Microsoft cites 'click fatigue' for Windows 7 security change
Executive defends UAC tweak, says prompts were 'irritating' users
Computerworld - Microsoft Corp. changed the default settings of one of its most important security features for Windows 7 because users balked at clicking more than two prompts a day, a company executive said today.
According to Jon DeVaan, the senior vice president responsible for Windows' architecture and core components, the company changed User Account Control (UAC) in Windows 7 because data showed that users got ticked off when they were asked to deal with more than two UAC prompts in a day.
Responding to mounting criticism of the changes Microsoft has made to UAC for its still-in-development Windows 7, DeVaan said that the company studied how people reacted to the security feature, which debuted in 2007 with Windows Vista.
"In making our choice for the default setting for the Windows 7 beta, we monitored the behavior of two groups of regular people," said DeVaan in a long entry to a company blog. "Half were set to 'Notify me only when ...' and half to 'Always Notify.' We analyzed the results and attitudes of these people to inform our choice."
The pain threshold, it turned out, was just two prompts in a session, which DeVaan defined as the time from turning the PC on to turning it off, or a day, whichever is shorter. "If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer," DeVaan said.
That, in turn, led Microsoft to boost the number of UAC settings in Windows 7. In Vista, users could either turn UAC off or leave it on; Windows 7 adds "Notify me only when programs try to make changes to my computer," and uses that as the default.
And therein lies the rub.
Some users and developers have questioned the default setting. Last week, a pair of Windows bloggers, Rafael Rivera and Long Zheng, published a simple proof-of-concept script that demonstrates how hackers can easily disable UAC entirely without the user being the wiser. Their recommendation is to reset Windows 7's UAC to the highest level of warning, "Always notify me when," which is essentially mimics the behavior of the security feature in Vista.
Although DeVaan stopped short of saying Microsoft would not modify the default setting for UAC in Windows, he hinted that it would stick to its guns. "We are very happy with the positive feedback we have received about UAC," he said today.
That confirms what a company spokesman said yesterday, that Microsoft would not roll back UAC to the more persistent prompting found in Vista. "No, Microsoft has not reverted Windows 7 UAC's behavior to mimic Windows Vista," the spokesman said when asked to clarify a fix the company said it has made to another reported problem in UAC.
Windows 7: Vista Reloaded
- New post-beta Windows 7 build leaks to Web
- Report: Free Windows 7 upgrades to run until January 2010
- Microsoft dumps Ultimate Extras from Windows 7
- HP says its netbooks will likely run three versions of Windows 7
- Economy could slow enterprise adoption of Windows 7
- Microsoft caves, will change Windows 7 UAC
- Microsoft tweaks Windows 7 UAC after new exploit code surfaces
- Microsoft cites 'click fatigue' for Windows 7 security change
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts