User Account Control Overview
Published: February 7, 2006 | Updated: October 2, 2006
Introduction
In today's world, companies and individuals face the challenge of maintaining control over their computers in response to constantly evolving security threats. IT administrators and users must balance computer security with user productivity. Companies need a solution that is both resilient to attack and protective of data confidentiality, integrity, and availability. On computers running a version of Microsoft Windows earlier than Microsoft Windows Vista, the majority of user accounts are configured as members of the local Administrators group, because administrator privileges are required to install, update, and run many software applications without conflicts and to perform typical system-level tasks. Even the simplest operation, such as clicking the taskbar clock to view a calendar, requires administrator privileges. Granting end users administrative privileges makes individual computers and networks vulnerable to malware and increases total cost of ownership, because users can make unapproved system changes. Malware can exploit the system-level privileges granted to the local administrator—damaging files, changing system configurations, and even transmitting confidential data outside the network. Unfortunately, deploying computers in a locked-down state by requiring users to operate in standard user mode severely limits user productivity. Without local administrative rights, many applications will not function properly, because they are designed to write to system locations during normal operation.
Windows Vista
Microsoft will be releasing a new version of the Microsoft Windows operating system in 2006, called Windows Vista. Windows Vista will be the most secure version of Windows that Microsoft has ever developed.
A significant focus of Windows Vista and a fundamental piece of Microsoft's overall vision is security. Windows Vista provides a simple and secure mechanism for running end-user accounts with standard user privileges, while eliminating the need for administrator privileges when performing many common tasks, such as installing a printer driver or connecting to a secure wireless network. This fundamental shift provides security at the OS level by preventing malware and rootkits from damaging company-wide files and settings.
User Account Control: Delivering a More Secure Desktop
The main goal of User Account Control is to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode. This limitation minimizes the ability of users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected their computer. With User Account Control, IT administrators can run most applications, components, and processes with limited privilege, but have "elevation potential" for specific administrative tasks and application functions. Conversely, when users encounter a system task that requires administrator privileges, such as attempting to install an application, Windows Vista will notify the user and require administrator authorization. This type of prompting helps ensure that users do not accidentally make modifications to their desktops. It also helps eliminate the ability of malware to invoke administrator privileges without a user's knowledge. As a defense-in-depth measure, User Account Control also provides additional protection for administrators through its Administrator Approval Mode. With Administrator Approval Mode, Windows Vista will run most applications with standard user permissions even if the user is an administrator.
If a user wishes to run a program that requires administrator permissions, they must give consent through a User Account Control prompt. This helps limit malware's ability to make system-wide changes without the administrator's knowledge. However, Administrator Approval Mode does not provide the same level of security or control as a true standard user account.
Redefining User Modes
Since the release of Windows 2000, the ability to invoke applications as an administrator while running as a standard user has been built into the Windows architecture, with features such as RunAs for administrators. RunAs provides a command-line tool that administrators can use to run tools and programs with different permissions than the user's current logon provides. This new definition of the user model is a permanent change in Windows. As a result, application developers will need to change the way their applications function so that everyday users can complete basic tasks without requiring administrative privilege. To facilitate this process, Microsoft will provide extensive guidance for application developers. For more information, see Developer Best Practices and Guidelines for Applications in a Least Privileged Environment on MSDN. User Account Control is designed to separate true administrative privilege tasks from standard account tasks. For example, some of the utilities that still call for administrative privileges include the following:
With Windows Vista, application developers need to decide which of the two levels of privilege their application needs to complete specific procedures. If an application doesn't need administrative privileges for a task, then it should be written to require only standard user mode privileges. For example, a standard user mode-compliant application should only write data files to a non-system location, such as the user profile, as opposed to the Program Files directory tree.
Privilege Elevation Potential
The goal of User Account Control is to allow users to run Windows with standard user privileges and decrease the number of tasks and applications that require administrator privilege. Any privilege elevation brings a potential risk to the system, because the elevated software may be vulnerable to attack. If the user's computer has been exposed to malicious software (malware), the user could be tricked into allowing malicious software to run with administrator privileges when using the UAC consent dialog or credentials entry. Before approving any request for permission to elevate a program, ensure that up-to-date anti-malware and anti-virus software is running on the computer and no malware has been detected. For the highest protection against code running with administrator privileges, we recommend that organizations deploy PCs with standard user accounts and do not give users access to administrator credentials. Computer administrators are advised to use a standard user account for most tasks and, when needed, log on to a separate administrator account in a separate user session that is used only for administrative tasks. Administrator Approval Mode reduces the threat of some types of malware attacks by starting programs with standard user privileges by default and alerting the user if a program is attempting to run with administrator privileges. However, this mode does not provide the same level of protection as a standard user account and does not guarantee that the software will not attempt malicious actions once it is elevated. User Account Control is part of Microsoft's defense-in-depth strategy to provide multiple levels of protection in Windows Vista. Notwithstanding the exceptions noted above, all levels of User Account Control offer greater protection than running a previous version of Windows with full administrator privileges, as most users do today.
To further improve the security of Windows-based PCs, Microsoft continues to recommend using up-to-date anti-malware software, using a firewall, and keeping the PC up to date with the latest security updates.
User Account Control Features and Benefits
Standard User Privileges
In Windows Vista, Standard User accounts have been given additional privileges that users require to perform common tasks without needing helpdesk support. These privileges have been determined to have minimal system impact and potential for risk, though administrators will also have the ability to restrict these permissions if they prefer. New permissions for standard user accounts in Windows Vista include:
- View system clock and calendar
- Change time zone
- Install Wired Equivalent Privacy (WEP) to connect to secure wireless networks
- Change power management settings
- Add printers and other devices that have the required drivers installed on the computer or that have been allowed by an IT administrator in Group Policy
- Install ActiveX Controls from sites approved by an IT administrator
- Create and configure a Virtual Private Network connection
- Install critical Windows Updates
Additionally, disk defragmentation is now an automatically scheduled process in Windows Vista, so users will not need to initiate that action.
UI Modifications to Assist Standard Users
In previous versions of Windows, a non-administrator could not easily tell which actions they were allowed to perform and which they weren't. Windows Vista reduces this uncertainty by using a shield icon throughout the operating system to identify commands that require administrator privileges.
Figure 1: The shield icon notifies users that they cannot perform the Change Date and Time operation.
File System and Registry Virtualization
In Windows Vista, many legacy applications that were not designed to support standard user accounts can run without modification, using the built-in file/registry virtualization feature. File/registry virtualization gives an application its own "virtualized" view of a resource it is attempting to change, using a copy-on-write strategy. For example, when the application attempts to write to a file in the Program Files directory, Windows Vista gives the application its own private copy of the file in the user's profile, so the application will function properly. Virtualization also provides logging by default for applications that attempt to write to protected areas. Microsoft's early testing of legacy applications running in standard user mode using file/registry virtualization under Windows Vista has shown promising application compatibility results. Although virtualization allows the majority of legacy applications to run, it is a short-term measure, not a long-term solution. Not only can a lack of compliance with User Account Control affect the security of an application, but it can also reduce the application's performance, require additional end-user training, and cause application conflicts.
Over-the-Shoulder (OTS) Credentials
Whenever standard users attempt an administrative task, such as software installation, they will be prompted for an administrator password. If they know the local administrator password, they may enter it then, or they may ask an IT administrator for assistance. This process is called over-the-shoulder (OTS) credentials. IT administrators can disable this feature, in which case the user is simply informed that they do not have permission to perform the operation.
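The file/registry virtualization described above redirects a legacy application's blocked writes into the user's profile. The following added example (not code from the original article) models that redirection so an administrator can predict where a non-compliant application's "settings" really landed, and map a file found in the per-user store back to the protected location the application meant to write, which is what the developer has to fix. The VirtualStore locations it uses are Windows Vista's documented ones and are not named in the article; the sample paths are constructed.

```python
"""Model of Windows Vista file/registry virtualization (added example).

The mechanism in the article: a write by a legacy application to a protected
location is satisfied copy-on-write with a private copy in the user's profile.
The concrete locations below are the documented Vista ones, an assumption of
this example rather than something the article states:
  files:    %LOCALAPPDATA%\\VirtualStore\\<path minus drive letter>
  registry: HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\...
The real rules have more conditions (only 32-bit, interactive, unmanifested
processes are virtualized; executables never are); this model ignores them.
"""
from __future__ import annotations

import ntpath

# Protected file-system roots whose writes are redirected (constructed list of
# the usual Vista defaults on a C: system drive).
PROTECTED_DIRS = (r"C:\Program Files", r"C:\ProgramData", r"C:\Windows")

PROTECTED_REG_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE"
VIRTUAL_REG_ROOT = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE"


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path is strictly inside root' test on NT-style paths."""
    p, r = ntpath.normpath(path).lower(), ntpath.normpath(root).lower()
    return p.startswith(r + "\\")


def virtualized_file_path(path: str, local_appdata: str) -> str | None:
    """Where a blocked write to `path` is redirected, or None if not virtualized."""
    for root in PROTECTED_DIRS:
        if _under(path, root):
            # Drop the drive letter: C:\Program Files\X -> Program Files\X
            _drive, rest = ntpath.splitdrive(ntpath.normpath(path))
            return ntpath.join(local_appdata, "VirtualStore", rest.lstrip("\\"))
    return None


def original_file_path(virtual_path: str, local_appdata: str,
                       system_drive: str = "C:") -> str | None:
    """Inverse mapping: the protected path a VirtualStore copy stands in for."""
    store = ntpath.join(local_appdata, "VirtualStore")
    if not _under(virtual_path, store):
        return None
    rest = ntpath.normpath(virtual_path)[len(ntpath.normpath(store)) + 1:]
    return system_drive + "\\" + rest


def virtualized_registry_key(key: str) -> str | None:
    """Where a blocked write to a key under HKLM\\SOFTWARE is redirected."""
    if not _under(key, PROTECTED_REG_ROOT):
        return None
    return VIRTUAL_REG_ROOT + key[len(PROTECTED_REG_ROOT):]


def triage_virtual_store(paths: list[str], local_appdata: str) -> dict[str, list[str]]:
    """Group VirtualStore files by the first two components of the path they shadow.

    Feed it a directory listing of %LOCALAPPDATA%\\VirtualStore to see which
    legacy applications are still writing to protected locations.
    """
    groups: dict[str, list[str]] = {}
    for p in paths:
        orig = original_file_path(p, local_appdata)
        if orig is None:
            continue  # not a virtualized copy; ignore
        parts = orig.split("\\")
        key = "\\".join(parts[1:3])  # e.g. "Program Files\LegacyApp"
        groups.setdefault(key, []).append(orig)
    return groups


if __name__ == "__main__":
    # Constructed sample: a legacy app writing its INI file into Program Files.
    la = r"C:\Users\alice\AppData\Local"
    target = r"C:\Program Files\LegacyApp\settings.ini"
    print(target, "->", virtualized_file_path(target, la))
    print(virtualized_registry_key(r"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\App"))
```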
Admin Approval Mode: Right Privilege at the Right Time
To help protect administrators while doing non-administrative operations, the Windows Vista team has devised the Admin Approval Mode feature. This feature allows administrators to perform normal day-to-day tasks such as checking e-mail or browsing the Web while running with a standard user token. If administrator privileges are needed for an operation, the administrator will be notified and asked to provide either consent or credentials, depending on system policy settings. The Windows Vista team calls this approach "right privilege at the right time." There's no more switching back and forth between standard user and local administrator, juggling two user profiles.
No Need for the Power Users Group
The Power Users group in previous versions of Windows was designed to give users specific administrator privileges to perform basic system tasks while running applications. Unfortunately, this solution fixed the symptom—application failure—but it did not fix the problem: applications still fundamentally require unnecessary privileges. User Account Control does not utilize the Power Users mode because standard users can now perform most common configuration tasks. For legacy applications that require administrative privileges under Windows XP, file and registry virtualization in Windows Vista will help them run smoothly without reconfiguration. For new, compliant applications, User Account Control guidelines will define the correct protocol for file locations, registry changes, and other common tasks.
Preventing Application-Based Shatter Attacks
Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as rootkits, spyware, and undetectable viruses.
Shatter attacks take over a user interface by using the Windows messaging system (the mechanism by which applications communicate with the Windows operating system and with each other) to run malicious code or overwrite administrative processes. The primary cause of this problem is that any application can send a message to any other application on the same desktop. When the target application receives a message, it has no way of discerning the source process or determining whether the sending application is authorized to do so. This class of security breach is not a single attack, but rather a type of attack. Taken alone, each instance is not a critical problem. However, the fact that this attack vector is present in many applications makes the problem much more serious. The vulnerability lies in the way developers write software that runs on Windows. Microsoft has always recommended that software vendors refrain from using the messaging system for highly privileged applications. Unfortunately, numerous software products still haven't adopted this basic measure of protection. User Account Control-compliant software applications isolate privileges by design, reducing the attack surface of the operating system by reducing the general set of privileges and helping prevent unauthorized applications from running without the user's consent. A strictly enforced User Account Control model makes it harder for worms and viruses to take over Windows-based systems by ensuring that existing security measures are not disabled by standard users running in Administrator mode.
Secure Desktop Prompting
In Windows Vista RC1 you will notice that, by default, when User Account Control prompts appear, the rest of the screen is darkened. The prompts are being displayed in the Secure Desktop mode, the same mode you see when you log on or press CTRL+ALT+DELETE.
Displaying User Account Control elevation dialogs on the Secure Desktop helps protect the user from unknowingly allowing a program to run with elevated privileges without their consent. Without this protection, it is much easier to create malware that tricks the user into approving an elevation request prompt that they really wanted to deny. The Secure Desktop helps protect against this because other software running on the machine is blocked from interacting with the user's interface.
Application Compatibility Tools
To help developers test for application compatibility, stability, and security under User Account Control, IT administrators and application developers can use the following tools:
- Standard User Analyzer: This application compatibility tool helps developers and IT professionals diagnose issues that would prevent a program from running properly as a standard user.
- Microsoft Application Compatibility Toolkit (ACT) V5.0: A lifecycle management tool for your applications, ACT 5.0 assists in identifying and managing your overall application portfolio, reducing the cost and time involved in resolving application compatibility issues—including User Account Control issues.
Both tools produce a log of an application's privileged access requirements that would normally fail in Standard User mode, providing a roadmap for adjusting these tasks and achieving compliance with User Account Control. In addition, the Process Tracking Audit (Event ID #592) can be used to determine which applications are running with elevated privilege in an enterprise environment. To ensure the Windows user experience is not degraded by components that are not User Account Control-compliant, Microsoft recommends testing all components and applications with these tools.
Reducing Total Cost of Ownership and Increasing Security
User Account Control helps IT administrators gain configurable control over end-user tasks, such as installing and configuring applications. User Account Control also helps control access to sensitive files and data by securing the My Documents folder: other users cannot change, read, or delete files created by other users of the same computer. By helping ensure that users do not accidentally make computer or file modifications that cannot be easily reversed, User Account Control reduces the cost of managing desktops and the overall total cost of ownership (TCO). In addition, a more consistent environment means that administrators no longer need to devote large blocks of time to troubleshooting computers that were changed by users. Administrators also gain better control over software licensing because they can ensure that only authorized applications are installed. As a result, they will have a reduced risk of unlicensed or malicious software endangering their network, causing system downtime and data loss, or creating licensing liabilities.
Ongoing Usability Enhancements
By making User Account Control available to Windows Vista beta users through our Consumer Technology Preview (CTP) program, we have received valuable feedback that will help make the experience better in the final release.
In particular, administrators told us that they faced too many alerts and it was difficult to identify which ones were caused by potential security risks. In response to this customer feedback we have made numerous enhancements to User Account Control in Beta and will continue to make refinements until the final release of Windows Vista.
Customer Feedback Cycle
The most valuable feedback we received has come directly from beta users. The public copies of Windows Vista are instrumented to report data on how many prompts each user sees and what is causing them. We then analyze the top 100 causes of prompts to see which can be eliminated without a major impact on security. Some examples of prompts we aim to eliminate:
- Common control panel applets that people use as part of their everyday activities. Eliminating these prompts often involves re-coding part of the control panel so that it no longer requires administrator privileges.
- Prompts caused by other software that alerts the user every time they run the program. Many applications prompt for administrator privileges they don't necessarily need in order to run. In many of these cases we can develop an "application fix" as part of Windows Vista that will enable the program to run without prompting. In other cases we alert the software developer with guidance on how they can modify their application.
- Programs that prompt the user every time they start their computer. These are the highest priority issues and can be resolved using one of the methods listed above.
By using the data to focus on the top causes of prompts we can greatly reduce the number of prompts that the majority of customers see.
Enhancements in Windows Vista RC and Beyond
Customers who have used previous versions of Windows Vista should experience fewer and clearer prompts when using RC1. Some key improvements include:
- Many more control panel applets (Mouse, Keyboard, Audio devices, Text to Speech, Infrared, Bluetooth, Search Index) no longer require a prompt to open.
- A prompt is no longer required to open Task Manager.
- A dialog is removed in the processes of downloading files from Internet Explorer.
- Found New Hardware wizard no longer prompts automatically.
- We have applied fixes that will help almost 100 more applications—including popular games—work well without prompting.
In addition to reducing the number of prompts, we have redesigned the dialogs to make it clearer which program is generating the prompt, making it easier to identify the programs with the greatest potential risk. We have already made additional enhancements that will be reflected in the releases after Beta 2, and we will continue to improve the experience and remove unnecessary dialogs using our feedback process until the final release. One fix that we already know will be reflected in Windows Vista RC1 is the ability for administrators to delete shared desktop shortcuts.
Developer Readiness
A requirement for providing customers a great experience with User Account Control is having third-party software that does not require and prompt for administrator privileges. We are applying fixes to many issues that we identify in our own testing, and we are also giving developers tools and guidance to create software that operates seamlessly in this new security environment. This quarter we will release the Standard User Analyzer, a tool to help developers diagnose issues that would prevent a program from running properly without administrator privileges. We have also provided training to thousands of ISVs and hosted hands-on labs at the Microsoft labs to help them make Windows Vista-ready software available when the final version of the operating system is released to the market.
Target for Final Release
Customers will experience the most prompts in the first few days of using Windows Vista, as a normal part of the initial setup, while they install new applications and configure their PCs for their individual needs. After that initial period, our goal is that when customers use the final version of Windows Vista for their everyday activities, on most days they will not experience any prompts.
Implications for Application Developers
Writing Applications for Standard User Mode
The standard user account type will be a major change for many application developers, who will need to shift the way they write their applications and access certain shared system files and registry keys. For example, changes to various Windows feature areas such as the Kernel, Process Creation, Security, File System, Registry, Shell, UI, Control Panel Applets, and Application Compatibility will require a number of changes from the applications that interact with them. If you are developing an off-the-shelf, logo-compliant application, it should work without privileges that can compromise a computer. The benefit of this new approach, in terms of application stability and client security, will far outweigh the initial investment in understanding the technology. To meet this goal, the software industry as a whole will need to work together to introduce the next generation of applications that deliver substantially more secure applications.
Windows Vista Logo Program
The Windows Vista-Compliant Logo Program will enforce strict certification guidelines, providing assurance to customers that certified products will integrate properly with Windows Vista. As a result, the Logo certification will provide a competitive differentiator and credibility for ISVs who achieve Logo certification. For more information, visit the Windows Vista Logo Program page.
User Account Control-Compliance as a Competitive Differentiator
No application developer wants a hacker to make headlines by exploiting their product. However, developing an application that is not standard user mode-compatible and opens up vulnerabilities as a result of not adhering to Microsoft security guidelines will leave an ISV's customers vulnerable to malware attacks.
Customers who run their desktops with Standard User permissions will require software that is compatible with User Account Control and will need to specify this requirement in their RFPs. User Account Control compatibility offers ISVs the infrastructure needed to implement good security practices and help avoid security breaches and negative publicity. By making an application User Account Control-compatible and adhering to basic rules of Logo compliance, an ISV can also establish improved credibility in the marketplace.
Additional Windows Vista Security Components
Writing Managed Applications
Managed applications are designed with security in mind—they are written according to a specific security protocol, so that they will perform only authorized functions, making their code less vulnerable to exploits. In Windows Vista, each managed application can indicate the specific permission level it needs to function. The Windows Vista Trust Manager will then use this information to determine whether to allow the application to be installed on a computer. If a developer writes an application whose permission requirements fall entirely within the Trust Manager's no-risk permission set, it can run without generating any security alerts. Tasks that operate within this set should be unable to harm a computer—either intentionally or accidentally. However, if the application receives a more dangerous risk rating based on the permissions it requests, the administrator will be prompted with a dialog box describing its potential dangers and asked to confirm that the application is safe to install. For ISVs with new or emerging market products, achieving a low risk rating is critical to maintaining customer trust.
Microsoft Windows Installer
There are several options for installing software in Windows Vista, such as having an administrator perform an installation for all users on a computer or network.
However, installation based on the Microsoft Windows Installer (MSI) is the recommended way to install an application through Group Policy on behalf of a user without giving them administrative privileges—a critical capability for enterprise applications that are deployed to thousands of users. For large enterprises, SMS provides an improved installation process and allows administrators to track successful installations.
Application Manifest
An Application Manifest identifies an application to Windows Vista and allows administrators to define the application's desired security credentials—an important step in the deployment process that helps facilitate a better user experience. The manifest informs Windows Vista when an application is User Account Control-compliant and when to prompt users for administrator authorization to elevate privileges. To ensure integrity and functionality, these manifests can and should be signed.
Run Levels
If a level other than standard user is required, the manifest should contain a runLevel. RunLevels let the system know that, in order to operate correctly, a specific task needs to be elevated with an administrator token. Some examples of elevated application tasks include:
- Highest: An application requests the highest available privilege level. The application can modify its behavior based on the level of elevated privileges obtained. This application is launched using the full process token.
- Administrator: An application requests administrator privilege level. The token contains the Administrator Group Security Identifier (SID). This application may fail to initialize if unable to obtain necessary privileges.
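The run level is declared in the manifest's requestedExecutionLevel element, and which prompt the user sees depends on the level together with whether the user is an administrator running in Admin Approval Mode or a standard user who may be offered over-the-shoulder credentials. The following added example (not code from the original article) writes a manifest for a chosen level, reads the level back from an existing manifest, and predicts the prompt under the default behaviour the article describes; the prompt prediction is an illustration of that description, not a model of every Group Policy setting, and the manifest is left unsigned.

```python
"""Build and inspect a Windows Vista application manifest's run level (added example).

The element written here, <requestedExecutionLevel> inside <trustInfo>, is the
real manifest element Windows reads for what the article calls the runLevel.
Level names map to the article's cases as follows:
  asInvoker            - standard user; no elevation is requested
  highestAvailable     - the article's "Highest" case
  requireAdministrator - the article's "Administrator" case
predict_prompt() follows the article's description of Admin Approval Mode and
over-the-shoulder credentials under default policy; it is an assumption for
illustration, not a statement of every policy Windows offers. Signing the
manifest, which the article recommends, is outside this block.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

MANIFEST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="{ui_access}"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def build_manifest(level: str, ui_access: bool = False) -> str:
    """Return manifest XML requesting `level`; rejects misspelled levels early."""
    if level not in VALID_LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {VALID_LEVELS}")
    return MANIFEST_TEMPLATE.format(level=level,
                                    ui_access="true" if ui_access else "false")


def requested_level(manifest_xml: str) -> str | None:
    """Extract the requested level, or None if the manifest does not declare one.

    Matches on the local element name so manifests that place trustInfo in the
    asm.v2 namespace instead of asm.v3 are read the same way.
    """
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = elem.get("level")
            if level not in VALID_LEVELS:
                raise ValueError(f"invalid requestedExecutionLevel: {level!r}")
            return level
    return None


def predict_prompt(level: str | None, user_is_admin: bool,
                   ots_enabled: bool = True) -> str:
    """What the user sees at launch under the article's default behaviour.

    user_is_admin: the interactive user is in Administrators and therefore
                   runs in Admin Approval Mode with a standard user token.
    ots_enabled:   whether over-the-shoulder credential prompting is allowed
                   for standard users (IT administrators can disable it).
    """
    if level in (None, "asInvoker"):
        return "no prompt; runs with the standard user token"
    if level == "highestAvailable":
        if user_is_admin:
            return "consent prompt (Admin Approval Mode); runs with full administrator token"
        return "no prompt; runs with the standard user token"
    # requireAdministrator: the application fails to start unless it gets the token
    if user_is_admin:
        return "consent prompt (Admin Approval Mode); runs with full administrator token"
    if ots_enabled:
        return "credential prompt (over-the-shoulder); runs as the supplied administrator"
    return "launch refused; user is told they lack permission"


if __name__ == "__main__":
    xml_text = build_manifest("highestAvailable")
    level = requested_level(xml_text)
    for is_admin in (True, False):
        print(level, "| admin" if is_admin else "| standard user", "->",
              predict_prompt(level, is_admin))
```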
Summary
User Account Control offers a new approach to improving computer security by fundamentally changing the way applications interact with an operating system and its files. As hackers and others with malicious intent evolve the level of their security threats, it is imperative that developers work together with Microsoft to continue to create technology that minimizes the impact of this malware. When running in standard user mode, organizations and users are less likely to be impacted by system-level malware. User Account Control will also help organizations reduce total cost of ownership by preventing users from installing unapproved software and changing system configurations—enabling a more managed desktop. In Windows Vista, Microsoft has developed a simple and more secure mechanism for running in Standard User mode while still performing common operating system configuration tasks that currently require elevated privileges. In order to ensure security and application performance in the future, software developers will need to focus more on making their applications User Account Control-compatible. With Windows Vista, Microsoft has made significant progress in the security technology field—a significant step in the continuous process of advancing technology for the benefit of society and helping its customers reach their potential. For additional information visit the Windows Vista home page on Microsoft.com.