Mastering User Account Control
User Account Control seeks to improve usability while at the
same time enhancing security by controlling how standard user and administrator user accounts are used.
User Account Control does this by limiting the scope of
administrator-level access privileges and requiring all applications
to run in a specific user mode. In this way, UAC prevents users from making inadvertent changes to
system settings and locks down the computer to prevent
unauthorized applications from installing or performing malicious
actions.
Elevation, prompts, and the secure desktop
Unlike Windows XP and early releases of Windows, current
releases of Windows make it easy to determine which tasks standard
users can perform and which tasks administrators can perform. You
might have noticed the multicolored shield icon next to certain options in windows,
wizards, and dialog boxes. This is the Permissions icon. It indicates that the related option
requires administrator permissions to run. That doesn’t mean you’ll
see a prompt, though. The way the prompt works depends on the
following:
- Whether UAC allows changing Windows settings without
  prompting
- Whether the computer is a member of a workgroup or a
  domain
- Whether you are logged on as a standard user or an
  administrator
Note
UAC is disabled in Server Core installations. With
other Windows Server installations, the best way to configure the
UAC prompt is to use Group Policy settings. In Control Panel, tap
or click System And Security. Under the Action Center heading, tap
or click Change User Account Control Settings. On the User Account
Control Settings page, use the slider to choose when to be
notified about changes to the computer.
By default, when you are logged on to a computer as a standard
user, you see a User Account Control (UAC) prompt when programs try
to make changes to the computer that require administrator
permissions and when programs try to change Windows settings. In a
workgroup, the prompt shows the accounts of administrators. If you
tap or click an account, you must then enter the password for that
account and then tap or click Yes.
In a domain, as shown in Figure 1, the prompt
shows the logon domain and provides user name and password boxes. To proceed, you must
enter the name of an administrator account, type the account’s password,
and then tap or click Yes. The task or application will then run
with administrator permissions.
Note
The first screen capture shows the UAC prompt without details. The second screen
capture shows the UAC prompt with details.
Whether the computer is in a workgroup or domain, the prompt
shows the name of the program requesting elevation, the publisher of
that program, and the file origin. If you have any question about
the authenticity of the request, tap or click Show Details. You’ll
then see the program location, which shows the full path to the
program’s executable. For verified publishers, you can display the
publisher’s verification certificate by clicking the link provided.
The prompt works differently when you are logged on with an
administrator account. Here, it doesn’t matter whether the computer
is in a workgroup or a domain and the prompt doesn’t require an
account selection or a password. Instead, your current credentials
are used and you are simply prompted to confirm that you want to
allow the task or program to make changes to the computer. If you
click Yes, the task or application will then run with administrator
permissions. (See Figure 2.)
The process of getting approval prior to running an
application in administrator mode and prior to performing actions
that change systemwide settings is known as
elevation. Elevation enhances security by reducing the exposure
and attack surface of the operating system. It does this by
providing notification when you are about to perform an action that
could affect system settings, such as installing an application, and
it eliminates the ability of malicious programs to invoke
administrator privileges without your knowledge and
consent.
Prior to the elevation and display of the User Account Control
(UAC) prompt, Windows Server performs several
background tasks. The key task you need to know about is that
Windows Server switches to a secure, isolated desktop prior to
displaying the prompt. The purpose of switching to the secure desktop is to prevent other processes or
applications from providing the required permissions or consent. All
other running programs and processes continue to run on the
interactive user desktop, and only the prompt itself runs on the
secure desktop.
Elevation, prompts, and the secure desktop are aspects of User
Account Control that affect you the most. Although they seem
restrictive at first, these features prevent users from making
inadvertent changes to system settings and they lock down the
computer to prevent unauthorized applications from installing or
performing malicious actions.
The key component of UAC that determines whether and how administrators are
prompted is Admin Approval Mode. By default, all administrators,
except the built-in local administrator account, run in and are
subject to Admin Approval Mode. Because they are running in and
subject to Admin Approval Mode, all administrators, except the
built-in local administrator account, see the elevation prompt
whenever they run administrator applications.
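The Group Policy settings that control the prompt, the secure desktop, and Admin Approval Mode are stored as registry values on the computer. The following PowerShell is an added example, not code from the original text, that reads those values and reports the resulting behavior; the helper name Get-UacPosture and the sample values are assumptions made for illustration.

```powershell
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Windows defaults, applied when a value is absent from the key.
$Defaults = @{ EnableLUA = 1; FilterAdministratorToken = 0; PromptOnSecureDesktop = 1
               ConsentPromptBehaviorAdmin = 5; ConsentPromptBehaviorUser = 3 }
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}
# Get-UacPosture is a hypothetical helper name. Pass -Values to evaluate a
# captured configuration offline; omit it to read the local registry.
function Get-UacPosture {
    param([hashtable]$Values)
    if ($null -eq $Values) {
        $Values = @{}
        $props = Get-ItemProperty -Path $UacKey -ErrorAction Stop
        foreach ($name in $Defaults.Keys) {
            if ($null -ne $props.$name) { $Values[$name] = $props.$name }
        }
    }
    $v = @{}
    foreach ($name in $Defaults.Keys) {
        $v[$name] = if ($Values.ContainsKey($name)) { [int]$Values[$name] } else { $Defaults[$name] }
    }
    [pscustomobject]@{
        AdminApprovalMode      = [bool]$v.EnableLUA
        BuiltInAdminInApproval = [bool]$v.FilterAdministratorToken
        AdminPrompt            = $AdminPrompt[$v.ConsentPromptBehaviorAdmin]
        StandardUserPrompt     = $UserPrompt[$v.ConsentPromptBehaviorUser]
        SecureDesktop          = [bool]$v.PromptOnSecureDesktop
        Findings = @(
            if (-not $v.EnableLUA) { 'Admin Approval Mode is off for all administrators' }
            if ($v.ConsentPromptBehaviorAdmin -eq 0) { 'Administrators elevate without a prompt' }
            if (-not $v.PromptOnSecureDesktop) { 'Secure desktop switching is disabled by policy' }
        )
    }
}
# Constructed sample values (not from a real host): a weakened configuration.
Get-UacPosture -Values @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
```

With the constructed sample, the report lists two findings: administrators elevate without a prompt, and secure desktop switching is disabled. Called with no arguments on a default installation, it returns an empty Findings list.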