http://forums.microsoft.com/technet/showpost.aspx?postid=1358057&siteid=17&sb=0&d=1&at=7&ft=11&tf=0&pageid=6

The problem with NT security has never been the OS, it's the applications. The architects of NT/Win32, or even .NET for that matter, were very intelligent, and made good choices. Many of us in the OS/2 and UNIX world loved the MAC design in the original NT 3.1/Win32 API, and we very much approve of the .NET model. The problem? Microsoft's own tool developers and, worse yet, application developers have never adopted their own, good APIs and designs! So you get things like MS IE -- designed for access-control-ignorant "Chicago" (aka DOS 7+Windows 4 aka Windows 9x) -- as core DLLs in Visual Studio 4.0+ and at the heart of NT, bypassing security. Same deal now for .NET: the API has been relegated largely to Indigo (Internet/web-centric .NET services) and nothing else. 100% of Microsoft's own Windows applications utterly failed the "Designed for Windows NT" logo branding in 1995, because they were written with Visual Studio 4.0, which was largely targeting Windows 95 and ignoring all sorts of mandatory Win32 APIs. So the legacy continues today: we have a very, very "Chicago-polluted" Win32 API, nothing as originally designed. As such, end-users must run as "administrator" for so many applications to run correctly or completely, and do all sorts of other things as "administrator." That makes all the real, solid MAC (and even newer RBAC) controls and designs of NT/Win32/.NET utterly useless, as they are completely bypassed by 90%+ of users! And that's exactly what happens! Hence why Microsoft came up with this stupid UAC nonsense, to enforce it with "nagware" from the OS, instead of just fixing the problem at the tools/application level in their own tool/app departments.
If they would get their own tool/app developers to start doing that (internally, not just ISVs, although everything is outsourced today, even at Microsoft's app division, so it happens), and enforce the "least privilege model" in the applications from the get-go, that would solve the problem much better. Ironically, with all its advanced, superior MAC/RBAC design over legacy UNIX/POSIX, NT (even 6.0/Vista) is rather useless because the tools/apps don't assume users are unprivileged, which any common UNIX/POSIX developer automatically assumes from code line #1. Then you mix in additive MAC/RBAC and auditing options like SELinux that companies like Red Hat are pushing on everyone, and most critical open source apps are adopting, and despite the "legacy" aspect of Linux, it's quite a good sell for a standard, hardened, well-audited platform. Kinda sad, because I believed in NT from day 1 when I took hold of the NT 3.1 betas. But because the entire toolchain and apps are so far behind API changes -- from the original NT/Win32 to the .NET API (both of which were quite ahead of their time, and still better than SUSv3/POSIX-2001+ today) -- NT in implementation requires stupid things like UAC to have any effect. Sad, really sad. The OS design is good.
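The post's core complaint is that Windows applications write to per-machine locations (HKLM, Program Files) and therefore only work when the user is an administrator, which is what UAC ends up nagging about. The following PowerShell script is an added example, not code from the post's author or from Microsoft; it contrasts that habit with the "assume the user is unprivileged" pattern. The vendor/application key names and the `Theme` setting are illustrative assumptions.

```powershell
# Added example (not from the forum post): an application that assumes the
# user is NOT an administrator writes its settings to per-user locations,
# so it works identically for standard users and never needs elevation.
# Key/value names below are assumed for illustration only.

function Test-IsElevated {
    # True only if the current token is a member of the Administrators
    # group AND that membership is enabled (i.e. the process is elevated).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Per-machine locations: writable only by an elevated (admin) token.
$machineKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'     # assumed name
# Per-user locations: writable by a plain standard user, no UAC prompt.
$userKey    = 'HKCU:\SOFTWARE\ExampleVendor\ExampleApp'     # assumed name
$userData   = Join-Path $env:LOCALAPPDATA 'ExampleApp'      # per-user data dir

function Save-AppSetting {
    param([string]$Name, [string]$Value)
    # Least-privilege default: user settings always go under HKCU and
    # %LOCALAPPDATA%, regardless of whether the process happens to be elevated.
    if (-not (Test-Path $userKey))  { New-Item -Path $userKey  -Force | Out-Null }
    if (-not (Test-Path $userData)) { New-Item -Path $userData -ItemType Directory -Force | Out-Null }
    Set-ItemProperty -Path $userKey -Name $Name -Value $Value
    return (Get-ItemProperty -Path $userKey -Name $Name).$Name
}

function Save-AppSettingAdminStyle {
    param([string]$Name, [string]$Value)
    # The "Chicago" habit the post criticises: write to HKLM and simply fail
    # (or demand "run as administrator") for a standard user. Shown only to
    # contrast; do not write user preferences here.
    try {
        if (-not (Test-Path $machineKey)) {
            New-Item -Path $machineKey -Force -ErrorAction Stop | Out-Null
        }
        Set-ItemProperty -Path $machineKey -Name $Name -Value $Value -ErrorAction Stop
        return "wrote '$Name' to HKLM (elevated=$(Test-IsElevated))"
    } catch {
        # A non-elevated token gets "Requested registry access is not allowed."
        return "HKLM write denied (elevated=$(Test-IsElevated)): $($_.Exception.Message)"
    }
}

# Usage: the per-user path succeeds for everyone; the per-machine path only
# succeeds in an elevated shell, which is exactly the UAC prompt the post is about.
"elevated: $(Test-IsElevated)"
"per-user value stored: $(Save-AppSetting -Name 'Theme' -Value 'dark')"
Save-AppSettingAdminStyle -Name 'Theme' -Value 'dark'
```

Run it once from a normal shell and once from an elevated one: `Save-AppSetting` returns `dark` in both cases, while `Save-AppSettingAdminStyle` only succeeds when `Test-IsElevated` is true. An application built the first way has no reason to ask the user for administrator rights at all.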