backtop


Print 107 comment(s) - last by weskurtz0081.. on Nov 11 at 8:55 AM


Windows 7 may be more secure, but its UAC is less functional than Windows Vista's, according to a recent security study. The study suggests that only antivirus protection can properly protect Windows 7.  (Source: Switched)
Antivirus protection still necessary, says firm

One of the most unpopular features of Windows Vista among casual users was the User Account Control (UAC).  Ironically, while the UAC provoked irate comments from these users, like "why is my computer asking me to approve everything", the feature was one of the most appreciated features by power users as it gave them much more control over their security and ability to prevent inappropriate actions.

With Windows 7, Microsoft pledged to go the OS X route on this topic, tuning down the UAC's warnings to a lesser level.  Many security firms complained about this approach and Microsoft relented slightly, restoring some of the UAC's warnings, in particular a warning about the disabling the UAC altogether (experts showed that attackers could disable the UAC without prompting the user in early builds of Windows 7).

While these changes helped make Windows 7's release edition more secure than the test builds, the UAC's default setting is still neutered compare to Vista's robust solution, indicates Sophos Senior Security Adviser Chester Wisniewski.  He's just completed a study of attacking Windows 7 with malware and seeing how the new UAC responds.

Of the ten pieces of malware tested, Windows 7 wouldn't install two of them.  Of the remaining eight only one generated a UAC warning, allowing the user to disallow its installation.

Microsoft officials, though, minimized the test, saying the UAC just isn't that important a security feature anymore.  They point to Windows 7's improved memory protections and Microsoft free Security Essentials antivirus suite as two critical tools that can be used to fight infection, in addition to the UAC. 

States a Microsoft spokesperson, "Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)."

"Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released," the spokesperson added. "Coupled with Internet Explorer 8—which includes added malware protection with its SmartScreen Filter—and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions."

While he understands that with other supplemental protections Windows 7 will likely be safe, Mr. Wisniewski seems mildly disapproving of defaulting the UAC to reduced functionality.  After all, users of Windows Vista may be lulled into a false sense of security expecting prompts to save them from malware.  Ultimately, though, there's little that can be done to convince Microsoft to change this, though, and he concludes, "Lesson learned? You still need to run antivirus [protection] on Windows 7."



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Flawed Methodology
By The0ne on 11/5/2009 3:03:21 PM , Rating: 4
Max level for UAC in Win7 is much less annoying than Vista. I usually have it off as I am picky on what I install but have been using it at max and have been pretty satisfied with the prompts. I'm keeping it at max unless it really does becoming annoying, which I doubt.


RE: Flawed Methodology
By Sulphademus on 11/5/2009 3:36:03 PM , Rating: 5
I upped my UAC to max and upped it to max on the PC Im building for my bro. Vista UAC has been fantastic in a corporate environment (prevented so much stupid crap!).

I'd like for them to do a full test with whatever crapware they wish and compare the results between XP SP3, Vista SP2 w/ UAC, Vista SP2 w/o UAC, and Win7 at all 4 levels of UAC. THEN tell me numbers!


RE: Flawed Methodology
By Souka on 11/5/2009 6:06:47 PM , Rating: 2
in my last two jobs, UAC is disabled in Vista...and Win7 RCs.

No need really... users are only given "USER" level authority on the system. If they need an app, they request it and it gets pushed to their system.

Standard apps they can simply selected from the published apps (via control panel or sharepoint site).. Non standard apps we have a process for that also.

Number of virus outbreaks at my last two companies... zero
Number of users corrupting their systems...zero
Number of support/IT related calls...very few

I'm now at a company that runs XP, Vista, and now Win7... most users have admin authority on their boxes.

Wouldn't ya know it.. we have over 3x the support personel, and the IT dept. spends it time putting out fires instead of working on real projects for company growth...

Glad I don't have to deal with it...but hate having my projects put on hold because they're so busy on things that could be avoided...

Ugh...sorry....long day.... anyhow.. UAC? Hmm... no matter how good the programming is, I'm sure there's a way for a person like my parents to say "sure, go ahead and install!"

:)


RE: Flawed Methodology
By Master Kenobi (blog) on 11/5/2009 10:26:10 PM , Rating: 5
Yes, I have noticed overwhelmingly that companies that choose to give end users admin level functionality locally end up with a massive increase in problems and support calls related to those problems. It's a never ending stream of brush fires.


