Vista UAP (User Account Protection) – too much?
First, let me say that I have not seen Microsoft’s Vista UAP (User Account Protection) first hand, so I cannot claim firsthand experience with it; what follows is based on what I have read and on how UAP relates and compares to Linux and to “run as” functionality. George Ou thinks that UAP is getting a “bum rap” from people, some of whom want it both ways: tighter file access security, but without the annoyance that comes with it… Another ZDNet columnist has done a more detailed look at UAP. One of the articles cited by George Ou is this post from Paul Thurrott, which is highly critical of UAP.
In fact, Thurrott goes as far as this:
User Account Protection
Modern operating systems like Linux and Mac OS X operate under a security model where even administrative users don’t get full access to certain features unless they provide an in-place logon before performing any task that might harm the system. This type of security model protects users from themselves, and it is something that Microsoft should have added to Windows years and years ago.
Here’s the good news. In Windows Vista, Microsoft is indeed moving to this kind of security model. The feature is called User Account Protection (UAP) and, as you might expect, it prevents even administrative users from performing potentially dangerous tasks without first providing security credentials, thus ensuring that the user understands what they’re doing before making a critical mistake. It sounds like a good system. But this is Microsoft, we’re talking about here. They completely botched UAP.
The bad news, then, is that UAP is a sad, sad joke. It’s the most annoying feature that Microsoft has ever added to any software product, and yes, that includes that ridiculous Clippy character from older Office versions. The problem with UAP is that it throws up an unbelievable number of warning dialogs for even the simplest of tasks. That these dialogs pop up repeatedly for the same action would be comical if it weren’t so amazingly frustrating. It would be hilarious if it weren’t going to affect hundreds of millions of people in a few short months. It is, in fact, almost criminal in its insidiousness.
Let’s look at a typical example. One of the first things I do whenever I install a new Windows version is download and install Mozilla Firefox. If we forget, for a moment, the number of warning dialogs we get during the download and install process (including a brazen security warning from Windows Firewall for which Microsoft should be chastised), let’s just examine one crucial, often overlooked issue. Once Firefox is installed, there are two icons on my Desktop I’d like to remove: The Setup application itself and a shortcut to Firefox. So I select both icons and drag them to the Recycle Bin. Simple, right?
Wrong. Here’s what you have to go through to actually delete those files in Windows Vista. First, you get a File Access Denied dialog (Figure) explaining that you don’t, in fact, have permission to delete a … shortcut?? To an application you just installed??? Seriously?
Well, ok. From the point of view George Ou takes on the above analysis, he’s got a point…
Thurrott specifically raises the “problem” that when he attempted to delete a Firefox shortcut from the desktop when he had just installed it, it demanded additional user authorization from Vista’s UAP which he thought was so stupid. What Thurrott failed to realize or disclose is that deleting a shared shortcut like the one Firefox installed on the Desktop means that you are deleting a shared shortcut from the “All Users” desktop which requires administrative privileges.
Let me question something. Why should there be something on a user’s desktop that they do not have explicit permission to add/remove/change/delete? Compare this to a Linux desktop, in my case Mandriva 2006. “System”-placed icons, the equivalent of “all users” in Windows, are usually symbolic links to the actual file. Each user has control over THEIR desktop files. When the user is created, the links are generated, and if software is installed after the fact it 1) usually doesn’t dump icons on the desktop but uses a novel idea called the program menu, or 2) if it’s installed BY a specific user, it “pollutes” that USER’S desktop with an icon. Most anything installed system-wide gets placed in the user’s menu (like the start button…), and each user has control over what is in THEIR copy of that menu.
Yes, Windows has SORELY needed to make average users run with limited privileges for YEARS. Paul’s argument is that they have simply BOTCHED the way they’re doing it, with a feature that will be reviled. Here’s another example…
From the more detailed analysis of UAP:
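As an added example (not code from the original post), the following shell script models the Linux layout just described: a launcher in a shared system directory, and on the user’s Desktop only a symbolic link to it, so removing the icon touches nothing outside the user’s own home. The scratch paths, the user “alice” and the launcher contents are constructed for the demo; on a real system the shared directory is owned by root, which is what makes it read-only for the user.

```shell
#!/bin/sh
# Added example (not from the original post): per-user Desktop icons as
# symbolic links to a shared, read-only launcher. Paths and the user name
# "alice" are constructed for the demo.
set -eu

# Lay out a fake /usr/share/applications and /home/alice/Desktop under $1.
demo_setup() {
    root=$1
    mkdir -p "$root/usr/share/applications" "$root/home/alice/Desktop"
    printf '[Desktop Entry]\nName=Firefox\nExec=firefox\n' \
        > "$root/usr/share/applications/firefox.desktop"
    # Shared launcher: world-readable, directory not writable (root-owned on a
    # real system; here simulated with mode bits only).
    chmod 0644 "$root/usr/share/applications/firefox.desktop"
    chmod 0555 "$root/usr/share/applications"
    # Per-user icon: a symlink that lives in, and is owned by, the user's tree.
    ln -s "$root/usr/share/applications/firefox.desktop" \
        "$root/home/alice/Desktop/firefox.desktop"
}

# Remove the user's Desktop icon and report what happened to the shared file.
# Prints "target-intact" when only the link went away (the expected outcome).
demo_remove_icon() {
    root=$1
    rm "$root/home/alice/Desktop/firefox.desktop"
    if [ ! -e "$root/home/alice/Desktop/firefox.desktop" ] \
       && [ -f "$root/usr/share/applications/firefox.desktop" ]; then
        echo "target-intact"
    else
        echo "target-changed"
    fi
}

# Report whether the caller could alter the shared launcher directory.
# An unprivileged user gets "denied"; root bypasses mode bits and gets
# "allowed", which is why the shared copy is kept out of the user's Desktop.
demo_shared_writable() {
    root=$1
    if [ -w "$root/usr/share/applications" ]; then
        echo "allowed"
    else
        echo "denied"
    fi
}

# Run the whole demo in a temporary directory and clean up afterwards.
demo_run() {
    scratch=$(mktemp -d)
    demo_setup "$scratch"
    demo_remove_icon "$scratch"
    demo_shared_writable "$scratch"
    chmod -R u+w "$scratch"
    rm -rf "$scratch"
}

demo_run
```

Run as a normal user the script prints `target-intact` and then `denied`: the icon is gone, the shared file is untouched, and no elevation was needed because the user only ever wrote inside their own home directory. That is the contrast with deleting a shortcut that physically lives in the “All Users” profile.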
Drives and folders containing data created in an earlier version of Windows. Here’s the one that drives beta testers nuts. Let’s say you have a 250GB external USB drive packed with music files, videos, pictures, and backed-up documents. When you plug it into your new computer, Vista assigns it the drive letter F:. You have no trouble viewing those pictures and playing those music tracks. But as soon as you start organizing your files into new folders, Windows Vista begins prompting you for permission to perform file operations. You have to click Continue, switch to the Secure Desktop, and then click Continue in the Consent dialog box to complete each operation. Why? Because the default permissions on that external drive give Full Control to the Administrators group, but only Read permissions to Users. And remember, you’re running with the process token of a standard user, unlike Windows XP, which gave you full credit for logging on as an administrator.
What jumps out at me in the above is the confirmation for EACH operation. Ouch. Under Linux, removable devices are usually given read-write access for (at least) the user with the first open desktop, if I’m not mistaken. So I’m sitting at a computer, working, decide to plug in a removable drive, and somehow magically I can read and write to it. IF the above is par for the course, I would tend to agree that UAP appears to have been botched.
It sounds to me as though they have gone a bit TOO far in the effort to tighten things up. Let me give an example of a tool that most Linux distributions have: sudo. sudo gives a limited-privilege user administrative access, with limits. (In fact you can be VERY specific about which administrative commands to grant.) You can also take administrative privileges for a limited period of time. I’m not sure if 10 minutes is the default for sudo, it may be 5 minutes, but the idea is that you sudo, type your password, and then for the next X minutes you have administrative privileges. I can’t imagine how annoying it would be to have to confirm each and every action done as admin…
Ok, I haven’t used it yet and am just going on what I’ve read, but it sounds like it may need some serious help to become user friendly.
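To make the two sudo knobs mentioned above concrete, here is an added example (not from the original post, and not sudo’s own documentation) of a sudoers fragment that scopes a user to a fixed list of commands and sets the “X minutes” grace period explicitly, together with the check-before-install step a practitioner uses so a typo never locks everyone out. The user “alice”, the alias names and the command paths are constructed for the demo; the sudoers keywords and the visudo flags are real.

```shell
#!/bin/sh
# Added example (not from the original post): a narrowly scoped, time-limited
# sudo grant and the safe way to validate it. The user "alice", the alias
# names and the command paths are constructed for the demo.
set -eu

# Print the fragment. timestamp_timeout is the "X minutes" from the post: after
# one password prompt, further sudo calls within 5 minutes are not re-prompted.
# Setting it to 0 would prompt for every command, i.e. the per-action
# confirmation the post objects to.
sudoers_fragment() {
    cat <<'EOF'
# Ask for the password again 5 minutes after the last authentication
Defaults:alice timestamp_timeout=5
# Only these commands may be run with elevated rights (constructed list)
Cmnd_Alias PKG_ADMIN = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
Cmnd_Alias SVC_ADMIN = /bin/systemctl restart nginx, /bin/systemctl status nginx
alice ALL=(root) PKG_ADMIN, SVC_ADMIN
EOF
}

# Validate the fragment with visudo before it goes anywhere near
# /etc/sudoers.d. Prints "ok", "syntax-error", or "visudo-unavailable"
# (for example in a container without sudo installed). Installs nothing.
sudoers_check() {
    tmp=$(mktemp)
    sudoers_fragment > "$tmp"
    if ! command -v visudo >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "visudo-unavailable"
        return 0
    fi
    # -c = check only, -f = check this file instead of /etc/sudoers
    if visudo -c -q -f "$tmp" >/dev/null 2>&1; then
        result=ok
    else
        result=syntax-error
    fi
    rm -f "$tmp"
    echo "$result"
}

# Install step (needs root; defined here but deliberately not run). Mode 0440
# matters: sudo ignores a sudoers.d file that is writable by others.
sudoers_install() {
    sudoers_fragment > /etc/sudoers.d/alice-ops
    chmod 0440 /etc/sudoers.d/alice-ops
}

sudoers_check
```

The fragment is the whole point of the comparison in the post: the grant is limited in scope (two command aliases) and in time (five minutes of cached credentials), and the user still authenticates once rather than clicking through a consent dialog per file operation. Only run `sudoers_install` after `sudoers_check` prints `ok`.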