Security feature in Microsoft's new Windows
could drive users nuts

Posted 5/15/2006 9:54 PM ET Reprinted from USA Today

Dialogue boxes like this one could get annoying for Vista beta testers.

By Byron Acohido, USA TODAY

SEATTLE — An annoying surprise awaits 2 million consumers expected to enthusiastically step forward in the next few weeks to help Microsoft test its new Windows Vista PC operating system.

Volunteers will test Vista Beta 2, a near-final version of the much-hyped upgrade of Windows. The testing is the last step leading up to Vista's broad consumer release, scheduled for January.

Beta 2 testers can expect to encounter an obtrusive security feature, called User Account Control (UAC). Designed to prevent intruders from performing harmful tasks, the feature grays out the computer screen, then prods you to confirm that you really want to do certain functions.

In early test versions, the queries crop up so often that they interrupt routine tasks, such as changing the time clock or deleting shortcuts. And UAC sometimes triggers an endless loop of dialogue boxes that can be curtailed only by rebooting, says Paul Thurrott, news editor of Windows IT Pro magazine.

"Microsoft completely botched UAC," Thurrott says. "It's almost criminal in its insidiousness."

Microsoft counters that refinements are being continually made. "The final product will be very usable and have a good balance of security," says Windows senior product manager Alex Heaton.

Once scheduled to arrive in 2004, Vista has been beset by delays, the latest nudging its public launch from fall to early 2007. Vista improves on Windows XP; it is the cornerstone of the software giant's push to extend its products deeper into the workplace and home. Yet Microsoft has struggled to infuse Vista with tighter security, partly because of a decision to let older software applications run on it, says Michael Cherry, tech security analyst at Directions on Microsoft.

Most Windows applications are written to take advantage of the fact that the operating system treats users as "system administrators" with carte blanche to alter basic system configurations. Trouble is, this has opened the door for cybercrooks to infect Windows with malicious programs that steal data and use infected PCs to carry out cyberfraud.

Microsoft should have set stricter parameters for Vista, Cherry says. But it hasn't required software developers to retool system administrator access.

Instead, it devised workarounds. The result: UAC's labyrinth of dialogue boxes. "Windows historically has been wide open," says Andrew Jaquith, senior analyst at the Yankee Group. "By trying to restrict what people can do, it's going to cause a lot of pain."

Security experts worry that Vista users will dismiss the dialogue boxes, clicking through them rapidly and undermining any security benefit. Or they will figure out how to turn off UAC. "Consumers, sadly, are probably going to disable it," Thurrott says.