In-Depth
Under Secure Control
Windows Vista is a safer OS for users due to its many new features, including one that you as an admin should look at more closely: The User Account Control.
One of the major issues that most modern operating systems face today
is dealing with malicious software and spyware. Whether you use Macintosh,
Linux or Windows on your computer, chances are you are somehow connected
to the Internet and use Web browsers, e-mail clients and other Web-based
applications on a regular basis. Unfortunately, most bad things that happen
to your computer arrive through that Internet connectivity.
Unlike Windows XP and older Windows operating systems, which require users
to log on with administrative credentials to perform system-level tasks,
such as installing applications, changing the system time, or modifying
the registry, Windows Vista uses a new feature called User Account Control
(UAC) to eliminate these restrictions. UAC, which is enabled by default,
prevents applications from running with the full administrator access
token unless the user explicitly agrees to run them that way.
Note: User Account Control (UAC) was previously referred to as
LUA (Least Privileged User Account) and User Account Protection (UAP).
Macs have used a different strategy than the PCs for years. For example,
the Mac OS X operating system is known for its default secure configuration.
The Mac OS X administrator account disables access to the core OS functions.
This is very different than the way Windows XP computers have operated.
Macintosh computers that run a Unix-based operating system have employed
a feature similar to UAC for some time. With Windows Vista, the Windows
OS has finally caught up with Macs and introduced this much needed feature.
UAC is not the only Windows Vista feature that seems to be “inspired”
by OS X: some of the new graphical user interface enhancements and the
gadgets also have counterparts in Mac OS X.
Figure 1 shows a Mac security dialog box, which pops up when a user tries
to do something that requires administrative privileges.
Figure 1. Halt! Are you who you say you are?
Let’s take a closer look at how UAC works. As far as the user is
concerned, the logon process in Windows Vista resembles the Windows XP
logon. Behind the scenes, however, the logon process is very different.
Let's examine how the logon process works from both the administrator
account and the standard user account perspective.
Let's Act Like an Administrator
When you log on as a member of the local Administrators group in Windows
Vista, you are granted two access tokens. One is a full administrator
token and the other is a filtered, standard user token. This concept is
important to understand because even when you log on with an administrator
account, your administrative privileges are filtered enough to practically
disable your administrative rights -- what you are left with is, for all
practical purposes, a standard user account. When you run an application or
browse the Internet, you are using this filtered access token, which is
pretty much a standard user token. If an application requires higher
privileges, you are presented with an “elevation prompt” requesting your
consent (see Figure 2). You may accept or reject the request.
Figure 2. Okay, Windows Vista asks the same, simple question, but in a less smug way.
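The two-token model above can be observed directly from a PowerShell session. This is an added example, not code from the article: it reports whether the current process token is elevated and, for members of Administrators, shows that in the filtered token the Administrators group SID (S-1-5-32-544) is carried as "Group used for deny only" and the token runs at Medium rather than High integrity. It assumes only the built-in whoami.exe and the .NET WindowsPrincipal class.

```powershell
# Added example (not from the article): inspect the access token of the
# current PowerShell session to see UAC's token filtering in action.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole evaluates the token this process is actually running with.
# In a filtered (non-elevated) session it is $false even for members of
# the local Administrators group.
$elevated = $principal.IsInRole($adminRole)

# whoami /groups lists every group SID in the token with its attributes.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$label  = $groups | Where-Object { $_.Type -eq 'Label' }   # integrity level

[pscustomobject]@{
    User              = $identity.Name
    MemberOfAdmins    = [bool]$admins
    # "Group used for deny only" means the SID can deny access but never
    # grant it: this is the filtered standard-user token the article describes.
    AdminsGroupStatus = if (-not $admins) { 'n/a' }
                        elseif ($admins.Attributes -match 'deny only') { 'filtered (deny only)' }
                        else { 'active' }
    IntegrityLevel    = $label.'Group Name'
    TokenElevated     = $elevated
}
```

Run it once from a normal console and once from a console started with "Run as administrator": the same account shows "filtered (deny only)" with Medium integrity in the first case and "active" with High integrity in the second.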
Now, In the Shoes of the Standard User
When you log on with a standard user account, only the standard user access
token is used. When you run an application or browse the Internet, you
are using the minimum necessary privileges and are therefore minimizing the
risk of unauthorized software installation or system modification.
If an application requires higher privileges, you are presented with an
“elevation prompt” requesting your consent or credentials. If
the application requires administrative-level permissions, UAC will require
you to provide an administrator’s credentials.
Note: You can use Group Policy or Security Policy Editor to configure
the behavior of the elevation prompt.
Unlike in Windows XP, the Power Users group is not used in Windows Vista.
Instead, Microsoft has added permissions to the standard user account so
users can easily perform their daily tasks. According to Microsoft, the
following new permissions have been added to the standard user account.
- View system clock and calendar
- Change time zone
- Install Wired Equivalent Privacy (WEP) to connect to secure wireless
networks
- Change power management settings
- Add printers and other devices that have the required drivers installed
on computer or have been allowed by an IT administrator in Group Policy
- Install ActiveX Controls from sites approved by an IT administrator
- Create and configure a Virtual Private Network connection
- Install critical Windows Updates
These settings can be controlled through Group Policy settings.
The Whizbang of UAC
UAC uses several different components to implement this new security
model. The main components are AIS, File/Registry Virtualization, the
Elevation Prompt, and Installer Detection.
Application Information Service (AIS) is a new service in Windows Vista
that is used to run applications that require one or more elevated privileges.
Essentially, AIS starts a new process for the application with the administrator’s
access token as long as the user provides credentials or gives consent.
AIS runs by default and is configured to start automatically in Windows
Vista.
The File System and Registry Virtualization feature provides a bridge
for legacy applications. When pre-Vista applications that are not compatible
with UAC try to write to protected areas, UAC gives them a virtualized
view of the resource using a copy-on-write approach. This is accomplished
by creating a separate copy of the virtualized file for each user under
that user's profile. Virtualization takes place automatically in Windows
Vista, unless you turn it off explicitly for an application.
A word of caution: Do not depend on this feature to run your legacy
applications in Windows Vista as a permanent solution. Microsoft has provided
this feature only as a temporary solution. Your goal should be to make
your older applications Windows Vista compliant as soon as possible.
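Because virtualization is meant as a temporary bridge, an administrator needs a way to find which legacy applications are still leaning on it. This added example (not code from the article) lists the per-user copy-on-write copies that UAC has created; it assumes the standard VirtualStore locations, %LOCALAPPDATA%\VirtualStore for files and HKCU\Software\Classes\VirtualStore for registry keys, and groups the files by the protected path they shadow.

```powershell
# Added example (not from the article): inventory the files and registry
# keys that UAC virtualization has redirected for the current user, so the
# responsible legacy applications can be fixed rather than left on this
# temporary bridge.
# Assumption: the standard VirtualStore locations used by UAC.
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore  = 'HKCU:\Software\Classes\VirtualStore'

function Get-VirtualizedFiles {
    if (-not (Test-Path $fileStore)) { return }
    # Under VirtualStore the folder tree mirrors the protected path, e.g.
    # "Program Files\SomeApp\settings.ini" shadows C:\Program Files\SomeApp.
    Get-ChildItem -Path $fileStore -Recurse -File |
        Group-Object {
            $rel = $_.FullName.Substring($fileStore.Length + 1)
            ($rel.Split('\')[0..1]) -join '\'       # first two path components
        } |
        Select-Object @{ n = 'ShadowedPath'; e = { $_.Name } }, Count,
                      @{ n = 'LastWrite';    e = {
                          ($_.Group | Sort-Object LastWriteTime -Descending |
                              Select-Object -First 1).LastWriteTime } } |
        Sort-Object Count -Descending
}

function Get-VirtualizedRegistryKeys {
    if (-not (Test-Path $regStore)) { return }
    # Each subkey mirrors an HKLM path the application tried to write to.
    Get-ChildItem -Path $regStore -Recurse |
        Select-Object -ExpandProperty Name
}

"== Virtualized files (per shadowed folder) =="
Get-VirtualizedFiles | Format-Table -AutoSize
"== Virtualized registry keys =="
Get-VirtualizedRegistryKeys
```

Anything that shows up here is an application writing to a protected location it no longer has rights to; those are the applications to make Vista compliant first.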
Elevation Prompt ensures that only authorized changes are made to the
system. By default, this feature is turned on. The elevation prompt is
color coded.
Table 1. Elevation prompts are color coded based on what privileges an application has.

Colors used by UAC | What it means
Red background and red shield icon | The application is either from a blocked publisher, or it’s blocked by a Group Policy.
Blue/green background | The application is a Windows Vista administrative application, such as a Control Panel.
Gray background and gold shield icon | The application is Authenticode signed and is trusted by the local computer.
Yellow background and red shield icon | The application may be signed or unsigned but is not yet trusted by the local computer.
Installer Detection is responsible for detecting installation/uninstallation
programs and prompting the user for elevation, because only administrators
are allowed to write to system areas and modify the registry. You can
control the behavior of Installer Detection with a Group Policy setting.
Installer detection takes place automatically in Windows Vista, unless
you turn off this feature.
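The Group Policy and Security Policy settings mentioned for the elevation prompt, Installer Detection and Virtualization (and the computer-wide on/off switch discussed at the end of the article) are stored as values under one registry key. This added example (not code from the article) audits that key against a hardened baseline; the value names are the real UAC policy values, but the "acceptable" sets are this example's chosen baseline, not a statement of any Windows build's out-of-the-box defaults.

```powershell
# Added example (not from the article): audit the effective UAC policy
# values. The value names are the real policy values; the Accept lists are
# this example's hardened baseline (an assumption, not Windows defaults).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $uacKey

$checks = @(
    @{ Name = 'EnableLUA';                  Accept = @(1)
       Why  = 'UAC is on for the whole computer (0 = off)' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Accept = @(1, 2)
       Why  = 'admins get a credential (1) or consent (2) prompt on the secure desktop; 0 = elevate silently' }
    @{ Name = 'ConsentPromptBehaviorUser';  Accept = @(0, 1)
       Why  = 'standard users are auto-denied (0) or prompted for credentials on the secure desktop (1)' }
    @{ Name = 'PromptOnSecureDesktop';      Accept = @(1)
       Why  = 'prompt is shown on the secure desktop, isolated from other user-mode windows' }
    @{ Name = 'EnableInstallerDetection';   Accept = @(1)
       Why  = 'setup programs trigger an elevation prompt' }
    @{ Name = 'EnableVirtualization';       Accept = @(1)
       Why  = 'legacy writes to protected areas are redirected instead of failing silently' }
)

function Test-UacPolicy {
    foreach ($c in $checks) {
        $actual = $policy.($c.Name)
        $state = if ($null -eq $actual) { 'NOT SET (built-in default applies)' }
                 elseif ($c.Accept -contains [int]$actual) { 'OK' }
                 else { "WEAK (is $actual, want one of $($c.Accept -join ','))" }
        [pscustomobject]@{ Setting = $c.Name; Value = $actual; State = $state; Meaning = $c.Why }
    }
}

Test-UacPolicy | Format-Table -AutoSize -Wrap
```

Run it elevated on the machine being reviewed; a "WEAK" row for EnableLUA or ConsentPromptBehaviorAdmin means elevation happens with no prompt at all, which defeats the model described in this article.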
There's Always Another Option: Admin Approval Mode
Earlier I explained the differences between logging on with an administrator
account versus a standard user account. You also have an option to run
in what is known as Admin Approval Mode. In this mode you are prompted
by a “consent” prompt. Because you are logged on in Admin Approval
Mode, you are not asked to provide credentials, as a standard user would
be.
Notice that the concept of a “consent prompt” is different from
the “credentials prompt.” The consent prompt simply asks an
administrator whether she wants to run an application, while the credentials
prompt requires users to provide the name and password of an administrator
account to perform a task that requires an administrator’s access
token.
Tada! That's UAC
UAC is an important security feature in Windows Vista. Initially, when
I used UAC in earlier betas, I found it pretty annoying. As I have grown
to learn the importance of UAC and have been using Windows Vista for a
while, dealing with elevation prompts is no longer such a nuisance.
UAC works at the computer level, so you cannot turn it off on a user-by-user
or a group-by-group basis. You must either enable or disable UAC for the
entire computer. Although you can turn UAC off, I strongly recommend that
you leave this feature on to prevent your computer from exposure to malware
and other exploits.