Print 107 comment(s) - last by weskurtz0081.. on Nov 11 at 8:55 AM

Windows 7 may be more secure, but its UAC is less functional than Windows Vista's, according to a recent security study. The study suggests that only antivirus protection can properly protect Windows 7.  (Source: Switched)
Antivirus protection still necessary, says firm

One of the most unpopular features of Windows Vista among casual users was the User Account Control (UAC).  Ironically, while the UAC provoked irate comments from these users, like "why is my computer asking me to approve everything", the feature was one of the most appreciated features by power users as it gave them much more control over their security and ability to prevent inappropriate actions.

With Windows 7, Microsoft pledged to go the OS X route on this topic, tuning down the UAC's warnings to a lesser level.  Many security firms complained about this approach and Microsoft relented slightly, restoring some of the UAC's warnings, in particular a warning about the disabling the UAC altogether (experts showed that attackers could disable the UAC without prompting the user in early builds of Windows 7).

While these changes helped make Windows 7's release edition more secure than the test builds, the UAC's default setting is still neutered compare to Vista's robust solution, indicates Sophos Senior Security Adviser Chester Wisniewski.  He's just completed a study of attacking Windows 7 with malware and seeing how the new UAC responds.

Of the ten pieces of malware tested, Windows 7 wouldn't install two of them.  Of the remaining eight only one generated a UAC warning, allowing the user to disallow its installation.

Microsoft officials, though, minimized the test, saying the UAC just isn't that important a security feature anymore.  They point to Windows 7's improved memory protections and Microsoft free Security Essentials antivirus suite as two critical tools that can be used to fight infection, in addition to the UAC. 

States a Microsoft spokesperson, "Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)."

"Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released," the spokesperson added. "Coupled with Internet Explorer 8—which includes added malware protection with its SmartScreen Filter—and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions."

While he understands that with other supplemental protections Windows 7 will likely be safe, Mr. Wisniewski seems mildly disapproving of defaulting the UAC to reduced functionality.  After all, users of Windows Vista may be lulled into a false sense of security expecting prompts to save them from malware.  Ultimately, though, there's little that can be done to convince Microsoft to change this, though, and he concludes, "Lesson learned? You still need to run antivirus [protection] on Windows 7."

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Flawed Methodology
By Iaiken on 11/5/2009 2:33:58 PM , Rating: 5
Let's not forget that for extra stupid users that will run just about anything you send them, you an always raise the UAC alert levels to be just as annoying as Vista. It's this neat little slider under ControlPanel>UAC that even a retarded monkey could use.

RE: Flawed Methodology
By lightfoot on 11/5/2009 2:57:42 PM , Rating: 3
The problem is that the retarded monkeys turn off the UAC because they don't like being prompted when they are trying to run malware. You can put a safety on a gun, but it won't stop you from shooting yourself in the foot if that's where you're aiming.

RE: Flawed Methodology
By StevoLincolnite on 11/5/2009 9:38:53 PM , Rating: 3
I think it's a case of "Your damned if you do, and your damned if you don't". - One of the biggest issues people had with Vista was UAC, Microsoft tones it down... And now one of the biggest Issues is the lack of UAC.

Unfortunately Microsoft can't please everyone it seems.

RE: Flawed Methodology
By Reclaimer77 on 11/5/2009 9:57:04 PM , Rating: 4
And now one of the biggest Issues is the lack of UAC.

No it's not.

RE: Flawed Methodology
By StevoLincolnite on 11/5/09, Rating: 0
RE: Flawed Methodology
By DominionSeraph on 11/6/09, Rating: 0
RE: Flawed Methodology
By damianrobertjones on 11/6/2009 6:27:05 AM , Rating: 2
As most people run as admin, which in itself is very silly, the point of UAC is to stop un-authorised installing/launching/access to the system and it's sections. Supposedly, when a web app tries to install, UAC should appear and warn you about this action.

Something trying to access the management section, UAC prompt. It's simply another level of protection that people turn off. Damned if they do, Damned if they don't

UAC does serve a purpose. At least try to add more than 'no it's not'.

RE: Flawed Methodology
By wallijonn on 11/9/2009 1:39:18 PM , Rating: 2
As most people run as admin, which in itself is very silly, the point of UAC is to stop un-authorised installing/launching/access to the system and it's sections.

And seeing how XPHome defaults to admin rights for all accounts created, the problem still lies with MS. Many people don't know what to do with Restricted or Limited accounts. So they just create another account, which has Admin rights by default, and get back onto the Internet. Installing Firewalls don't help either since they'll just get the same type of Vista UAC prompts. Eventually they disable all Internet access and end up calling me...

