
Security Essentials - Preventing Unsafe Actions with User Account Control

3/17/2011 11:40:24 AM
Windows Vista introduced one of the most controversial—and potentially most effective—security changes in User Account Control (UAC). In short, UAC intercedes whenever a user or program attempts to perform a system administrative task and asks for the consent of a computer administrator before commencing what could be risky business. As implemented in Windows Vista, UAC took a lot of heat because some users saw it as intrusive, annoying, or both—and many Windows Vista users ended up turning off UAC altogether.

Microsoft has made considerable changes to UAC in Windows 7. Users, whether logged on with an administrator account or a standard account, see far fewer prompts than in Windows Vista. In Windows 7, standard users can view Windows settings (in Device Manager, for example) without requiring elevation. (They'll still need administrative credentials to make changes, however.) Standard users can install updates and drivers from Windows Update, pair Bluetooth devices, and reset the network adapter—all tasks that require elevation in Windows Vista—without a peep from UAC in Windows 7. In other cases, such as with certain file operations and installing programs from Internet Explorer, several prompts are merged. In addition, Windows 7 provides more flexibility in configuring UAC to work the way you want; in Windows Vista, unless you dig into Local Security Policy, UAC is either on or off. For more information about changes to UAC in Windows 7, read the TechNet article "What's New in User Account Control" at w7io.com/1522.

To understand why UAC is effective, you need to look at security before Windows Vista. Computer security experts have long espoused least privilege, a rule that states that you give only enough access for a person to perform his or her job. (This basic security tenet is sometimes referred to as LUA, an acronym that, depending upon whom you ask, stands for "limited user account," "least user access," "least-privileged user account," or something similar.) In earlier versions of Windows, by default all accounts are set up as administrator accounts, with full privileges to do anything on the computer—including the ability to easily and inadvertently install viruses and perform other harmful tasks. This is a clear violation of LUA, and security experts recommended setting up users with limited accounts (comparable to standard accounts in Windows 7). Because these accounts have fewer rights and more restrictive permissions, users and programs running with limited accounts can do less damage. As it turns out, however, using a limited account in Windows XP is practically impossible, primarily because most applications of the day were written with the assumption that users would have full administrative privileges, and those programs don't run properly (or at all) when you start them from a limited account.

By contrast, in Windows 7, accounts after the first one are nonadministrator standard accounts by default; although they can carry out all the usual daily computing tasks, they're prevented from performing potentially harmful operations. These restrictions apply not just to the user; more importantly, they also apply to any programs launched by the user. Even administrator accounts run as so-called "protected administrator" accounts, in which they run with standard-user privileges except when they need to perform administrative tasks. (This is sometimes called Admin Approval Mode.)

Newer, security-aware programs are written so that they don't require administrator privileges for performing everyday tasks. Programs that truly need administrative access (such as utility programs that change computer settings) request elevation. And what about those older programs—many still in use—that require administrator privileges? Windows 7 has several ways of making most of them work properly. In one way or another, the program is made to act as if it's being run by an administrator. One method, for example, is file and registry virtualization (also known as data redirection). When a program attempts to write to (and subsequently read from) a file or registry key on which only administrators have write access, Windows instead uses a file or key within the current user's profile. In some cases, a program must be marked as requiring elevation, in which case it triggers a UAC prompt each time it runs—and then actually runs using an administrator's credentials.

1. What Triggers UAC Prompts

The types of actions that require elevation to administrator status (and therefore display a UAC elevation prompt) include those that make changes to systemwide settings or to files in %SystemRoot% or %ProgramFiles%. Among the actions that require elevation are the following:

  • Installing and uninstalling applications

  • Installing device drivers that are not included in Windows or provided through Windows Update

  • Installing ActiveX controls

  • Changing settings for Windows Firewall

  • Changing UAC settings

  • Configuring Windows Update

  • Adding or removing user accounts

  • Changing a user's account type

  • Configuring Parental Controls

  • Running Task Scheduler

  • Restoring backed-up system files

  • Viewing or changing another user's folders and files

Within Windows, you can identify in advance many actions that require elevation. A shield icon next to a button or link indicates that a UAC prompt will appear if you're using a standard account.



You'll notice that, if you log on with an administrator account (and if you leave the default UAC settings unchanged), you'll see fewer consent prompts than you do with Windows Vista. That's because the default setting prompts only when a program tries to install software or make other changes to the computer, but not when you make changes to Windows settings (even those that would trigger a prompt for a standard user with default UAC settings). Windows uses auto-elevation to elevate certain programs that are part of Windows without prompting. Programs that auto-elevate must be on a predefined list, must be digitally signed by the Windows publisher, and must be stored in certain secure folders.

Is Auto-Elevation a Security Vulnerability?

The changes Microsoft made to User Account Control in Windows 7 represent a tradeoff between convenience and security. Some researchers have argued that the decision to automatically elevate certain tasks is a security hole. As they demonstrated with sample code, a program can inject itself into one of these tasks, allowing it to execute with no warning if you are logged on using a Protected Administrator account.

Is this a fundamental weakening of Windows security? In our opinion, no. Instead, it's a sobering illustration of a simple fact: User Account Control isn't a security silver bullet. It's one layer of a defense-in-depth strategy.

Some Windows users assume that UAC consent dialog boxes represent a security boundary. They don't. They simply represent a place for an administrator to make a trust decision. If a bad guy uses social engineering to convince you that you need his program, you've already made a trust decision. You'll click at least a half-dozen times to download, save, and launch the bad guy's program. A UAC consent request is perfectly normal in this sequence, so why wouldn't you click one more time?

If this scenario bothers you, the obvious solution is to adjust UAC to its highest level. This matches the default settings of Windows Vista and disables the Windows 7–specific auto-elevate behavior. (For details on how to do this, see Section 15.8.3.) If a program tries to use this subterfuge to sneak system changes past you, you'll see an unexpected consent dialog box from the system. But as soon as you provide those elevated credentials, the code can do anything it wants.

A better alternative is to log on using a standard account, which provides a real security boundary. A standard user who does not have the administrator password can make changes in her own user profile only, protecting the system from unintended tampering. (For more information, see Section 15.8.4 and Section 16.2.5.)

Even running as a standard user doesn't provide complete protection. Malware can be installed in your user profile, without triggering any system alarms. It can log your keystrokes, steal your passwords, and send out e-mail using your identity. Even if you reset UAC to its highest level you could fall victim to malware that lies in wait for you to elevate and then does its own dirty work alongside you.

As we said, enabling UAC is only one part of a multi-layered security strategy. It works best when supplemented by a healthy skepticism and up-to-date antivirus software.


2. Dealing with UAC Prompts

At logon, Windows creates a token that is used to identify the privilege levels of your account. Standard users get a standard token, but administrators actually get two: a standard token and an administrator token. The standard token is used to open Explorer.exe (the Windows shell), from which all subsequent programs are launched. Child processes inherit the token of the process that launches them so that, by default, all applications run as a standard user—even when you're logged on with an administrator account. Certain programs request elevation to administrator privileges; that's when the UAC prompt is displayed. If you provide administrator credentials, Windows then opens the program using the administrator token. Note that any processes that the successfully elevated program opens also run as administrator.

As an elevation-requesting application attempts to open, UAC evaluates the application and the request and then displays an appropriate prompt. As an administrator, the most common prompt you're likely to see is the consent prompt, which is shown in Figure 1. Read it, check the name of the program, click Yes, and carry on.

Figure 1. Clicking Show Details displays a link to the program's certificate.


If you use a standard account, when a program requires elevation, you'll see the credentials prompt, which is shown in Figure 2. If the user is able to provide the credentials (that is, user name and password, smart card, or fingerprint, depending on how logon authentication is configured on the computer) of an administrator, the application opens using the administrator's access token.

Figure 2. To perform an administrative task, a standard user must enter the password for an administrator account.


You'll encounter other UAC prompts as well. A colored background near the top of the prompt dialog box provides a quick visual clue to the type of program that's requesting elevation:

  • Red background and red shield icon: Identifies an application from a blocked publisher or one that is blocked by Group Policy. Be extremely wary if you see one of these.

  • Yellow-orange background and red shield icon: Identifies an application (signed or unsigned) that is not yet trusted by the local computer. (See Figure 3.)

  • Blue-green background: Identifies an administrative application that is part of Windows. (See Figure 1 and Figure 2.)

  • Gray background: Identifies an application that is Authenticode signed and trusted by the local computer.

By default, the UAC dialog box sits atop the secure desktop, a separate process that no other application can interfere with. (If the secure desktop wasn't secure, a malicious program could put another dialog box in front of the UAC dialog box, perhaps with a message encouraging you to let the program proceed. Or a malicious program could grab your keystrokes, thereby learning your administrator logon password.) When the secure desktop is displayed, you can't switch tasks or click the windows on the desktop. (In fact, they're not really windows. When UAC invokes the secure desktop, it snaps a picture of the desktop, darkens it, and then displays that image behind the dialog box.)

Figure 3. When you install a new program, you'll see a UAC prompt.


TROUBLESHOOTING

There's a delay before the secure desktop appears

On some systems, you have to wait a few seconds before the screen darkens and the UAC prompt appears on the secure desktop. There's no easy way to solve the slowdown, but you can easily work around it. In User Account Control Settings (described in the next section, Section 15.8.3), you can take it down a notch. The setting below the default provides the same level of UAC protection (albeit with a slight risk that malware could hijack the desktop), except that it does not dim the desktop.



Note:

If an application other than the foreground application requests elevation, instead of interrupting your work (the foreground task) with a prompt, UAC signals its request with a flashing orange taskbar button. Click the taskbar button to see the prompt.


It becomes natural to click through dialog boxes without reading them or giving them a second thought. But it's important to recognize that security risks to your computer are real, and that actions that trigger a UAC prompt are potentially dangerous. Clearly, if you know what you're doing and you click a button to, say, set the Windows Update settings, you can blow past that security dialog box with no more than a quick glance to be sure it was raised by the expected application. But if a UAC prompt appears when you're not expecting it—stop, read it carefully, and think before you click.

3. Modifying UAC Settings

User Account Control is not for everybody, but in Windows 7 you can tone it down without disabling it altogether. To review your options and make changes, in the Start menu search box or in Control Panel, type uac and then click Change User Account Control Settings. A window similar to the one shown in Figure 4 appears.

Figure 4. The topmost setting is comparable to UAC in Windows Vista; the bottom setting turns off UAC.


Your choices in this window vary slightly depending on whether you use an administrator account or a standard account. (Specifically, the second option from the top is different.) For standard accounts, the top setting is the default; for administrator accounts, the second setting from the top is the default. Table 1 summarizes the available options.

To make changes, move the slider to the position you want. Be sure to take note of the advisory message in the bottom of the box as you move the slider. Click OK when you're done—and then respond to the UAC prompt that appears! Note that, when you're logged on with a standard account, you can't select one of the bottom two options, even if you have the password for an administrator account. To select one of those options, you must log on as an administrator and then make the change.

Table 1. User Account Control Settings
Slider Position | Prompts when a program tries to install software or make changes to the computer | Prompts when you make changes to Windows settings | Displays prompts on a secure desktop
Standard user account   
Top (Default)
Second  
Third   
Bottom (Off)   
Administrator account   
Top
Second (Default)
Third   
Bottom (Off)   

TROUBLESHOOTING

User Account Control settings don't stick

If you find that nothing happens when you make a change in User Account Control settings, be sure that you're the only one logged on to your computer. Simultaneous logons using Fast User Switching can cause this problem.


Inside Out: Use Local Security Policy to customize UAC behavior

Users of the Professional, Enterprise, and Ultimate editions of Windows 7 can use the Local Security Policy console to modify the behavior of UAC. Start Local Security Policy (Secpol.msc), and open Security Settings\Local Policies\Security Options. In the details pane, scroll down to the policies whose names begin with "User Account Control." For each policy, double-click it and click the Explain tab for information before you decide on a setting. With these 10 policies, you can make several refinements in the way UAC works—including some that are not possible in the User Account Control Settings window. For details about each of these policies, see "UAC Group Policy Settings" at w7io.com/1523.
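One way to check which UAC configuration is actually in effect, as an added example that is not part of the original text: the script below reads the registry values that back the "User Account Control" policies and maps them to the slider positions for an administrator account, then reports whether the current process is running elevated. The function names are illustrative, and the sample values are constructed to show the mapping.

```powershell
# Added example (not from the original text): read-only report of the UAC
# configuration. The registry key and value names are the ones that back the
# "User Account Control" security policies; function names are illustrative.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderPosition {
    # Maps three policy values to the slider position for an administrator account.
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    if ($null -eq $EnableLUA -or $null -eq $ConsentPromptBehaviorAdmin -or
        $null -eq $PromptOnSecureDesktop) {
        return 'Unknown: one or more policy values are not set'
    }
    if ($EnableLUA -eq 0) {
        return 'Bottom (Off): UAC is disabled'
    }
    if ($ConsentPromptBehaviorAdmin -eq 2 -and $PromptOnSecureDesktop -eq 1) {
        return 'Top: always prompts, on the secure desktop'
    }
    if ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 1) {
        return 'Second (Default): prompts for program changes only, on the secure desktop'
    }
    if ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 0) {
        return 'Third: prompts for program changes only, desktop not dimmed'
    }
    if ($ConsentPromptBehaviorAdmin -eq 0) {
        return 'Custom policy: administrators elevate without any prompt'
    }
    return 'Custom policy: combination not reachable from the slider'
}

function Test-IsElevated {
    # True only when this process holds the administrator token. With UAC on,
    # an unelevated administrator's token carries Administrators as deny-only,
    # so IsInRole returns False until the process is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Constructed sample values, to show the mapping without touching the registry.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) {
    'Sample  : {0}' -f (Get-UacSliderPosition @s)
}

# Live values from this computer. A value that is absent reads as $null and is
# reported as "not set" rather than guessed.
$props = Get-ItemProperty -Path $PolicyKey
$live = @{
    EnableLUA                  = $props.EnableLUA
    ConsentPromptBehaviorAdmin = $props.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $props.PromptOnSecureDesktop
}
'Live    : {0}' -f (Get-UacSliderPosition @live)
'Standard-user prompt value (ConsentPromptBehaviorUser): {0}' -f $props.ConsentPromptBehaviorUser
'Current process elevated: {0}' -f (Test-IsElevated)
```

Reading these values does not require elevation, so the script can be run from a standard account as part of a configuration audit.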


Regardless of your UAC setting, the shield icons still appear throughout Control Panel, but you won't see UAC prompts if you've lowered the UAC protection level. Clicking a button or link identified with a shield immediately begins the desired action. Administrators run with full administrator privileges; standard users, of course, still have only standard privileges.


Warning:

Don't forget that UAC is more than annoying prompts. Only when UAC is enabled does an administrator run with a standard token. Only when UAC is enabled does Internet Explorer run in a low-privilege Protected Mode. And, of course, only when UAC is enabled does it warn you when a rogue application attempts to perform a task with systemwide impact. For these reasons, we urge you not to select the bottom option in User Account Control Settings, which turns off UAC completely.


4. Working Around UAC Without Disabling It

Although the UAC prompts are sometimes intrusive, that's the point. First, they provide a not-so-subtle reminder that what you're about to do has a systemwide effect. But most importantly, UAC prevents a malicious application from silently installing without your knowledge. Most spyware, viruses, and other malware get installed as a direct, albeit unintended, result of a user action, such as clicking a link. When you click a link that you think is going to display some pretty pictures, wouldn't you be pleased to have UAC tell you that it's attempting to install a program?

One misperception about UAC is that it doesn't let you do certain things, or that it "locks you out" of your own computer. In fact, UAC doesn't prevent anything—all it does is inform you when an application requires administrator access. Remember that, even when you're logged on with an administrator account, you ordinarily run as a standard user. Need to run something that requires full administrator privileges? Simply respond to the prompt. (If you find that you can't access certain folders and files, it's likely that the restriction is imposed by NTFS permissions—which are only tangentially related to UAC.)

Most people encounter lots of UAC prompts while setting up a new computer, configuring it, and installing programs. After that, they seldom see a prompt from UAC and forget that it's even there. But if you frequently tweak your computer's settings or install new programs, consider these tricks for running into fewer prompts:

  • Use an administrator Command Prompt window. Because child processes inherit the access token of the process that opens them, programs that you run from an administrator command prompt run as an administrator without further prompting. You'll need to respond to just a single prompt when you open the Command Prompt window. Then you can enter commands, open Microsoft Management Console (MMC) consoles, start programs, and edit the registry without further prompting.

    To open an administrator Command Prompt window, use one of these methods:

    • In the Start menu search box, type cmd. Then press Ctrl+Shift+Enter. (This little-known shortcut is equivalent to right-clicking a shortcut and clicking Run As Administrator.)

    • Create a shortcut to Cmd.exe. Open the shortcut's properties dialog box and, on the Shortcut tab, click Advanced. Select Run As Administrator.

    Naturally, you can run only programs for which you know the name and location of the executable file, as well as any required command-line parameters. (You can often glean this information by examining an application's shortcut.) Also note that Windows Explorer, Internet Explorer, and Control Panel do not run as administrator, even when started from an administrator command prompt. (You can run Control Panel applications if you know the command line; it's just the main Control Panel window that does not run with elevated privileges.)

  • Run as a standard user. As a standard user, you'll probably encounter fewer elevation prompts than you do as an administrator. In this situation, many applications refuse to run or they run with limitations. (For example, they might not display all settings or they might not save settings you make.) On occasions when you do need to use such an application with full capabilities, right-click and choose Run As Administrator. Or, in the Start menu search box, type the program name and press Ctrl+Shift+Enter.

  • Use a fingerprint reader. If you ordinarily use a standard user account—always a good practice—and you're required to type the password for your administrator account when UAC presents a credential prompt (see Figure 5), you'll find it easier to use biometric authentication, such as a fingerprint reader. With this inexpensive peripheral (included as a standard feature on many business-class notebook PCs), you can simply swipe your finger instead of typing a lengthy password.

Figure 5. You can set up your user accounts so that one finger logs on to your standard account, and a different finger can log on to an administrator account or provide administrator credentials for a UAC elevation prompt.


