ABOUT BENCH FORUMS PODCAST LOGIN REGISTER
PC Components
Smartphones & tablets
Systems
ENTERPRISE & IT
GUIDES

Windows 7: Release Candidate 1 Preview

 by Ryan Smith and Gary Key on May 5, 2009 11:00 PM EST
121 Comments | Add A Comment
121 Comments

Reworking UAC

Predictably, one of the most common complaints about Vista was the User Access Control (UAC) feature, which firmly established a real degree of security in Vista by blocking applications from attaining administrator-level privileges by default. It was something that was long overdue for Windows given how easy it is to compromise a machine when everything runs with admin privileges, but that doesn’t mean it was taken well.

Half of the problem going into Vista’s release was that few applications were coded following best security practices, even though Microsoft had been recommending such a thing for years, and such practices were necessary for applications to work correctly under limited user accounts. With so many poorly coded applications misbehaving under Vista until they were brought up to spec by their developers, it left a bad taste in the mouths of many. Compounding the problem was that Vista’s UAC implementation was not streamlined very well, resulting in redundant notices. Microsoft resolved some of the streamlining issues in Vista SP1, but this never completely satisfied users who were expecting a more XP-like (and insecure) experience.

With Windows 7 we have an attempt at a compromise, which is a noble intention by Microsoft, but leaves us concerned about the security implications. Previously UAC could only be turned on or off (Group Policy settings not withstanding), which would sometimes result in unhappy users shutting it off and giving up most of Vista’s security abilities in the process. With Windows 7, UAC has now been divided up into four levels: Off, followed by three levels of increasingly strong security. Level 3 is the equivalent of Vista’s UAC mode, meanwhile Level 2 is the default setting for Windows 7. With Level 2, certain signed Microsoft applications (basically most of the Control Panel apps) are allowed to elevate to administrator privileges without needing user confirmation. The working belief here is that most people are encountering most of their UAC prompts when initially configuring Windows, and if they didn’t encounter those early prompts they would have no great reason to turn UAC off entirely, particularly since 3rd party applications are so much better behaved these days.


The UAC Control Panel With Level Slider

Hence the compromise is that UAC prompts are disabled, but only for the Control Panel apps, meanwhile all other regular apps are still controlled by UAC as normal. The concern we have with this compromise is that with applications allowed to auto-elevate from user to administrator, it creates a potential local privilege escalation exploit. For Beta 1, a proof of concept exploit was put together that used rundll32 to disable UAC entirely without informing the user or requiring their intervention. In return Microsoft removed the UAC control panel from the auto-elevating list so that any direct attempts to manipulate it still require user intervention. This blocked the proof of concept exploit while maintaining all the other benefits of Level 2 UAC. It should be noted however that similar exploits could still work with Level 1, as it’s Level 2 without the secure desktop screen (thereby allowing apps to fake pressing the Allow button).

At this point it remains to be seen if Level 2 could be exploited in a similar manner, such as by breaking out of another auto-elevated application and attacking UAC from there. The fact that it leaves an obvious potential attack vector open leaves us leery of Level 2. Microsoft had the security situation right in the first place with Level 3/Vista, and it may have been better if it stayed that way.

With that said, Level 2 does what it’s advertised to do. Compared to Level 3/Vista, you’re going to get far fewer UAC prompts when messing with Windows’ settings. Undoubtedly it won’t satisfy those who absolutely abhor UAC, but at some point Microsoft has done everything they can.

Quickly, the other security element that was reworked for Windows 7 is the Security Center, which has been expanded and renamed the Action Center. Besides being a one-stop-shop for various Windows security features, now it is also home to an overview of system maintenance tasks and troubleshooting help. This doesn’t significantly change the functionality of the Action Center, and the biggest change that most people will notice is the GUI.


The Windows 7 Action Center

Windows Media : New Codecs, New Looks, New Features Libraries and Homegroups: New Ways to Organize and Share
PRINT THIS ARTICLE
Comments Locked

121 Comments

View All Comments

  • ssj4Gogeta - Wednesday, May 6, 2009 - link

    Exactly what SkullOne said. I also use Linux and know in what areas it's better than Windows. But I also know there are so many other areas in which it's a pain to use.

  • SkullOne - Wednesday, May 6, 2009 - link

    Spoken like a true jaded Linux fanboi. People like you are the reason Linux will never be mainstream. You think you're so high and mighty (or more secure) when you're not.

    Thanks for the laugh. I'd love for you to back up ANY of your comments with facts.

    Disclaimer: I use Linux and Windows every day in production environments. They both have their place in the world.

  • snookie - Wednesday, May 6, 2009 - link

    This blaming of Microsoft's Vista woes on Apple and a few commercials is just ridiculous. Most people pay no attention to such things those few that see them. It also has nothing to do with why Vista was a flop in the consumer space and an even bigger flop in the corporate marketplace. Certainly nothing to do with so many companies offering XP downgrades. Vista is a lousy product plain and simple and if there is any marketing fault it is Windows with their arcane multiple editions at ever increasing prices designed to milk customers. People aren't stupid even if they are computer novices. They know when they have been had, something is difficult to use, or not reliable. This is the result of years of piling layer upon layer of code on an ever expanding code base with no effort to start over and offer a clean efficient OS. The ONLY thing Windows 7 has over Vista is the interface is simplified and gets out of your way better. It can SEEM to run faster all it wants but test after test shows Windows 7 is barely faster than Vista at many tasks and in fact slower at some. Microsoft is in real trouble here because years of cruft code have left a huge amount of unusable code that consumes resources, adds instability, and provides entry to all sorts of malware. There is no way this codebase can be made to work efficiently with the quad and higher core procs that will be even more common in the next few years and what is Microsoft going to do then? They have three failed ad campaigns under their belt so their years of lying to their customers has fallen flat and corporate customers long ago stopped believing anything Microsoft said which is why open source that doesn't lock you in is becoming more and more prevalent. Microsoft has met the enemy and it is them.

    I notice you run Microsoft ads btw.

  • ssj4Gogeta - Wednesday, May 6, 2009 - link

    I know so many people who haven't even TRIED Vista once and they keep telling other people how bad it is.

  • formulav8 - Wednesday, May 6, 2009 - link

    I agree almost 100%. I have customers who wants to make sure they have/get windows xp because vista is so bad. If you ask them why, they basically say its because a friend of a friends father said it was slow.

    I do know one of the biggest downfalls for Microsoft and Vista was allowing Intel to pressure them into getting Vista Certified compatability with those trashy integrated chipsets of Intel. So many users have those trash Intel xtreme/gma video chipsets and they had very bad Aero interface performance.

    Anyways, I use both Vista and Windows7 daily. I like Vista better than XP overall and like Windows7 thus far compared to Vista.

    I really think Windows7 will end up being one of the best oses made, even when compared to osx and windows xp.


    Jason

  • vectorm12 - Wednesday, May 6, 2009 - link

    Personally I never took to windows XP nor vista(had it been tecnologically possible I would still have been on WinNT 4.0), however as I bought a new PC I hit the RAM cap of 32bit XP Pro and therefore felt I had no decent choice than to move to 64bit Vista.

    My Vista experience has been far from great, reinstalls, crap drivers from nVidia and ATI not to mention a bunch of other third parties. However it hasn't been all bad, vista has quite a few ideas that just didn't work out just the way I would have liked.

    Look at the save file dialogs for example where you actually had to click a button to browse directories other than the default one.

    I've now been running on Win7 x64 since build 7k reinstalling almost every time a new version has been leaked and I'd say most of the things that bugged me with Vista has been corrected.

    At this point the only thing I still want for Win7 is the "old" style control panel and an integration of the "administrator tools" into the control panel.

    Looking at the big picture I say Win7 (even in BETA) is the best modern OS Microsoft has produced. The performance issues of Vista have been dealt with to a large degree. Drivers seem to work better and the most annoying GUI issues have been dealt with.

    All Microsoft can do now to make me feel completely satisfied with my computing experience over the last few years is give me a BIG rebate on the upgrade to Windows7 from my old Vista licence.

  • johnsonx - Wednesday, May 6, 2009 - link

    I just upgraded my XP-era Vista box (2.2ghz single core A64, 2GB RAM, VIA AGP mobo, X1950Pro) to Windows 7 tonight, and it was absolutely painless. It certainly seems faster than Vista, in particular I notice that my e-mail client and web browser launch and become ready much more quickly.

    I'm finding the new UI features to be actually useful as well, rather than Vista's pointless eye candy. I often have 6 or 7 browser tabs and several e-mail windows open, along with another couple of apps, and the new task bar makes it much easier to switch among them. I can see if I have any new e-mail just by moving the mouse over the client icon on the taskbar, no need to even click on it. Aero-Peek makes gadgets more usable too, since you can see them without minimizing every window. AeroSnap is great too. Only AeroShake defies explanation, but perhaps time will prove that one too.

    I was never a Vista hater, though it certainly had it's frustrations. But it only took me 20 minutes with Windows 7 to never want to touch another Vista box again.

    I was initially concerned that ATI's Windows 7 driver only supports cards back to the HD2000 series (presumably because the WDDM 1.1 driver model requires DX10 class hardware, which my X1950Pro is not), but the MS provided driver had no problems with Half-Life 2 (the only game I happen to have installed on this box) or any of the fancy GUI features.

    The only weirdness so far as that at last boot up Windows told me a driver for Trend Micro Internet Security was being blocked due to a compatibility problem with Windows 7. That's understandable, except for the fact that I don't have any Trend Micro product installed, nor has one ever been installed in the past. It wouldn't tell me exactly what driver it was complaining about though, so I can't investigate further (I suspect some log somewhere will tell me exactly what driver it blocked).

    One taskbar UI incontinuity: so much now works by simply moving the mouse over the various items, it suddenly seems odd to have to actually click on the start menu to get it to open.

  • johnsonx - Wednesday, May 6, 2009 - link

    ok, it turns out the offending driver was TMCOMM.SYS, and it really was from Trend Micro. I have a vague recollection of running an online scan once a couple years ago (trying to scan a friend's external drive), so I guess it was trend micro and it left that driver around.
    As with most such things, the blocking event was neatly logged in the system event log.

  • thebeastie - Wednesday, May 6, 2009 - link

    Wow, this new OS looks like Vista but with all the latest patches,IE8 and DirectX11. Then just a few cosmetic graphics changes.
    I AM EXCITED!
    Come on what else did you expect? Maybe its something that has stuck deep in side people since they were kids around new PCs but when it comes to Microsoft new OSes people are just getting more and more nieve.

  • thebeastie - Wednesday, May 6, 2009 - link

    More tests appear to be slower in Windows 7 then Vista etc.
    Things like reltek sound performance can be put to just as much to the 3rd party drivers then anything else.

    I can't believe how many people I have talked to that use but hate Vista and expect Windows server to be light on its feet as XP but with the features of Vista, they are behaving as its something they could bet their life on.
    What does it take for people to get some some technical intuition?
    I mean thats what people really really really need here.
Copyright © 2024. All rights reserved.
BENCH
TOPICS
FOLLOW
ABOUT

Log in

Don't have an account? Sign up now