RE: Flawed Methodology
By StevoLincolnite on 11/6/2009 9:33:27 AM , Rating: 2
nd that purpose would be...? Please say, "Security." I do so much like laughing at fools.

Well it's obviously not to assist in rendering Direct 3D based games is it now? What else would it be for?

In essence the greatest cause of computer issues was because of the person using it, which has been true for decades, the UAC was supposed to be a "Cure" for the ailment, which unfortunately ticked allot of people off with it's annoying prompts.

The idea of UAC was to stop:

* Malicious Programs from executing without a users consent.
* To verify your actions, so you can reverse what may be a potentially catastrophic mistake.
* So you aware on what is going on in the back ground of your system.

I think that pretty much falls under "Security" which UAC achieves, like it or not.

RE: Flawed Methodology
By DominionSeraph on 11/6/2009 9:01:33 PM , Rating: 2
Ahhh... typical American consumer egotism, thinking that everything is engineered to directly cater to you.

The purpose of UAC is to socially engineer towards the use of limited user accounts.

Prior to Vista, everyone ran as Admin. They had to, because their programs didn't work under limited user access, and programmers kept programming for system area access because everyone ran as admin.
Cute little self-supporting structure there.

With Microsoft's use of limited access tokens with UAC elevation in Vista's administrator account, programmers could no longer presume admin access. To make a program that would work without constant UAC nags, they had to design programs that would behave under a limited user account, just like Microsoft had been telling them to do for the last decade.
They now do this, which makes actually running as a limited user a valid option.

The security is in the limited user account. UAC just nags it into viability.

So you see, UAC was never meant to secure the inherenly unsecure admin account. Microsoft isn't weighing usability against administrator account protection, they're weighing usability against programmer coercion. Windows 7 increases usability while maintaining the same degree of pressure on programmers to program in alignment with the security model of limited access users.

The decrease to security in user-initiated actions in the administrator account is a meaningless aside, as the administrator account is not meant to protect the user from himself.
Limited accounts are there to protect the system from idiots running, "format.bat." The administrator account, however, is the place you're supposed to be able to run it.

RE: Flawed Methodology
By neogrin on 11/6/2009 10:55:36 AM , Rating: 2
No it's not.

Shush, the adults are talking.

RE: Flawed Methodology
By Reclaimer77 on 11/5/09, Rating: 0
RE: Flawed Methodology
By The0ne on 11/5/2009 3:03:21 PM , Rating: 4
Max level for UAC in Win7 is much less annoying than Vista. I usually have it off as I am picky on what I install but have been using it at max and have been pretty satisfied with the prompts. I'm keeping it at max unless it really does becoming annoying, which I doubt.

RE: Flawed Methodology
By Sulphademus on 11/5/2009 3:36:03 PM , Rating: 5
I upped my UAC to max and upped it to max on the PC Im building for my bro. Vista UAC has been fantastic in a corporate environment (prevented so much stupid crap!).

I'd like for them to do a full test with whatever crapware they wish and compare the results between XP SP3, Vista SP2 w/ UAC, Vista SP2 w/o UAC, and Win7 at all 4 levels of UAC. THEN tell me numbers!

RE: Flawed Methodology
By Souka on 11/5/2009 6:06:47 PM , Rating: 2
in my last two jobs, UAC is disabled in Vista...and Win7 RCs.

No need really... users are only given "USER" level authority on the system. If they need an app, they request it and it gets pushed to their system.

Standard apps they can simply selected from the published apps (via control panel or sharepoint site).. Non standard apps we have a process for that also.

Number of virus outbreaks at my last two companies... zero
Number of users corrupting their
Number of support/IT related calls...very few

I'm now at a company that runs XP, Vista, and now Win7... most users have admin authority on their boxes.

Wouldn't ya know it.. we have over 3x the support personel, and the IT dept. spends it time putting out fires instead of working on real projects for company growth...

Glad I don't have to deal with it...but hate having my projects put on hold because they're so busy on things that could be avoided...

Ugh...sorry....long day.... anyhow.. UAC? Hmm... no matter how good the programming is, I'm sure there's a way for a person like my parents to say "sure, go ahead and install!"


RE: Flawed Methodology
By Master Kenobi on 11/5/2009 10:26:10 PM , Rating: 5
Yes, I have noticed overwhelmingly that companies that choose to give end users admin level functionality locally end up with a massive increase in problems and support calls related to those problems. It's a never ending stream of brush fires.

