A new feature in Windows Vista is User
Account Control, or UAC. This secures the computer by running the
desktop and other applications with the privilege level (rights and
permissions) of a standard user, whether you are logged on as a standard
user or as an administrator. When an administrator logs in, with Admin
Mode enabled in UAC, as it is by default, the user is issued a split
token. One half is a standard user token that is used to launch
nonadministrative tasks, like standard applications. The second half is
an administrator token, which can be used to feed the administrator
credentials to the UAC process as needed.
This feature is all new, it is
security related, and you can bet it is test worthy. You’ll need to know
several different configuration settings on this new technology.
User Account Control is
enabled by default in Windows Vista and recognizes when more privilege
is required to complete a task. When UAC detects that elevated privilege
is needed, UAC first locks the desktop so no malicious activity can
occur. This is called the Secure Desktop and is shown in Figure 1. Then UAC prompts the user for the credentials of
an Administrator account.
Alert
If you are not being prompted for credentials when launching an
administrative task, it is possible that UAC has been turned off. If you
want to be prompted for administrator credentials when running
elevated-privilege tasks, you can re-enable UAC in the Windows Security
Center, as shown in Figure 2.
There are several UAC settings in the Local Computer Policy (LCP) on the
local Vista computer. Figure 3 shows the LCP UAC settings.
When a user is logged on as a standard user, all tasks requiring
elevation of privilege trigger UAC. Because the standard user has not
provided administrator logon credentials, administrator credentials are
required for every elevation of privilege by default. If this behavior
has been turned off and you want to be sure UAC triggers, you can force
a user who is logged on as a standard user to provide credentials with
every elevation of privilege. To do so, configure the Behavior of the
Elevation Prompt for Standard Users setting back to its default of
Prompt for Credentials.
You can also use this Behavior
of the Elevation Prompt for Standard Users setting to disallow a
standard user from ever being able to run administrative tasks, even if
he knows the administrator username and password. You can configure the
setting to Prompt for Credentials. These two settings are shown in Figure 4.
Even when a user is logged on
as an administrator, UAC confirms the elevation of privilege required
to perform a task. By default, the Behavior of the Elevation Prompt for
Administrators in Admin Approval Mode setting in Windows Vista is
configured to the Prompt for Consent setting. Because the administrator
has already provided his logon credentials, no additional credentials
are required, only a confirmation that the administrator wants to
proceed.
To force a user who is logged on
as an administrator to provide credentials with every elevation of
privilege, you must configure the Behavior of the Elevation Prompt for
Administrators in Admin Approval Mode to the setting of Prompt for
credentials.
To have Vista elevate the
privilege level without prompting a user who is logged on as an
administrator, you must configure the Behavior of the Elevation Prompt
for Administrators in Admin Approval Mode to the setting of Elevate
Without Prompting.
These three settings are shown in Figure 5.
To disable UAC for
administrators but leave UAC running for users, you must disable the Run
All Administrators in Admin Approval Mode setting.
These settings are all
configurable in the LCP, as well as in a Group Policy Object, if you are
working in an Active Directory environment.
To summarize, UAC can be
configured to do the following:
Elevate without prompting
Prompt for credentials
Prompt for consent
Be disabled for administrators
Be disabled for all users (Standard and Administrators)
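An added example, not part of the original text: a PowerShell audit that reads the registry values behind the UAC policy settings described above and reports the effective settings along with any that weaken UAC. The registry value names (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop) and the function names are not on the page, and the value maps cover only the Windows Vista options.

```powershell
# Registry key that stores the UAC policy settings (LCP or GPO write here).
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacNames = 'EnableLUA','ConsentPromptBehaviorAdmin','ConsentPromptBehaviorUser','PromptOnSecureDesktop'

# Value-to-setting maps for the Windows Vista policy options only.
$AdminPrompt = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent' }
$UserPrompt  = @{ 0 = 'Automatically deny elevation requests'; 1 = 'Prompt for credentials' }

# Hypothetical helper: translate a DWORD into the policy setting name.
function Resolve-UacSetting([hashtable]$Map, $Value) {
    if ($null -eq $Value) { return 'not configured' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unrecognized value $Value"
}

# Hypothetical helper: summarize the settings and list the weakened ones.
function Get-UacPosture([hashtable]$Values) {
    $findings = @()
    if ($Values['EnableLUA'] -eq 0) {
        $findings += 'Admin Approval Mode is disabled for administrators'
    }
    if ($Values['ConsentPromptBehaviorAdmin'] -eq 0) {
        $findings += 'Administrators are elevated without prompting'
    }
    if ($Values['PromptOnSecureDesktop'] -eq 0) {
        $findings += 'Elevation prompt is not shown on the Secure Desktop'
    }
    [pscustomobject]@{
        AdminApprovalMode = ($Values['EnableLUA'] -eq 1)
        AdminPrompt       = Resolve-UacSetting $AdminPrompt $Values['ConsentPromptBehaviorAdmin']
        StandardUserPrompt = Resolve-UacSetting $UserPrompt $Values['ConsentPromptBehaviorUser']
        Findings          = $findings
    }
}

# Constructed sample: a computer where two UAC settings were weakened.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0
             ConsentPromptBehaviorUser = 1; PromptOnSecureDesktop = 0 }
Get-UacPosture $sample | Format-List

# Live check of the local computer (runs only where the key exists).
if (Test-Path $UacKey) {
    $props = Get-ItemProperty -Path $UacKey
    $live  = @{}
    foreach ($name in $UacNames) { $live[$name] = $props.$name }
    Get-UacPosture $live | Format-List
}
```

For the constructed sample, Findings lists the silent elevation and the missing Secure Desktop; a computer left at the defaults described above returns an empty Findings list.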