Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Vista

Managing Client Protection : User Account Control (part 1) - UAC for Standard Users, UAC for Administrators

4/28/2013 11:31:38 AM

Most administrators know that users should log on to their computers using accounts that are members of the Users group, but not the Administrators group. By limiting your user account’s privileges, you also limit the privileges of any applications that you start—including software installed without full consent. Therefore, if you can’t add a startup application, neither can a malicious process that you accidentally launch.

With earlier versions of Windows, however, not being a member of the Administrators group could be very difficult, for a few reasons:

  • Many applications would only run with administrative privileges.

  • Running applications with elevated privileges required users to either right-click the icon and then click Run As or create a custom shortcut, which is inconvenient, requires training, and requires that the user have a local administrator account (largely defeating the purpose of limiting privileges).

  • Many common operating system tasks, such as changing the time zone or adding a printer, required administrative privileges.

UAC is a feature of Windows Vista that improves client security by making it much easier to use accounts without administrative privileges. At a high level, UAC offers the following benefits:

  • Most applications can now run without administrative privileges Applications created for Windows Vista should be designed to not require administrative credentials. Additionally, UAC virtualizes commonly accessed file and registry locations to provide backward compatibility for applications created for earlier versions of Windows that still require administrative credentials. For example, if an application attempts to write to a protected portion of the registry that will affect the entire computer, UAC virtualization will redirect the write attempt to a non-protected area of the user registry that will only affect that single application.

  • Applications that require administrative privileges automatically prompt the user for administrative credentials For example, if a standard user attempts to open the Computer Management console, a User Account Control dialog box appears and prompts for administrative credentials, as shown in Figure 1. If the current account has administrative credentials, the dialog box prompts to confirm the action before granting the process administrative privileges.

    Figure 1. UAC prompts standard users for administrative credentials when necessary.

  • Users no longer require administrative privileges for common tasks Windows Vista has been improved so that users can make common types of configuration changes without administrative credentials. For example, in earlier versions of Windows, users needed administrative credentials to change the time zone. In Windows Vista, any user can change the time zone, which is important for users who travel. Changing the system time, which has the potential to be malicious, still requires administrative credentials, however.

  • Operating system components display an icon when administrative credentials are required In earlier versions of Windows, users were often surprised when an aspect of the operating system required more privileges than they had. For example, users might attempt to adjust the date and time, only to receive a dialog informing them that they lack necessary privileges. In Windows Vista, any user can open the Date And Time properties dialog box. However, users need to click a button to change the time (which requires administrative privileges), and that button has a shield icon indicating that administrative privileges are required. Users will come to recognize this visual cue and not be surprised when they are prompted for credentials.

  • If you log on with administrative privileges, Windows Vista will still run applications using standard user privileges by default Most Windows Vista users should log on with only standard user credentials. If users do log on with an account that has Administrator privileges, however, UAC will still launch all processes with only User privileges. Before a process can gain Administrator privileges, the user must confirm the additional rights using a UAC prompt.

Table 1 illustrates the key differences in the behavior of Windows Vista with UAC installed when compared to Windows XP.

Table 1. Behavior Changes in Windows Vista with UAC
Windows XPWindows Vista with UAC
When logged on as a standard user, administrators could run administrative tools by right-clicking the tool’s icon, clicking Run As, and then providing administrative credentials.Standard users open administrative tools without right-clicking. UAC then prompts the user for administrative credentials. All users can still explicitly launch an application with administrative credentials by right-clicking, but it is rarely necessary.
Using a standard user account could be a nuisance, especially for technical or mobile users.The same number of security prompts are required for standard and administrative accounts, and standard accounts can perform many tasks that previously required elevation.
When a user was logged on as a standard user, an application that needed to change a file or setting in a protected location would fail.When a user is logged on as a standard user, UAC provides virtualization for important parts of the system, allowing the application to run successfully while protecting the operating system integrity. Some applications may still fail, however.
If a specific Windows feature required administrative privileges, the entire tool required administrative privileges.Windows Vista displays the UAC shield on buttons to warn users that the feature requires elevated privileges.
When a user was logged on as an administrator, all applications ran with administrative privileges.When a user is logged on as an administrator, all applications run with standard user privileges. UAC confirms elevated privileges before launching a tool that requires administrative privileges.

