I was excited when Dr. Crispin Cowan joined the company a while back – what security person wouldn’t be! As one of the key drivers behind StackGuard, Linux Security Modules and co-founder of Immunix, which produced AppArmor – few people are as qualified as Dr. Cowan to talk about security features and security boundaries.
So, when he asks “Is UAC a convenience feature, or a security feature?”, I would say it is worth reading at least twice. And if my recommendation is not good enough for you, let me share this quote that might entice you to go read the whole thing:
It is correct to say that UAC’s features are convenience features, in that it is much more convenient to respond to a UAC prompt than it is to have to switch to a separate desktop, log in as an administrator to do the administrative tasks, log out and then return to your standard user session. Whether one views a UAC prompt as a convenience or a nuisance depends on whether you compare it against running as a Standard User, or against running as a full Administrator: vs. running as Standard User UAC is a convenience feature that compromises security, but vs. running as an Administrator as was the default in XP UAC is a security enhancement.
But does that mean that UAC is not a security feature? No. UAC, in all of its forms, including Silent Mode, provides some obstacles to attacks, and so so it is always a security feature. UAC in operation does nothing other than to say “no” to some access requests, and so it cannot be anything but a security feature.
Of course, it is always nice when someone shares your own opinion. As I’ve said in the past, security features do not have to be perfect in order to provide security value. UAC definitely falls into that category. And, as is my wont, I’m now going to go off and see if I can find some (imperfect, most likely) way to measure that value…
Regards ~ Jeff