Enterprises face Win 7 security challenges

Written by John P Mello Jr on November 13, 2009
Slider settings for UAC in Win 7 are source of controversy.

Network administrators looking to Microsoft’s latest operating system Windows 7 for a measure of relief from the armada of malware aimed at past versions of the OS aren’t likely to find it if a recent experiment conducted by security researchers is any indication of what’s in store for new users of the software.

The White Hats installed the operating system on a clean machine without any anti-virus software and, using the default settings for User Account Control (UAC), discovered that seven of 10 malware samples easily infected the computer.

Malware programs that successfully ran in Windows 7 were Troj/FakeAV-AFY, Mal/EncPk-KY, Mal/EncPk-KP, Troj/Agent-LIW, Troj/FakeAV-AFX, Troj/Zbot-JN and W32/Autorun-ATC. Malicious code that failed to execute included Troj/Bredo-M, W32/Autorun-ATK and Troj/Banker-EUT.

Folks naive enough to believe Microsoft’s security claims about Windows 7 will no doubt be disappointed by these findings, which suggest the new operating system shares some of the drawbacks of its predecessors, but the bad app battlers said they weren’t surprised by the results. A major concern with the new UAC system in Windows 7 is that users will believe it will protect them from cracker attacks. It won’t. The revamped UAC feature is as ineffective in blocking a majority of malware programs as anti-virus applications that rely solely on signature-based scanning to prevent the execution of malicious code. Moreover, the false sense of security the new UAC can create among users may induce them not to install security software on their machines, which would be a serious mistake.

The new UAC also presents system administrators with a dilemma. Microsoft was deluged with complaints about UAC in Windows 7’s predecessor, the reviled Vista, because it burdened users with a rain of security prompts. The feature was so annoying that many users just turned it off. They preferred risking a security breach to incessant pestering prompts. That’s why Microsoft scrapped the approach in Windows 7 in favor of a four-position slider control.

At the bottom of the slider is the “Never Notify Me” setting. Since that setting shuts off access control, it’s one that only the foolhardy may find useful. However, some experts recommend that this setting combined with restricted user access privileges be used in enterprise settings. Limiting what a user can do with a computer also limits the ability of a machine to be victimized by malware, they reason, and turning off notifications will prevent irrelevant security prompts from popping up and nagging users.

The next slider setting notifies a user when a program tries to make a change to his or her computer and disables secure desktop mode. Secure desktop mode dims a computer’s display when it’s active. That can be irksome when trying to perform a task like a screen capture.

The third slider position, which is the default setting, is the same as the second except that screen dimming is enabled. Some experts believe this default setting isn’t secure enough for most users. With that default setting, they argue, any malware that exploits remote code execution vulnerabilities can take control of a computer without the user’s knowledge.

And the highest security level is “Always Notify Me,” which is the same as it was in Vista.

To take advantage of these settings, a user must log into their computer as an administrator. That, however, isn’t recommended for enterprises using any version of Windows. One study has shown that reducing the number of users who have administrative privileges can reduce the number of exposed Windows vulnerabilities by more than 90 percent. The study declared that boosting the number of users with standard privileges, requiring them to log on to their machines with those privileges and defining what they can and can’t do on their computers, greatly enhances an organization’s security profile.
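As an added example (not from the article), the PowerShell check below reads the three registry values the UAC slider writes under the Policies\System key (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), maps them back to the four slider positions described above, and reports whether the logged-on account is a local administrator, which is the combination the article warns about. The value-to-position mapping and the fallback defaults are Microsoft's documented ones; the finding text is mine.

```powershell
# Added example, not the article's code: audit the UAC slider position and the
# logged-on account's privilege level on a Windows 7 (or later) machine.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {
    param([string]$Path = $UacPolicyKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A value that is absent means the Windows 7 default applies.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # Map the values back to the four slider positions.
    if ($enableLua -eq 0 -or $consent -eq 0) { $level = 'Never notify (UAC prompting off)' }
    elseif ($consent -eq 2 -and $secure -eq 1) { $level = 'Always notify (Vista behaviour)' }
    elseif ($consent -eq 5 -and $secure -eq 1) { $level = 'Default: notify on program changes, secure desktop (dimming) on' }
    elseif ($consent -eq 5 -and $secure -eq 0) { $level = 'Notify on program changes, secure desktop (dimming) off' }
    else { $level = "Custom policy (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }

    # Is the logged-on account a member of local Administrators (SID S-1-5-32-544)?
    # The group SID is checked directly rather than via IsInRole so that a
    # UAC-filtered (non-elevated) token still counts as an administrator logon.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    $findings = @()
    if ($enableLua -eq 0 -or $consent -eq 0) { $findings += 'UAC prompting is disabled' }
    if ($secure -eq 0 -and $consent -ne 0)   { $findings += 'Secure desktop is off; prompts can be spoofed by other windows' }
    if ($isAdmin)                            { $findings += 'Logged on as an administrator; a standard-user account is recommended' }

    New-Object PSObject -Property @{
        Level                      = $level
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        LoggedOnAsAdmin            = $isAdmin
        Findings                   = ($findings -join '; ')
    }
}

Get-UacSliderLevel | Format-List
```

Run it from a normal (non-elevated) session under each account you want to assess; reading this key needs no elevation, so the result reflects what that account actually works with.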

Hence the network administrator’s dilemma. To run Windows 7 securely on a network, user privileges should be below administrator levels. But if they’re below that level, then users can’t take advantage of the redesigned UAC feature of Win 7, leaving the network administrator with a new operating system but a hangover from an old one.

Despite some optimistic predictions that Windows 7 would remove the need for users to run with administrative privileges to avoid the UAC problems that cropped up in Vista, that doesn’t seem to be the case. Users with standard access privileges in Windows 7 will be facing some of the same productivity and usability problems they faced in Vista.
