Security Features vs. Convenience

One of the most basic conundrums in computer security is the constant trade-off between security and usability.  At the end of the day, if security is too complicated to use, then it simply won't be used.  Even if a feature offers a good level of security protections, if it is complicated or has poor usability it will likely be disabled by the end-user or network administrator, which doesn't benefit anyone.  The same issue with safety and security exists in the physical world.  I remember when car alarms were first available (as an aftermarket product) -- you had to remember to set the alarm after you locked your car and half the time people forgot.  Today, many cars come with alarms from the factory and the task of setting the alarm is usually just part of locking the car -- and as a result, alarms get set.

When we set off to make sure that Windows Vista was the most secure version of Windows ever, we had to create security capabilities that we could enable by default and be usable enough to be left on when the system was deployed.  There is clearly a balance here because if we lock the system down too tightly, then we risk the majority of customers turning key features off, or even worse, staying on older versions of Windows and thus not realizing the great security benefits of the new system.  It's a great irony when you realize that one of the risks of adding more security in the name of making people safer is that users might stay on older  versions that, in some ways, appear easier to use but are much less secure than the new system.

While we greatly improved the security of Windows Vista and we believe it is the best system available, I have always been clear that the system is neither fool-proof nor unbreakable -- no software I have seen from anyone is.  Moreover, there are defense-in-depth security capabilities that some may mistakenly believe are impenetrable security boundaries, when they are not.  This was the hard balance that we dealt with:  How many applications would be impacted with a harder security boundary and how many users might turn off a security feature if the usability was perceived to be worse?

One great illustration of this challenge in Windows Vista is User Account Control (UAC).  In the simplest terms, you can think of UAC as "standard user that works" or "non-administrative user that can actually do things."  Prior to Windows Vista, there were key scenarios that were important to a standard (non-administrator) user that couldn't be completed as a standard user.  So to do things like change the local time zone on the system or many other things, you had to have local administrator privileges.  As a result, almost everyone used a logon account that was a member of the local administrators group -- the secondary effect being that most software developers (including at Microsoft) developed their software assuming that the user would be an administrator.  There were indeed some corporate customers that deployed their environments with their users as standard user, but this was typically an expensive task, and often with some loss of functionality.

So for Windows Vista, the primary goal of User Account Control was to help protect users from inadvertently doing things that require administrative privileges whether that privileged function was initiated by either malware or the user.  Remember that prior to Windows Vista, when the user was logged on as an administrator, they (and typically all software) basically had full run of the system with the ability to override any local security checks.  To achieve our goals for Windows Vista, we not only had to make standard user work well for an end-user who just wanted to get their work done, but also to protect someone who really needed to be an administrator from accidently doing something bad.  The primary goal was to protect the system from both people with malicious intent and users who might inadvertently perform administrative tasks without knowing the full consequences of the task.

To do this, we had to go through the various system tasks that users perform and for each one ask the question:  "should the user have to be an administrator to complete this task?"  What we found was that in Windows XP there were many cases where we required the administrative privilege if the user was making a change that impacted the entire system (rather than just their user account).  We subsequently learned that this was too broad a distinction and in fact, with some common sense rules, we could protect the system while still making it usable.  We also found that there were many cases in previous versions of Windows where we had lumped things together when instead only part of the task really should have required the user to be an administrator.  For example, in Windows XP you had to be an administrator in order to change the time or the time zone of the system. The reason that time functions are usually restricted is that you can do some pretty sneaky things if you can change the system time -- like trick system logs or backdate emails.  But as it turns out, changing the time zone of the machine so that a business traveler based on the West Coast goes to their meetings at the right time when they are visiting New York really doesn’t need to be protected -- so in Windows Vista, we split that out and now allow a standard user to change the time zone.

As a result of this work, in Windows Vista you will find that once you get beyond the setup phase on most systems, you can work just fine as a standard user.  The problem was what to do when the user needs to complete a task that does require the administrator privilege.  To address this need, we created a new capability in Windows Vista so that when a standard user tries to do something that requires the administrator privilege, the system prompts the user to have an administrator authorize the task by entering their credentials (or confirm the task if you are an administrator).

When we first designed this functionality in Windows Vista, we required that the user enter the CONTROL-ALT-DELETE (C-A-D) sequence (known as a secure attention sequence due to its capability to resist interception) prior to prompting the administrator for their username and password.  The reason for this functionality was that entering this sequence is the only way for the user to know for sure that it is really the system (and not some phishing exploit) asking for your credentials -- in much the same way that you never want to give personal information to someone who calls your house claiming to be your bank:  You only want to give your password to the system when you know for sure that it's the system asking for it.  So just like you only give your bank information if you called them yourself (so you know it's them), C-A-D is the high-assurance way to interact with the system directly and know with confidence it is the system on the other end.  When the user hit the C-A-D sequence, we brought up the Secure Desktop, a restricted mode where only the system can run, and then asked the user for their credentials from that desktop.  The benefit of the secure desktop is that it is more difficult for malware to run in that context, and the user knows that they are on the Secure Desktop because the running applications are grayed out in the background, highlighting the dialog box running on the secure desktop.

When we conducted usability testing, we quickly learned two things:  The first was that that the system asked for permission way too frequently; and the second was that C-A-D was confusing to most users, especially home users, most of whom associate C-A-D with bringing up the Task Manager.  To address the first issue, we examined the system and carefully analyzed each situation to make sure that we were only asking for permission when it was really necessary.  We also worked with application vendors to make sure that they do not require elevation to administrators except when it is really necessary.  We looked at cases where an application tried to elevate to administrator mode when it wasn't really necessary and created compatibility updates that made the application think they were elevating without actually evaluating them, thus eliminating an elevation prompt.

The second issue was more difficult to address, since C-A-D is really the only way to make sure that you aren't being spoofed by malware.   With that said, at the end of the day, we came to the conclusion that if we did not eliminate the need to hit C-A-D, then most users would likely just run as an administrator all the time, which was more of a security risk than the potential risk of a credential spoof.  While C-A-D was disabled by default, we still ask for consent on the secure desktop so that the user knows that this is a special request from the system.  In the end, while we left the C-A-D integration with UAC in the system, we disabled it by default.  If a user wants to require the C-A-D sequence for UAC elevations, they can easily turn it on via group or local policy.  Network administrators can also mandate C-A-D for UAC elevations via group policy.  So, if you want to be more secure than the Windows Vista default, just turn on C-A-D for UAC elevations.

GP Editor

Note that UAC may not help you if you already have malware on your machine -- one more reason why we view it as a defense-in-depth security feature and not a hard boundary.

As I discussed above, we also wanted to allow users who wanted to be a local administrator to have that flexibility, but at the same time be safer than Windows XP.  To do this, we created a mode of UAC called admin approval mode.  In this mode (which is on by default for all members of the local administrators group), every user with administrator privileges runs normally as a standard user; but when an application or the system needs to do something that requires administrator permissions, the user is prompted to approve the task explicitly.  Unlike the "super user on" function from UNIX that leaves the process elevated until the user explicitly turns it off, admin approval mode enables administrator privileges for just the task that was approved, automatically returning the user to standard user when the task is completed.

However, it should be noted that this functionality is primarily a convenience feature for administrators and not an explicit security boundary between processes that can be absolutely isolated.  If an administrator performs multiple tasks on the same desktop, then malware may potentially be able to inject or interfere with an elevated process from a non-elevated process.  Thus, the most secure configuration for Windows Vista is to run processes in two separate accounts, with only administrator tasks performed using an administrator account and all other tasks performed under the standard user account.

When we first designed admin approval mode as part of UAC, the default was to require the user to type in their password.  (This was in addition to the CONTROL-ALT-DELETE (C-A-D) sequence I discussed above.)  The feedback from usability testing here was the same -- essentially, users felt that having to type in their password for each elevation was too complex, as was having to hit C-A-D prior to provide consent.  Again, the risk of having this complex (although more stringent) UI was that some customers might simply turn off admin approval mode and then use administrative rights without any protection or warning.  Clearly the security risk with admin approval mode off was greater than the risk of the system being spoofed.  So, although this is not foolproof, if someone is going to run in admin approval mode, it is clearly much better than Windows XP.  In the end, while it's possible to require a password in admin approval mode, it is not required by default.  It can be enabled by an end-user or set by a network administrator using group policy.  See below.

LP Editor

Another great example of convenience vs. security is our strategy on enabling Data Execution Prevention (DEP) in Windows Vista.  In simple terms, DEP treats data as data and code as code, and then blocks execution of any data content.  The benefit of this is that if there is a vulnerability in the system (or in an application) that allows a data buffer to be overrun, with DEP enabled, it is harder for the attack to execute the malicious code that was placed in the data buffer -- thus blocking the attack.  DEP is turned on by default for the kernel and it is a great way of protecting other parts of the system (like Internet Explorer) and applications from buffer overruns.  Here is the problem:  it turns out that there are some third-party add-ons that generate code dynamically and store the code in the data region (sometimes referred to as "jitting"), and there is no method for DEP to distinguish between these add-ons and malware.  So you either have more security or potential application compatibility issues.

Here is the default for Windows Vista.

DEP 1

Note that you can turn on DEP for all programs and services if you want.  This is clearly a more secure state, but it could create some application compatibility issues.  I certainly recommend that businesses test to see if they can use DEP for all programs and services.  In some cases it might be possible; in others it won't be (yet).  There’s that tradeoff again!

Internet Explorer was a particularly difficult case because we certainly wanted IE to benefit from the protection afforded by DEP.  But prior to the Windows Vista release there were compatibility issues with several well known third-party IE add-ons, so by default we could not enable IE to run with DE.  It turns out that there are two pieces of good news here.  The first is that it is possible for dynamically generated ("jitted") code to be DEP-compatible -- it just takes a few lines of new code (and an upgrade to the new code).  We expect most third parties to update their add-ons to support this.  The second piece of good news is that Adobe, whose Acrobat and Flash Player add-ins were previously incompatible with DEP, has updated their software to be compatible with DEP.  (Be sure to get these updates.)

So although it is not the default today, you can turn on DEP for IE for the additional protection.  Michael Howard wrote a great blog post on how to enable DEP in Internet Explorer 7 on Windows Vista.

DEP 2

I personally have enabled IE to use DEP on all my Windows Vista PCs and I would recommend that you do also if you want the added security.  (Again, be sure to get the Windows Vista updates from Adobe.)  I won't promise that all sites will work, but in my typical usage pattern everything works fine.  Over time, as we work with more third parties to make their software DEP-compliant, I expect we will be able to turn on DEP by default for everything.

While we have configured the system to balance usability and security, as I noted above, we've also made it possible for home users and network administrators to make the system even more secure by enabling the features that we ended up turning off by default -- something that wasn't possible on previous versions of Windows.  So what's my advice?  I tend to think of this in terms of a good, better and best approach for both home users and enterprise customers.

For home users:

  • Good strategy:  Make the first user account a parental account (even on a kid's machine) and protect it with a good password -- by default, this first account is in the local administrators group with administrator approval mode enabled.  Subsequent user accounts -- especially for kids -- should be standard users.  If a standard user (for example, a child) encounters the need to complete an admin task, the administrator (for example, mom or dad) can enter the proper credentials to complete the task.  With the advent of fingerprint readers on most laptops, this may be as simple as swiping a finger.  You should also use the Parental Controls feature in Windows Vista to help protect and restrict any accounts that kids use.
  • Better strategy:  In addition to the steps for "good strategy," also require the password to be entered when an administrator elevates themselves to complete a task using admin approval mode.  This makes it harder to spoof the system and also makes it extremely difficult for an unauthorized person to complete an admin task on a PC that is left unattended.  By default, Windows Vista will lock the desktop after inactivity (if you leave the machine), and if you have a password, then it will be required to unlock the system -- one more reason why we recommend that you have a password on accounts in the administrator group.  You may want to adjust the period of inactivity to be shorter if necessary.  I also recommend that you enable DEP for Internet Explorer.  In most cases, if you get the latest add-ins from Adobe, you will likely not have too many problems.  If you do, it's easy to turn it back off if necessary.
  • Best strategy:  If you are extremely concerned about security, then in addition to "better strategy," also require the C-A-D sequence for consent to complete admin tasks.  This will provide additional protection to the system when an administrator is elevating him or herself using admin approval mode and also when a standard user needs consent from an administrator.

For business deployments:

  • Good strategy:  The most basic step is to require all users who need administrator privileges for their roles or application compatibility requirements to run with admin approval mode enabled (which is the default).  This provides a good transition to standard user, but provides a little leeway through the transition.  (Note that I personally strongly encourage businesses to move to a "better" or "best" strategy instead of staying at a "good" strategy.
  • Better strategy:  Require all (or most) users to be standard user.  Many customers should move their end-users to standard user over time.  When elevation must occur, require C-A-D before the administrator enters their credentials to complete a task.  Also require administrators to enter their credentials in admin approval mode.  As in the home user case, I also recommend that you enable DEP for IE, provided the appropriate testing is done before doing this.  If you have internally-developed add-ons that don't work with DEP, consider updating them to make them compatible.
  • Best strategy:  In addition to having most users run as standard users with C-A-D and passwords required for administrators using admin approval mode, do not allow over-the-shoulder elevations for end-users on the theory that any tasks that require local elevations (such as software installs or configuration changes) could be completed more securely using centralized management including group policy.  For changes that must happen locally, the administrator can log on to a separate session (either at the system or remotely using Remote Desktop).

The true test of how secure any system will be in practice has as much to do with how it is deployed as it does with its architecture and code quality.  And how the system is deployed has a lot to do with usability and convenience.  (If you don’t lock your doors at night because it is too much of a hassle, the locks don't offer much security.)  Our goal is that the most generally applicable security configuration (remember, this is a combination of architecture, code quality and usability) is deployed by default.  We sometimes use defense-in-depth approaches when designing security measures instead of hard boundaries for this reason.  We also know that there are certain customers who, even with a deep understanding of the usability issues, may choose to enable a more locked down system than we could ever ship by default.  For these people, we provide great flexibility to turn on even more protections.  What makes this even more complex is that given how broadly a product like Windows Vista will be used, some people may try to create sensationalist headlines by calling out some apparent "weakness."  Before they do, it is important to remember that the design was more likely a deliberate design choice that was balancing some other factor such as usability or application compatibility, rather than an oversight.

jim

Tags: , , ,

Comments

  1. Hornet
    Posted on: February 03, 2007 at 6:25PM  

    I have to say I'm more than a little disappointed that Microsoft's own virus protection does not work on its new 64-bit OS.  Especially since security is suppose to be a major feature of Vista.  You guys really pooched this one.  When will OneCare be available for 64 bit users?

  2. PlayerTwo
    Posted on: February 25, 2007 at 12:31PM  

    If vista is so secure y do i still need an anti-virus? the other popular OS does not require an anti-virus?

  3. musicmandj
    Posted on: July 27, 2007 at 10:55AM  

    Hi, I am having a problem with Windows Vista security it seems. I am on a network with server 2000. We only have 1 vista comp which is a new laptop and this is the only computer giving the problem. Whenever the vista workstation gets logged out of, the server account locks whenever the account logs back in when it tries to connect to the server. I have to then go and unlock the account in active directory twice, then it is able to connect again. This happens every time we restart. The network info is static and similar to all other computers and the windows firewall was shut off to test the issue. We are on a workgroup, not a domain.   So far no luck, could you please help?

    Thanks a lot!

    Rob S

    leamingtontechsource@hotmail.com

  4. alcrab
    Posted on: September 23, 2007 at 10:08PM  

    I've have a friend who bought a new computer with the vista program installed. Not knowing that you have to upgrade to another system.Why?  Why should a person buy a computer with his hard earned money - get it home - plug it in and finially realize after talking with friends that you have to spend nearly $200.00 to upgrade to premium, just becuase Microsoft failed to inform the public of this .

    I would think that when you bought a computer ( like in the old days) it would be functional. There should be a way to upgrade to a more functional program without having to spend hundreds of hundreds of dollars.

    Are we ( the general public) that gullible to think that a company can survive with these tactics? I think not!!! Hello congressman.

  5. nia5792
    Posted on: September 29, 2007 at 9:45AM  

    This is a major security issue that would potentially allow a password changed due to it being breached back into the system again. That happened to me when, I suspected that my daughter discovered my administrator privileged password, I changed it to a new password. Later, I created a new account for my son, which never existed before. He somehow crashed the Vista OS and his account got deleted, albeit my daughters account created using the old administrator privileged password stayed intact. When I tried to log on to create a new account for my son, I was unable to log on with my new administrator privileged password. I was baffled when my repeated attempts using that new administrator privileged password that I used dozens of times refused to log me on. Then, I scratched my head in disbelief, slowly but surely it dawned on me that I should try my old administrator privileged password. Eureka!! It worked. If I had forgotten that old password I would have lost my account on that Vista.. This Vista has many bugs crawling all in it. Us poor MS guinea pigs, we are paying MS for Vista only to find bugs in their big time commercial product, we should receive some type of stipend just like the big shot developers and engineers being paid to find bugs in MS’ Vista. Una Vista Muy Malo?? Mi Cabrone, Que Pasa?

  6. Zybermark
    Posted on: February 19, 2008 at 9:58PM  

    I love Vista! The tradeoff made with UAC is very acceptable to me, and allowing customizations through policy is just the icing on the cake!

    Great job guys! Thanks for helping us be a little safer.

  7. beedude
    Posted on: July 12, 2008 at 7:51PM  

    I bought a Vista system 9 months ago. I found the security too extreme as I'm not even able to set up a network using Vista Home system. Plus, I'm a Adobe user and I'm disappointed that Vista is not compatible. I also discovered that Vista doesn not support 5.1 or 7.1 surround. I'm not sure if the security issues are at play, but Vista (and by extention Windows Home Meda) make for a poor media system. Unfortuatly, I'm buying a Mac so I can have a real multi media system.

  8. Meriwether
    Posted on: November 04, 2008 at 12:20PM  

    informative post, keep it up.,

  9. J.Allyn
    Posted on: January 19, 2009 at 7:36PM  

    Check out this site for more resources on the security features of Windows Vista.

    www.microsoft.com/.../technetvista.aspx

  • Page:
  • 1
  • 2
  • 3

Trackbacks

  1. Posted by: Robert McLaws: Windows Vista Edition on January 24, 2007 at 2:17AM

    If there was any blog post that Jim needed to make, it was this one . In Jim's longest post to date,

  2. Posted by: PuntoRete on January 24, 2007 at 4:32AM
  3. Posted by: Michael Howard's Web Log on January 24, 2007 at 1:19PM

    Jim Allchin has a great blog post about some of the design issues we went through and tradeoffs we made

  4. Posted by: Robert Burke's Weblog on January 24, 2007 at 3:42PM

    This is excellent explanation and commentary by Jim Allchin on some of Vista's new security features

  5. Posted by: Chris Szurgot's Blog on January 24, 2007 at 5:09PM
  6. Posted by: Robert Hensing's Blog on January 25, 2007 at 9:44AM

    Jim Allchin in his longest blog post to date explains the security trade-off's we had to tackle with

  7. Posted by: David Ziembicki on Infrastructure Architecture on January 25, 2007 at 11:38AM

    Jim Allchin has a great post over on the Vista Team's blog about the tradeoffs and choices made in terms

  8. Posted by: Roger's Security Blog on January 25, 2007 at 4:09PM

    With 4 days to go until Windows Vista General Availability launch, Jim Alchin wrote a pretty interesting

  9. Posted by: Microsoft Switzerland Security Blog on January 26, 2007 at 9:24AM

    "One of the most basic conundrums in computer security is the constant trade-off between security and

  10. Posted by: E-Bitz - SBS MVP the Official Blog of the SBS "Diva" on January 27, 2007 at 2:36AM

    Vista is at 10:30 a.m.....but not at noon where it was earlier in the beta ... what am I talking about?