RE: Flawed Methodology
By FITCamaro on 11/8/2009 12:30:35 PM , Rating: 2
I agree. It is extremely annoying to have to call IT when you need a tool. Especially since companies are cutting back on local support staff and going to remote administration.

RE: Flawed Methodology
By mark3450 on 11/6/2009 11:45:47 AM , Rating: 4

Number of virus outbreaks at my last two companies... zero
Number of users corrupting their
Number of support/IT related calls...very few

This may be true, but it doesn't necessarily mean your doing a good job. This is classic IT mentality. The purpose of IT is not to minimize the number of computer issues, it's to maximize the productivity of the employees using those computers. You may very well be doing that as well, but it doesn't follow from these results. You can simply remove all the power cords from the computers and get the same result.

RE: Flawed Methodology
By Cerin218 on 11/6/2009 5:11:22 PM , Rating: 1
Umm hello, you can maximize productivity of the user when the user isn't sitting at their desk twiddling their thumbs because they clicked on that UPS tracking number email and installed the .exe contained in there even while questioning the origin of that email to themselves, and as the IT staff you are now working to remove that virus from their computer before it infects other users or your server.
You are obviously not an IT person. If you can prevent problems, they do not become problems, and as stated it allows you to focus your attention on other products that may in fact, increase productivity.
Think before you speak.

RE: Flawed Methodology
By mark3450 on 11/7/2009 12:07:32 AM , Rating: 3
No I am not an IT person, however I do know computers and the shortcomings of IT mentality. Yes having some bozo infect his computer with a virus isn't good for productivity, but locking out users from admin causes it's own problems for productivity you so blistfully ignore.

Simple example, say I have a scientific paper in PDF I need to read, but it requires an updated version of adobe reading to view. With admin privliges it takes 5 minuites to get the new reader, without it's a major headache to get IT to install one for you. The difference in productivity is huge.

What I'm calling IT mentality is this thought process that the only goal is to minmizing the number of problems. The goal is to maximize productivity and that's not the same. Yes problems like viruses reduce productivity, but so do draconic IT measures like denying users admin privliges.

RE: Flawed Methodology
By DominionSeraph on 11/7/09, Rating: 0
RE: Flawed Methodology
By Alexstarfire on 11/7/2009 5:50:32 AM , Rating: 2
If IT is doing their job properly it shouldn't take much longer than doing it by yourself. That is of course assuming that the end user actually knows how to do it by themselves... of which many times I highly doubt.

RE: Flawed Methodology
By damianrobertjones on 11/8/2009 9:27:24 AM , Rating: 2
The moment you give users the rights to install, your days are numbered. Users are... to put it bluntly, thick. Really, really thick. You can train, state, send them FIFTY DAMN emails and they STILL won't take a blind bit of notice.

P.s. Adobe acrobat? Why? Foxit reader. With apps think quick and easy instead of bloated and slow.

P.P.s Admins can remotely update hundreds upon hundreds of pcs without even leaving their desk. You're not an it person so please try not to think like a user who 'wants' everything. :)

RE: Flawed Methodology
By mark3450 on 11/9/2009 5:04:12 PM , Rating: 2
Users are... to put it bluntly, thick. Really, really thick.

Yes some users are thick, but many are not. I know folks in IT can give endless examples of how clueless users are, but users can also give examples of how IT policies like locking out admin destroys their productivity. Obviously it's easier on IT to lock down admin, but quite honestly it's IT's job to make life easy for the user not the other way around.

RE: Flawed Methodology
By Cerin218 on 11/6/2009 5:15:25 PM , Rating: 2
That's what my father does. He doesn't read any windows, just clicks until it does what he wants it to do. My favorite is the last time his computer was infected and I asked him what happened. He told me a computer program wanted to install but he didn't know what the program was and it told him that it needed to shut off his antivirus in order to do so. So he said great and installed an unidentified program that subverted the security and didn't know what happened, only that his computer didn't work now.

UAC is only as smart as the person using it. Of course if you are smart enough to use it, you are smart enough not to need it. Kind of an odd little catch.

"I mean, if you wanna break down someone's door, why don't you start with AT&T, for God sakes? They make your amazing phone unusable as a phone!" -- Jon Stewart on Apple and the iPhone

Most Popular ArticlesTop 5 Smart Watches
July 21, 2016, 11:48 PM
Free Windows 10 offer ends July 29th, 2016: 10 Reasons to Upgrade Immediately
July 22, 2016, 9:19 PM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki