Microsoft cites 'click fatigue' for Windows 7 security change
Executive defends UAC tweak, says prompts were 'irritating' users
Computerworld - Microsoft Corp. changed the default settings of one of its most important security features for Windows 7 because users balked at clicking more than two prompts a day, a company executive said today.
According to Jon DeVaan, the senior vice president responsible for Windows' architecture and core components, the company changed User Account Control (UAC) in Windows 7 because data showed that users got ticked off when they were asked to deal with more than two UAC prompts in a day.
Responding to mounting criticism of the changes Microsoft has made to UAC for its still-in-development Windows 7, DeVaan said that the company studied how people reacted to the security feature, which debuted in 2007 with Windows Vista.
"In making our choice for the default setting for the Windows 7 beta, we monitored the behavior of two groups of regular people," said DeVaan in a long entry to a company blog. "Half were set to 'Notify me only when ...' and half to 'Always Notify.' We analyzed the results and attitudes of these people to inform our choice."
The pain threshold, it turned out, was just two prompts in a session, which DeVaan defined as the time from turning the PC on to turning it off, or a day, whichever is shorter. "If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer," DeVaan said.
That, in turn, led Microsoft to boost the number of UAC settings in Windows 7. In Vista, users could either turn UAC off or leave it on; Windows 7 adds "Notify me only when programs try to make changes to my computer," and uses that as the default.
And therein lies the rub.
Some users and developers have questioned the default setting. Last week, a pair of Windows bloggers, Rafael Rivera and Long Zheng, published a simple proof-of-concept script that demonstrates how hackers can easily disable UAC entirely without the user being the wiser. Their recommendation is to reset Windows 7's UAC to the highest level of warning, "Always notify me when," which is essentially mimics the behavior of the security feature in Vista.
Although DeVaan stopped short of saying Microsoft would not modify the default setting for UAC in Windows, he hinted that it would stick to its guns. "We are very happy with the positive feedback we have received about UAC," he said today.
That confirms what a company spokesman said yesterday, that Microsoft would not roll back UAC to the more persistent prompting found in Vista. "No, Microsoft has not reverted Windows 7 UAC's behavior to mimic Windows Vista," the spokesman said when asked to clarify a fix the company said it has made to another reported problem in UAC.
Windows 7: Vista Reloaded
- New post-beta Windows 7 build leaks to Web
- Report: Free Windows 7 upgrades to run until January 2010
- Microsoft dumps Ultimate Extras from Windows 7
- HP says its netbooks will likely run three versions of Windows 7
- Economy could slow enterprise adoption of Windows 7
- Microsoft caves, will change Windows 7 UAC
- Microsoft tweaks Windows 7 UAC after new exploit code surfaces
- Microsoft cites 'click fatigue' for Windows 7 security change
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts