[Infowarrior] - Microsoft Exec: UAC Designed To 'Annoy Users'

Richard Forno rforno at infowarrior.org
Fri Apr 11 18:47:25 UTC 2008


Microsoft Exec: UAC Designed To 'Annoy Users'

By Kevin McLaughlin, ChannelWeb
3:12 PM EDT Thu. Apr. 10, 2008

http://www.crn.com/software/207100934?cid=CRNFeed

The User Account Control in Windows Vista improves security by reducing
application privileges from administrative to standard levels, but UAC has
been widely criticized for the nagging alerts it generates. According to
one Microsoft (NSDQ: MSFT) executive, the annoyance factor was actually part
of the plan.

In a Thursday presentation at RSA 2008 in San Francisco, David Cross, a
product unit manager at Microsoft who was part of the team that developed
UAC, admitted that Microsoft's strategy with UAC was to irritate users and
ISVs in order to get them to change their behavior.

"The reason we put UAC into the platform was to annoy users. I'm serious,"
said Cross.

Microsoft not only wanted to get users to stop running as administrators,
which exacerbates the effects of attacks, but also wanted to convince ISVs
to stop building applications that require administrative privileges to
install and run, Cross explained.

"We needed to change the ecosystem, and we needed a heavy hammer to do it,"
Cross said.

Keith Meisner, senior systems engineer at AppTech, a Tacoma, Wash.-based
solution provider, says UAC has helped Microsoft improve end users' overall
security posture.

"Many of the situations we deal with have to do with users being uninformed
about threats on the Internet," said Meisner. "Are there some annoyances
with UAC? Yes, but advanced users know how to get around them."

But while UAC is good for overall security, it does present logistical
issues, said Steve Snider, president of Cadre Information Security, a
Cincinnati-based solution provider. "For people working in an office, close
to IT, it's not a problem, but when you have a very mobile workforce, and
you have to load and update applications, that's when it becomes more of an
issue," he said.

As a result of UAC, software vendors have changed their approach to
developing software, to the point where fewer applications and tasks are
triggering alerts, said Cross. "Most users, on a daily basis, actually have
zero UAC prompts," he said.

Cross also disputed the popular notion that many frustrated users have
decided to shut off UAC alerts entirely. He cited internal Microsoft
research that shows 88 percent of all Vista users operate with UAC turned
on, and 66 percent of sessions have no prompts, a number he says will
continue to grow over time.

"UAC is not a perfect security boundary, but it [has helped us] move from
'zero click' exploits to 'one click' defense," said Cross.



