Slider settings for UAC in Win 7 are source of controversy.

Network administrators looking to Microsoft’s latest operating system Windows 7 for a measure of relief from the armada of malware aimed at past versions of the OS aren’t likely to find it if a recent experiment conducted by security researchers is any indication of what’s in store for new users of the software.

The White Hats installed the operating system on a clean machine without any anti-virus software and, using the default settings for User Access Control (UAC) discovered that seven of 10 malware samples easily infected the computer.

Malware programs that successfully ran in Windows 7 were Troj/FakeAV-AFY, Mal/EncPk-KY, Mal/EncPk-KP, Troj/agent-LIW, TrojFakeAV-AFX, Troj/Zbot-JN and W32/Autorun-ATC. Malicious code that failed to execute included Troj/Bredo-M, W32/autorun-ATK and Troj/Banker-EUT.

Folks naive enough to believe Microsoft’s security claims about Windows 7 will no doubt be disappointed by these findings that suggest the new operating system shares some of the drawbacks of its progeny, but the bad app battlers said they weren’t surprised by the results. A major concern with the new UAC system in Windows 7 is that users will believe that it will protect them from cracker attacks. It won’t. The revamped UAC feature is as ineffective in blocking a majority of malware programs as anti-virus applications that rely solely on signature-based scanning to prevent the execution of malicious code. Moreover, the false sense of security the new UAC can create among users may induce them not to install security software on their machines, which would be a serious mistake.

The new UAC also presents system administrators with a dilemma. Microsoft was deluged with complaints about UAC in Windows 7′s predecessor, the reviled Vista, because it burdened users with a rain of security prompts. The feature was so annoying that many users just turned it off. They preferred risking a security breach to incessant pestering prompts. That’s why Microsoft scrapped the approach in Windows 7 in favor of a four position slider control.

At the bottom of the slider is the “Never Notify Me” setting. Since that setting shuts off access control, it’s one that only the foolhardy may find useful. However, some experts recommend that this setting combined with restricted user access privileges be used in enterprise settings. Limiting what a user can do with a computer also limits the ability of a machine to be victimized by malware, they reason, and turning off notifications will prevent irrelevant security prompts from popping up and nagging users.

The next slider setting notifies a user when a program tries to make a change to his or her computer and disables secure desktop mode. Secure desktop mode dims a computer’s display when it’s active. That can be irksome when trying to perform a task like a screen capture.

The third slider, which is the default setting, is the same as the second except screen dimming is enabled. Some experts believe this default setting isn’t secure enough for most users. With that default setting, they argue, any malware that exploits remote code execution vulnerabilities can take control of a computer without the user’s knowledge.

And the highest security level is “Always Notify Me,” which is the same as it was in Vista.

To take advantage of these settings, a user must log into their computer as an administrator. That, however, isn’t recommended for enterprises using any version of Windows. One study has shown that reducing the number of users who have administrative privileges can reduce the number of exposed Windows vulnerabilities by more than 90 percent. It declared that boosting the number of users with standard privileges–requiring them to log on to their machines and defining what they can and can’t do on their computers–greatly enhances an organization’s security profile.

Hence the network administrator’s dilemma. To run Windows 7 securely on a network, user privileges should be below administrator levels. But if they’re below that level, then users can’t take advantage of the redesigned UAC feature of Win 7, leaving the network administrator with a new operating system but a hangover from an old one.

Despite some optimistic predictions that Windows 7 would remove the need for users to run with administrative privileges to avoid the UAC problems that cropped up in Vista, that doesn’t seem to be the case. Users with standard access privileges in Windows 7 will be facing some of the same productivity and usability problems they faced in Vista.

Enterprises face Win 7 security challenges

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

One of the biggest user complaints about Windows Vista was the UAC (User Account Control) feature, which generated frequent popups as a way of notifying users whenever anything tried to make changes to the computer. The UAC was in theory a good idea. Spam or rogue email attachments frequently contain malware designed to make changes or trigger a download, and the UAC would let you know when something’s going on. The problem was that it popped up for many routine tasks, and users became annoyed. Now personally, I’d rather have tight security and have to deal with clicking “allow” a few times a day, as opposed to loose security and more convenience, but that’s just me, and I always tend towards paranoia.

According to a Microsoft blog entry, Windows 7′s UAC now has a little more flexibility, with four settings: “Never notify”, “Notify me only when programs try to make changes to my computer (without desktop dimming), “Notify only when programs try to make changes to my computer (with desktop dimming)”, and “Always notify.” Vista on the other hand, was all or nothing, with choices only for “Always notify” or “Never notify.” The risk now however, is that users will tend towards shutting it off completely, since that option is now a lot easier to do—thereby leaving the door open to more attacks.

Of course, Microsoft took a lot of flak over the UAC under Vista, and they’ll probably take more flak now for going in the other direction with Win7′s UAC. The medium setting on Windows 7, which is the default setting, may offer inadequate protection, though time will tell. It is advisable to bite the bullet and use the “Always notify” setting—although it may be a hard sell to get users to agree.

Windows 7 and security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Will Exchange support boost Apple's corp cred?

Despite the crowing by fans of Apple computers that  their lovely machines are gaining traction in the corporate realm, resistance to OS X boxes by CIOs appears to still be strong, even with the much trumpeted support of Microsoft Exchange in the latest edition of the Mac operating system, Snow Leopard.

The logic behind the expectation that Exchange support will be a deal maker for corporate IT departments stems from the infectious behavior Apple products have had in the past on markets. The iPod’s popularity, for example, had a halo effect that enticed consumers to move to Apple computers. More to the point, when Exchange support was built-in to the iPhone, it began to win nods from more corporate users.

But there are indications that, at least initially, the halo effect may not be as strong this time around. One of those indicators is a recent “jury poll” taken by TechRepublic, a Web site targeted at IT professionals. In that poll, a “jury” of CIOs voted 12-0 against adding new Macs to their existing computer mix. All the executives voted “no” to the question, “Does the release of Snow Leopard make your IT department more likely to adopt more Mac OS X machines?

The TechRepublic jury was a diverse group. It included IT bigwigs from an accounting firm (SS&G Financial Services), a college (Emory University School of Medicine), the Girl Scouts in Minnesota and Wisconsin, an engineering consulting firm (Structural Integrity Associates) and a number of government agencies (Wllingford, Conn., public schools and the Massachusetts Department of Public Utilities).

More than 50 percent of the 90-member jury pool responded to the Snow Leopard question, TechRepublic reported, and the overwhelming sentiment in those responses was that the operating system revamp would not impact their IT infrastructure. “Nearly every respondent wrote that Macs simply don’t make sense in their corporate network,” the IT publication reported.

When TechRepublic began to drill into the reasons behind the resistance to Macs in the various corporate departments, the litany was a familiar one.

• We’re heavily invested into PCs. Besides, Macs are for graphic designers and educational institutions.
• We’re running Windows-based software so we don’t want to look at a non-Windows platform.
• We know we can run Windows software on a Mac, but it requires virtualization and supporting two operating systems, which is a headache we don’t need.
• We need to comply with federal regulations and Macs aren’t a good fit for that kind of environment.
• We’re operating under budget constraints and Macs cost more than PCs.
• We depend on key software vendors to support our core applications, and those vendors support only Windows.
• We’re a Windows shop because Microsoft makes pricing very, very attractive for higher education.
• We can’t afford to retrain users and support staff in a new hardware platform.

Apple has attempted to address many of the mines placed in the path of its Macs on the road into corporate environments, and for a while, it seemed to be making some progress. But earlier this year there appeared to be signs of slippage, as Forrester research reported that the Mac adoption rate for businesses in Europe and North America had declined from five percent in 2008 to three percent in early 2009.

As the TechRepublic poll suggests, the strong mix of real concerns–costs connected to hardware purchase, training and support–and popular perception–Macs are only for graphics and students–is creating roadblocks into the enterprise on which a change like Exchange support will have very little impact. That impact will be diluted even more by the fact that that support does not extend to the entire Exchange market but only to Exchange Server 2007 installations.

Moreover, the proximity of Snow Leopard’s release to the appearance on retail shelves of Microsoft’s Windows 7 operating system will take some of the bounce the Apple OS may have gotten in corporate environments.

In the coming weeks, the public will be bombarded with the benefits of Win7, benefits such as a smaller memory footprint, faster performance, improved aesthetics and, maybe most important of all, it’s not being called Vista 2009.

Since the release of Vista in 2007, Apple has been able to grow its share of the corporate sphere. To some extent, that’s been due to Vista’s miserable performance in the market. Beating up on Vista became a national pastime rivaling baseball. With the arrival of Windows 7, Apple may find its pitch to corporate IT departments a bit more difficult without Vista to kick around anymore.

Mac resistance still strong despite Exchange support

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Microsoft is changing the AutoPlay feature of Windows 7, so that it will not be able to enable AutoRun for USB devices. The change was necessary, since some malware (including Conficker), uses the AutoRun feature to spread. Malware isn’t just an email-borne problem any more–specifically, malware writers recognize that email security has been improving overall, and are looking for new attack vectors. Removable media, such as USB devices, make a perfect attack vector for them.

Although Conficker is the most well-known piece of malware that uses the default AutoRun settings to propagate itself, others have also used this feature in the past and continue to do so now. Spreading malware via USB devices started to become prevalent last year.

There will no doubt be some outcry about Windows 7 hampering usability, but the move makes sense. With this update, the AutoRun task will continue to work for removable media such as CDs and DVDs, but it will not be enabled for other devices, such as USB drives. In addition to being incorporated in Windows 7, the change will also be reflected in future updates of Vista and XP.

Microsoft issues anti-malware changes to Windows 7

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators