DigitMemo.com

So over the passing months, the UAC prompt has gone from nice idea (as it was advised) to “not the best solution” to something that admins may actually have to find a way to work around.

The latest version of a well-reviewed third-party security policy enhancement system for Windows Vista claims to solve what its manufacturer characterizes as “not a secure solution” to a critical problem Windows historically had with administrator privileges on programs. But in the announcement of the upgrade earlier this week, a key Microsoft product manager is quoted as having acknowledged Vista’s own take on the solution was not quite enough, effectively reversing his company’s stand on User Account Control.

The product is BeyondTrust Privilege Manager 3.5, and its key new feature is the ability to run Vista’s UAC transparently without prompting the user for privilege elevation. In Monday’s press release, Microsoft director of client security product management Austin Wilson is quoted as not only endorsing the product, but appearing to agree with BeyondTrust’s key contention: that the UAC prompts were not only a nag but an insecure solution in itself.

“Microsoft recognizes that to help create a secure, auditable and compliant enterprise environment all users should be Standard Users and ideally not have administrative privileges or access to administrator passwords,” the press release quotes Austin as saying. “BeyondTrust Privilege Manager helps corporations that need to allow standard users to run applications that require administrative privileges on Windows Vista with UAC enabled without any prompts or input required from the user.”

In order to disable any keyloggers that may be lurking in the background, when Vista puts up a UAC prompt, it engages what Microsoft calls secure desktop mode. There, all other processes including many core operating system functions are suspended - which would suspend Trojans as well - while the user is prompted to click on “Continue” or to enter the admin password. Full disclosure: I myself endorsed this methodology in an article I wrote in November 2006 for InformIT, where I describe in full how UAC works and why I believe it’s an effective security tool.

At the time the security prompt was first introduced in Vista betas last year, Microsoft began preparing the public for what it anticipated would be some serious concerns. A guide for Windows trainers in the workplace published last September by Microsoft tried to prepare them for the possible backlash: “Rapidly clicking through messages is a natural activity for most of us,” it read.

“The UAC (User Account Control) feature of Windows Vista provides much tighter security than previous versions of Windows: It requires users to confirm some actions that are potential security risks, and does not allow some actions at all for standard users. Much research has gone into the phrasing of security messages so that they are easy to understand, and the shield icon helps information workers anticipate when authorization is needed. However, getting information workers to read each security message before they click is an ongoing challenge.”

Since that time, surprisingly, some of Microsoft’s own spokespeople have actually been visibly candid about their impressions of UAC, perhaps partly to help appear sympathetic to the customer, but also because they don’t believe themselves that UAC and its “over-the-shoulder” (OTS) prompting method is the best solution to the account privileges problem.

Last June, Microsoft key security engineer Mark Russinovich wrote for TechNet magazine, “Even though elevation dialogs appear on a separate secure desktop, users have no way by default of verifying that they are viewing a legitimate dialog and not one presented by malware. That isn’t an issue for [administrator account mode] because malware can’t gain administrative rights with a faked Consent dialog, but malware could wait for a standard user’s OTS elevation, intercept it, and use a Trojan horse dialog to capture administrator credentials. With those credentials they can gain access to the administrator’s account and infect it. For this reason, OTS elevations are strongly discouraged in corporate environments.”

This leads us back to last week’s press release from BeyondTrust, which paints a picture of the OTS prompting system as a security hole in itself: “Distributing administrator passwords to standard users is not a secure solution,” BeyondTrust writes. “It places the security decision of which applications to elevate in the hands of the user instead of a network administrator. Additionally, these credentials can enable users to circumvent security policies, make ill-advised system changes, and run or install applications as an administrator.”

So perhaps the clearest indicator to date of Microsoft’s new willingness to bend to its customers’ logic comes from its client security product manager, Austin Wilson. “I am pleased to see third-party security vendors such as BeyondTrust improve what is already our most secure business client OS, Windows Vista,” Wilson continues in support of BeyondTrust’s new upgrade. “The combination of elevating approved applications transparently with Privilege Manager and running UAC in no prompt mode with Internet Explorer in protected mode provides a best-of-breed solution to the least privilege problem.”

Source: betanews