by joenathanone 1250 days ago
Ever since UAC was introduced Windows has been pretty secure. Having provided IT support for over a decade, I went from seeing viruses/worms infect fresh install Windows machines a few minutes after they were connected to the internet, without any user input at all, just a connection to the internet was enough (I'm talking around the XP/2000 days).

Now 99% of infections are from users being tricked and downloading and installing the malware themselves. The biggest help with that has been uBlock origin. The next biggest risk I have encountered is phishing emails and that is 90% user education, filters can only do so much.

7 comments

> The next biggest risk I have encountered is phishing emails and that is 90% user education

I would bet that ~90% of all major breaches today are pure user engineering or user error related. Maybe 95%.

Every item on the list means nothing if a CSR (for example) uses the same passwords for their work accounts as they use on sketchy games from the app store or if they leave your hardware unattended. Boom, breach or even installs of spyware on company systems, good luck finding who screwed up. Many companies are guilty of giving way too many people access to way too much data because 'Business said they MUST have access'. And that is before you even consider the number of people who use work emails as if they are personal emails.

I would argue that UAC is a much more polished solution compared to solutions available on Linux like PolKit and its UIs.

Maybe the reason is that Microsoft was under a lot more pressure to solve this and once solved had a lot more power to enforce the rules on 3rd party software.

>> The next biggest risk I have encountered is phishing emails

I describe that threat much differently. I don't blame users. I blame windows for allowing a link clicked in an email to install software, to alter system files, to upload PII to Nigerian servers. Users should not be trusted. Just because a macro in an excel doc inside an email CAN do something clever doesn't mean that windows should allow that to happen so easily.

Email software like Outlook is largely responsible for a lot of phishing problems. E.g. email addresses are usually hidden and only visible after a lot of fiddling. Bad UI such as Outlook's makes most users powerless to recognize phishing. The blame should be put where it belongs: with the people responsible for deciding on the fatal Outlook/Exchange combination.
Outlook is not alone. Some email programs also hide the address or headers.
Windows does what it can with SmartGuard. Users just click through it. You can enforce signed software plus whitelist if you want in a system policy. Just entertain the thought that now you will have to curate a lot of software on the machines.

You can disable execute for download directories too.

These are not the default because it annoys everyone to no end. Likewise installing applications just from Microsoft Store. (Where badness has slipped in too.)

And finally, people still get caught with an MS Office document which will be opened from a download just fine and with a fake website.
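The "signed software plus whitelist" policy and the "no execute from download directories" idea from the comment above, written out as an AppLocker policy. This is an added example, not code from the thread or from any commenter; the rule names, the audit-first enforcement mode and the test file copied into Downloads are assumptions for illustration, and it needs an elevated session on an edition of Windows that enforces AppLocker (Pro/Enterprise).

```powershell
# Added example: AppLocker policy that allows signed executables and anything under
# Program Files / Windows, lets Administrators run anything, and denies execution
# from every user's Downloads folder. Deny rules win over Allow rules in AppLocker,
# so the Downloads rule holds even though the signed-binary rule would match.
$policyPath = Join-Path $env:TEMP 'deny-downloads.xml'

# Every AppLocker rule needs a unique GUID Id.
function New-RuleId { [guid]::NewGuid().ToString() }

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-RuleId)" Name="Deny execution from Downloads"
                  Description="Constructed example rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <!-- Any signed binary, any publisher. Replace PublisherName="*" with a vendor
         string (e.g. from Get-AppLockerFileInformation) to get a real whitelist. -->
    <FilePublisherRule Id="$(New-RuleId)" Name="Allow signed executables"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Administrators (S-1-5-32-544) may run anything, so the box stays manageable. -->
    <FilePathRule Id="$(New-RuleId)" Name="Allow Administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before applying anything. Test-AppLockerPolicy needs real files, so the
# "download" is a constructed sample: a copy of notepad.exe placed in Downloads.
$sample = Join-Path ([Environment]::GetFolderPath('UserProfile')) 'Downloads\notepad-copy.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $sample -Force

# Expected: System32\notepad.exe -> Allowed; the copy in Downloads -> Denied, even
# though it carries the same Microsoft signature, because Deny takes precedence.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $sample |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy (replaces the existing AppLocker policy; add -Merge to
# combine). Enforcement also needs the Application Identity service running, and
# the XML above must say EnforcementMode="Enabled" instead of AuditOnly to block
# rather than just log to Applications and Services Logs > Microsoft > Windows > AppLocker.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto
Start-Service AppIDSvc
```

Start in AuditOnly and read the AppLocker event log for a week before flipping to Enabled: that audit trail is the "curate a lot of software" cost the comment warns about, made visible before it starts generating help-desk calls.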

Yep, this problem has been solved on Android and iOS, where the only place to install software is the app store.

Windows did try to incite devs to use the Windows Store but it did not catch on. Restraining third-party installation to only the Store is a good way to remove adware and co.

Honestly, Microsoft did shit the bed with their app store; it has no right to be as difficult to use (both as user and developer) as it is.

One of the big reasons that the Microsoft store failed so hard was the absurd cut Microsoft wanted (30%).

Windows developers were and are already doing app distribution. 30% for something devs were already doing...

Numerous Android apps were found to be doing dodgy things after the fact. Probably iOS ones too. It's not foolproof.
Would also like to see mounting of ISOs blocked by default.
> infect fresh install Windows machines a few minutes after they were connected to the internet

yes - because back then, NAT'ing / putting a machine behind a router wasn't commonplace yet.

That is true and on that point, Windows didn't have an integrated firewall until the XP Service Pack 2 release.
The default user being administrator did not help. I would get most of that effect by just adding a second standard user to people's machines. "Use this user for everything but installing things." That cut down on the calls a lot. UAC just put a spot in place for the user to go "oh, I'm doing something adminy", which helped so much.
Back then, a ton of software would complain or not work if it wasn’t running under an account with admin privileges.

UAC forced developers to make the software work no matter what.

Surprisingly a lot of it was usually just a misplaced registry entry or one with the wrong ACL on it.
The first thing we did with UAC was disable it. Because nobody cared.

So you can throw the best security at users for free. Some dud will disable it because his PowerShell script is not working anymore.

People that were technical sometimes did that, or re-enabled administrator, or both. Because it 'got in the way'. But for the vast majority of people UAC worked as it should.
Almost all the bad things you’re worried about don’t require an elevated token. I’m much more worried about someone stealing my data, installing a trojan, etc. (none of which require elevation) than installing a device driver (which does).

This obsession with not running as root/using UAC is just cargo cult security for single user systems.

UAC offers almost no additional security for single user systems. You’re trying to protect your data and passwords and stuff, not the ability to install device drivers.
> yes - because back then, NAT'ing / putting a machine behind a router wasn't commonplace yet.

Back then, even putting the machine behind a firewall (which is what you really meant, since being a router does not necessarily mean it has a firewall enabled) wouldn't have been enough; it was not that uncommon to already have infected machines on the local network (because they had earlier been connected without being behind a firewall).

> The biggest help with that has been uBlock origin

It seems that browsers and extensions handle a huge part of the global security for users, maybe even more than the OSes.

That might've helped with maybe 30% of the issues; even behind firewalls and w/o UAC you also had all the early IE faults (let's make ActiveX run x86 code from untrusted sources... facepalm) that let adversaries get an initial foothold on computers.

Regular Windows usage back around Y2K was just insecure; compared to then, MS has really made strides.

Windows Vista was introduced in January 2007, and was the first version of Windows to include User Account Control (UAC).
First, a bit of pedantry: UAC is not a security feature. https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94... . It just works to encourage developers to make their software work without an elevated token. The security feature is Windows administrator accounts running apps with non-elevated tokens by default.

Protecting local administrator tokens is also kind of a useless security feature these days. What are you worried about? Data theft? Ransomware? Trojans? Credentials theft? All of those can be done just fine with only standard user permissions, without an administrator token. OTOH, you need an elevated token to install device drivers or whatever.
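The split-token behaviour the comment above describes (an administrator account whose processes run with a non-elevated token by default), shown from inside a process. This is an added example, not code from the thread or from any commenter. It assumes the `Microsoft.PowerShell.LocalAccounts` module (Windows PowerShell 5.1 or PowerShell 7 on Windows) for the group lookup, and that the account is a direct member of the local Administrators group rather than a member via a nested domain group.

```powershell
# Added example: compare account-level admin membership with the rights of the
# current token. Run once in a normal PowerShell window and once in one started
# with "Run as administrator" to see the two answers diverge on an admin account.
function Get-TokenElevationInfo {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    # Account level: is this user listed in the local Administrators group (S-1-5-32-544)?
    # Reading group membership does not itself require elevation.
    $adminMembers   = (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue).SID
    $isAdminAccount = $adminMembers -contains $identity.User

    # Token level: IsInRole consults the current token via CheckTokenMembership. Under
    # UAC the Administrators SID is present but marked "use for deny only" unless the
    # process was elevated, so this returns $false in a normal window.
    $tokenElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $effective = if ($tokenElevated) { 'administrator' } else { 'standard user (filtered token)' }

    [PSCustomObject]@{
        User            = $identity.Name
        AdminAccount    = $isAdminAccount
        ElevatedToken   = $tokenElevated
        EffectiveRights = $effective
    }
}

Get-TokenElevationInfo

# The raw token tells the same story: in a non-elevated process the Administrators
# line carries the attribute "Group used for deny only"; elevated, it reads
# "Mandatory group, Enabled by default, Enabled group, Group owner".
whoami /groups | Select-String 'BUILTIN\\Administrators'
```

On an admin account in a normal window the object shows `AdminAccount = True` and `ElevatedToken = False`; elevate the window and both become `True`. On a genuine standard user both are `False`. That gap between "who the account is" and "what this token can do" is exactly what the comment means by administrator accounts running apps with non-elevated tokens by default.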

You need an elevated token to inject code into (well written) protected applications as well, and sometimes even that might not be enough.

Generally admins tend to be most worried about central databases or user visible services being compromised. Compromising a user account is a necessary step to get there, often enough.

> Compromising a user account is a necessary step to get there, often enough.

But whether you have an elevated token or not won’t make a difference in almost all cases.