Thursday, October 15, 2009

Windows 7 Security versus Usability: The Beat Goes On

Usability and security are competing goals: the more secure a computer is, the harder it is to use. The easier a computer is to use, the less secure it is. In my opinion, Windows 7 is easier to use than Vista.

With Vista, Microsoft introduced User Account Control (UAC), which frequently shows pop-ups asking the user to confirm any configuration changes, like changing network settings. UAC was one of the biggest usability problems with Vista and was lampooned by Apple in one of their hilarious "I'm a Mac and I'm a PC" commercials.

With Windows 7, Microsoft backed off on the UAC prompts, which greatly improves usability. My personal observation as a user is that Windows 7 is much more pleasant to use than Vista. This is important, because UAC had the effect of making the entire Vista experience very un-fun and slowed adoption of an operating system that has other important security improvements.

However, as is nearly always the case, increasing operating system usability also increases security risks -- risks of infection and compromise of data and functionality. The changes to Windows 7 UAC have made it easy for malware writers to turn UAC off entirely without the user's knowledge. Microsoft recommends keeping UAC turned on and yet allows malware to turn it off without the user's knowledge. A post on the Windows 7 Engineering Blog explains some of the thinking behind the no-prompt-to-turn-off-UAC issue.

The story gets much more complicated at this point. If malware is on the computer, hasn't the game already been lost? Why worry about UAC if a password-stealing Trojan is on your computer? The answer lies in the difficulties inherent in identifying a program as goodware or malware. If my son downloads a game (goodware) that has been secretly tampered with to introduce malicious capability (malware) that tries to change my system configuration, I will not see a UAC prompt warning me of the configuration change. The first step of this malicious code will be to turn off UAC and avoid warnings. I cannot depend on antivirus to detect the malware, and I cannot depend on UAC to put up a prompt that will make my son say, "Daaaaaaad??!"
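Because UAC can be switched off without a prompt, the setting itself is worth watching. The sketch below is an added example, not code from this post or from Microsoft: it compares a known-good snapshot of the UAC policy values with the current ones and reports any weakening. The registry key and value names are the standard UAC policy values, which the post does not mention; treating absent values as the Windows 7 defaults is an assumption, and the two snapshots are constructed.

```python
import sys

# Standard UAC policy location and value names (not named in the post).
KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")
# The four Windows 7 slider positions, weakest first.
LEVELS = ["never-notify", "no-dimming", "default", "always-notify"]

def classify_uac(v):
    """Map raw policy values to a Windows 7 UAC slider level."""
    cpba = v.get("ConsentPromptBehaviorAdmin", 5)  # assumed default when absent
    if v.get("EnableLUA", 1) == 0 or cpba == 0:
        return "never-notify"      # administrators are never prompted
    if v.get("PromptOnSecureDesktop", 1) == 0:
        return "no-dimming"        # prompt is drawn on the user's own desktop
    # Values 1-4 prompt on every elevation; 5 skips Windows' own binaries.
    return "always-notify" if cpba in (1, 2, 3, 4) else "default"

def drift(baseline, current):
    """Return findings describing how current differs from the baseline."""
    before, after = classify_uac(baseline), classify_uac(current)
    findings = []
    if LEVELS.index(after) < LEVELS.index(before):
        findings.append(f"UAC weakened: {before} -> {after}")
    for n in NAMES:
        if baseline.get(n) != current.get(n):
            findings.append(f"{n}: {baseline.get(n)} -> {current.get(n)}")
    return findings

def read_uac_policy():
    """Read the live policy values from the registry (Windows only)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as k:
        for n in NAMES:
            try:
                out[n] = winreg.QueryValueEx(k, n)[0]
            except FileNotFoundError:
                pass  # absent value: classify_uac applies the default
    return out

# Constructed sample snapshots (not taken from a real machine).
BASELINE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
TAMPERED = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}

if __name__ == "__main__":
    current = read_uac_policy() if sys.platform == "win32" else TAMPERED
    for line in drift(BASELINE, current):
        print(line)
```

Run on a schedule against a stored baseline, a non-empty result is the warning that the missing prompt no longer provides.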
