Microsoft Corp. changed the default settings of one of its most important security features for Windows 7 because users balked at clicking more than two prompts a day, a company executive said today.
According to Jon DeVaan, the senior vice president responsible for Windows' architecture and core components, the company changed User Account Control (UAC) in Windows 7 because data showed that users got ticked off when they were asked to deal with more than two UAC prompts in a day.
Responding to mounting criticism of the changes Microsoft has made to UAC for its still-in-development Windows 7, DeVaan said that the company studied how people reacted to the security feature, which debuted in 2007 with Windows Vista.
"In making our choice for the default setting for the Windows 7 beta, we monitored the behavior of two groups of regular people," said DeVaan in a long entry to a company blog. "Half were set to 'Notify me only when ...' and half to 'Always Notify.' We analyzed the results and attitudes of these people to inform our choice."
The pain threshold, it turned out, was just two prompts in a session, which DeVaan defined as the time from turning the PC on to turning it off, or a day, whichever is shorter. "If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer," DeVaan said.
That, in turn, led Microsoft to boost the number of UAC settings in Windows 7. In Vista, users could either turn UAC off or leave it on; Windows 7 adds "Notify me only when programs try to make changes to my computer," and uses that as the default.
And therein lies the rub.
Some users and developers have questioned the default setting. Last week, a pair of Windows bloggers, Rafael Rivera and Long Zheng, published a simple proof-of-concept script that demonstrates how hackers can easily disable UAC entirely without the user being the wiser. Their recommendation is to reset Windows 7's UAC to the highest level of warning, "Always notify me when," which is essentially mimics the behavior of the security feature in Vista.
Although DeVaan stopped short of saying Microsoft would not modify the default setting for UAC in Windows, he hinted that it would stick to its guns. "We are very happy with the positive feedback we have received about UAC," he said today.
That confirms what a company spokesman said yesterday, that Microsoft would not roll back UAC to the more persistent prompting found in Vista. "No, Microsoft has not reverted Windows 7 UAC's behavior to mimic Windows Vista," the spokesman said when asked to clarify a fix the company said it has made to another reported problem in UAC.
John Pescatore, an analyst at Gartner Inc., said he wouldn't fault Microsoft for making the change and sticking to it. "UAC in Vista was universally hated," he said. In fact, Microsoft's biggest operating system rival, Apple Inc., used that dislike to poke fun at Vista in its television advertising campaign.
"From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get 'click fatigue,'" Pescatore continued, referring to users who grow tired of answering prompts, or give those prompts short shrift. "Everyone hated it."
By toning down UAC, Microsoft is making Windows behave more like Apple's Mac OS X, said Pescatore. Mac OS X prompts users for an administrative password for some tasks, primarily before allowing a program's to install. "What Microsoft's doing here is not far from what the Macintosh does," he said.
Rivera, however, took exception to DeVaan's reasoning about why Microsoft doesn't consider the UAC problem a security vulnerability. "I'm concerned Microsoft is relying too heavily on external security mechanisms in Windows 7," he said via instant messaging Thursday. "With UAC weaker in Windows 7, I feel as if we've regressed back to having only a single layer of security. Once a border application becomes comprised by Windows 7-targeted malware, it's game over."
DeVaan, on the other hand, dismissed the concerns of Rivera, Zheng and others, saying that the default setting of UAC does not constitute a "security vulnerability" because "the reports have not shown a way for malware to get onto the machine in the first place without express consent." He then went on to argue that UAC is not a "security boundary" in Windows.
But in an interview yesterday about problems with UAC's "auto-elevate" -- the technique Microsoft used to decrease the number of prompts -- Rivera said: "I understand 'something else' has to be breached," he said. "I hear Microsoft loud and clear here. The problem I have is that in Windows 7, a user can have malware that can break its [standard user] confinement to do administrative-level damage to the machine."