RE: Flawed Methodology
By FITCamaro on 11/8/2009 12:30:35 PM , Rating: 2
I agree. It is extremely annoying to have to call IT when you need a tool. Especially since companies are cutting back on local support staff and going to remote administration.


RE: Flawed Methodology
By mark3450 on 11/6/2009 11:45:47 AM , Rating: 4
quote:

Number of virus outbreaks at my last two companies... zero
Number of users corrupting their systems...zero
Number of support/IT related calls...very few


This may be true, but it doesn't necessarily mean your doing a good job. This is classic IT mentality. The purpose of IT is not to minimize the number of computer issues, it's to maximize the productivity of the employees using those computers. You may very well be doing that as well, but it doesn't follow from these results. You can simply remove all the power cords from the computers and get the same result.


RE: Flawed Methodology
By Cerin218 on 11/6/2009 5:11:22 PM , Rating: 1
Umm hello, you can maximize productivity of the user when the user isn't sitting at their desk twiddling their thumbs because they clicked on that UPS tracking number email and installed the .exe contained in there even while questioning the origin of that email to themselves, and as the IT staff you are now working to remove that virus from their computer before it infects other users or your server.
You are obviously not an IT person. If you can prevent problems, they do not become problems, and as stated it allows you to focus your attention on other products that may in fact, increase productivity.
Think before you speak.


RE: Flawed Methodology
By mark3450 on 11/7/2009 12:07:32 AM , Rating: 3
No I am not an IT person, however I do know computers and the shortcomings of IT mentality. Yes having some bozo infect his computer with a virus isn't good for productivity, but locking out users from admin causes it's own problems for productivity you so blistfully ignore.

Simple example, say I have a scientific paper in PDF I need to read, but it requires an updated version of adobe reading to view. With admin privliges it takes 5 minuites to get the new reader, without it's a major headache to get IT to install one for you. The difference in productivity is huge.

What I'm calling IT mentality is this thought process that the only goal is to minmizing the number of problems. The goal is to maximize productivity and that's not the same. Yes problems like viruses reduce productivity, but so do draconic IT measures like denying users admin privliges.


RE: Flawed Methodology
By DominionSeraph on 11/7/09, Rating: 0
RE: Flawed Methodology
By Alexstarfire on 11/7/2009 5:50:32 AM , Rating: 2
If IT is doing their job properly it shouldn't take much longer than doing it by yourself. That is of course assuming that the end user actually knows how to do it by themselves... of which many times I highly doubt.


RE: Flawed Methodology
By damianrobertjones on 11/8/2009 9:27:24 AM , Rating: 2
The moment you give users the rights to install, your days are numbered. Users are... to put it bluntly, thick. Really, really thick. You can train, state, send them FIFTY DAMN emails and they STILL won't take a blind bit of notice.

P.s. Adobe acrobat? Why? Foxit reader. With apps think quick and easy instead of bloated and slow.

P.P.s Admins can remotely update hundreds upon hundreds of pcs without even leaving their desk. You're not an it person so please try not to think like a user who 'wants' everything. :)


RE: Flawed Methodology
By mark3450 on 11/9/2009 5:04:12 PM , Rating: 2
quote:
Users are... to put it bluntly, thick. Really, really thick.


Yes some users are thick, but many are not. I know folks in IT can give endless examples of how clueless users are, but users can also give examples of how IT policies like locking out admin destroys their productivity. Obviously it's easier on IT to lock down admin, but quite honestly it's IT's job to make life easy for the user not the other way around.


RE: Flawed Methodology
By Cerin218 on 11/6/2009 5:15:25 PM , Rating: 2
That's what my father does. He doesn't read any windows, just clicks until it does what he wants it to do. My favorite is the last time his computer was infected and I asked him what happened. He told me a computer program wanted to install but he didn't know what the program was and it told him that it needed to shut off his antivirus in order to do so. So he said great and installed an unidentified program that subverted the security and didn't know what happened, only that his computer didn't work now.

UAC is only as smart as the person using it. Of course if you are smart enough to use it, you are smart enough not to need it. Kind of an odd little catch.


"When an individual makes a copy of a song for himself, I suppose we can say he stole a song." -- Sony BMG attorney Jennifer Pariser














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki