may increase security risks. Further, Windows 7 introduces no new features to solve the application compatibility issues experienced by standard users in previous versions of the operating system.
Much criticism of UAC in Windows Vista was that it was too restrictive -- that it was popping up all the time. What is the default setting for UAC in Windows 7? Do you recommend that this setting should be left as is?
I do not recommend that any user log in with administrator rights and leave the default setting as is. To reduce user account control prompting, Microsoft changed the default configuration of user accounts such that any malware that exploits remote code execution vulnerabilities can, in fact, take control of the computer. In other words, malware can gain control of a computer without the user's knowledge.
What impact will these changes have on users of the new operating system (OS)?
The new UAC default setting was intended to reduce prompting by permitting Windows executables to automatically run with administrative privileges. However, it's only a matter of time before malware is directly targeted at this security gap, which will likely come once Windows 7 is more prevalent. We have already seen proof of concept exploits such as the one created by Long Zheng (read Zheng's report here).
What are the implications of UAC in Windows 7 to enterprise security?
For enterprises, there is little benefit to the changes to user account control in Windows 7. Windows 7 introduces cosmetic changes to reduce the prompts that plagued Vista, but it does nothing to fix the underlying productivity and usability problems for standard users, which is the preferred and most secure configuration for a growing number of organizations. Enterprises must recognize that Windows 7’s UAC slider puts end users in charge of the security decision of what to run with administrative privileges, which is essentially an invitation for malicious users, hackers, and malware.
I've read that UAC in Windows 7 will remove the need for users to run with administrator privileges. Is this accurate?
Rumors and suggestions have led enterprises to think that UAC in Windows 7 will fix all the issues that were raised in Vista and remove the need for users to run with administrative privileges. Unfortunately, this is not the case.
What type of threat does a user with administrative privileges pose to the enterprise?
When users log in with administrator rights, they have complete control over the computer. For example, administrator rights can be used to change security settings on the firewall, turn off antivirus solutions, or install unauthorized software. Additionally, users with administrator rights are a gateway for malware and will be far more expensive and time consuming to support. Most malware and spyware requires administrator rights in order to install.
How does UAC impact users’ ability to do their jobs? In Windows Vista, enterprises were advised to set up end users as standard users, without administrative rights. Is that your recommendation for Windows 7 as well?
I recommend all end users be set up as standard users. Just as in Vista, when a standard user logs into Windows 7 and encounters something that requires administrator privileges, they will be prompted to provide log-in information for an administrator account. However, I recommend setting UAC to no prompt mode, which will prevent the standard users from being asked for administrator credentials, which they do not have. If a standard user still needs to perform an action that requires elevated privileges, a company should use other products to ensure that the user can still perform the necessary task.
Are there any issues specific to compliance that enterprises should be aware of as they look to migrate to or adopt Windows 7?
The Federal Desktop Core Configuration (FDCC) mandate requires government agencies to ensure that federal users do not log in to their Windows XP or Vista computers with administrator rights. It only appears to be a matter of time before this mandate is extended to include Windows 7. Administrator rights must be restricted to ensure that users do not change the mandated standard security configurations.
Additionally, any system operating with administrative privileges is at high risk of being exploited by malware and malicious users.
What is BeyondTrust's connection to UAC?
BeyondTrust Privilege Manager solves UAC’s biggest issue and enables organizations to remove administrator rights and still allow users to run all required applications without any prompts. It does so by allowing network administrators to attach permission levels to Windows applications and processes; users can run all authorized applications without administrator rights.
Companies can create rules that define what a standard user can do with administrative privileges, allowing them to discretely control when administrative privileges can be used by different groups of users.