Thu 15 Mar 2007
Over at Channel9 they have a video showing Jon Schwartz, UAC Architect, and Chris Corio, UAC Technical Program Manager, defending UAC. It takes time to watch because it lasts more than one hour. This is obviously a reaction to the harsh criticism they got for UAC. Jon Schwartz makes an uneasy impression on me. In my view, their arguments are not really convincing, especially if you compare UAC to better solutions like su/sudo under Linux.
The arguments they often cited have to do with the fact that it is common practice under Windows to work with admin rights. I suppose there are only a few admins out there who wouldn’t admit that this is not a good thing.
In our organization, our users have only had standard user rights since we deployed Windows NT 4.0. Our students even have to make do with less than this. They are not allowed to change any settings on the PCs. So, distinguishing between standard users and admins was already doable with NT in most cases.
The other problem is that most sysadmins tend to log on to their PCs with admin rights. First of all, what is an admin doing when he is at work? Yeah, it is an easy question. He is working as an admin, of course. So, why shouldn’t he log on as admin in the first place when he is doing admin work?
Now, you might object that he is often doing things like reading mail, accessing the web, etc., where he doesn’t need admin rights. It is, of course, more secure if you do these things only with standard user rights. My point is, however, that UAC is not a good solution to this problem. Why didn’t Microsoft just adopt the Unix/Linux solution?
Under Linux you have this nice su command which allows you to switch easily to an account having root privileges. Most important here is that you have to authenticate again with the root password. In Vista, you just have to click “continue”. I seriously doubt that this will really increase security.
Under Linux, after you are done with your work as root you can easily switch back to your standard user account. If you want to enable or disable Vista’s UAC, you have to reboot! Now which solution is more convenient and which one is more secure?
You could also compare UAC with sudo. Sudo is a much more sophisticated tool, though. For example, you can configure what kind of tools you are allowed to start with root privileges without any hassle. UAC doesn’t have anything like this.
Thus, just arguing that UAC is necessary to better separate admin tasks from standard user stuff is not really a good defense. The only positive thing about UAC is that now developers of third-party software will be more sensitive to this issue. We can only hope that the next version of UAC will be as secure and convenient as su/sudo under Linux.