Microsoft: UAC approach is so good, other OSes should follow suit

I constantly amaze my technology pundit pals by regaling them with tales of my use of Windows Vista. "I dunno, it doesn't crash for me"—puts them into shock. "Actually, it boots faster than XP did, for me"—jaws hang wide open. But the real kicker is when I admit that I haven't spent the two minutes it takes to disable User Account Control (UAC). It just doesn't bother me much. Apparently this is akin to pouring gasoline all over yourself and striking a match—and not minding it. Or so I'm told.

Of course, that's not to say that I like UAC's prompts. I find it somewhat annoying, but it's nowhere near as annoying as some other interface flaws in Vista, like the inconsistent use of the Back/Forward navigation buttons and the lack of "OK" and "Apply" on many Control Panel apps. But I'm not kidding myself: plenty of early Vista adopters loathe the feature.

Microsoft doesn't, however. The company says that UAC and the approach it embodies is really the direction that all operating systems should be headed in, but to understand that argument, one must first understand what Microsoft means.

Microsoft's Mark Russinovich has made it clear that the company does not view UAC as a "security boundary." I wrote about this earlier, but one major point worth repeating is that UAC encourages developers (including black hats) to try and accomplish more without elevating permissions. Why? Because the goal should be to avoid tripping UAC except for operations that truly need elevated privileges, which frankly something like changing Mozy backup settings should not require (but currently does).

Peter Watson, Microsoft Australia's chief security advisor, gave a video interview to Builder AU in which he explained why other operating system developers should be paying attention to Microsoft's approach.

Ars Video

"There has been a lot of misunderstanding in the market around User Account Control (UAC) and how the function actually works. If you look at it from an architectural direction, User Account Control is a great idea and strategically a direction that all operating systems and all technologies should be heading down," Watson said.

"Various application providers in the market are coming to terms... recognizing that it's much more effective to run applications and have actual users running on systems as standard users as opposed to system administrator," he said. "Why should I be letting my normal user be running as system administrator?" he asked.

Watson's view is that application developers need to be rejiggering their apps so they don't trip UAC unnecessarily. What UAC's constant prompts show right now is that many applications are not ideally designed, Watson suggests.

Microsoft has designed UAC so that it detects pre-Vista setup routines and interrupts them. Microsoft's ideal scenario is one in which older installation routines trip UAC, as well as any significant change to the operating system. What I didn't know is that application developers can actually design install routines around UAC, so that it's not tripped. (The article linked there is loaded with great information, and I thank the Windows team member who passed that on to me.)

The most controversial aspect of Watson's comments all center around the idea that Microsoft is a leader with UAC, and that other OSes should follow suit. UAC is a cousin of myriad "superuser" process elevation strategies, which Mac OS X and all flavors of Linux already enjoy. The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.

Where UAC is different—and also where I think many power users would completely freak out—is in its mistrust for full Administrators. While your average Linux distro will allow you to run as root and give you complete control without prompts (Ubuntu's default settings excepted, of course), Vista's UAC still prompts Administrator users as though they're not admins. There are some users who feel as though being an Admin should mean no interruptions or calls for authentication from the OS, but Microsoft's message seems to be this: the days of the mighty Administrator should come to an end. In Microsoft's vision, any and all "Admin activity" should be flagged as such and prompted for verification.

This is a new revelation for the company, but let's not kid ourselves: this general approach to process elevation is older than Windows itself.