Microsoft’s Controversial UAC Spawns Alternatives
By David Worthington, April 1, 2007
Microsoft says that Windows Vista is the most secure version of Windows yet. That claim may have some teeth: The company has built in a bevy of new technologies to harden Windows. One of them, the Windows Vista UAC (User Account Control), is sparking debate about just how sharp those teeth are.
Past versions of Windows gave users administrative-level rights by default, but under Windows Vista's UAC, processes start with a standard-level user access token even when the logged-on account is an administrator. When an application, component or process needs elevated privileges, Windows notifies the user that administrative authorization is required; the user must then approve the elevation or supply administrator credentials, or stop what they are doing.
Microsoft designed UAC as a failsafe that limits the damage malicious software can do to a system, and it behaves the same way in every edition of Windows Vista. But does UAC make sense in a business environment?
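The split-token behaviour described above can be checked from a shell. The following PowerShell script is an added example, not code from the article or from any vendor it mentions; it assumes Windows Vista or later with PowerShell 2.0 (for Add-Type), and the function and namespace names are placeholders. It asks the token of the current process which half of a UAC split token it is, and shows how an elevated copy is launched through the consent or credential prompt.

```powershell
# Added example (not from the article). Classifies the current process token under UAC.
# Assumes Windows Vista or later and PowerShell 2.0+; "UacDemo" is a placeholder namespace.
Add-Type -Namespace UacDemo -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr tokenHandle, int tokenInformationClass,
    out int tokenInformation, int tokenInformationLength, out int returnLength);
'@

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # TOKEN_INFORMATION_CLASS.TokenElevationType is 18; the result is a TOKEN_ELEVATION_TYPE:
    #   1 = Default  (no split token: a plain standard user, or UAC turned off)
    #   2 = Full     (the elevated half of an administrator's split token)
    #   3 = Limited  (the filtered half: an administrator running as a standard user)
    [int]$elevationType = 0
    [int]$returned      = 0
    $ok = [UacDemo.Token]::GetTokenInformation($identity.Token, 18, [ref]$elevationType, 4, [ref]$returned)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetTokenInformation(TokenElevationType) failed with Win32 error $err"
    }

    # In a Limited token the Administrators group SID is present but marked
    # "use for deny only", so IsInRole reports False even though the account
    # is an administrator: the process really is running as a standard user.
    New-Object PSObject -Property @{
        User          = $identity.Name
        ElevationType = @{1 = 'Default'; 2 = 'Full'; 3 = 'Limited'}[$elevationType]
        IsElevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Start-ElevatedCopy {
    # Relaunch a program through the UAC elevation path. An administrator sees the
    # consent prompt, a standard user the credential prompt; cancelling it makes
    # Start-Process throw, which is the "stop what they are doing" outcome.
    param([string]$Command = 'powershell.exe')
    try {
        Start-Process -FilePath $Command -Verb RunAs -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Elevation was refused or cancelled: $($_.Exception.Message)"
        return $false
    }
}

Get-UacTokenState
```

Run it from a normal Vista console as a member of Administrators and ElevationType reports Limited with IsElevated False; run it from a console started with "Run as administrator" and it reports Full with IsElevated True. A standard user who is not an administrator gets Default, and Start-ElevatedCopy then asks that user for someone else's administrator credentials, which is exactly the enterprise complaint the vendors below raise.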
THE PRIVILEGED MANY
Although Windows NT has offered restricted user accounts since the 1990s, some internal and shrink-wrapped enterprise applications still require elevated privileges to run correctly on Windows, because they were engineered on the assumption that every user had administrator access to the desktop. An application that lacks the privileges a task requires can stop dead in its tracks.
As it stands today, some IT administrators must hand over local administrator control of the desktop to all users, including those who should be limited users, just to make such applications work. Users with higher privileges can modify system settings and install non-compliant applications, and any malware that runs under their account inherits the same privileges.
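On Windows Vista the application side of this problem is addressed in the application manifest, where a program declares the execution level it needs instead of assuming it. The fragment below is an added example, not taken from the article or from any product it describes; the assembly name is a placeholder. It is stored as an RT_MANIFEST resource in the executable or as a side-by-side `<name>.exe.manifest` file.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example manifest (placeholder assembly name), not from the article. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="Example.LineOfBusinessApp" type="win32"/>
  <description>Example manifest for a UAC-aware line-of-business application</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the caller's current (filtered) token. This is
             the right setting for an application that writes only to locations
             a standard user owns. The alternatives are:
               highestAvailable    - elevate if the account can, otherwise run
                                     as a standard user without prompting;
               requireAdministrator - always prompt, and refuse to start without
                                     an elevated token. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

An application that genuinely needs administrator rights should declare `requireAdministrator` so the prompt appears once at launch rather than the program failing part-way through a task. A 32-bit interactive program with no manifest at all gets Vista's file and registry virtualization instead: writes to Program Files and HKLM\Software are redirected into the user's VirtualStore, which keeps many legacy applications running but hides the fact that they were never made least-privilege clean.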
ENTERPRISE READY?
John Moyer, president of BeyondTrust, believes that UAC is unacceptable for the enterprise because it is not policy-based, allows the user too much trust, and runs afoul of least-privilege computing. “Essentially UAC has failed to meet the needs of the enterprise—even restricted users would need administrative credentials. From where we sit, it is a very good solution for the home users. They own the machine and can make those decisions.”
BeyondTrust CTO Marco Peretti chimed in, arguing that it does not make sense for UAC to be the same on all versions of Windows Vista. “Microsoft had to make a choice, and they chose to protect home users over corporate customers,” said Peretti.
A Microsoft spokesperson said that none of the security features in Windows Vista is intended as a “silver bullet” solution to computer security. The spokesperson suggested that Microsoft’s “defense in depth” approach makes Windows Vista more difficult to attack, and therefore more secure, than prior versions of Windows.
Microsoft owns technology that keeps users in restricted groups while creating exceptions for applications that require more privileges, but it is not yet integrated with Windows. In 2006 the company acquired two competing vendors of business-oriented, policy-based privilege elevation software: Desktop Standard and Winternals.
Desktop Standard’s PolicyMaker Application Security and Winternals Software’s Protection Manager let administrators elevate the security token of a specific application or process according to user, group or computer. Microsoft has not shipped either product, on its own or as part of Windows.
Desktop Standard’s founders walked away from the acquisition with their PolicyMaker Application Security software and became BeyondTrust. Microsoft transformed Desktop Standard’s GPOVault Enterprise software into Microsoft Advanced Group Policy Management and has included it in the Desktop Optimization Pack for Software Assurance.
Michael Cherry, an analyst with research firm Directions on Microsoft, noted in an e-mail that as a general rule of thumb, “Microsoft only brings forward products from an acquisition that match its product plans.”
A COTTAGE INDUSTRY
BeyondTrust’s PolicyMaker is a Group Policy extension that grants exceptions to applications requiring administrative-level privileges while keeping the user in the same restricted security context. It is managed through the Microsoft Management Console.
There are rule types for applications and ActiveX controls, and for network shares used to deploy licensed packages. It is centrally managed and transparent to the user, and supports Windows 2000, Windows XP and Windows Vista on both 32- and 64-bit systems.
BeyondTrust isn’t the only vendor bringing policy-based least-privilege management solutions to the table. Xeriton is selling software targeting the masses: home users and small and midsized businesses that have standardized on Windows 2000 or Windows XP and have not yet adopted Windows Vista.
Xeriton’s WindowsZones modifies the security tokens of processes, stripping privileges that a process would otherwise inherit from the user account. Application profiles can also be modified without running the applications.
This approach avoids application compatibility issues that may arise from Windows Vista’s use of limited user accounts. It is also necessary because of the way Microsoft implemented the user account system in Windows XP, said Allen Nieman, vice president of business development at Xeriton.
“Microsoft wants people to go to Vista to get UAC; they don’t want to publish a similar User Account Control application. They don’t want to put new technology in an old operating system,” said Nieman.