Windows 7 UAC changes just 'lipstick,' argues vendor

Computerworld - Microsoft Corp.'s plans to change a controversial security feature in Windows 7 are only cosmetic, nothing more than "lipstick on UAC," a developer of enterprise rights management tools said today.

BeyondTrust Corp., which touts its Privilege Manager software as a way for enterprises to sidestep intrusive messages from Vista's User Account Control (UAC) while still locking down PCs, took exception with Microsoft's plans to revamp the feature in its upcoming operating system.

In an e-mail yesterday, BeyondTrust CEO John Moyer called the UAC modifications "lipstick" and said "they still do not solve the major issue for enterprises."

Instead, he argued that Microsoft hasn't taken UAC's problems head on. "Windows 7 promises cosmetic changes to reduce UAC prompts, but it does nothing to fix the underlying security and usability problems for businesses," he said. "Just like Vista's UAC, Windows 7 keeps end users in charge of the security decision of what applications to run with administrative privileges. That's like hanging out a 'Welcome' sign for malicious users, hackers and malware."

In an interview Wednesday, Scott McCarley, BeyondTrust's director of marketing, expanded on that theme. "The changes [to UAC] didn't fix a lot of the issues that we see with UAC in Vista," he said. "They don't address the usability and security issues."

Yesterday at the Professional Developers Conference (PDC), Steven Sinofsky, the head of Windows' development at Microsoft, outlined UAC tweaks slated for Windows 7.

After he acknowledged that Microsoft "went a little too far" in displaying pop-up prompts, he said the company would answer critics by letting users and administrators set the warning frequency. "We've actually added a slider that allows you to decide how much of the UAC you want to see on your machine," Sinofsky said during his Windows 7 presentation at PDC on Tuesday.

That's just window dressing, countered BeyondTrust. "The slider control is a cool feature," said McCarley, "but it's designed for administrators [and] is a benefit only to administrators. They've done nothing to improve the standard user experience; they've only improved the messaging of UAC."

BeyondTrust markets its Privilege Manager software to enterprises that want to give users limited control over their machines without the hassle of wading through the UAC warnings. "UAC is tough to implement because users need to do things that prompt, like system changes and software installations," said Peter Beauregard, a product manager at the Portsmouth, N.H.-based firm. "A lot of our customers come to [Privilege Manager] to use with laptop users who they need to manage, but who also need to do things on their own from time to time, like install a program."