On Fri, Jun 5, 2009 at 1:01 AM, Ken Schaefer <[email protected]> wrote:
> a) users were made admins by default ...

  I don't have a copy of NT 3.1 handy.  It really put newly-created
users into the "Administrators" group by default?  I'm pretty sure NT
4.0 didn't.

> Other OSes avoided [drive-by malware] by prompting users.

  Every other "real" OS I've seen doesn't prompt users the way UAC
does.  Rather, regular users simply do not have permission to modify
the system.  Separate administrator accounts were used instead.  This
paradigm has been an industry standard since at least the 1960s.

  MS-DOS could be forgiven for the lack of security since it was an OS
for bitty boxes.  Win 3.x was just a shell for MS-DOS, so it inherited
the same problems.  Win 95 broke a lot of DOS/Win16 compatibility, so
it was somewhat less forgivable that security wasn't part of the
picture.  It became less and less forgivable as Microsoft continued to
propagate the lack of security through the Win 98/ME products, when NT
was a viable option.  In my opinion, all the effort Microsoft spent
cranking out those releases would have been better spent on improving
NT.

>  UAC brings this to Windows

  I disagree with the premise that UAC (as implemented "out of the
box" on most new computers) significantly increases security.  All it
does is add more "are you sure?" prompts to an OS that already has too
many.  Users are already desensitized to such prompts.  The fact that
UAC is brain-damaged in Vista and prompts multiple times for the same
action just makes it that much worse.

  The fact that UAC strips the admin privileges from processes by
default is immaterial; users still confirm the elevation, just like
they do for all the other "are you sure?" prompts.

  The concept is somewhat better done in Mac OS, where user logon
accounts have a password, and the privilege elevation prompt requires
users to enter that password, rather than just click
yet-another-OK-button.  This is similar to the "sudo" concept from
*nix.  But I haven't seen any data that suggests a significant
percentage of lusers will actually be more careful just because they
have to enter a password.  It might be, but I've seen much stupider
behavior.

  UAC has a less-publicized capability that *is* useful: If a
non-admin user attempts an operation requiring system privileges, UAC
will prompt to select and authenticate an account which does have the
required privileges.  This is similar to the "su" concept from *nix.
If more "out of the box experience" configurations employed this
feature, I think it would be a real improvement.

  But of course, nobody wants to pay for security.  :-(

> b) (a) notwithstanding, the biggest problem at the moment is PEBKAC, and 
> that's a platform agnostic problem.

  Absolutely!  I didn't miss that point at all.  Indeed, I've argued
it myself many times.  I just think there's other stuff going on, too.
 :)

-- Ben
