Microsoft: Vista paved the way for secure Windows

A Microsoft security expert asserts Windows 7 is every bit a secure as Unix

Despite being widely derided (even by Microsoft executives), the Vista OS was instrumental in finally bringing to the world a secure version of Windows, at least if a presentation by a Microsoft security expert at the Usenix Security Symposium, being held this week in Washington, D.C, is any indication.

And it was the most widely hated feature of Vista -- User Access Control (UAC) -- that can take the credit.

It was all the users complaining about the annoying UAC pop-up boxes that finally spurred many application developers to rewrite their programs, explained Crispin Cowan, a Microsoft senior program manager for the Windows core security team.

These programs were rewritten so that they did not require full administrative privileges to run, which, in turn, cut down on the UAC boxes and allowed users to slowly grow more comfortable running in more limited, but safer, user modes.

"The purpose of UAC was to move applications away from using administrative privileges. Its job was to spank programs that used administrator that don't need to," Cowan said.

UAC, in effect, caused a "massive decimation of the population of ill-behaved [Windows] programs," he said. "The number of programs asking for admin rights dropped precipitously."

Cowan's talk was an extended argument on why Windows 7 is as secure as Unix variants such as Linux. And this security parity came about, in his view, in large part thanks to the fact that Windows Vista was the first desktop version of Windows to not, by default, give each user account full administrative privileges.

Windows' reputation for lousy security has been fully deserved, Cowan admitted. Even today, the most widely used version of Windows is Windows XP, which was built in 2001, and lacks most of the security provisions needed for today's environments (though Service Pack 2 added a lot of security features, he said).

Early versions of the Windows OS stressed usability over security, as well as interoperability among different programs, Cowan said. As a result, Windows allowed every user to have full control over the machine, in effect giving each user account full administrative control over a machine.

"If you are running as administrator, security is fairly hopeless," he said. Unfettered administrative rights is what allowed malware and viruses to take control of computers.

Beginning in 2002, however, Microsoft started making security an essential part of software development. As a result, the then next version of Windows, Vista, featured a total separation between what a user can do on a machine and what an administrator can do, a separation that has always been enforced on Unix distributions.

This separation, enforced by UAC, limits the damage that a user can do to a machine.

UAC could be seen as the Windows equivalent to the Unix sudo command, Cowan explained. Sudo allows a user to execute privilege tasks only after supplying an administrator, or root, password. Some Linux distributions, such as Ubuntu, do away, at least out of the box, with root accounts altogether, relying entirely on sudo.

Many users chafed at using UAC, however. Every time a program would require full administrative rights to run, a UAC box would pop up on the screen, asking the user for permission.

The annoyance of UAC actually proved to be beneficial over the long run, Cowan explained, because it reduced the number of applications that required administrative rights.

In many cases, programs did not need administrative permissions at all. Many Windows programs were designed to write their configuration data to the system registry, when it could as just as easily be stored in user folders.

Over time, application developers got the message from all the user complaints. Using anonymous telemetry data, Microsoft estimated that the number of Windows applications that required user access dropped from approximately 900,000 to 180,000.

While Vista got the bad reputation for user-hostility, Windows 7 made UAC more user friendly without relaxing the strict divide between user and administrator. This OS offered auto-elevation, in which a limited number of Microsoft pre-approved programs could get administrative access without the annoying user prompts. It offers a sliding UAC scale, so users can pick the level of restriction for their applications. Windows 7 also established virtual accounts so individual applications could get their own user accounts, Cowan said.

After the talk, one audience member said he agreed that UAC probably did encourage application vendors to rewrite their programs, but wondered if that was really Microsoft's goal in the first place, given the amount of user dissatisfaction it caused. Cowan himself admitted, when discussing browser security, that "Prompts are not purely evil. Prompts in which the answer is almost always 'yes' are evil."

UAC was one of a number of features that, Cowan said, brought Windows to security parity with Unix. The other features include a built-in firewall and the signing of 64-bit kernel drivers. In some cases, he argued, Windows now has security features that aren't even found in most Unix distributions, such as network access protection, memory address randomization, and data execution prevention.

"Unix had a very large security lead. Since then, Microsoft has closed the gap on every front and in some cases exceeded Unix security," Cowan said.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the PC World newsletter!

Error: Please check your email address.

Tags unixLinuxMicrosoftWindowsWindows desktopsoftwareWindows 7non-Windowsoperating systems

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?