What's New in User Account Control

Applies To: Windows 7, Windows Server 2008 R2

What's new in User Account Control?

Before the introduction of User Account Control (UAC), when a user was logged on as an administrator, that user was automatically granted full access to all system resources. While running as an administrator enabled a user to install legitimate software, the user could also unintentionally or intentionally install a malicious program. A malicious program installed by an administrator can fully compromise the computer and affect all users.

With the introduction of UAC, the access control model changed to help mitigate the impact of a malicious program. When a user attempts to start an administrator task or service, the User Account Control dialog box asks the user to click either Yes or No before the user's full administrator access token can be used. If the user is not an administrator, the user must provide an administrator's credentials to run the program. Because UAC requires an administrator to approve application installations, unauthorized applications cannot be installed automatically or without the explicit consent of an administrator.

In Windows® 7 and Windows Server® 2008 R2, UAC functionality is improved to:

  • Increase the number of tasks that the standard user can perform that do not prompt for administrator approval.

  • Allow a user with administrator privileges to configure the UAC experience in the Control Panel.

  • Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval Mode.

  • Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users.

Who will want to use UAC?

UAC helps standard users and administrators protect their computers by preventing programs that may be malicious from running. The improved user experience makes it easier for users to perform daily tasks while protecting their computers.

UAC helps enterprise administrators protect their network by preventing users from running malicious software.

What are the benefits of the new and changed features?

By default, standard users and administrators access resources and run applications in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.

When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs have been removed. The standard user access token is used to start applications that do not perform administrative tasks (standard user applications).

When the user runs applications that perform administrative tasks (administrator applications), the user is prompted to change or "elevate" the security context from a standard user to an administrator, called Admin Approval Mode. In this mode, the administrator must provide approval for applications to run on the secure desktop with administrative privileges. The improvements to UAC in Windows 7 and Windows Server 2008 R2 result in an improved user experience when configuring and troubleshooting your computer.

The built-in Administrator account in Windows Server 2008 R2 does not run in Admin Approval Mode

The built-in Administrator account in Windows Server 2008 R2, which is the first account created on a server, does not run in Admin Approval Mode. All subsequently created administrator accounts in Windows Server 2008 R2 do run in Admin Approval Mode.

The built-in Administrator account is disabled by default in Windows 7

The built-in Administrator account is disabled by default in Windows 7. The built-in Administrator account, by default, cannot log on to the computer in Safe Mode.

Behavior of computers that are not domain members

When there is at least one configured local administrator account, the disabled built-in Administrator account cannot log on in Safe Mode. Instead, any local administrator account can be used to log on. If the last local administrator account is inadvertently demoted, disabled, or deleted, Safe Mode allows the disabled built-in Administrator account to log on for disaster recovery.

If the built-in Administrator account is the only administrator account on Windows Vista, when upgrading to Windows 7, Safe Mode allows the disabled built-in Administrator account to log on to create at least one administrator account.

Behavior of computers that are domain members

The disabled built-in Administrator account in all cases cannot log on in Safe Mode. A user account that is a member of the Domain Admins group can log on to the computer to create a local administrator if none exists.

Important

If the domain administrator account has never logged on to the client computer, you must start the computer in Safe Mode with Networking to cache the credentials on the client computer.

Note

After the computer is removed from the domain, it reverts back to the non-domain member behavior.

All subsequent user accounts are created as standard users in Windows 7

Standard user accounts and administrator user accounts can use UAC enhanced security. In new Windows 7 installations, by default, the first user account created is a local administrator account in Admin Approval Mode (UAC enabled). All subsequent accounts are then created as standard users.

Reduced number of UAC prompts

Windows 7 and Windows Server 2008 R2 reduce the number of UAC prompts that local administrators and standard users must respond to.

To reduce the number of prompts that a local administrator must respond to:

  • File operation prompts are merged.

  • Internet Explorer prompts for running application installers are merged.

  • Internet Explorer prompts for installing ActiveX® controls are merged.

The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:

  • Install updates from Windows Update.

  • Install drivers that are downloaded from Windows Update or included with the operating system.

  • View Windows settings. (However, a standard user is prompted for elevated privileges when changing Windows settings.)

  • Pair Bluetooth devices to the computer.

  • Reset the network adapter and perform other network diagnostic and repair tasks.

Configure UAC experience in Control Panel

Windows Vista® offers two levels of UAC protection to the user: on or off. Windows 7 and Windows Server 2008 R2 introduce additional prompt levels that are similar to the Internet Explorer security zone model. If you are logged on as a local administrator, you can enable or disable UAC prompts, or choose when to be notified about changes to the computer. There are four levels of notification to choose from:

  • Never notify me. You are not notified of any changes made to Windows settings or when software is installed.

  • Only notify me when programs try to make changes to my computer. You are not notified when you make changes to Windows settings, but you do receive notification when a program attempts to make changes to the computer.

  • Always notify me. You are notified when you make changes to Windows settings and when programs attempt to make changes to the computer.

  • Always notify me and wait for my response. You are prompted for all administrator tasks on the secure desktop. This choice is similar to the current Windows Vista behavior.

The following table compares the number of UAC prompts for user actions in Windows 7 and Windows Server 2008 R2 with the number of UAC prompts in Windows Vista Service Pack 1.

Actions Only notify me when programs try to make changes to my computer Always notify me

Change personalization settings

No prompts

Fewer prompts

Manage your desktop

No prompts

Fewer prompts

Set up and troubleshoot your network

No prompts

Fewer prompts

Use Windows Easy Transfer

Fewer prompts

Same number of prompts

Install ActiveX controls through Internet Explorer

Fewer prompts

Fewer prompts

Connect devices

No prompts

No prompts if drivers are on Windows Update, or similar number of prompts if drivers are not on Windows Update

Use Windows Update

No prompts

No prompts

Set up backups

No prompts

Same number of prompts

Install or remove software

No prompts

Fewer prompts

Change the behavior of UAC messages for local administrators

If you are logged on as a local administrator, you can change the behavior of UAC prompts in the local security policies for local administrators in Admin Approval Mode.

  • Elevate without prompting. Applications that are marked as administrator applications and applications that are detected as setup applications are run automatically with the full administrator access token. All other applications are automatically run with the standard user token.

  • Prompt for credentials on the secure desktop. The User Account Control dialog box is displayed on the secure desktop. To give consent for an application to run with the full administrator access token, the user must enter administrative credentials. This setting supports compliance with Common Criteria or corporate policies.

  • Prompt for consent on the secure desktop. The User Account Control dialog box is displayed on the secure desktop. To give consent for an application to run with the full administrator access token, the user must click Yes or No on the User Account Control dialog box. If the user is not a member of the local Administrators group, the user is prompted for administrative credentials. This setting supports compliance with Common Criteria or corporate policies.

  • Prompt for credentials. This setting is similar to Prompt for credentials on the secure desktop, but the User Account Control dialog box is displayed on the desktop instead.

  • Prompt for consent. This setting is similar to Prompt for consent on the secure desktop, but the User Account Control dialog box is displayed on the desktop instead.

  • Prompt for consent for non-Windows binaries. The User Account Control dialog box is displayed on the desktop for all files that are not digitally signed with the Windows digital certificate.

Change the behavior of UAC messages for standard users

If you are logged on as a local administrator, you can change the behavior of UAC prompts in the local security policies for standard users.

  • Automatically deny elevation requests. Administrator applications cannot run. The user receives an error message that indicates a policy is preventing the application from running.

  • Prompt for credentials. This is the default setting. For an application to run with the full administrator access token, the user must enter administrative credentials in the User Account Control dialog box that is displayed on the desktop.

  • Prompt for credentials on the secure desktop. For an application to run with the full administrator access token, the user must enter administrative credentials in the User Account Control dialog box that is displayed on the secure desktop.

What's the impact of these changes on UAC?

In response to customer requests, the improved UAC allows users to perform their daily tasks with fewer prompts and gives administrators more control over how UAC prompts users.

Because of the changes to UAC, when upgrading from Windows Vista to Windows 7, UAC settings are not transferred.