In a Thursday presentation at RSA 2008 in San Francisco, David Cross, a product unit manager at Microsoft who was part of the team that developed UAC, admitted that Microsoft's strategy with UAC was to irritate users and ISVs in order to get them to change their behavior.
"The reason we put UAC into the platform was to annoy users. I'm serious," said Cross.
Microsoft not only wanted to get users to stop running as administrators, which exacerbates the effects of attacks, but also wanted to convince ISVs to stop building applications that require administrative privileges to install and run, Cross explained.
"We needed to change the ecosystem, and we needed a heavy hammer to do it," Cross said.
Keith Meisner, senior systems engineer at AppTech, a Tacoma, Wash.-based solution provider, says UAC has helped Microsoft improve end users' overall security posture.
"Many of the situations we deal with have to do with users being uninformed about threats on the Internet," said Meisner. "Are there some annoyances with UAC? Yes, but advanced users know how to get around them."
But while UAC is good for overall security, it does present logistical issues, said Steve Snider, president of Cadre Information Security, a Cincinnati-based solution provider. "For people working in an office, close to IT, it's not a problem, but when you have a very mobile workforce, and you have to load and update applications, that's when it becomes more of an issue," he said.
As a result of UAC, software vendors have changed their approach to developing software, to the point where fewer applications and tasks are triggering alerts, said Cross. "Most users, on a daily basis, actually have zero UAC prompts," he said.
Cross also disputed the popular notion that many frustrated users have decided to shut off UAC alerts entirely. He cited internal Microsoft research that shows 88 percent of all Vista users operate with UAC turned on, and 66 percent of sessions have no prompts, and number he says will continue to grow over time.
"UAC is not a perfect security boundary, but it [has helped us] move from 'zero click' exploits to 'one click' defense," said Cross.
related stories
trending stories
Video
sponsored resources
From our advertisers
Scale Computing
Scale Computing
AT&T Cybersecurity
Cloud Security 360
NPD
Industry Trends 360
Siemon
Network Infrastructure 360
XChange Showcase
Jabra
Mobile Workforce 360
Rebates-On
Running Your Business 360
Park Place Technologies
Data Center Management 360
Dell EMC Monitors
Displays and Monitors 360
Spectrum
Network Communications 360
CoreDial
Managed Cloud Communications 360
Cylance
Cylance Security Learning Center
Partner Program Guide Showcase
Epson
Epson Hassle-Free Printing Hub
Micro Focus
Enterprise Application Software 360
ESET
Managed Services 360
APC by Schneider Electric
IoT Platforms 360
Fluency Security
Security as a Service 360
BAE Systems
Data Breaches 360
Wasabi
Wasabi
Cohesity
Cohesity Learning Center
Intermedia
Intermedia: Uniting Communication and Collaboration
Comcast
Comcast Business Learning Center
HPE Zone
HYCU
Cloud Backup and Recovery 360
Vertiv
Edge Computing 360
Dell Technologies
IoT 360
Dell EMC
Software-defined Data Center 360
HPI
HP Toner and Ink
Eaton
Eaton Learning Center
NetApp
NetApp Data Driven Learning Center
Symantec
Symantec Cloud Security Learning Center
Arrow
Arrow IoT Learning Center
Veeam
Veeam
Storagecraft
Disaster Recovery Learning Center
Silver Peak
Silver Peak Learning Center
Check Point
Threat Management 360
Commvault
Commvault Learning Center
ID Agent
Managed Security 360
Quick Base
Digital Transformation 360
