
User Account Control (UAC)

3/13/2011 10:31:26 PM
A new feature in Windows Vista is User Account Control, or UAC. This secures the computer by running the desktop and other applications with the privilege level (rights and permissions) of a standard user, whether you are logged on as a standard user or as an administrator. When an administrator logs in, with Admin Mode enabled in UAC, as it is by default, the user is issued a split token. One half is a standard user token that is used to launch nonadministrative tasks, like standard applications. The second half is an administrator token, which can be used to feed the administrator credentials to the UAC process as needed.

This feature is all new, it is security related, and you can bet it is test worthy. You’ll need to know several different configuration settings on this new technology.

User Account Control is enabled by default in Windows Vista and recognizes when more privilege is required to complete a task. When UAC detects that elevated privilege is needed, UAC first locks the desktop so no malicious activity can occur. This is called the Secure Desktop and is shown in Figure 1. Then UAC prompts the user for the credentials of an Administrator account.

Figure 1. Whether you’re logged on as a standard user or an administrator, when you launch a task requiring elevated privilege, UAC implements the Secure Desktop.


Alert

If you are not being prompted for credentials when launching an administrative task, it is possible that UAC has been turned off. If you want to be prompted for administrator credentials when running elevated privilege tasks, you can re-enable UAC in the Windows Security Center, as shown in Figure 2.

Figure 2. If UAC gets turned off, you can turn it back on in the Windows Security Center or the Local Computer Policy. You must then reboot the computer to make your change effective.


There are several settings in the Local Computer Policy (LCP) for the local Vista computer. Figure 3 shows the LCP UAC settings.

Figure 3. The LCP can be used to fine-tune the UAC configuration.

When a user is logged on as a standard user, all tasks requiring elevation of privilege trigger UAC. Because the standard user has not provided administrator logon credentials, administrator credentials are required for every elevation of privilege by default. If this default has been changed and you want to be sure UAC triggers, you can force a user who is logged on as a standard user to provide credentials with every elevation of privilege by configuring the Behavior of the Elevation Prompt for Standard Users setting back to its default of Prompt for Credentials.

You can also use this Behavior of the Elevation Prompt for Standard Users setting to disallow a standard user from ever being able to run administrative tasks, even if he knows the administrator username and password. To do so, configure the setting to Automatically Deny Elevation Prompts. These two settings are shown in Figure 4.

Figure 4. The Behavior of the Elevation Prompt for Standard Users can be set to Prompt for Credentials or set to Automatically Deny Elevation Prompts.

Even when a user is logged on as an administrator, UAC confirms the elevation of privilege required to perform a task. By default, the Behavior of the Elevation Prompt for Administrators in Admin Approval Mode setting in Windows Vista is configured to the Prompt for Consent setting. Because the administrator has already provided his logon credentials, no additional credentials are required, only a confirmation that the administrator wants to proceed.

To force a user who is logged on as an administrator to provide credentials with every elevation of privilege, you must configure the Behavior of the Elevation Prompt for Administrators in Admin Approval Mode to the setting of Prompt for credentials.

To have Vista elevate the privilege level without prompting a user who is logged on as an administrator, you must configure the Behavior of the Elevation Prompt for Administrators in Admin Approval Mode to the setting of Elevate Without Prompting.

These three settings are shown in Figure 5.

Figure 5. The Behavior of the Elevation Prompt for Administrators in Admin Approval Mode can be set to Elevate Without Prompting, Prompt for Credentials, or Prompt for Consent.

To disable UAC for administrators but leave UAC running for users, you must disable the Run All Administrators in Admin Approval Mode setting.

These settings are all configurable in the LCP, as well as in a Group Policy Object, if you are working in an Active Directory environment.

To summarize, UAC can be configured to do the following:

  • Elevate without prompting

  • Prompt for credentials

  • Prompt for consent

  • Be disabled for administrators

  • Be disabled for all users (Standard and Administrators)
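
The settings summarized above can be audited from the registry instead of the policy editor. The following PowerShell is an added example, not part of the original article: the registry value names and the number-to-option mapping are the ones Windows Vista uses for these policies and do not appear on this page, and the function names and the sample values are constructed for illustration. Later Windows versions define additional values, which this script reports as unrecognized.

```powershell
# Added example: report the UAC policy state described in this article.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value -> policy option, as defined for Windows Vista.
$AdminPrompt = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent' }
$UserPrompt  = @{ 0 = 'Automatically deny elevation requests'; 1 = 'Prompt for credentials' }

function Resolve-Option([hashtable]$Map, $Value) {
    if ($null -eq $Value) { return 'value not present' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unrecognized value $Value"
}

# Takes a hashtable of the four values so it can be run on exported data too.
function Get-UacReport([hashtable]$Values) {
    $lua   = $Values['EnableLUA']                    # Run all administrators in Admin Approval Mode
    $admin = $Values['ConsentPromptBehaviorAdmin']   # Elevation prompt for administrators
    $user  = $Values['ConsentPromptBehaviorUser']    # Elevation prompt for standard users
    $desk  = $Values['PromptOnSecureDesktop']        # Switch to the Secure Desktop when prompting

    $warnings = @()
    if ($lua -ne 1)   { $warnings += 'EnableLUA is not 1: Admin Approval Mode is off' }
    if ($admin -eq 0) { $warnings += 'Administrators elevate without prompting' }
    if ($desk -ne 1)  { $warnings += 'Elevation prompt is not shown on the Secure Desktop' }

    New-Object PSObject -Property @{
        AdminApprovalMode  = ($lua -eq 1)
        AdminPrompt        = (Resolve-Option $AdminPrompt $admin)
        StandardUserPrompt = (Resolve-Option $UserPrompt $user)
        Warnings           = $warnings
    }
}

# Reads the live values from the local computer.
function Read-UacValues {
    $props  = Get-ItemProperty -Path $UacKey
    $values = @{}
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin',
                      'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop') {
        $values[$name] = $props.$name   # $null when the value is absent
    }
    $values
}

# Constructed sample: Admin Approval Mode on, but administrators are never prompted.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0
             ConsentPromptBehaviorUser = 1; PromptOnSecureDesktop = 1 }
Get-UacReport $sample | Format-List
# Live system: Get-UacReport (Read-UacValues) | Format-List
```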