The sections that follow describe UAC behavior in more detail.

1. UAC for Standard Users

Microsoft made many changes to the operating system so that standard users could perform almost any day-to-day task. Tasks standard users can do without receiving a UAC prompt that required administrative privileges in Windows XP include:

  • View the system clock and calendar
  • Change the time zone
  • Connect to wired or wireless networks
  • Connect to virtual private networks (VPNs)
  • Change display settings and the desktop background
  • Change their own passwords
  • Install critical Windows Updates
  • Add printers and other devices that have the required drivers installed on computer or have been allowed by an administrator in Group Policy
  • Install ActiveX Controls from sites approved by an administrator
  • Play or burn CDs and DVDs (configurable with Group Policy settings)
  • Connect to another computer with Remote Desktop
  • Configure battery power options on mobile computers
  • Configure accessibility settings
  • Configure and use synchronization with a mobile device
  • Connect and configure a Bluetooth device
  • Restore backed-up files from the same user

Additionally, disk defragmentation is scheduled to automatically happen in the background, so users do not need privileges to manually initiate a defragmentation.

Some of the common tasks standard users cannot do include:

  • Install and uninstall applications
  • Install device drivers
  • Install non-critical Windows Updates
  • Install ActiveX controls from sites not approved by an administrator

    Note

    To install ActiveX controls in Internet Explorer, launch Internet Explorer by right-clicking the icon and then clicking Run As Administrator. After installing the ActiveX control, close Internet Explorer and reopen it using standard privileges. Once installed, the ActiveX control will be available to standard users.

  • Change Windows Firewall settings, including enabling exceptions
  • Configure Remote Desktop access
  • Create scheduled tasks
  • Restore system files from a backup

The Power Users group still exists in Windows Vista. However, Windows Vista removes the elevated privileges. Therefore, you should make users a member of the Users group and not use the Power Users group at all. To use the Power Users group on Windows Vista, you must change the default permissions on system folders and the registry to grant Power Users group permissions equivalent to Windows XP.

2. UAC for Administrators

UAC uses Admin Approval Mode to help protect administrators from malicious and potentially unwanted software. When an administrator logs on, Windows Vista generates two access tokens:

  • Standard user access token This token is used to launch the desktop (Explorer.exe). Because the desktop is the parent process for all user-initiated processes, any applications the user launches also use the standard user access token, which does not have privileges to install software or make important system changes.

  • Full administrator access token This token has almost unlimited privileges to the local computer. This token is used only after the user confirms a UAC prompt.

If the administrator attempts to launch an application that requires administrative rights (as identified in the application’s manifest, described later), UAC prompts the administrator to grant additional rights using the consent prompt, as shown in Figure 2. If the user chooses to grant elevated privileges to an application, the Application Information service creates the new process using the full administrator access token. The elevated privileges will also apply to any child processes that the application launches. Parent and child processes must have the same integrity level. 

Figure 2. Admin Approval Mode prompts administrators to confirm elevated privileges by default.


Note

The Application Information service must be running to launch processes with elevated privileges.

Command prompts require special consideration, because UAC will not prompt you to elevate privileges if you attempt to run a command that requires administrative rights. To run a command with administrative rights, right-click Command Prompt on the Start menu, and then click Run As Administrator. The command prompt that opens will include Administrator: in the title, helping you identify the window on your taskbar.

Admin Approval Mode does not apply to the built-in Administrator account. To protect this account from attack, the built-in Administrator account is disabled by default.
Other -----------------
- Maintaining Desktop Health : Using Task Scheduler (part 5) - Scheduled Tasks Events, Troubleshooting Task Scheduler
- Maintaining Desktop Health : Using Task Scheduler (part 4) - Managing Tasks
- Maintaining Desktop Health : Using Task Scheduler (part 3) - Creating New Tasks
- Maintaining Desktop Health : Using Task Scheduler (part 2) - Task Scheduler Security, Task Scheduler User Interface
- Maintaining Desktop Health : Using Task Scheduler (part 1) - Task Scheduler Architecture
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 4) - Using the Problem Reports And Solutions Control Panel
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 3) - Architecture of Windows Error Reporting, Configuring Windows Error Reporting
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 2) - Conceptual Components
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 1) - Error Reporting Cycle, Report Data Overview
- Maintaining Desktop Health : Using Performance Information And Tools
- Maintaining Desktop Health : Understanding the Windows System Assessment Tool
- Maintaining Desktop Health : Understanding Windows Eventing (part 2) - Event Viewer User Interface
- Maintaining Desktop Health : Understanding Windows Eventing (part 1) - Windows Eventing Capabilities
- Using Voice and Sounds : Associating a Sound with an Event, Using Alternatives to Sound
- Using Voice and Sounds : Letting Your Computer Do the Talking, Creating a Sound File
- Managing Windows Licensing and Activation : Notification Experience and Reduced Functionality Mode
- Managing Windows Licensing and Activation : Managing Volume License Activation (part 3) - Managing licensing and activation, Implementing KMS activation
- Managing Windows Licensing and Activation : Managing Volume License Activation (part 2) - Leveraging MAK activation, Comparing KMS and MAK activation
- Managing Windows Licensing and Activation : Managing Volume License Activation (part 1) - Centralizing activation with KMS
- Managing Windows Licensing and Activation : Licensing Windows
 
 
Most view of day
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 4) - Creating the To-Do Item Shell Tile, Saving a To-Do Item
- Sharing Your Computer with Others : Join a Homegroup
- Programming Drivers for the User Mode Driver Framework : Using the Skeleton Driver as a Basis for Development
- Microsoft Excel 2010 : Protecting and Securing a Workbook - Marking a Workbook as Read-Only
- SQL Server 2012 : Running SQL Server in A Virtual Environment - EXTENDED FEATURES OF VIRTUALIZATION
- System Center Configuration Manager 2007 : Distributing Packages - Creating Collections (part 2) - Creating a Dynamic Collection
- System Center Configuration Manager 2007 : Desired Configuration Management - Configurations
- Advanced Windows 7 Programming : Working in the Background - DEVELOPING TRIGGER-START SERVICES (part 5)
- System Center Configuration Manager 2007 : Network Design - Fast Networks and Slow Networks
- Maintaining Windows 7 : Defragment Your Hard Drive on a Schedule
Top 10
- Configuring and Troubleshooting IPv6 in Windows Vista (part 4) - Troubleshooting IPv6 Connectivity
- Configuring and Troubleshooting IPv6 in Windows Vista (part 3) - Configuring IPv6 in Windows Vista Using Netsh , Other IPv6 Configuration Tasks
- Configuring and Troubleshooting IPv6 in Windows Vista (part 2) - Configuring IPv6 in Windows Vista Using the User Interface
- Configuring and Troubleshooting IPv6 in Windows Vista (part 1) - Displaying IPv6 Address Settings
- Deploying IPv6 : IPv6 Enhancements in Windows Vista
- Games and Windows 7 : Games for Windows - LIVE (part 2) - Accessing Games for Windows - LIVE from within Compatible Games
- Games and Windows 7 : Games for Windows - LIVE (part 1) - Using the Games for Windows - LIVE Marketplace
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 3)
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 2) - Working with the REST API in JavaScript
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 1) - Understanding REST fundamentals
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro