Simon Bisson & Mary Branscombe's Blog

Security: the impossible juggling act for Windows 7

By Simon Bisson & Mary Branscombe in Editorial

Posted in Windows Vista, operating systems, Windows, Security, Internet, Microsoft on December 30, 2008 at 4:59 pm


You want Windows to be secure; but are you prepared to use it if it is? 

The big advances in Vista weren’t just the architectural changes that made for driver and application incompatibilities as the software vendors played chicken with Microsoft (or, to be seasonal, pantomime dames: We’re finally going to launch Vista/Oh no you’re not!/Oh yes we are…). There are major security improvements, from the low-rights protected mode that browsers other than IE7 are finally taking advantage of to address space randomization - which isn’t perfect protection according to security expert and ex-Microsoftie Jesper Johansson, but still gives you a one in 256 chance of getting infected by a Trojan rather than a hundred percent chance. And then there’s UAC - and the real problem.

UAC is far and away the most maligned feature of Vista. Microsoft’s Steven Sinofsky is only half joking when he compares it to Clippy: “the end user view of compatibility was the UAC prompt that was so famous I thought for a few moments it would surpass the fame of Clippy - and I’m now associated with both of those personally.” UAC is infamous, but it’s widely used for something that’s supposed to be so hated - it was on in 88% of all user sessions in Vista by last April and probably rather more by now.

And it might be hard to believe as the screen goes dark yet again, but 66% of all Windows sessions have no UAC prompts at all and Vista SP1 will bring that down further because fewer tasks require an elevation prompt. When Vista came out, 80% of the prompts were caused by just ten apps (a mix of tools in Windows, Microsoft apps and third-party software). UAC is achieving its real aim, which is to get more software to work when you run as standard user. If you’re logged in as admin, you’re turning off almost every security option there is; according to David Cross, who made a name for himself by telling attendees at the RSA conference that Microsoft put in UAC to annoy users so much that software developers would do the work to make apps run in user mode, “almost half of vulnerabilities have a reduced impact because you’re running as standard user”.

But in Windows 7 you might not see any prompts at all, because Microsoft’s response to the UAC complaints has been to introduce a slider that allows silent elevation; that’s a nice graphical interface that makes the seven GPOs you could already use to control UAC much more accessible. But how does that make you more secure?
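The slider and the Group Policy settings it fronts both end up as a handful of registry values under the Policies\System key. The following PowerShell script is an added example (not code from the original post, and not a Microsoft tool) that reads those values and reports whether elevation has been made silent; the defaults it assumes for values that are not set (UAC on, prompt behaviour 5, secure desktop on) are the Windows 7 defaults and are an assumption of the example.

```powershell
# Added example (not from the original post): audit the registry values written by
# the UAC Group Policy settings and the Windows 7 slider, and report whether
# elevation has been made silent. Reading HKLM needs no elevation.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin (the "Behavior of the elevation prompt
# for administrators in Admin Approval Mode" policy).
$adminPromptMeaning = @{
    0 = 'Elevate without prompting (silent elevation)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacPolicyState {
    $p = Get-ItemProperty -Path $uacKey

    # A missing value means the policy is not set and Windows uses its default.
    # Assumed defaults (Windows 7): UAC on, behaviour 5, prompts on the secure desktop.
    $enableLua   = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is off (EnableLUA=0): every process of an admin user runs with the full token.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'Administrators elevate silently (ConsentPromptBehaviorAdmin=0): anything running as the user can elevate without a prompt.'
    }
    if ($secureDesk -eq 0 -and $adminPrompt -ne 0) {
        $findings += 'Prompts appear on the normal desktop (PromptOnSecureDesktop=0) rather than the isolated secure desktop.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        AdminPromptMeaning         = $adminPromptMeaning[$adminPrompt]
        PromptOnSecureDesktop      = $secureDesk
        Findings                   = $findings
    }
}

$state = Get-UacPolicyState
$state | Format-List
if ($state.Findings.Count -eq 0) { 'UAC prompts are intact.' } else { $state.Findings }
```

Running this on a machine where the slider has been dragged to the bottom shows the point of the paragraph: the same values the GPOs control are what the slider changes, and a value of 0 for ConsentPromptBehaviorAdmin means the prompt is gone, not that the risk is.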

If you want to be 100% secure, you need to turn your PC off, unplug it and never use it again. Disconnect it from the Internet and don’t plug in any peripherals and you only have to worry about someone stealing your snail mail. It’s not very convenient, of course… and UAC did have an element of a toddler tugging at your sleeve and asking you ‘why?’ all the time. What people who think UAC is too much like hard work really want is the psychic computer; it should know when I want to install software, when I want to do updates and whether the link I’ve clicked on is legitimate, all without bothering me or tracking what I do. Security either needs to make dangerous things harder, or to make users more careful. How much inconvenience are you prepared to put up with to avoid getting hacked? If Windows 7 avoided Vista’s other flaws but had the same level of UAC prompts, would you be complaining?

Mary

Comments

Pingback by WindowsObserver.com » Blog Archive » Windows 7 (Seven) Google Alerts for 30 December 2008 - December 31, 2008 on 12:59 am

[…] Security: the impossible juggling act for Windows 7 IT PRO - London,England,UK But in Windows 7 you might not see any prompts at all, because Microsoft’s response to the UAC complaints has been to introduce a slider that allows silent … See all stories on this topic […]
