Windows Vista: Security Through Endless Warning Dialogs

Paul Thurrott's scathing article Where Vista Fails highlights my biggest concern with Windows Vista:

This is a companion discussion topic for the original blog entry at:

I think that the approach the KDE environment uses with makes a lot of sense: if I attempt to do something “administer-y” as you put it, I get a popup requesting the admin credentials. Those credentials will work until I stop doing “administer-y” things for long enough, at which point the credentials are invalidated and they will be requested again.

Generally speaking, that means I need to supply rights two or three times a day at most.

The problem on Microsoft’s side is the fact that they got so much criticism of the “default insecure” setup that they are swinging way the other direction to try to appease the critics. You can see the same thinking with the Microsoft Command Shell beta. You install it, and when you launch it for the first time, it asks if it can load the required assemblies. Being that not loading them will result in a completely useless endeavor, I fail to see how the installer shouldn’t register the main assemblies as loadable.

In the build of Vista that we have, this setting has changed names a bit.

It’s still in

Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options

but the names of the keys are all under

User Account Control: Run All Administrators In Admin Approval Mode

Set this to “Disable”. You do not need to log out for this to take effect in my testing, but again, this is a later build of Vista than Rick had.

All the “User Account Control” settings in this area mitigate the above complaints and are worth investigating. The real question is, what will the default values be for those settings?


LOL. Now it’s even funnier. Not sure if that was intentional or not, but… :wink:

Perhaps this feature is targeted at upgraders - since most people already run as admin, defaulting to “Admin as user” effectively downgrades people to regular users by default( but without mucking with the user account). Definitely annoying, though.

This is the first thing I thought of:

The default answer to every dialog box is "Cancel"

thing is, its called the CYA way to do it. If microsoft leaves it up to the user. When they let malware install, its their own fault, not the OS’s. Right now, there is nothing, so its the OS’s fault. MS learned their lesson, and is putting the owness back on the end users.

Lock everything down by default, let the end users configure, and if they get bitten, it was by their choice.

“…I get a popup requesting the admin credentials…”

People would find a way to bitch about that too. They would claim that it is a security risk because malware could pose as the security prompt and steal the user’s administrative user name and password.

MS can’t win. People will always find a way to bitch about anything they do. Just like Windows XP, two years from now the bitching will subside as everyone finds that all the new stuff really isn’t as big of a deal as they thought in the beginning.

Does the “run as” command still work on Windows Vista? Could you set up a “true Administrator” using the hack Rick S. detailed, log in under a normal user account, and “run as” the true administrator account when you need to do something administer-ey?

Could you set up a “true Administrator” using the hack Rick S. detailed, log in under a normal user account, and “run as” the true administrator account when you need to do something administer-ey?

Absolutely-- this is the default for a standard User account. I don’t think it’s as smart as what Wesley described (first comment) but you get your choice of an in-place one time admin login popup, or a dialog that says “you must be an administrator, etc”.

The way Vista handles User permissions is fine, or at the very least, no worse than the way it’s handled today in OS X. It’s the “let’s silently downgrade Administrators to Users by default” part that is problematic.

If microsoft leaves it up to the user. When they let malware install, its their own fault, not the OS’s

That’s true. If users want something bad enough they will click through any number of prompts and passwords to get it, eg, the Dancing Bunny Problem:

Ultimately you can’t solve this problem with technology alone; it takes education:

I can understand why security can be defficult to implement, and I most certainly will not try to show myself as a security expert… but I dont understand why the user interaction has to be so defficult.

Just take something small like the “you need to reboot your system” popup, that shows in case of a new installed application or some windows update. It is ofcause irritating that I need to restart at all… but it is nice to know. I can choose “restart later” or “restart now”. But I am in the middle of something and I click the “restart later”. But 2-3 minutes later it pop’s up again… and again … bah! The best thing is if I am sitting with a machine where I dont have access to restart, then it still pops up all the time, takes the focus away from my active application.

That would be like my car would pull over to the side and stop driving because I only had short amount of gas left or needed to change my oil.

Maybe Microsoft is just trying to re-use some of their Microsoft Bob code ;-). Wouldn’t want all that hard work going to waste.

Or maybe it is just aerobics for geeks. How many calories do you think you burn up with all the extra mouseclicks?

On the February CTP there was one more problem, that I don’t know if later will be risky. Now in XP, an administrator account with no password, can’t be accessed from a user account (for example, using runas, etc.). But now you can, you can give an admin permisson without even entering a password, and maybe this could be risky and let all kind of badnameware install by itself…

I use XP on a LUA account, and I’m happy with it, although you need some tricks found on Aaron Margosis’ blog to make your life easier.

They are just trying to follow the unix world’s idea of security. Sadly “File operation” isn’t too helpful to let me decide. Worse, most people I know click ANY ok button they see just to avoid reading, so yes, this will ultimately be pointless security that results in rapid fire clicking without thought.

Speaking of useless security, can we assume that since the word to post here is orange that I will ALWAYS type orange, and as such, you can just remove the requirement, and we can have the same level of security that typing the word orange provided without all the bother of typing?

Regarding the “orange” thing. I’m sure it was a quick to implement way to avoid automated comment spam. Yes, it only takes one real person to realize it doesn’t change and to modify the script, but spammers tend to pull less energy into things like that.

This reminds me of a feature in Lotus Notes called Execution Control List (ECL). It pops up a dialog whenever some piece of “untrusted” code attempts to perform a privileged operation. Unfortunately the typical Lotus Notes user will see these pop-ups frequently. And with very little information about what’s going on. Users tend to just click “Trust Signer” and get on with their life – and that includes trusting unsigned code.

Why does Security UI have to suck so much?

Holy shizz! It’s fantastically unbelievable that for all their mountainous resources, MS can’t find people who know anything at all about elegance and usability. I guess all those people already have jobs at Apple. [pun intended]

I like the KDE style solution. As for making sure other programs can’t mimick it, there are plenty of solutions around that. The windows login provides a couple already.
I heard a comical story of it popping up with a security dialog when you tried to create a shortcut on the desktop.