User Account Control (UAC) is designed to make Windows resilient to attack from an ever-growing array of malicious software (also called malware) programs. For those who have installed and used an earlier version of Microsoft Windows, UAC represents a significant change in the way user accounts are used and configured: it reduces the need for administrator privileges and carefully defines the standard user and administrator user modes.
In earlier versions of Windows, most user accounts are configured as members of the local Administrators group to ensure that users can install, update, and run software applications without conflicts and can perform common system-level tasks. In Windows XP and earlier versions of Windows, some of the most basic tasks, such as clicking the taskbar clock to view a calendar, require administrator privileges, which is why many user accounts are configured as local administrators. Unfortunately, configuring user accounts as local administrators makes individual computers and networks vulnerable to malicious software and also makes computers harder to maintain, because users might be able to make unapproved system changes.
Malicious software programs exploit the system-level privileges provided to the local administrator. Not only does this allow malicious software to install itself, it also allows malicious software to damage files, change the system configuration, and steal your confidential data. Some organizations try to combat malicious software by locking down computers and requiring users to operate in standard user mode. While this can solve some problems with malicious software, it can also seriously affect productivity, as many applications designed for Windows XP will not function properly without local administrative rights. Why? Typically, Windows XP applications use local administrative rights to write to system locations during normal operations.
Through User Account Control, Windows Vista provides the architecture for running user accounts with standard user privileges while eliminating the need for using administrator privileges to perform common tasks. This fundamental shift in computing serves to better protect computers against malicious software while ensuring that users can perform their day-to-day tasks.
User Account Control is an architecture that includes a set of infrastructure technologies. These technologies require all users to run applications and tasks with a standard user account, limiting administrator-level access to authorized processes. Because of UAC, computers can be locked down to prevent unauthorized applications from installing and to stop standard users from making inadvertent changes to system settings.
In Windows Vista, there are two levels of users:
Administrator users: Administrator users run applications with an administrator account and are members of the local Administrators group. When an administrator user starts an application, her access token and its associated administrator privileges are applied to the application at run time. This means that an application started by a member of the local Administrators group runs with all the rights and privileges of a local administrator.
Standard users: Standard users run applications with a user account and are members of the Users group. When a user starts an application, her access token and its associated privileges are applied to the application at run time. This means that an application started by a member of the Users group runs with the rights and privileges of a standard user.
In Windows Vista, many common tasks can be performed with a standard user account, and users should log on using accounts with standard user privileges. Whenever a user attempts to perform a task that requires administrator permissions, the user sees a Windows Security dialog box containing a warning prompt. The way the prompt works depends on whether the user is logged on with an administrator account or a standard user account:
Users with administrator permissions are asked for confirmation.
Users with standard accounts are asked to provide a password for an administrator account.
Administrator users run as standard users until an application or system component that requires administrative credentials requests permission to run. Windows Vista determines whether a user needs elevated permissions to run a program by supplying most applications and processes with a security token. Windows Vista uses the token as follows:
If an application or process has an “administrator” token, elevated privileges are required to run the application or process, and Windows Vista will prompt the user for permission confirmation prior to running the application.
If an application or process has a “standard” token or an application cannot be identified as an administrator application, elevated privileges are not required to run the application or process, and Windows Vista will start it as a standard application by default.
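The token behaviour described above can be observed from an administrator's console. The following PowerShell function is an added example, not part of the original text: it reports whether the current process holds the full administrator token or the filtered standard token, whether the logged-on user is a member of Administrators at all, and which prompt behaviour UAC is configured to use for administrator and standard users. The registry value names (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser) are the standard UAC policy values and are not mentioned in the text; the function name is my own.

```powershell
# Added example (not from the book): report how the current PowerShell process
# relates to UAC. Assumes Windows with UAC available; the registry value names
# below are the standard UAC policy values, not taken from the text.

function Get-UacContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole(Administrator) is true only when the process token carries the
    # Administrators group as an enabled group, i.e. the full administrator token.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # The filtered (standard) token of an administrator user still lists the
    # Administrators SID (S-1-5-32-544), marked "use for deny only", so group
    # membership is visible even when the token is not elevated.
    $adminMember = $identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' }

    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Prompt shown to administrator users in Admin Approval Mode.
    $adminPrompt = switch ($policy.ConsentPromptBehaviorAdmin) {
        0 { 'Elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Prompt for consent on the secure desktop' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries (Windows 7 and later)' }
        default { "Unknown ($($policy.ConsentPromptBehaviorAdmin))" }
    }
    # Prompt shown to standard users, who must supply an administrator password.
    $userPrompt = switch ($policy.ConsentPromptBehaviorUser) {
        0 { 'Automatically deny elevation requests' }
        1 { 'Prompt for credentials on the secure desktop' }
        3 { 'Prompt for credentials' }
        default { "Unknown ($($policy.ConsentPromptBehaviorUser))" }
    }

    [pscustomobject]@{
        User                   = $identity.Name
        MemberOfAdministrators = [bool]$adminMember
        TokenIsElevated        = $elevated
        AdminApprovalMode      = ($policy.EnableLUA -eq 1)
        AdminUserPrompt        = $adminPrompt
        StandardUserPrompt     = $userPrompt
    }
}

Get-UacContext | Format-List
```

Reading the output: MemberOfAdministrators set to True with TokenIsElevated False is the situation the text describes as an administrator user running as a standard user; the same console started with "Run as administrator" (after the consent prompt) shows TokenIsElevated True. A standard user shows both values False, and any elevation that user requests is governed by StandardUserPrompt. A host where AdminApprovalMode is False has UAC turned off and gets no prompts at all, which is worth checking for during an incident review.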
By requiring that all users run in standard user mode and by limiting administrator-level access to authorized processes, UAC reduces the exposure and attack surface of the operating system. The process of getting an administrator or standard user’s approval prior to running an application in administrator mode and prior to performing actions that change system-wide settings is known as elevation, and this feature is known as Admin Approval Mode. Elevation enhances security and reduces the impact of malicious software by:
Ensuring that users are notified when they are about to perform an action that could impact system settings, such as installing an application.
Eliminating the ability for malicious software to invoke administrator privileges without a user’s knowledge.
Preventing users, and the applications they are running, from making unauthorized or accidental system-wide changes to operating system settings.
Protecting administrator applications from attacks by standard applications and processes.
Elevation is a new feature and a permanent change to the Windows operating system.
Elevation affects not only users and administrators, but developers as well. Developers must design their programs so that everyday users can complete basic tasks without requiring administrator privileges. A key part of this is determining which of the two levels of privilege their applications need to complete specific procedures. If an application doesn’t need administrator privileges for a task, it should be written to require only standard user privileges. As an example, a standard user–compliant application should write data files only to a nonsystem location, such as the user profile folder.
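To make the developer guidance concrete, here is an added PowerShell example (not from the book, and not describing any particular product) that contrasts the Windows XP-era habit of writing data beside the program in Program Files with the standard user-compliant approach of writing under the user profile. The function names, the "ContosoNotes" application name and the settings content are constructed for the illustration.

```powershell
# Added example (not from the book): a data-saving routine written for the
# standard user level, beside the administrator-only pattern it replaces.
# Function names and the sample application name are constructed.

function Save-AppData {
    param(
        [Parameter(Mandatory)] [string] $AppName,
        [Parameter(Mandatory)] [string] $FileName,
        [Parameter(Mandatory)] [string] $Content
    )
    # Per-user application data lives under the user profile
    # (%LOCALAPPDATA%), which a standard token can write to, so no
    # elevation prompt is triggered and no administrator rights are needed.
    $dir = Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) $AppName
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $path = Join-Path $dir $FileName
    Set-Content -LiteralPath $path -Value $Content -Encoding UTF8
    return $path
}

function Save-AppDataLegacy {
    param([string] $AppName, [string] $FileName, [string] $Content)
    # Windows XP-era pattern: write next to the program under %ProgramFiles%.
    # That is a system location writable only by Administrators, so with a
    # standard token New-Item/Set-Content fail with UnauthorizedAccessException.
    # (If run elevated, this really does create a folder under Program Files.)
    $dir = Join-Path $env:ProgramFiles $AppName
    New-Item -ItemType Directory -Path $dir -Force -ErrorAction Stop | Out-Null
    $path = Join-Path $dir $FileName
    Set-Content -LiteralPath $path -Value $Content -Encoding UTF8 -ErrorAction Stop
    return $path
}

function Invoke-AdminTask {
    # The one step that genuinely needs administrator rights (for example a
    # machine-wide install script) is launched as a separate elevated process,
    # so UAC shows its consent or credential prompt for that step alone while
    # the rest of the application keeps running as a standard user.
    param([Parameter(Mandatory)] [string] $ScriptPath)
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList '-NoProfile', '-File', $ScriptPath
}

function Test-StandardUserCompliance {
    param([string] $AppName = 'ContosoNotes')   # constructed sample application
    $sample  = '{"theme":"dark"}'               # constructed sample settings
    $results = [ordered]@{}
    try {
        $results.UserProfileWrite = Save-AppData -AppName $AppName -FileName 'settings.json' -Content $sample
    } catch {
        $results.UserProfileWrite = "FAILED: $($_.Exception.GetType().Name)"
    }
    try {
        $results.ProgramFilesWrite = Save-AppDataLegacy -AppName $AppName -FileName 'settings.json' -Content $sample
    } catch {
        # Expected under a standard token: access denied, and no UAC prompt,
        # because file writes never elevate on their own.
        $results.ProgramFilesWrite = "FAILED: $($_.Exception.GetType().Name)"
    }
    [pscustomobject]$results
}

Test-StandardUserCompliance
```

Run from a normal (non-elevated) console, UserProfileWrite returns the path under the user's local application data folder while ProgramFilesWrite reports UnauthorizedAccessException; that failure is exactly what breaks Windows XP applications under UAC, and the fix is to move the data, not to demand administrator rights for the whole program. Invoke-AdminTask is included to show where elevation belongs when it is unavoidable: isolated in its own process and its own prompt.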