Version: 2008

Comments on: Windows 7 security: An overall improvement?

Microsoft is making some changes to User Account Control and the Windows firewall, plus extending BitLocker to removable devices in its next operating system.

by timber2005 October 30, 2008 8:19 AM PDT
"In Windows 7, users can adjust consent prompt behavior using a slider control, if they have administrative privileges. Microsoft says they'll still be protected against malicious software, even if they never see another alert. I'm wondering if that's actually a bad idea: if people never see an alert, they might think nothing bad ever happens to their computer. We lose an element of user education. "

Better of two evils right now. Pick out ANY PC World magazine since Vista debuted, and you'll find instructions on how to disable UAC and leave the PC vulnerable.
by The_Decider October 30, 2008 8:44 AM PDT
UAC is a nag screen not security. 9999/10000 the correct answer is yes, so they are trained to constantly click yes without question.
by itsmillertime4u October 30, 2008 8:51 AM PDT
You may want to look at Norton UAC. It replaces the Windows UAC (or rather you disable one and install the other), and it is much better than the Windows UAC. See here: http://www.nortonlabs.com/inthelab/uac.php
by Lerianis October 30, 2008 9:00 AM PDT
Not true, The_Decider. There have been a few cases where UAC has stopped me from installing something because the window pops up suddenly, I think "Why the hell is this popping up now!?" and when I look..... some malware is trying to install itself.
by Lerianis October 30, 2008 9:05 AM PDT
Thanks for the 'heads-up' on the Norton UAC. It's a good thing, and the addition of that "Allow the freaking thing forever!" is a good bonus!
by Super2online October 30, 2008 10:24 AM PDT
I agree Lerianis,

I have had that happen twice myself where the UAC popped up instantly as the infection was still in the process of installing! I was able to quarantine it immediately and delete it after it finished. The feeling of relief that nothing bad happened you get when that happens is worth all the nagging in the world, believe me!
by wolivere October 30, 2008 11:39 AM PDT
I beta'd norton's stuff for Vista, and every one I tried was really crap. It ground the system down chewed up resources. Maybe they have gotten better in the past year, but prior?
by myles taylor October 30, 2008 11:20 PM PDT
I think what The_Decider is saying is that people hit yes so often that they don't read it and just automatically hit yes whenever it pops up. It can only stop the installation of malicious software if you hit no.
by The_Decider October 31, 2008 12:30 AM PDT
You are correct Myles. Everyone else misread.
by The_Decider October 30, 2008 8:43 AM PDT
"I'm wondering if that's actually a bad idea: if people never see an alert, they might think nothing bad ever happens to their computer. We lose an element of user education."

MS users are not educated to begin with.

Nothing in here is really security oriented. The nonsense MS trumpeted as secure features for Vista have all been completely compromised. They need to start from scratch.

The "highlight":

"The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products. Microsoft says "third-party products also can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall."

That is a built in security hole, even worse than the laughable SetWindowsHookEx function that gives anyone the ability to trace anything going on. It just proves that despite all their PR, MS simply does not understand security. I am sure backdoor writers are loving it.
by sythara October 30, 2008 8:49 AM PDT
Are you saying I'm not educated?
by Vegaman_Dan October 30, 2008 8:52 AM PDT
And to exploit that security hole, you would first have to agree to it with the UAC. So... you choose to open it intentionally.

You can also jump out of your car while driving on the freeway. That's your choice. It may be a stupid choice, but the auto maker isn't going to get in your way because you intentionally chose that action.

That is a problem with giving people the power of choice- they can willingly and ignorantly choose to do more harm to themselves.
by Lerianis October 30, 2008 9:03 AM PDT
Wrong. I am very well educated, have an A+ degree, and the reason I use Vista: it's a damn good operating system.
As to the 'built-in security hole'..... the optional firewall makers would be HOWLING if Microsoft didn't have that 'security hole' in there to allow their software to turn off the Windows Firewall.

I'm kinda getting tired of seeing your posts where you automatically say "It's Microsoft's BAD!" No, Microsoft has to take into account that some companies are whiny babies and if they don't allow them to disable some things in Vista and their other operating system..... they will sue them!
by the_redistributor October 30, 2008 9:17 AM PDT
Typical idiotic response from the decider. How dumbo how does it feel to have a call name that insults your political opponents? He,he,he
by Super2online October 30, 2008 10:30 AM PDT
All I have to say to you "The_Decider" is your lack of social skills and human understanding brings enormous discredit to any thoughts you may have on the subject. To make a blanket statement like, "MS users are not educated to begin with" speaks volumes about your own education or lack thereof.
by wolivere October 30, 2008 11:38 AM PDT
Wow is all I have to say. The other posters already made all the points on this.
by Penguinisto October 30, 2008 12:59 PM PDT
@Lerianis: A+ is a simple cert, not a degree. When you can build a VM cluster/SAN combo from scratch, come back and let us know. ;)

That said, most typical users won't know or care (hence, "uneducated"), which is a very valid point.

IMPO, Microsoft is still going about it the wrong way - instead of building a core that inherently trusts nothing, they slathered on a couple of layers of protection, hoping that the layer or two will hold up. Judging by the readily exploitable bugs still found --even in the pre-beta Windows 7-- that's a bad way to go about it.

I kind of hoped that they'd build the thing from scratch, but I'm guessing that isn't likely.



@
by Hernys October 30, 2008 1:31 PM PDT
Huh? All those features you mention as "holes" require administrative privileges to turn on and off, do you realize that?
And once a process has administrative privileges on a box, no security roadblocks are possible.
So while your statements show you are trying to pass for a security expert, it looks like you are actually a security troll.
If MS doesn't understand security, why is it that their products have fewer holes of any kind than the alternatives by about an order of magnitude?
by Penguinisto October 30, 2008 4:50 PM PDT
@Henrys: proof, please. And no, lumping in thousands of included apps w/ an OS install doesn't count. kernel/OS only, plz.
by The_Decider October 31, 2008 12:45 AM PDT
Wow, lots of idiotic MS trolls decided to show up. First of all, they are uneducated in computing matters, the exceptions prove the rule.

"Wrong. I am very well educated, have an A+ degree,... "

LOL Did you actually say that? Can I email your response around? This could be better than the "Computer Science III" guy. As penguin pointed out a cert is not the same thing as being educated.

"And to exploit that security hole, you would first have to agree to it with the UAC. So... you choose to open it intentionally."

Wrong. UAC won't protect you here, this is a backdoor of epic proportions. BTW, UAC won't complain if I put a DLL on your system that hooks into every single process that has access to the keyboard and run it via a service. MS delivers the keyboard logging functionality on a silver platter.

" Typical idiotic response from the decider. How dumbo how does it feel to have a call name that insults your political opponents? He,he,he"

How 'dumbo' are you that you couldn't refute anything I wrote?

"All I have to say to you "The_Decider" is your lack of social skills and human understanding brings enormous discredit to any thoughts you may have on the subject. To make a blanket statement like, "MS users are not educated to begin with" speaks volumes about your own education or lack thereof."

Excuse me? MS relies on its users' ignorance, it is part of their business model.

I don't have an A+ cert, but all I need is to finish my thesis and go through a defense, and my MS in computer science will be completed. However, that pales to the almighty A+ certificate!

" Wow is all I have to say. The other posters already made all the points on this."

If you think anyone made any valid points you are hopeless. No wonder MS puts massive security holes in their software, their users don't care!

"Huh? All those features you mention as "holes" require administrative privileges to turn on and off, do you realize that? "

Do you realize how easy it is to get elevated privileges on any Windows system? It can be done without your knowledge or consent.

"And once a process has administrative privileges on a box, no security roadblocks are possible."
Wrong
"So while your statements show you are trying to pass for a security expert, it looks like you are actually a security troll."
Wrong again
"If MS doesn't understand security, why is it that their products have fewer holes of any kind than the alternatives by about an order of magnitude?"
Is that a joke? MS has orders of magnitude more exploits than anything they compete with. I see you don't understand the difference between a hole and an exploitable hole, but no matter, Windows is by far the least secure OS today. It is not even close.
by yacahuma October 30, 2008 11:22 AM PDT
Could Windows finally have 2 things
1. A task bar that actually tells you what is going on and which processes are killing your machine. Any program running in the system should have some kind of digital signature, so I can make sure who created that particular program.

2. a true uninstaller. Like Revo Uninstaller. No more junk left behind.
by wolivere October 30, 2008 11:37 AM PDT
There are ways now to do 1, I agree would be nicer if it was tweaked somewhat.

Point 2 is it an MS issue or the APP issue? because I totally agree, there are so many apps that just don't properly uninstall.
by The_Decider October 31, 2008 12:47 AM PDT
Digital signatures are not a guarantee of anything.

They help but to rely on it is foolish.

#2 is a great idea, but how many years has Windows existed without MS being able to implement this properly?
by Seaspray0 November 5, 2008 3:55 PM PST
@ decider. The time it would take to crack the average certificate is 5 years (by which time most certificates would be expired). No, they are not a guarantee, but they are very, very good compared to everything else. BTW: decider, your life is no guarantee. you will die. Does that mean it sux? Keep that in mind the next time you post.
by Spartan_458 October 30, 2008 12:25 PM PDT
Wow, I'm impressed. Vista's security is already impressive. If 7 is even better, kudos to Microsoft!
by The_Decider October 31, 2008 12:48 AM PDT
You do realize that every single security "feature" in Vista has been compromised don't you?

That is impressive, but not in a good way.
by Seaspray0 November 5, 2008 3:57 PM PST
"that every single security "feature" in Vista has been compromised ..."

Show me the proof that every single security feature has been compromised. Back up what you claim, decider.
by myles taylor October 30, 2008 11:22 PM PDT
It looks so much like Vista....

Maybe that's a good thing. Vista looked fine.

My biggest problem with Vista was that it made settings that were already mildly hard to get to in XP even harder and more confusing to get to. I work for an ISP and they buried the network connections. Also, another issue I had with Vista was basic command line commands were turned off by default (like ipconfig). That's just annoying.
by Imalittleteapot October 31, 2008 1:27 AM PDT
Gone is the Security Center, introduced in Windows XP SP2. Instead, there will be an "Action Center".

Seriously? It made more sense before. It's like they have to change everything just for the sake of change except for the stuff that's actually broken. It's like a consistent theme with them or something.

Oh well, as long as it runs on 1 ghz and 1 gig of ram like they say it will I'll use it and call it an improvement. But I swear to God if Microsoft just started doing the exact opposite of what they usually do their product would probably be much better off.
by 0zSpit November 6, 2008 4:30 PM PST
i also read it only takes up about 2.5 gb of hard drive. also, lol @ the_decider, aka the village idiot
by Fire Balls October 31, 2008 5:32 PM PDT
Ok for the people that want a UAC that you can set programs to auto allow. Well the reason for it not being that way is this. First all you would have to do is compromise a program with the auto allow and you could do anything instead of hey why is it asking for admin rights at this point in the program. Also the problem as to why some people see it so much is because of sloppy code done by so many software developers. If it was written the right way it wouldn't need those rights and therefore no UAC prompt. I understand with some software there is no way around that and for it to perform the functions it needs to that more rights are required. But for the most part it is just sloppy code.
To address another issue. I personally feel that yes Microsoft could do a better job at security. But honestly what software company couldn't? I mean come on Linux (probably most people's "golden os" for the people complaining on here or BSOD) is full of holes as well. And don't even get me started on the lack of security on MAC OSX I mean come on they are behind just about everyone else. (yes I know they don't get exploited much but that's not because they are more secure and what is sad is because of that most apple users feel much more secure than they really are.) Microsoft has to find a balance for its home users who don't want to be prompted about much of anything and who probably don't even care about a password or much security they just want to run around and have nothing bug them and the business user for who security is a very important thing. That's why there are other products made by Microsoft and other vendors for the workplace to address these issues while trying to find a balance at a home user level as well.
And as for building the OS from scratch yeah that would be great but they have enough backwards compatibility problems as it is without doing things. If you step back and take a good look at everything they are doing, the vast amount of software and hardware that they support on their OS (Linux = what's an exe?) the amount of market penetration, environment, and users that they have to cater to I think they are doing a good job. Could it be better well I would like to think so. But until you take everything into account instead of just focusing on one part of a program I don't think you can give a 100% educated answer on that.
In summary what I am saying is don't just harp on security (as very important as it is trust me it may not sound like it but I do care about it a lot!) when you don't look at functionality and support for different products. We don't live in a perfect software world and Microsoft isn't the only one fighting that battle. And for anyone in the open source community that want to say hey we are more secure and have good functionality I laugh and point to the vast libraries of software that windows can run that you won't touch for decades. And hardware that I have been able to use for years with ease and you are just now being able to run effectively. Try and see the whole picture
P.S. yes I know I will be torn to shreds for some of the things I said in this. But that's life some people are stuck in a rut they will never get out of. I can only hope that someday they will be able to see more than 2 in. in front of their face.
by megadeth--2008 November 1, 2008 5:20 AM PDT
have they done anything to fix the terrible memory management in vista? If you enjoy page faulting apps being written to the hard drive instead of staying in memory, windows is great

until they fix that they will have speed problems, I hope beta testers really test it this time, because vista was NOT beta tested properly
by ferretboy88 November 1, 2008 4:03 PM PDT
I have not had one single crash or virus/malware with Vista and have been using it since day one with UAC off. I am pretty smart so I know not to click on the fart button. I also use Linux.
by caelli November 2, 2008 4:14 PM PST
Hold on!!!
We are approaching the 20th anniversary of Windows NT - the forerunner of all this...and
NT was originally designed - from the base up - with minimal security and only added Discretionary Access Control - DAC ( remember the "Orange Book" and C2 compliance needs for the Feds back then - "C2 by '92") later in development. DAC is OBSOLETE in the global Internet age and such modern systems as "Flexible Mandatory Access Control (FMAC)" - as per "Secure LINUX" and Solaris 10 (Secure Environment) should be the BASE for any public or private enterprise wishing to protect its vital information systems - including keeping up with national and international legislation! Shame - Win7 could have entered the 21st century security environment BUT it looks as if it is still in a 1980s DAC security mode!! ( I wonder what Microsoft's Rashid thinks - after all he developed Mach which led to "Trusted Mach - TMach" - perhaps he has no influence at all on the real MS OS product sets - that's also a shame!)
by TurboSuper November 7, 2008 4:01 AM PST
UAC is pretty useless, the headache it gives you is not nearly worth the security it gives you. Especially if you have a half decent anti-virus. There's also a program called Malwarebytes Anti-Malware which does an AMAZING job at hunting down rootkits and other nasties your AV will miss. Oh, and it's free.

Anyways, I'd much rather see MS spend their efforts addressing the bugs in Windows instead of all this "security". So many PCs ship with Norton AV these days anyways, I don't quite see the point.
by andeyejah November 7, 2008 4:47 AM PST
I am pleased to announce the decider's true identity his name is Philip Hornnet of apple computers living in new york city east77.
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.