Microsoft: Vista Paved the Way for Secure Windows
Despite being widely derided (even by Microsoft executives), the Vista OS was instrumental in finally bringing to the world a secure version of Windows, at least if a presentation by a Microsoft security expert at the Usenix Security Symposium, being held this week in Washington, D.C, is any indication.
And it was the most widely hated feature of Vista -- User Access Control (UAC) -- that can take the credit.
It was all the users complaining about the annoying UAC pop-up boxes that finally spurred many application developers to rewrite their programs, explained Crispin Cowan, a Microsoft senior program manager for the Windows core security team.
These programs were rewritten so that they did not require full administrative privileges to run, which, in turn, cut down on the UAC boxes and allowed users to slowly grow more comfortable running in more limited, but safer, user modes.
"The purpose of UAC was to move applications away from using administrative privileges. Its job was to spank programs that used administrator that don't need to," Cowan said.
UAC, in effect, caused a "massive decimation of the population of ill-behaved [Windows] programs," he said. "The number of programs asking for admin rights dropped precipitously."
Cowan's talk was an extended argument on why Windows 7 is as secure as Unix variants such as Linux. And this security parity came about, in his view, in large part thanks to the fact that Windows Vista was the first desktop version of Windows to not, by default, give each user account full administrative privileges.
Windows' reputation for lousy security has been fully deserved, Cowan admitted. Even today, the most widely used version of Windows is Windows XP, which was built in 2001, and lacks most of the security provisions needed for today's environments (though Service Pack 2 added a lot of security features, he said).
Early versions of the Windows OS stressed usability over security, as well as interoperability among different programs, Cowan said. As a result, Windows allowed every user to have full control over the machine, in effect giving each user account full administrative control over a machine.
"If you are running as administrator, security is fairly hopeless," he said. Unfettered administrative rights is what allowed malware and viruses to take control of computers.
Beginning in 2002, however, Microsoft started making security an essential part of software development. As a result, the then next version of Windows, Vista, featured a total separation between what a user can do on a machine and what an administrator can do, a separation that has always been enforced on Unix distributions.
This separation, enforced by UAC, limits the damage that a user can do to a machine.
UAC could be seen as the Windows equivalent to the Unix sudo command, Cowan explained. Sudo allows a user to execute privilege tasks only after supplying an administrator, or root, password. Some Linux distributions, such as Ubuntu, do away, at least out of the box, with root accounts altogether, relying entirely on sudo.
Many users chafed at using UAC, however. Every time a program would require full administrative rights to run, a UAC box would pop up on the screen, asking the user for permission.
The annoyance of UAC actually proved to be beneficial over the long run, Cowan explained, because it reduced the number of applications that required administrative rights.
In many cases, programs did not need administrative permissions at all. Many Windows programs were designed to write their configuration data to the system registry, when it could as just as easily be stored in user folders.
Over time, application developers got the message from all the user complaints. Using anonymous telemetry data, Microsoft estimated that the number of Windows applications that required user access dropped from approximately 900,000 to 180,000.
While Vista got the bad reputation for user-hostility, Windows 7 made UAC more user friendly without relaxing the strict divide between user and administrator. This OS offered auto-elevation, in which a limited number of Microsoft pre-approved programs could get administrative access without the annoying user prompts. It offers a sliding UAC scale, so users can pick the level of restriction for their applications. Windows 7 also established virtual accounts so individual applications could get their own user accounts, Cowan said.
After the talk, one audience member said he agreed that UAC probably did encourage application vendors to rewrite their programs, but wondered if that was really Microsoft's goal in the first place, given the amount of user dissatisfaction it caused. Cowan himself admitted, when discussing browser security, that "Prompts are not purely evil. Prompts in which the answer is almost always 'yes' are evil."
UAC was one of a number of features that, Cowan said, brought Windows to security parity with Unix. The other features include a built-in firewall and the signing of 64-bit kernel drivers. In some cases, he argued, Windows now has security features that aren't even found in most Unix distributions, such as network access protection, memory address randomization, and data execution prevention.
"Unix had a very large security lead. Since then, Microsoft has closed the gap on every front and in some cases exceeded Unix security," Cowan said.