  11. Posted by: The Security Wizard on February 08, 2007 at 7:39AM

    Jim Allchin writes in the Windowsvistablog.com about o ne of the most basic conundrums in computer security

  12. Posted by: Mark's Blog on February 12, 2007 at 8:58AM

    I introduced the -l switch to PsExec about a year and a half ago as an easy way to execute processes

  13. Posted by: Blog Team TechNet Italia on February 16, 2007 at 7:55AM

    Ciao a tutti. Dopo qualche giorno passato a Seattle ad imparare cose nuove ritorno per segnalarvi alcuni

  14. Posted by: Robert Burke's Weblog on February 20, 2007 at 9:06AM

    [Default] Spotlight on: Windows Vista Innovate on Windows Vista Innovate on Windows Vista helps fast-track

  15. Posted by: Segurança na Microsoft on February 22, 2007 at 10:09AM

    "Fronteira de segurança" (ou security boundary ) é alguma barreira pela qual código ou acesso não podem

  16. Posted by: Segurança na Microsoft on February 22, 2007 at 10:10AM

    "Fronteira de segurança" (ou security boundary ) é alguma barreira pela qual código ou acesso não podem

  17. Posted by: 盆盆的博客 on February 25, 2007 at 9:36PM

    首先祝大家新年快乐!本文是Mark Russinovich最新的博客文章,由盆盆所翻译。不过并不是泛泛地进行翻译,为了加深大家对文章的理解,盆盆还特地加注了自己对内容的理解和难点注释。从本文我们可以看出,不管是UAC、IE保护模式、完整性级别,都没有定义安全边界,黑客们还是可以制造出针对Windows Vista的病毒,只是迟早的问题。不过正如Mark所说的,有总比没有好,可以让用户和应用软件走入一个标准用户的时代。

  18. Posted by: Mark's Blog on March 06, 2007 at 2:05PM

    I introduced the -l switch to PsExec about a year and a half ago as an easy way to execute processes

  19. Posted by: Mes ramblings du travail on March 26, 2007 at 3:44PM

    Ca fait longtemps que je voulais faire un petit billet sur UAC. Mi-janvier, je pensais (naïf) que tout

  20. Posted by: zyrtec 10mg antihistamine tablets on October 07, 2007 at 1:02PM

    zyrtec 10mg antihistamine tablets

  21. Posted by: zyrtec dosage children on October 07, 2007 at 1:35PM

    zyrtec dosage children

  22. Posted by: ultracet narcotic on October 08, 2007 at 6:21AM

    ultracet narcotic

  23. Posted by: PowerShell Team Blog on September 30, 2008 at 2:12PM

    One of most common issues we face with PowerShell comes from users or ISVs misunderstanding PowerShell’s

  24. Posted by: Microsoft non corregger?? i problemi di sicurezza di Windows 7 « Guiodic Blog on June 18, 2009 at 7:14PM

    Pingback from  Microsoft non corregger?? i problemi di sicurezza di Windows 7 « Guiodic Blog

  25. Posted by: Windows 7 UAC security thoughts « BurgerMinds on June 29, 2009 at 4:00PM

    Pingback from  Windows 7 UAC security thoughts « BurgerMinds

  26. Posted by: Inside Windows 7 User Account Control « Vangelis Solutions Intranet on October 16, 2009 at 11:11AM

    Pingback from  Inside Windows 7 User Account Control « Vangelis Solutions Intranet

Recent Posts

Tags

View more
© Copyright 2009 Microsoft Corporation. All Rights Reserved.   |   Privacy Statement