Wednesday, January 24, 2007

Jim Allchin on UAC and why he is still wrong

Jim Allchin, who has been the head of Windows development for a long time now, wrote a lengthy article on why User Account Protection (UAC) in Windows Vista is designed the way it is. It truly is a great article; the fact that Jim felt the need to take the time to explain the design tells you how much heat Microsoft is going to take on this feature.

Heat? Why would anyone dog Microsoft on UAC in Vista? It is clearly better than the Windows XP security situation, so cut them some slack. That is the kind of refrain you will hear from Windows apologists: Vista security defaults are good enough.

But as Jim says, the "Good Strategy" with regards to security is the Vista defaults, which are prompts for admin-level tasks but no passwords. Too confusing, he says. Jim also says the "Best Strategy" is to require passwords for standard users and local admin group users trying to execute an admin task, which you can enable in Vista. But lo and behold, the best strategy that Jim outlines is already what is enabled in Mac OS X 10.4 "Tiger". This is where the Windows apologists will get mad, because hey, you can just turn it on, right, so why are you dogging Vista on this? Easy: because disabling password entry for admin-elevated tasks for usability purposes is wrong. People can easily adapt to this; my parents easily did when they got their iMac 2 years ago, and the request for an actual username and password is reassuring. But you can turn it on in Vista, right? Sure, and we all know how far most users deviate from the defaults, which is hardly at all. Hell, I have even stopped lots of Windows customization because it wasn't worth the time. Stuff has to be reinstalled so often, and backing up settings is questionable because you don't know if that's the cause of some problem, and it's opaque in the registry, so forget about it. Information Week has a great review on why the design of Vista is worse than OS X. Jim admits as much by suggesting, correctly, that with Vista defaults there is a window of opportunity where someone could walk up to a machine with a user logged in with admin rights and do whatever they want, because all they have to do is click a button to get through the task.
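As an added illustration (example code, not from the original post or from Microsoft): Jim's "Good Strategy" (click-through consent prompt) and "Best Strategy" (credential prompt) correspond to the UAC elevation policy values Windows stores under its System policy registry key, and this PowerShell audit reports which one a machine is actually running. It assumes the documented meanings of EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop.

```powershell
# Added example (not from the original post): report whether a Windows machine
# uses the "Good Strategy" (consent click, no password) or the "Best Strategy"
# (credential prompt) for UAC elevation. Value meanings below are assumed from
# the Windows documentation for these policy settings.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: behaviour for admins in Admin Approval Mode.
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
# ConsentPromptBehaviorUser: behaviour for standard users.
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacStrategy {
    param([string]$Key = $UacKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    $enabled = [int]$p.EnableLUA
    $admin   = [int]$p.ConsentPromptBehaviorAdmin
    $user    = [int]$p.ConsentPromptBehaviorUser

    # Credential prompts (1, 3) are the "Best Strategy"; consent prompts (2, 4, 5)
    # are the "Good Strategy"; 0 means silent elevation, weaker than either.
    $strategy = switch ($admin) {
        { $_ -in 1, 3 }    { 'Best (password required for admin elevation)' }
        { $_ -in 2, 4, 5 } { 'Good (click-through consent, no password)' }
        default            { 'None (silent elevation)' }
    }
    if ($enabled -ne 1) { $strategy = 'None (UAC disabled)' }

    [pscustomobject]@{
        UacEnabled    = ($enabled -eq 1)
        AdminPrompt   = $AdminBehavior[$admin]
        UserPrompt    = $UserBehavior[$user]
        SecureDesktop = ([int]$p.PromptOnSecureDesktop -eq 1)
        Strategy      = $strategy
    }
}

# Moving to the "Best Strategy" (from an elevated shell) is a single policy write:
#   Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1
Get-UacStrategy | Format-List
```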

Jim also suggests that in one facet UAC is better than the UNIX way, which of course means OS X. He says UAC elevates only the particular task, not the whole process, with admin rights. What could this mean? Elevation at the thread level? Killing the thread when a task is complete instead of the process? That's interesting, because from a usability perspective users don't want to see multiple UAC prompts for something they consider a task, like installing some software, regardless of what the system does underneath. OS X prompts once and then you get your work done. In Vista, since it's elevating at the "OS security task" level, it will prompt repeatedly for something a user considers a single task. That is bad usability, and that is the security vs. convenience trade-off that should have been made. It's great that Jim wrote the article, but it also means I can call it wrong if I disagree with his design decisions.