The changes Microsoft made to User Account Control in Windows 7 represent a tradeoff between convenience and security. Some researchers have argued that the decision to automatically elevate certain tasks is a security hole. As they demonstrated with sample code, a program can inject itself into one of these tasks, allowing it to execute with no warning if you are logged on using a Protected Administrator account.
Is this a fundamental weakening of Windows security? In our opinion, no. Instead, it's a sobering illustration of a simple fact: User Account Control isn't a security silver bullet. It's one layer of a defense-in-depth strategy.
Some Windows users assume that UAC consent dialog boxes represent a security boundary. They don't. They simply represent a place for an administrator to make a trust decision. If a bad guy uses social engineering to convince you that you need his program, you've already made a trust decision. You'll click at least a half-dozen times to download, save, and launch the bad guy's program. A UAC consent request is perfectly normal in this sequence, so why wouldn't you click one more time?
If this scenario bothers you, the obvious solution is to adjust UAC to its highest level. This matches the default settings of Windows Vista and disables the Windows 7-specific auto-elevate behavior. (For details on how to do this, see "Modifying UAC Settings" on page 537.) If a program tries to use this subterfuge to sneak system changes past you, you'll see an unexpected consent dialog box from the system. But as soon as you provide those elevated credentials, the code can do anything it wants.
A better alternative is to log on using a standard account, which provides a real security boundary. A standard user who does not have the administrator password can make changes in her own user profile only, protecting the system from unintended tampering. (For more information, see "Working Around UAC Without Disabling It" on page 539 and "Effectively Implementing User Accounts on a Shared Computer" on page 560.)
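One way to check both points on a given machine, as an added PowerShell example that is not from the book: it reads the documented UAC policy values under HKLM and uses whoami to tell a standard user from a Protected Administrator. The mapping of ConsentPromptBehaviorAdmin values to the Windows 7 slider positions is this script's assumption.

```powershell
# Added audit script (not from the book). Reads the UAC policy values and
# classifies the current logon session. Reading this key needs no elevation.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey

# Missing values fall back to the Windows 7 defaults (assumed here).
function Get-PolicyValue([string]$Name, [int]$Default) {
    if ($null -ne $policy.$Name) { [int]$policy.$Name } else { $Default }
}
$enableLua     = Get-PolicyValue 'EnableLUA' 1
$adminBehavior = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 5
$secureDesktop = Get-PolicyValue 'PromptOnSecureDesktop' 1

# Assumed slider mapping: 2 = "Always notify" (Vista default, no auto-elevate),
# 5 = "Notify only when programs try to make changes" (Windows 7 default).
if ($enableLua -eq 0) {
    $uacLevel = 'UAC disabled entirely'
} else {
    switch ($adminBehavior) {
        0 { $uacLevel = 'Never notify: administrators are elevated silently' }
        2 { $uacLevel = 'Always notify: Vista-style, auto-elevation disabled' }
        5 { $uacLevel = 'Windows 7 default: auto-elevation of Windows binaries in effect' }
        default { $uacLevel = "Other policy setting ($adminBehavior)" }
    }
}

# whoami lists the token's groups. A Protected Administrator's filtered token
# carries the Administrators SID (S-1-5-32-544) marked "Group used for deny only".
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$filteredAdmin = ($null -ne $adminEntry) -and ($adminEntry.Attributes -match 'deny only')
if (-not $adminEntry) {
    $session = 'Standard user: a real security boundary'
} elseif ($filteredAdmin) {
    $session = 'Protected Administrator: consent prompts and auto-elevation apply'
} else {
    $session = 'Elevated administrator: this session already holds the full token'
}

[pscustomobject]@{
    UacLevel              = $uacLevel
    PromptOnSecureDesktop = [bool]$secureDesktop
    CurrentSession        = $session
    # True exactly in the situation the text describes: auto-elevate on, PA logon.
    AutoElevateExposure   = ($enableLua -eq 1 -and $adminBehavior -eq 5 -and $filteredAdmin)
}
```

Run it from a normal (non-elevated) prompt; an elevated session would report the full token and mask the Protected Administrator case the text is about.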
Even running as a standard user doesn't provide complete protection. Malware can be installed in your user profile without triggering any system alarms. It can log your keystrokes, steal your passwords, and send out e-mail using your identity. Even if you reset UAC to its highest level, you could fall victim to malware that lies in wait for you to elevate and then does its own dirty work alongside you.
As we said, enabling UAC is only one part of a multi-layered security strategy. It works best when supplemented by a healthy skepticism and up-to-date antivirus software.