Microsoft to tweak key Vista security feature

It's responding to criticism about its User Account Control

Bowing to criticism, Microsoft Corp. plans to modify a key new security feature in its upcoming Windows Vista operating system to make it less cumbersome for users.

The current implementation of the User Account Control (UAC) feature in Vista triggers too many pop-up boxes, requiring users to click on them to confirm things as simple as running regular programs, Steve Hiskey, lead program manager for User Account Control in Microsoft's Windows Security Core group, acknowledged in his blog on the MSDN Web site.

According to the June 1 blog, Hiskey said that the next beta release of Windows Vista, Release Candidate 1 (RC1), will reduce the number of security prompts users will face by creating safe scenarios for Standard User accounts. Microsoft will also create fixes, called "shims," for applications that don't easily run as a standard user.

Vista RC1, originally set for mid-July, is now slated for Aug. 25.

Microsoft officials did not return calls seeking comment today.

Current versions of Windows, including Windows XP, grant logged-in users full administrator rights over all software and processes by default.

By contrast, operating systems considered more secure, such as Linux, tend to have users and software running at a "nonroot" level, meaning that malware or hackers that successfully take over some application or process are hemmed in and can't do as much damage.

UAC was designed to reduce the ability of hackers and malware to take control of systems by forcing users to confirm that they intended to perform key administrative tasks. But the current implementation evidently not only "annoyed" users, said Michael Gartenberg, an analyst at Jupiter Research, but it also likely caused them to start clicking "yes" on prompts without reading them.

"If you have too many locks on the front door, after a while, you may eventually stop using them," he said.

Gartenberg said that Microsoft's strategy in Beta 2 was likely to "make things as locked down as secure, and then figure out in what areas they could tone it down. It's better to do it this way than to do it in reverse."

"Microsoft was going to get flack no matter which way they approached it," he said. "Part of being Microsoft is that you get flack."

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon