Thursday, July 10, 2008

Are UAC related problems permission related or security related?

This is effectively the debate going on in my virtual classroom right now. One of the questions in Assessment 3-1 triggered the debate, as two of my students didn't choose UAC as a possible cause of a security related issue and two did.
The one side is arguing based on the material in the book. Several questions are expecting a textbook answer and UAC is explicity referred to in a paragraph above the security related issues and not under the security related heading.

This is the way I see it:
UAC is based on controlling access to ressources based on which privileges a user has at the time of executing a program. with UAC on, that would be the least priviliges required to run an applicaiton. Priviliges mean effectively permissions on files, settings and folders.
When we talk about security we usually differentiate between physical security, securing access to the data and securing the information itself.
  • We put our servers into locked rooms to secure the physical aspect
  • We put firewalls and passwords in place to secure access to the data
  • We put encryption in place to secure the information itself contained in the data.
Where does UAC belong? in the middle section. Securing access to data. By requesting elevated permissions or even an username and password to continue executing a piece of code or accessing a certain file or setting, we have another layer of access security in place to protect our systems.
Thus when anybody asks me if UAC could be a possible cause for security related installation or execution problems I'd go for "yeah, sure it is. look there first!"

Be sure to mention to your students that the paragraph in Module 3-1 headed "Security-Related Problems" should reall be labelled "Other Security-Related Problems" to avoid this discussion :-)

No comments: