Vista: UAC could have been much better

2007-05-02T06:48:00-04:00

Microsoft Windows has, until now, required that the logged on user have ‘Administrator’ privileges to be able to do anything useful. This wide-open approach has become the bane of our lives because it is directly responsible for the proliferation of viruses on so many millions of computers. To be secure, a computer needs to be locked down by default. There are many examples of companies who do successfully operate locked-down Windows desktops, but to run anything more than Microsoft Office usually requires special privileges. To run as a ‘normal’ user on Windows XP on your Home PC is nothing short of a nightmare.

There are plenty of reasons for this. Mostly, it is that badly written software tries to modify files in “Program Files” or “Windows”. It is also because if you want to change basic system settings, you often need to be administrator. This last point isn’t really a failure, it’s just a frustration because in Windows your account is either one or the other – you can’t temporarily switch.

Not, at least, until Vista came along.

Vista introduces a feature called User Account Control. It is similar to a feature that is available on Unix called ‘sudo’.

Sudo has been around for a long time, and it works beautifully. In normal operation, your unix logon has ‘normal’ privileges – a virus, if you were to ‘catch’ one could not inflitrate your system beyond your own files (admitedly, that might be bad enough, but at least the virus wouldn’t have total control over your PC, to be able to send Spam and so on at will). When you want to do something that requires special access, you run the sudo command, enter your password, and then, for the brief period of that command, you have full control.

Microsoft being Microsoft invented their own method of achieving the same effect for Vista that doesn’t quite work the same as sudo. It is sudo, but it is sudo done badly.

With Vista, every single operation that requires administrator privileges – such as browsing a ‘protected’ folder (which isn’t actually a privielged function at all because by rights you have read access to those files, but that’s a different matter) causes a pop-up window to appear.

This pop-up window demands your IMMEDIATE attention. It even goes so far as to ‘dim’ the rest of your desktop, to let you know that you can forget whatever you were doing until you give it the attention it craves. It also flashes the screen.

That wouldn’t be so bad, if it then remembered that you had given it permission for the next 15 minutes, say, and let you perform whatever administrative tasks you need to perform. It doesn’t work that way. Every single ‘protected’ folder, every single administrative task requires this same break of flow. It was designed by someone (most likely a commitee) who certainly do not ‘get it’.

I found that after one week of Vista that I could no longer bear to keep on being interrupted by UAC, and turned it off. Maybe I found it more annoying than the ‘average’ user because I am a developer and the design of Visual Studio 2005 requires that it be run with adminsitrator privileges. However, even for normal tasks I still found it incredibly annoying, and I suspect that many, many people will simply turn it off.

Furthermore, I don’t see how it will actually help fix the problem of viruses and malware infecting ordinary users – they, quite often, have intentionally downloaded and run some kind of ‘bait’, maybe a collection of free smileys to brighten their day, and because they have intentionally set out to run the programme they will quite likely breeze past any alerts or warnings that appear, thus nullifying the potential benefit. That is just a supposition.

I personally think that Microsoft should have tried to implement sudo like security in their operating system. I believe that UAC is a half measure that frustrates in the extreme, and there is no excuse for frustrating software in our enlightened age of design.

Comment on Vista: UAC could have been much better by Floyd Price

2007-05-02T08:58:59-04:00

Switch to MAC OSX, Apple really have nailed this issue. ;-)

Arctus Blog: Vista: UAC could have been much better

Vista: UAC could have been much better

Comment on Vista: UAC could have been much better by Floyd Price