Lesson 2: Understanding User Account Control (UAC)
As mentioned earlier, one of the primary design goals for Windows Vista was to make it an extremely secure desktop operating system. This process has involved significant engineering effort in all areas of the Windows platform. Many of these improvements have been performed so that users might not readily notice them. Others, however, do require user interaction.
As a Consumer Support Technician, it’s likely that you’ve heard about the User Account Control (UAC) feature of Windows Vista. The primary purpose of UAC is to ensure that users and applications are granted the lowest level of permission they require to complete their tasks. The benefits include ensuring that people and programs cannot make potentially disastrous changes to their systems. In this lesson, you’ll learn about the purpose and function of UAC and how you can configure it based on customers’ requirements.
After this lesson, you will be able to:
- Describe common security issues and considerations related to desktop operating systems.
- Describe the purpose and function of UAC, file and registry virtualization, and Admin Approval Mode.
- Perform permission elevations, including responding to prompts for consent and prompts for credentials.
- Enable and disable UAC by using Control Panel.
- Configure the behavior of UAC by using Local Security Policy settings.
Estimated lesson time: 60 minutes
Understanding Common Security Risks and Threats
In the area of computer security, it is often wise to know the methods of the “enemy.” That is, it’s important to understand ways in which malicious programs or people might be able to perform unwanted actions on your computer. Some of these actions might include the following:
- Using system resources. Malicious programs might use CPU, memory, disk, and network resources to perform their tasks. In one example, users’ computers are used to launch an attack on another site or computer without their knowledge. In those cases, users might notice that their computer appears to be working more slowly than before.
- Tampering with critical system files or data. In some cases, the data might simply be destroyed. In other cases, it might be transmitted to other computers. Regardless, these changes can cause data loss and instability of the operating system.
- Attempting to obtain personal information such as credit card numbers, user names, and passwords. Often, this data is then transmitted to a remote computer, where it might be used for actions such as identity theft.
- Tracking system usage. Software that is commonly referred to as spyware often runs in the background on a computer, unknown to users. It collects information such as Web sites that are visited and then reports this information back to the distributor of the software. Apart from violating security, this can lead to system slowdowns and instability.
- Displaying unwanted advertisements. It is a common practice for applications to include additional software that is installed with little or no warning to the user. The additional code can perform operations such as automatically loading content from Web sites.
Some of these programs might be designed with a specific purpose in mind (for example, collecting potentially useful personal financial data). In other cases, the programs might have no purpose other than to annoy the user. Regardless of the authors’ goals, it’s obvious that malware should be prevented from running on desktop computers.
Understanding the Security Goals of Windows Vista
A fundamental principle of managing security is giving users and applications a minimal set of security permissions. This ensures that they can perform the most common operations that they need to accomplish tasks, but it greatly limits the potential damage that a malicious program can cause. For example, users rarely (if ever) need to modify operating system files directly. By preventing them from performing this action, the operating system can avoid the mistaken or malicious deletion of critical components. By default, applications that a user launches inherit all of the permissions of that user. If a user can open a Microsoft Word document, type a letter, and then e-mail it, a program could easily perform the same actions automatically. Therefore, it’s important to place restrictions.
Microsoft had two primary goals when designing security for the Windows Vista operating system. The first was to ensure that users and applications were granted a minimal set of permissions for completing common operations. The other goal, however, was to ensure compatibility with earlier applications. In previous versions of Windows, it was very common for programs to assume that they had full access to the computers on which they were running. They could easily perform tasks such as reading and writing files from the file system and making modifications to the system registry. Because developers relied on these capabilities, it was often necessary for users to log on to their systems with accounts that had full administrative permissions. If the permissions were not available, the application might fail to run or might return errors to the user. Based on the two goals of security and compatibility, let’s look at some new architectural features in Windows Vista.
There’s no doubt about it: things would be far simpler for everyone involved if security were not a concern. In the early days of desktop computing, users and programs expected to have full control of their computers. Accordingly, application developers designed their programs under the assumption that they would also have these permissions and rights. Users would be able to perform any action they required on their systems. Unfortunately, having these abilities also increases potential security risks.
It is very important to understand that maintaining complete end-to-end security requires a team effort. It has been said that a chain is only as strong as its weakest link. It’s not enough for a few users to follow the rules: all must do so. Application developers, home and business users, and Consumer Support Technicians must all exercise discipline to minimize security issues.
For example, from a network standpoint, having the world’s most sophisticated and powerful firewall software won’t prevent users from using their initials as their password. A malicious user might easily circumvent all of this protection simply by guessing the password. Similarly, you can easily disable the many security features in Windows Vista with just a few mouse clicks.
So how can you, as a Consumer Support Technician, do your part? Perhaps the most important aspect of ensuring security for the customers you support is to make sure that they understand the importance of features such as UAC. Users often don’t see the benefits of limiting what they can easily do on their systems. This can lead them to circumvent or disable the features altogether. When, on the other hand, they see the potential benefits of security, they are much more likely to use best practices. Overall, it’s your job to help lead the security team effort.
Understanding the UAC Process
In previous versions of Windows, it was most common for users to log on to their computers by using an account that had Administrator permissions. This meant that the user (and any program that he or she launched) would be able to perform any operation on the computer. This includes reading and writing critical operating system files and accessing data stored anywhere on the system. In Windows Vista, it is recommended that users log on to the computer using a limited set of permissions. In Lesson 1, you learned about the details of working with standard and administrative user accounts.
Microsoft designed the UAC feature of Windows Vista to allow users to log on to their computers using a standard user account. They can perform the majority of their tasks using a limited set of permissions. During the logon process, Windows Explorer (which provides the user interface for Windows Vista) automatically inherits the standard level of permissions. Additionally, any programs that are executed using Windows Explorer (for example, by double-clicking an application shortcut) also run with the standard set of user permissions. Many applications, including those that are included with the Windows Vista operating system itself, are designed to work properly in this way.
Other applications, especially those that were not specifically designed with the Windows Vista security settings in mind, often require additional permissions to run successfully. These types of programs are referred to as legacy applications. Additionally, actions such as installing new software, and making configuration changes to programs such as Windows Firewall, require more permissions than what is available to a standard user account. Windows Vista can automatically detect when an application is attempting to use more than standard user privileges.
Understanding Standard User Mode
When a user logs on to Windows Vista by using a standard user account, Windows Explorer and all other processes that are launched run with a minimal set of permissions. In this mode, UAC requires the user to provide credentials to the system whenever an application or operation requires elevated permissions. When an application or process requests access to more permissions, the user is prompted for approval. This process is known as application elevation because it allows Windows Vista to give a program a full set of permissions. Figure 6-8 shows a sample screen. After the credentials are provided and accepted, the program runs with elevated permissions. The user, however, still continues to have only a limited set of permissions.
In a typical consumer environment, the user might already have knowledge of the user name and password of an Administrator account on the computer. By providing those details, he or she is implying that he or she wishes to allow the program to run in an elevated way. Other users of the computer who do not have these credentials will be unable to perform administrator-level actions.
Another way in which the standard user mode can be used is often called the “over the shoulder” method. In this case, a parent or supervisor might want most users to run under the standard user mode. Whenever there is a need to elevate privileges, this person can provide the necessary credentials. For example, a mother might want her child to log on to the computer as a standard user. Whenever the child needs to perform tasks such as changing system settings or installing new software, the mother must provide the necessary credentials.
Understanding Admin Approval Mode
In some cases, users might want to log on to the computer by using an Administrator account but still have the security benefits of running with minimal permissions. UAC provides this ability by using the Admin Approval Mode. The user account technically has full permissions on the system, but UAC limits which actions the user can perform. This effectively makes the account behave like a standard user account for most operations. Actions that require additional permissions can be performed, but the user must first approve them.
When an application requests elevated privileges, the default prompt Windows Vista shows to the user is one that asks the user to provide consent (see Figure 6-9). This method ensures that the user is aware when an application is attempting to run with elevated privileges. It can also help prevent situations in which malware applications attempt to modify the system. However, by default, it does not require the user to provide credentials for an Administrator account, because the current account already has this ability. Later in this lesson, you’ll see how you can change UAC settings to require credentials in Admin Approval Mode.
Additional Security Features
In addition to the UAC elevation prompts in Windows Vista, there are several other security-related enhancements that have been designed to increase safety and provide compatibility for earlier applications. In this section, you’ll learn about how they work.
File System and Registry Virtualization
Two important areas of security-related concerns are the Windows file system and the registry. The file system contains files ranging from operating system components to user data. In the past, applications were designed with the assumption that they would be able to access these files and settings freely. These earlier applications often fail to run properly when they cannot make those changes.
To prevent direct access to secure file system locations (such as the operating system and Program Files folders), Windows Vista uses a technique called virtualization. This method works by monitoring for when applications request direct access to the file system or registry. When this occurs, the operating system automatically redirects the requests to the appropriate location. For example, if an earlier program attempts to write a configuration file to the Program Files folder, Windows Vista automatically intercepts that request and writes the file to a subfolder of the user profile. This is a much safer operation, and it still enables the application to run without modifications.
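The following diagnostic script is an added example and is not part of the lesson. It lists the writes that virtualization has redirected into the current user's VirtualStore and maps each copy back to the protected location the earlier program believed it was writing to; the VirtualStore paths it uses are the documented Windows locations, not values taken from the lesson.

```powershell
# Added diagnostic, not part of the lesson. When virtualization redirects an earlier
# program's write away from Program Files, the Windows folder or HKLM\SOFTWARE, the copy
# lands in the current user's VirtualStore. This maps each copy back to the protected
# location, which explains why a file edited in Program Files may not be the one the
# program actually reads.
$FileStore         = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$RegistryStore     = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
$RegistryStoreName = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE'

function Get-VirtualizedFiles {
    if (-not (Test-Path -LiteralPath $FileStore)) { return }
    Get-ChildItem -LiteralPath $FileStore -Recurse -File | ForEach-Object {
        # Folders under VirtualStore mirror the layout of the system drive:
        #   ...\VirtualStore\Program Files\App\app.ini  <->  C:\Program Files\App\app.ini
        $relative = $_.FullName.Substring($FileStore.Length).TrimStart('\')
        $intended = Join-Path "$env:SystemDrive\" $relative
        [PSCustomObject]@{
            VirtualCopy         = $_.FullName
            IntendedLocation    = $intended
            ProtectedCopyExists = Test-Path -LiteralPath $intended
            LastWrite           = $_.LastWriteTime
        }
    }
}

function Get-VirtualizedRegistryKeys {
    if (-not (Test-Path -Path $RegistryStore)) { return }
    Get-ChildItem -Path $RegistryStore -Recurse | ForEach-Object {
        # HKCU\...\VirtualStore\MACHINE\SOFTWARE\X mirrors HKLM\SOFTWARE\X
        $relative = $_.Name.Substring($RegistryStoreName.Length).TrimStart('\')
        [PSCustomObject]@{
            VirtualKey       = $_.Name
            IntendedLocation = "HKEY_LOCAL_MACHINE\$relative"
            ValueCount       = $_.ValueCount
        }
    }
}

Get-VirtualizedFiles        | Format-Table VirtualCopy, IntendedLocation, ProtectedCopyExists, LastWrite -AutoSize
Get-VirtualizedRegistryKeys | Format-Table VirtualKey, IntendedLocation, ValueCount -AutoSize
```

Run it in the affected user's session, because the store is per user; an empty result means no redirected writes have occurred for that account.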
Understanding the Secure Desktop
One method by which malicious applications might attempt to collect sensitive information from the user is by emulating a standard application or window. This is particularly true of the UAC elevation prompt. Users might be prompted for credentials by an unauthorized application that appears to be a standard Windows dialog box. The program collects user names and passwords and then might use this information to compromise security.
To prevent this problem, Windows Vista displays elevation prompts, using a secure desktop. The secure desktop automatically dims the desktop background and prevents all applications from launching any new prompts or windows until the user makes a decision related to the UAC elevation prompt. In this way, the user can be assured that the UAC prompt is coming from the Windows Vista operating system itself.
Identifying Tasks That Require Privilege Elevation
Although you can perform the majority of common tasks in Windows Vista as a standard user, there are various functions that require elevated privileges. Built-in operating system tools and applications use a shield icon next to the appropriate button or link to indicate that privilege elevation is required (see Figure 6-10). This helps users understand when they are performing potentially unsafe actions.
Responding to Elevation Prompts
A common source of security-related and configuration-related issues occurs when users install unknown applications. In some cases, this might be done deliberately, but in other cases, users might be tricked into running a setup program without knowing it. UAC automatically attempts to verify whether an application is a known program or potentially unsafe. Figure 6-11 shows an example of the approval dialog box that is presented to users.
In addition to providing the name of the program and its publisher (if available), the details include the full path to the application. This can help users determine whether they really want to install the program. Options include allowing or disallowing the program to run.
Running Programs with Elevated Privileges
In some cases, users always want to run a particular program using Administrator permissions. For example, a customer might know that her older accounting software requires elevated permissions, and she does not want a prompt to appear every time she launches the application. The Run This Program As An Administrator option configures a program to always run as an administrator. You can configure this setting on the Compatibility tab of a program or shortcut (see Figure 6-12).
In some cases, the Run This Program As An Administrator check box might be disabled. For example, the application might be a built-in program that is included with Windows Vista and might not require elevated credentials. In those cases, the check box is disabled.
Another way to launch a program with elevated permissions is to right-click a program or shortcut and select Run As Administrator. This setting launches the application with Administrator permissions. Unless UAC is disabled, the user is prompted to provide consent or credentials.
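The following audit script is an added example and is not part of the lesson. The Run This Program As An Administrator check box is stored as a compatibility layer in the registry; the script lists every program configured that way so a technician can confirm the list matches what the customer intended. The AppCompatFlags\Layers locations and the RUNASADMIN layer name are documented Windows values rather than values taken from the lesson, and the per-user versus all-users split is an assumption about where the two Compatibility tab variants store their settings.

```powershell
# Added audit script, not part of the lesson. Lists programs configured to always request
# elevation through the Compatibility tab. Each value under Layers is named after the program
# path and holds a space-separated list of layers, for example "~ RUNASADMIN".
$LayerKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'; Scope = 'Current user' }
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'; Scope = 'All users' }
)
# Properties that the registry provider adds to every Get-ItemProperty result.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AlwaysElevatedPrograms {
    foreach ($key in $LayerKeys) {
        if (-not (Test-Path -Path $key.Path)) { continue }
        $entries = Get-ItemProperty -Path $key.Path
        foreach ($prop in $entries.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $layers = "$($prop.Value)" -split '\s+' | Where-Object { $_ -and $_ -ne '~' }
            if ($layers -notcontains 'RUNASADMIN') { continue }
            [PSCustomObject]@{
                Program       = $prop.Name
                Scope         = $key.Scope
                OtherLayers   = ($layers | Where-Object { $_ -ne 'RUNASADMIN' }) -join ' '
                StillExists   = Test-Path -LiteralPath $prop.Name
                # A program that always elevates but lives inside the user's own profile
                # can be modified without elevation, so it deserves a closer look.
                InUserProfile = $prop.Name.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
}

Get-AlwaysElevatedPrograms | Format-Table Program, Scope, OtherLayers, StillExists, InUserProfile -AutoSize
```

The script only reads the settings; clearing the check box on the Compatibility tab, as the lesson describes, removes the corresponding entry.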
Understanding Installer Detection
Perhaps one of the most common tasks that requires elevated privileges is the process of installing new software. Setup programs and installers often need to write directly to secure file system locations (such as the Program Files folder) and make changes to the registry.
Windows Vista automatically identifies installation programs and prompts for elevation approval when the application is run. This helps prevent the common error messages and issues that users encounter when attempting to install programs using standard user permissions.
Enabling and Disabling UAC
To ensure the security of new Windows Vista installations, the UAC feature is enabled by default. When users log on to the computer, the processes they launch run in the context of a standard user.
There are several different ways to control the behavior of the UAC feature. In some cases, customers might ask you for information about how to disable the feature altogether. You can access the Use User Account Control (UAC) To Help Protect Your Computer check box from within Control Panel. This check box is available by clicking User Accounts And Family Safety and then clicking User Accounts. You can also access this check box by searching for UAC in Control Panel. As shown in Figure 6-13, the dialog box provides a single check box that determines whether UAC is enabled.
After selecting to enable or disable UAC, you are prompted to reboot your computer, which is necessary to make the changes effective. When you disable UAC, users receive a notification of this whenever they log on to the computer or access security-related settings in Control Panel. This is done to remind users that they are at risk of potential security issues. You’ll look at ways in which you can fine-tune the behavior of UAC later in this lesson.
Managing UAC Settings with Local Security Policy
In addition to the default behavior of UAC, there are several different options that you can use to control the specific way in which this feature works. You define these settings by using policy settings on the computer. To access them, open the Local Security Policy console from the Start menu. The utility is available in the Administrative Tools program group (if the Start menu options are set to display it) or by searching for Local Security Policy. The default interface shows several different groups of settings, each of which has dozens of available options.
To access the properties of the UAC functionality, expand Local Policies, and then select the Security Options folder. The right side of the console shows all of the available policy options along with their current settings. UAC-related policies are prefixed by the text User Account Control (see Figure 6-14).
Each of the settings pertains to some aspect of system behavior or permissions. For example, you can use the Accounts: Guest Account Status option to specify whether the built-in Guest account is enabled. To make changes to a policy setting, double-click the item in the list. For most options, the first tab that is shown, Local Security Setting, provides the options for the setting (see Figure 6-15).
It’s often difficult to understand the exact purpose of every available option. Fortunately, the Local Security Policy console also includes details about specific options on the Explain tab. The text that is displayed here (see Figure 6-16) provides background information about the policy, along with details about the effects of these settings. Most explanations also include details about the default setting for the option. This can be very helpful in troubleshooting configuration issues. In some cases, links to more information are provided. Overall, this can help you determine the purpose and function of each setting.
In relation to controlling the behavior of UAC, there are nine different settings that you can configure manually. These are as follows:
- User Account Control: Run All Administrators In Admin Approval Mode. This setting can be considered a “master switch” that determines whether UAC is enabled on the local computer. The default setting is Enabled. The status of this setting corresponds to the Turn User Account Control (UAC) On Or Off setting in Control Panel. When the status is set to Disabled, Admin Approval Mode, file system and registry virtualization, and all related settings are effectively disabled. It is important to keep in mind that the other settings might appear to be properly configured, but they do not have any effect when this setting is disabled.
- User Account Control: Admin Approval Mode For The Built-In Administrator Account. This setting specifies the UAC options for the built-in Administrator account. By default, this setting is set to Disabled, which means that users who log on with the Administrator account have full permissions on the system. In general, it is recommended that the default Administrator account not be used. If you do have a need to enable the Administrator account, you can add security by enabling this policy setting.
- User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode. This setting specifies the type of elevation prompt that will be presented to administrative users when a program or process requests additional privileges. The settings include:
  - Prompt For Consent (the default).
  - Elevate Without Prompting.
  - Prompt For Credentials.
The default setting provides a balance between security and usability. To improve security, you can require that administrators provide a user name and password to elevate permissions. Alternatively, you can choose to eliminate the prompt altogether.
- User Account Control: Behavior Of The Elevation Prompt For Standard Users. This setting determines how elevation prompts will be shown to standard users. The default setting, Prompt For Credentials, requires the user to provide logon information for an Administrator user every time an application or process requests elevated permissions. In some cases, you might want to prevent elevation from occurring at all. That’s the purpose of the Automatically Deny Elevation Requests option.
- User Account Control: Detect Application Installations And Prompt For Elevation. When users attempt to install an application, Windows Vista automatically attempts to elevate privileges. This is a useful feature, because most setup and installation programs require access to the file system and other protected areas of the computer. The default setting for consumer-focused editions of Windows Vista is for this option to be enabled. This means that users automatically see an elevation prompt whenever they launch an installer. The Disabled option is primarily used in company network environments in which IT staff can control the installation of software, using centralized methods.
- User Account Control: Only Elevate Executables That Are Signed And Validated. One important potential security risk related to working with applications and software is in trusting the publisher of the application. Malware could easily create a new executable or shortcut that appears to be a familiar application (such as Microsoft Word), but that actually launches malicious code that could damage the system. One way to validate a program is to use a method based on Public Key Infrastructure (PKI) technology. This method allows trusted third parties to validate whether the publisher of the software is who it claims to be.
This option is set to Disabled, by default, because PKI technology has dependencies on other services such as a Certificate Server. Home and small-business users are unlikely to have the necessary infrastructure to do this.
- User Account Control: Only Elevate UIAccess Applications That Are Installed In Secure Locations. Some applications might need to run with elevated privileges on Windows Vista. Developers of these applications can create a setting that instructs the operating system to prompt for elevated privileges automatically whenever the program is launched. One potential problem is for malware (such as programs downloaded from the Internet) to request full permissions and then make undesired changes to the system. This setting specifies that only applications that are located within known secure file system locations (such as the Program Files folder and subfolders of the Windows folder) are able to request elevation. This helps ensure that only properly installed programs are able to run with elevated permissions. The setting can be disabled, although this will reduce overall security.
- User Account Control: Switch To The Secure Desktop When Prompting For Elevation. One method that malware authors have at their disposal is the possibility of tricking a user into providing sensitive information to a program. For example, a program could be designed to look very similar to the standard UAC elevation prompt. A user might provide a user name and password for privilege escalation, but the application itself is recording or sending this information elsewhere. To help prevent this type of intrusion, the default setting in Windows Vista is to use a secure desktop when an elevation prompt is presented. When this occurs, the entire desktop background is dimmed, and only the prompt is shown. Other applications will be unable to overwrite the prompt or create new windows that take the focus. When you disable this option, the UAC prompt appears like any other window. However, it is then possible for other applications to create a false UAC prompt.
- User Account Control: Virtualize File And Registry Write Failures To Per-User Locations. This setting is designed to provide compatibility with legacy applications that request direct access to the file system or to the registry. When a program attempts to perform one of these actions, Windows Vista automatically redirects the request to a safe, virtual location. The benefit is that the program can still run successfully, but all write operations occur safely. When you disable this setting, earlier applications are prevented from directly writing to file system and registry locations. In most cases, this means that the applications fail to run correctly.
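The following audit script is an added example and is not part of the lesson. It reads the registry values that back the nine policies above and compares each with the Windows Vista default the lesson states, adding the consequences the lesson describes for the riskier non-default choices. The registry value names under Policies\System are the documented backing values for these policies, not values taken from the lesson; later Windows versions use different defaults (for example, ConsentPromptBehaviorAdmin is 5 on Windows 7 and later).

```powershell
# Added audit script, not part of the lesson. Compares the nine UAC policies with the
# Windows Vista defaults described in the lesson and explains notable deviations.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Local Security Policy name -> backing registry value and the lesson's Vista default.
$UacPolicies = @(
    @{ Policy = 'Run All Administrators In Admin Approval Mode';                               Value = 'EnableLUA';                   Default = 1 }
    @{ Policy = 'Admin Approval Mode For The Built-In Administrator Account';                  Value = 'FilterAdministratorToken';    Default = 0 }
    @{ Policy = 'Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode';  Value = 'ConsentPromptBehaviorAdmin';  Default = 2 }
    @{ Policy = 'Behavior Of The Elevation Prompt For Standard Users';                         Value = 'ConsentPromptBehaviorUser';   Default = 1 }
    @{ Policy = 'Detect Application Installations And Prompt For Elevation';                   Value = 'EnableInstallerDetection';    Default = 1 }
    @{ Policy = 'Only Elevate Executables That Are Signed And Validated';                      Value = 'ValidateAdminCodeSignatures'; Default = 0 }
    @{ Policy = 'Only Elevate UIAccess Applications That Are Installed In Secure Locations';   Value = 'EnableSecureUIAPaths';        Default = 1 }
    @{ Policy = 'Switch To The Secure Desktop When Prompting For Elevation';                   Value = 'PromptOnSecureDesktop';       Default = 1 }
    @{ Policy = 'Virtualize File And Registry Write Failures To Per-User Locations';           Value = 'EnableVirtualization';        Default = 1 }
)

# Meanings of the two multi-valued prompt settings (values 3 to 5 were added after Vista).
$AdminPrompt = @{ 0 = 'Elevate Without Prompting'; 1 = 'Prompt For Credentials'; 2 = 'Prompt For Consent'
                  3 = 'Prompt For Credentials (no secure desktop)'; 4 = 'Prompt For Consent (no secure desktop)'
                  5 = 'Prompt For Consent For Non-Windows Binaries' }
$UserPrompt  = @{ 0 = 'Automatically Deny Elevation Requests'; 1 = 'Prompt For Credentials'
                  3 = 'Prompt For Credentials (no secure desktop)' }

function Get-UacPolicyReport {
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    # The master switch: when it is off, none of the other settings have any effect.
    $uacOn = ($null -eq $current.EnableLUA) -or ($current.EnableLUA -ne 0)

    foreach ($p in $UacPolicies) {
        $raw = $current.($p.Value)
        if ($null -eq $raw) { $raw = $p.Default }   # a missing value means the default applies
        $raw = [int]$raw

        $meaning = switch ($p.Value) {
            'ConsentPromptBehaviorAdmin' { $AdminPrompt[$raw] }
            'ConsentPromptBehaviorUser'  { $UserPrompt[$raw] }
            default                      { if ($raw -eq 1) { 'Enabled' } else { 'Disabled' } }
        }
        if (-not $meaning) { $meaning = "Unknown value $raw" }

        # Consequences a support technician would want to see, taken from the lesson.
        $note = ''
        if (-not $uacOn) {
            $note = 'No effect: the UAC master switch (EnableLUA) is off'
        } elseif ($p.Value -eq 'ConsentPromptBehaviorAdmin' -and $raw -eq 0) {
            $note = 'Administrators elevate silently; no consent prompt is shown'
        } elseif ($p.Value -eq 'PromptOnSecureDesktop' -and $raw -eq 0) {
            $note = 'Prompt is not isolated; other windows could imitate or cover it'
        } elseif ($p.Value -eq 'EnableSecureUIAPaths' -and $raw -eq 0) {
            $note = 'UIAccess programs outside secure locations may request elevation'
        } elseif ($p.Value -eq 'EnableVirtualization' -and $raw -eq 0) {
            $note = 'Legacy programs writing to protected locations fail instead of being redirected'
        }

        [PSCustomObject]@{
            Policy    = "User Account Control: $($p.Policy)"
            Registry  = $p.Value
            Current   = $raw
            Meaning   = $meaning
            IsDefault = ($raw -eq $p.Default)
            Note      = $note
        }
    }
}

# Changes made in Local Security Policy take effect only after a reboot, as the lesson notes.
Get-UacPolicyReport | Format-Table Policy, Current, Meaning, IsDefault, Note -AutoSize -Wrap
```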
Quick Check
- What is the default elevation prompt that a user receives when running under Admin Approval Mode?
- How can you modify UAC to disable the use of the secure desktop?
Quick Check Answers
- The user is prompted for consent and is not required to provide logon credentials.
- You can change this setting by using the Local Security Policy console. Specifically, you can set the User Account Control: Switch To The Secure Desktop When Prompting For Elevation option to Disabled.
Practice: Working with UAC
These practice exercises walk you through steps that can be used to configure and customize the behavior of UAC in Windows Vista. The exercises assume that you have created at least one Administrator account and one standard user account (for more information about creating accounts, see Lesson 1).
Practice 1: Configure UAC Behavior
In this exercise, you configure UAC to prevent standard user accounts from performing system-level tasks, even if they have information about administrator credentials on the computer. It is important that you have at least one Administrator account configured on the computer before beginning. This exercise also assumes that all UAC options are set to their default values.
- Log on to the computer using an Administrator account.
- From the Start menu, open the Local Security Policy console.
- Expand the Local Policies folder and select Security Options.
- Double-click User Account Control: Behavior Of The Elevation Prompt For Standard Users.
- On the Local Security Setting tab, change the setting to Automatically Deny Elevation Requests.
This setting specifies that users who log on with a standard user account are not prompted to provide elevation credentials. Therefore, they are unable to run programs with administrator permissions.
- Log off the computer and log on as a standard user.
- From the Start menu, open Control Panel and click an item that has a shield next to it. Examples include Add Or Remove User Accounts or Allow A Program Through Windows Firewall. Note that you do not receive a UAC elevation prompt. The resulting dialog box states: “This program is blocked by group policy. For more information, contact your system administrator.”
- To change the UAC back to its initial settings, log off the computer and log on again as an administrator. Use the Local Security Policy console to change the User Account Control: Behavior Of The Elevation Prompt For Standard Users setting to Prompt For Credentials.
Practice 2: Run Programs with Administrator Credentials
This practice demonstrates two different methods of running a standard program as an administrator. This exercise assumes that you are logged on to the computer using an account that has administrator permissions with Admin Approval Mode enabled. To complete this exercise, you need to install a program that requires administrator permissions on the computer. Place a shortcut to the program on your desktop to follow these steps.
- Log on to Windows Vista using an Administrator user account.
- Double-click the program shortcut to open the program.
You should receive a UAC elevation prompt that asks for approval to run under elevated permissions.
- Choose Cancel to prevent the program from running.
- To avoid the elevation prompt, right-click the program shortcut and choose Run As Administrator.
Note that the program launches and that you do not receive a prompt for UAC elevation.
- Close the program.
- To configure the program always to run using administrator credentials, right-click the program shortcut and choose Properties.
- Click the Compatibility tab, and then select the Run This Program As An Administrator check box. Click OK to save the settings.
- Double-click the program shortcut and note that you are not prompted for UAC approval.
- To change the shortcut settings back to the defaults, right-click the shortcut and select Properties. On the Compatibility tab, clear the Run This Program As An Administrator check box. Click OK to save the changes.
Lesson Summary
- Common computer security risks include viruses, adware, and other software that are collectively known as malware.
- For security reasons, users should log on to their computers by using a minimal set of permissions.
- Important design goals for Windows Vista include improving security settings while maintaining compatibility with earlier applications.
- The UAC process allows users to run with minimal permissions and provides prompts when programs require additional permissions.
- In the UAC Standard User Mode, users will be prompted to provide credentials whenever an application requires additional permissions.
- Admin Approval Mode allows a user to log on as an administrator but to run under a minimal set of permissions for most operations.
- File system and registry virtualization prevents direct access to secure operating system locations while still providing backward compatibility with earlier applications.
- UAC settings and options can be modified using the Local Security Policy tool.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2. The questions are also available on the companion CD if you prefer to review them in electronic form.
- Which of the following Local Security policy options can you set to disable all UAC functionality and options effectively?
A. User Account Control: Virtualization File And Registry Write Failures
B. User Account Control: Admin Approval Mode For The Built-In Administrator Account
C. User Account Control: Only Elevate Executables That Are Signed And Validated
D. User Account Control: Run All Administrators In Admin Approval Mode
- You are a Consumer Support Technician assisting a customer with configuring UAC features in Windows Vista. The customer would like to run using a minimal set of permissions but would like to be able to perform privilege escalation without providing credentials. Which of the following settings should you recommend?
A. An Administrator user account with Admin Approval Mode enabled
B. An Administrator user account with Admin Approval Mode disabled
C. A standard user account with the behavior of the elevation prompt set to Prompt For Credentials
D. A standard user account with the behavior of the elevation prompt set to Automatically Deny Elevation Requests
© Microsoft. All Rights Reserved.