Network World

Julie Bort

UAC flaws pshaw: disable admin rights to make Windows and IE safe

By Microsoft Subnet on Wed, 02/04/09 - 7:37pm.

Fuggeddaboud Microsoft's crazy User Account Control. One security researcher has discovered that just by disabling admin rights, 92% of Microsoft vulnerabilities are cured, or at least the damage a hacker could do by exploiting them is severely limited, according to an article in Computerworld. Enterprise security company BeyondTrust says so -- of course, let's factor into its analysis that the company offers a product called Privilege Manager. Even still, BeyondTrust came to its numbers by looking at the individual vulnerabilities that Microsoft disclosed in 2008 and counting the number of times Redmond said that attacks could be thwarted (or the effects lessened) on computers with fewer rights.

If that's the case, the simplest thing to do to make Windows desktops safe -- or at least safer -- is to configure computers so that users log in as an ordinary user, not an administrator, and can't change that setting.

This news comes as a dose of reality during a week when Microsoft's technological attempts to solve the user rights issue have gotten a lot of bad press. Earlier this week, blogger Long Zheng wrote that he discovered a security flaw with UAC that allows an attacker to override Windows 7 UAC without the knowledge of the user. He also noted that the fix is to set Windows 7 to "always notify" -- which will only drive the user so crazy that the "always notify" setting will no doubt be quickly turned off. Microsoft fired back that the UAC override issue Zheng found is not a flaw but a part of UAC's intentional design. Reports VNUnet.com:

"The intent of the default configuration of UAC is that users do not get prompted when making changes to Windows settings," a company representative told vnunet.com. "This includes changing the UAC prompting level."

Zheng was not to be undone ... he wrote that he found a second problem with UAC in Windows 7.

"In summary, a second UAC security flaw in the Windows 7 beta's default security configuration allows a malicious application to autonomously elevate itself to full administrative privileges without UAC prompts or turning UAC off. A result I'm sure cannot be classified as 'by design'."

Perhaps a public boot in the backside by bloggers like Zheng will have Microsoft change the UAC. Perhaps not. Until then, enterprises may be able to save themselves a lot of agony by limiting user rights themselves.
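The post's recommendation has two knobs: whether interactive users hold local admin rights at all, and how UAC is configured ("always notify" versus the Windows 7 default). The following PowerShell script is an added example, not code from the article or from BeyondTrust, that audits both on a single host so an enterprise can measure its posture before rolling out a least-privilege policy. It assumes Windows Vista/7 or later with Windows PowerShell, and the allowlist of expected administrators is a constructed placeholder; the UAC registry values it reads are Microsoft's documented ones, with 2 meaning "always notify" and 5 the Vista/7 default.

```powershell
# Added example (not from the Network World post): audit a host's
# least-privilege posture along the two axes the article discusses.
# Assumptions: Windows Vista/7 or later, Windows PowerShell; the allowlist
# below is constructed and should be replaced with the organisation's own.

$ExpectedAdmins = @('Administrator', 'Domain Admins')   # constructed allowlist

# --- 1. Who is in the local Administrators group? -------------------------
# The WinNT ADSI provider is available on every Windows version and needs no
# extra modules, so it works on the 2009-era systems the article is about.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$unexpected = @($members | Where-Object { $ExpectedAdmins -notcontains $_ })

# --- 2. Does the current process hold an administrative token? -----------
# With UAC on, an admin's non-elevated session carries a filtered token, so
# this reports false until the user actually elevates; a standard user is
# always false, which is the state the article recommends.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# --- 3. How is UAC configured? -------------------------------------------
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
# EnableLUA 1 = UAC on.  ConsentPromptBehaviorAdmin: 2 = always notify
# (prompt for consent on the secure desktop), 5 = Vista/7 default (prompt
# only for non-Windows binaries), 0 = elevate silently.
# PromptOnSecureDesktop 1 = prompt on the dimmed secure desktop.
$uacEnabled   = ($uac.EnableLUA -eq 1)
$alwaysNotify = $uacEnabled -and
                ($uac.ConsentPromptBehaviorAdmin -eq 2) -and
                ($uac.PromptOnSecureDesktop -eq 1)

# --- Report ----------------------------------------------------------------
[pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    LocalAdministrators      = ($members -join ', ')
    UnexpectedAdministrators = ($unexpected -join ', ')
    CurrentProcessIsAdmin    = $isAdmin
    UACEnabled               = $uacEnabled
    UACAlwaysNotify          = $alwaysNotify
    ConsentPromptBehavior    = $uac.ConsentPromptBehaviorAdmin
} | Format-List
```

Run it from an ordinary user's session: a host that matches the article's advice shows the interactive account absent from `LocalAdministrators`, an empty `UnexpectedAdministrators` list and `CurrentProcessIsAdmin` false. `UACAlwaysNotify` true corresponds to the setting Zheng recommends; a false value with `UACEnabled` true is the default configuration the post says Microsoft is defending.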


About The Microsoft Update

Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.
