Windows Vista UAC Effective Defense Against Rootkits

Considering turning off UAC on your Windows Vista computer? You might want to think again.

UAC is Microsoft’s User Account Control. It’s a sometimes nagging interface that helps protect your computer by enforcing specific rules about what an administrator can and cannot do without confirmation. When UAC is turned on, the software on your computer runs without administrative permissions by default. If you or a program attempts an action that requires administrative privileges, UAC pops up a window asking whether you want to elevate to administrator so the action can be completed.

The good – if left on, UAC can be an extremely effective defense against many infections. This was most recently demonstrated in a paper by AV-Test.org, in which they tried to infect a Windows Vista test system with rootkits. Rootkits are the nastiest of infections: they work by installing a system driver that hides other infections while those infections steal your information or ruin your operating system. With UAC turned on, AV-Test couldn’t get any of the rootkits to install. In order to install the rootkits, they had to disable UAC.

The bad – it’s sometimes annoying. Really annoying. Especially when initially setting up a computer. When you install a program, change network settings, or reconfigure many system settings, UAC will always pop up the window, sometimes multiple times, asking for permission.

There are a lot of things that Microsoft can do to improve UAC for your typical consumer. First, rethink what requires administrative permissions. Many things that UAC asks permission for should not require those permissions. Next, place a time limit on the elevated privileges. Right now UAC elevates the user only until the current action is over, so it has to ask again if the first action initiates a second or third action that also requires the elevated privileges. Finally, grant the ability to set a timeframe for elevated privileges. If a user is going to be testing network settings or installing a bunch of software, they should be able to tell UAC to keep them elevated for the next fifteen minutes, or half an hour.

Windows Vista Service Pack 1 made improvements to reduce the number of UAC prompts. After initial setup, UAC prompts average fewer than two per session. If you’ve had UAC disabled on your system(s), it’s a good time to reconsider. If you decide to enable UAC, tell us about your experience in the comments.
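Before relying on UAC to stop a rootkit installer, it is worth confirming that it is actually on and will prompt. The PowerShell below is an added example, not code from the original post: it reads the UAC policy values Windows stores in the registry (Microsoft's documented path and value names) and reports whether UAC is enabled and how administrators are prompted; the defaults it assumes for unset entries are the Vista defaults.

```powershell
# Added example: audit the UAC configuration so you know whether it is really
# protecting the machine. Reading these values does not require elevation.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# A value that was never written is absent from the key; Windows then uses its
# built-in default, so treat "absent" as that default (Vista defaults assumed).
function Get-PolicyValue([string]$Name, [int]$Default) {
    $value = $policy.$Name
    if ($null -eq $value) { return $Default }
    return [int]$value
}

$enableLua     = Get-PolicyValue 'EnableLUA'                  1   # 1 = UAC on, 0 = off
$consentAdmin  = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 2   # Vista default: consent on secure desktop
$secureDesktop = Get-PolicyValue 'PromptOnSecureDesktop'      1   # 1 = prompt on the dimmed secure desktop

# Documented meanings of ConsentPromptBehaviorAdmin.
$consentMeaning = switch ($consentAdmin) {
    0 { 'Elevate without prompting (admins are never asked; effectively no UAC)' }
    1 { 'Prompt for credentials on the secure desktop' }
    2 { 'Prompt for consent on the secure desktop' }
    3 { 'Prompt for credentials' }
    4 { 'Prompt for consent' }
    5 { 'Prompt for consent for non-Windows binaries only' }
    default { "Unrecognised value $consentAdmin" }
}

# Is this shell already running with an elevated (full administrator) token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Verdict: UAC only helps when it is on AND administrators are actually prompted.
$findings = @()
if ($enableLua -ne 1)     { $findings += 'UAC is disabled (EnableLUA=0); every program runs with full admin rights.' }
if ($consentAdmin -eq 0)  { $findings += 'Admins elevate silently (ConsentPromptBehaviorAdmin=0); no prompt will ever appear.' }
if ($secureDesktop -ne 1) { $findings += 'Prompts are not isolated on the secure desktop, so other programs can interfere with them.' }
if ($findings.Count -eq 0) { $findings += 'UAC is on and will prompt before anything gains administrative rights.' }

[PSCustomObject]@{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = "$consentAdmin ($consentMeaning)"
    PromptOnSecureDesktop      = $secureDesktop
    ThisShellIsElevated        = $elevated
    Assessment                 = ($findings -join ' ')
}
```

A change to EnableLUA only takes effect after a reboot, so a machine that was switched off and back on since the last change reports its live state.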

With all things considered, Windows Vista UAC is certainly a step in the right direction. Sure, it can be annoying, and Microsoft can do some things to make it more user-friendly. However, it’s far less annoying, and far less costly, than getting your computer infected with a nasty rootkit. The results from AV-Test show just how effective UAC can be when left on, even against the nastiest of nasty infections. Is it worth it to click “Continue” every now and then?

  • This is so old news in Ubuntu. These types of policies are success stories for Microsoft, but just a walk in the park for Linux users around.

  • SpuD

    [quote] There are a lot of things that Microsoft can do to improve UAC for your typical consumer. First, rethink what things require administrative permissions. Many things that UAC asks for permission for should not require those permissions. Next, place a time limit on the elevated privileges. Right now UAC promotes the user until the action is over, thus making it necessary to ask multiple times if the first action initiates a second or third action that requires the elevated privileges. Finally, grant the ability to set a timeframe for elevated privileges. If a user is going to be testing network settings or installing a bunch of software, they should be able to tell UAC to promote them for the next fifteen minutes, or half hour.

    [/quote]

    Yeap, if they did this I would definitely have it on permanently!

    It's a great idea and, as proven, can stop you getting infected, but it is definitely really annoying. Before SP1 I had it every time I tried to open up any program, say iTunes, and had to accept more than 2 - 3 times!

    Microsoft should definitely consider adding some of these features to it!

    SpuD

  • Some non-Microsoft programs will not update unless you have UAC turned off.

    While UAC is a good idea, it can certainly be improved.

    Some programs should be able to perform basic tasks without a user prompt.

  • I remember having many issues with UAC while testing games, including many online, at Vivendi Games' Sierra Online.

    There were so many issues (and I experienced more in my newest PC when I upgraded to Vista last fall) that it convinced me to turn off UAC from the very beginning with my new PC.

    After having many issues with a huge amount of Vista features, I found a guide online and disabled a vast and large amount of unneeded services to enable my computer to run better, also enabling my L2 cache that Microsoft seems to purposely turn off to force people into upgrading hardware that would otherwise perform far better.

    As the last user said, UAC is both poorly implemented and poorly supported by third parties.

  • I am primarily a Mac user but have examined Vista in detail. I think the answer to the problems with UAC lies less in when it prompts people but more in how.

  • GaMt

    I agree that if Microsoft did update the way the UAC worked, it would be far more appealing.

    For now I'll stick with it, because right now it's not annoying enough for me. I'd rather be secured and annoyed instead of infected and annoyed.

  • SomeCrazyStuff

    [quote]Finally, grant the ability to set a timeframe for elevated privileges. If a user is going to be testing network settings or installing a bunch of software, they should be able to tell UAC to promote them for the next fifteen minutes, or half hour.[/quote]

    Um... it would seem to me that if you gave a certain timeframe, that would decrease security. Say you allow 1 hour to do all of your setting up and such, which will include driver installs and registering products and software over the internet.. but with only an hour's time on the internet you will no doubt start getting hit by AV2008/2009 along with a variety of other malware instances. So leaving a user with admin rights just allows for something to turn around and bite them in the butt. It would be better for there not to be a time period and to have to answer a message every time you need admin rights. That way you can go as long as you like without AV2009 finding you and saying, oh look, he has admin rights for the next 10 minutes.. let's have a party and play hide and seek.

    Just my thoughts though...

    Yes, I know this is an old post.. I'm just now seeing it though...