Safety != Security. Seriously.

[sebastian.palm]

I've been using Vista for eighteen months now, (since just after RTM,
actually), and while I was initially enthused with the new security
features promised in Vista, I've gotten pretty much disillusioned with
them. Because I think Microsoft somehow failed to understand something
terribly fundamental to userdom - the fact that Safety does NOT equal
Security, in the world of computer users...

In their own way, Windows NT and Windows 2000 were the most secure
versions of Windows there ever was, with regards to ths operating
system's security from the average *user*. Provided the operator could
follow a simple instruction: "Don't use an administrator account as a
day-to-day account", there was little he could do to truly screw stuff
up. Sure, having to log in as an "unsafe" administrator every so often
to take care of the stuff that needed privileged access was a chore,
but at least it was secure...

What Microsoft did in XP is IMO completely unfathomable - giving
J.Random XP installer, and his whole family, administrator privileges
by default. How many do you think bothered going back and changing the
access level of the regular user accounts back to User level?
Especially once XP software routinely started *assuming* it had Admin-
level privileges? Not too damned many... Thus you had most users
running "unsafe" accounts, which is pretty insecure.

I truly thought Vista would change things back, but sadly Microsoft
didn't decide on this - Vista still defaults to making the first user
an Administrator by default, and software vendors keep assuming
administrator privileges. Which, coupled with UAC, intended to provide
"safety" for administrator-level accounts, destroys security. Because
while users are now "safe" behind UAC access prompts, they can still
do anything they damned well please, or the apps they allow to run
because they no longer bother to read the annoying prompts can.
*Sigh*.

Contrast this with Linux, if you please. On most of the distributions
I've tried, the administrator account (root) is so powerful, and so
unsafe (no prompts!) that it takes even the most die-hard wannabe
poweruser all of one mistake to decide he won't ever want to be logged
in as "root" if it can be at all avoided; yet that same power is still
available at the admin's fingertips from whereever just by using the
su command. Doing it this way means a user must decide in advance to
want too use enhanced privileges - it's not, as with UAC, a matter of
reacting to an app that wants something.

IMO, the better solution for windows account security in Vista would
have been to ditch UAC entirely, and default accounts to user level -
and putting the administrator account somewhere accessible without
jumping through hoops... (beyond supplying the password, that is)

You may now all jump on me for posting something has already heard and
agreed/disagreed with.

SP

 

[Mark]

If you had said, IMHO instead of IMO, I'd have left you alone.
Otherwise, I agree with you on defaulting account to User only and Admin is
only available if the User wants to be in Admin. This would then force the
vendors to supply programs that meet the existing security levels instead of
the vendor simply tell the User to Allow Admin functionality.

The current method is useless to the "typical" home user as vendors and
malcontents simply continue to ignore the requirements knowing it's easier
to get the User to click Continue with their non-passworded "limited" Admin
accounts.

 

[sebastian.palm]

If you had said, IMHO instead of IMO, I'd have left you alone.

Claiming humility would be dishonest - it's decidedly not one of my
stronger virtues...

Otherwise, I agree with you on defaulting account to User only and Admin is
only available if the User wants to be in Admin. This would then force the
vendors to supply programs that meet the existing security levels instead of
the vendor simply tell the User to Allow Admin functionality.

Exactly. One of the things I just can't understand about XP and later
is why they made it so you basically have to cripple one of its best
features in order to get to the Administrator account (you need to
turn off fast user switching to get a regular log-in prompt from which
you can manually type in the administrator account name - if there's a
way of adding the Administrator to the normal menu, it's buried
someplace where I've yet to find it after six years of sporadic
looking :-\)

The current method is useless to the "typical" home user as vendors and
malcontents simply continue to ignore the requirements knowing it's easier
to get the User to click Continue with their non-passworded "limited" Admin
accounts.

I kind of wish UAC had been designed more like a firewall - protect
each admin privilege individually, keep track of user-level
applications that request them, allow the user to semi-permanently
allow each privilege to apps that are deemed trusted as they're
requested. You'd get a bunch of prompts while performing initial
configuration of the system, but once you're done with that, anything
new will be cause for concern, rather than routine approval. Also, as
is, once UAC elevates a process, it gets all the rights in one go if I
understand correctly. There's no way of telling if the application you
just approved really does only what it says it does. How do you know
it's not a keylogger in disguise?

Let's put it this way: An administrator is like a superbike. A user
account is like a bicycle. UAC is a set of training wheels. Anyone who
should feel comfortable with a superbike will find training wheels to
be an annoyance at best, and anyone who *isn't* comfortable on a
superbike won't really be any safer with them. (And anyone who thinks
they'll be safer on a superbike if it has training wheels really
shouldn't be let anywhere near one...)

(Someone compress that into a four-line sig for me, and I'll be
eternally grateful...

SP

 

[Susan Bradley]

Baby steps.

It took 13 years to get Quickbooks to stop coding for admin. Rome was
not built in a day.

 

[James R. Gentile]

*Lots* of people are complaining that they have to hit yes/no, there'd be
even more complaints and hate
directed at vista if users had no ability at all to use their poorly written
legacy software or had to enter a password.
Besides, you can enter a 0 length password and just click OK as soon as the
password dialog pops up, how
is that different than yes/no? That's what just about any fool who 'clicks
OK to everything' would do that you claim
is such a big problem (without statistics to prove your point, which
completely doesn't surprise me after years of reading 'complaints' about
MS). I suppose your response would be "then make the password minimum 8
characters" but one shoe does not fit all and people should have a choice in
such things because a lot of them know what they are
doing when they choose no password or to have UAC just present a yes/no. I
agree with MS that this group of people should not be unduly inconvenienced.
IMHO.

 

[Mark]

I read your post five times and still have no clue what you said.

But, here's my simple comparison:
If a virus scanner asked you for every file it scanned whether it was a
virus or not, would you use this program?

I am of the group that would rather never hear from a firewall, anti-virus
or other protection scheme unless it found something to be concerned about.
It either works, or it doesn't. If it doesn't know how to do it's job
without me answering it every time I want to install a file, then it's
worthless. This is the category of about 90% of the protection schemes out
there. They provide multitudes of messages for two reasons:

1. We don't know how to protect you because it's too hard, so you decide and
relieve us of the responsibility, or
2. Look! We are doing our job, don't you agree... press Continue.

Those that are silent provide about 95% effectiveness and some of them are
free. The other 5% will always be the User. So why waste my time with
prompts that don't protect anything? If you don't practice safe hex, you
probably don't pay attention to the warnings anyway, nor understand them.

Either get rid of them, or force the vendors to comply. The current method
is not forcing compliance, even on x64 machines, and MS is about to make it
easier on them with SP1.