
Vista security feature was designed "to annoy users", admits Microsoft

User Account Control was an attempt to encourage independent software vendors to build more secure applications, Microsoft employee tells RSA conference

An uncharacteristically frank Microsoft employee has admitted that a security feature of the software giant's Vista operating system was deliberately designed to get on users' nerves.

David Cross told the RSA Conference in San Francisco last week, "The reason we put User Account Control into the Vista platform was to annoy users – I'm serious."

User Account Control (UAC) is the part of the Vista platform that governs the security privileges of applications. It requires system administrators to regularly confirm permission for applications to change local data, something many users find frustrating.

But it was all part of a plan to improve independently developed software, claims Cross. By deliberately impairing the user experience, Microsoft hoped to encourage independent software vendors (ISVs) to make their applications more secure and more mindful of user privileges.

"UAC is changing the ISV ecosystem," he said. "Applications are getting more secure [as a result]. We needed to change the ecosystem, and we needed a heavy hammer to do it."

According to Cross, 88% of Vista users have the feature enabled, contrary to the popular belief that disabling UAC is one of the first steps many take when setting up a Vista system.

Anti-virus firm Kaspersky Labs expressed doubts over the effectiveness of UAC when Vista was initially released, fearing that applications performing harmless actions could appear to be malicious in a security context and spook users unnecessarily.

But at the recent RSA conference Kaspersky seemed to have warmed to the feature: "Anything trying to shrink that attack surface and promote secure apps development has to be a good thing," Jeff Aliber, senior director of product marketing, noted.


By JJ Robinson, edit@information-age.com