In-Depth

Under Secure Control

Windows Vista is a safer OS for users thanks to its many new features, including one that you as an admin should look at more closely: User Account Control.

One of the major issues that every modern operating system faces is dealing with malicious software and spyware. Whether you use a Macintosh, Linux or Windows on your computer, chances are you are connected to the Internet and use a Web browser, an e-mail client and other Web-based applications on a regular basis, and most of the bad things that happen to a computer arrive over that connection.

Windows XP and older versions of Windows require users to log on with administrative credentials to perform system-level tasks, such as installing applications, changing the system time or modifying protected parts of the registry. Windows Vista introduces User Account Control (UAC) so that users no longer have to do their everyday work from a session that carries those rights. UAC, which is enabled by default, prevents applications from running with the full administrator access token unless the user explicitly agrees to let them.

Note: User Account Control (UAC) was previously referred to as LUA (Least Privileged User Account) and User Account Protection (UAP).

Macs have taken a different approach from PCs for years. Mac OS X is known for its secure default configuration: an OS X administrator account does not run with root privileges, and operations that touch the core OS prompt for the user's password first. This is very different from the way Windows XP computers have operated. Macintosh computers, running a Unix-based operating system, have had a feature similar to UAC for some time. With Windows Vista, Windows has finally caught up with the Mac and introduced this much needed feature.

UAC is not the only Windows Vista feature that seems to be “inspired” by OS X; some of the new graphical user interface enhancements and the gadgets also have counterparts in Mac OS X.

Figure 1 shows a Mac security dialog box, which pops up when a user tries to do something that requires administrative privileges.

Mac security, clean and simple
Figure 1. Halt! Are you who you say you are?

Let’s take a closer look at how UAC works. As far as the user is concerned, the logon process in Windows Vista resembles the Windows XP logon. Behind the scenes, however, it is very different. Let's examine what happens at logon from the perspective of an administrator account and then from that of a standard user account.

Let's Act Like an Administrator
When you log on as a member of the local Administrators group in Windows Vista, the system creates two access tokens for your session: a full administrator token and a filtered, standard user token. The filtered token is the one your desktop, Explorer and every application you start inherit. In it, the Administrators group membership is marked “use for deny only” and the administrative privileges are stripped out, so for all practical purposes it is a standard user token: when you run an application or browse the Internet, you are doing so with the rights of a standard user. If an application requires the full token, you are presented with an “elevation prompt” requesting your consent (see Figure 2). You may accept or reject the request.

Windows security dialog doesn't smirk in disdain.
Figure 2. Okay, Windows Vista asks the same, simple question, but in a less smug way.

Now, In the Shoes of the Standard User
When you log on as a standard user, there is only one token, a standard user token. When you run an application or browse the Internet, you are using the minimum necessary privileges, which minimizes the risk from unauthorized software installation or system modifications. If an application requires higher privileges, you are presented with an “elevation prompt,” but because there is no full administrator token to switch to, UAC asks for the user name and password of an administrator account rather than simply for consent.
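Here is an added example, not code from the article, that shows the two token states described above from inside a PowerShell session. It relies on whoami.exe, which ships with Windows Vista, and on two well-known facts about the token: S-1-5-32-544 is the SID of BUILTIN\Administrators, and the “Mandatory Label” row carries the integrity level (Medium for a filtered token, High for a full administrator token). The Start-ElevatedPowerShell helper is mine; it uses the standard “runas” verb to trigger the elevation prompt.

```powershell
# Added example, not code from the article. Classifies the token that the
# current PowerShell session is running with, using whoami.exe (ships with
# Windows Vista) and two well-known SIDs: S-1-5-32-544 is BUILTIN\Administrators
# and the "Mandatory Label" row carries the integrity level (Medium for a
# filtered token, High for a full administrator token).

function Get-UacTokenState {
    # whoami /groups /fo csv prints one row per group in the token with the
    # columns Group Name, Type, SID, Attributes.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.Type -eq 'Label' }

    if (-not $admins) {
        # Standard user: one token, no Administrators membership at all.
        $state = 'StandardUser'
        $attrs = '(not a member of Administrators)'
    } elseif ($admins.Attributes -match 'deny only') {
        # Administrator, but the filtered token: the group is still listed so
        # that "deny" entries in ACLs aimed at Administrators keep applying,
        # while it grants nothing.
        $state = 'FilteredAdministrator'
        $attrs = $admins.Attributes
    } else {
        # The full token: this process came through an elevation prompt.
        $state = 'ElevatedAdministrator'
        $attrs = $admins.Attributes
    }

    New-Object PSObject -Property @{
        State           = $state
        IntegrityLevel  = $label.'Group Name'
        AdminAttributes = $attrs
    }
}

function Start-ElevatedPowerShell {
    param([string]$Command = 'whoami /groups')
    # The "runas" verb goes through ShellExecute, which hands the request to the
    # Application Information Service; AIS creates the process with the full
    # token after the user answers the consent prompt (administrator) or the
    # credential prompt (standard user).
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoExit', '-Command', $Command
}

$state = Get-UacTokenState
$state | Format-List State, IntegrityLevel, AdminAttributes
if ($state.State -eq 'FilteredAdministrator') {
    # Compare the group list in the elevated window with the one above:
    # same account, Administrators now "Enabled group", label now High.
    Start-ElevatedPowerShell
}
```

Run it twice, once from a normal PowerShell window and once from one started with “Run as administrator,” and you will see the same account reported first as FilteredAdministrator at Medium integrity and then as ElevatedAdministrator at High. A standard user sees only StandardUser, and Start-ElevatedPowerShell asks for an administrator's credentials instead of consent.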

Note: You can use Group Policy (or the Local Security Policy editor on a standalone computer) to configure the behavior of the elevation prompt separately for administrators and for standard users.

Unlike Windows XP, Windows Vista makes no use of the Power Users group (it still exists for backward compatibility, but carries no special rights by default). Instead, Microsoft has added permissions to the standard user account so users can easily perform their daily tasks. According to Microsoft, the following permissions have been added for standard users:

  • View system clock and calendar
  • Change time zone
  • Install Wired Equivalent Privacy (WEP) to connect to secure wireless networks
  • Change power management settings
  • Add printers and other devices that have the required drivers installed on computer or have been allowed by an IT administrator in Group Policy
  • Install ActiveX Controls from sites approved by an IT administrator
  • Create and configure a Virtual Private Network connection
  • Install critical Windows Updates

These settings can be controlled through Group Policy settings.

The Whizbang of UAC
UAC uses several different components to implement this new security model. The main components are the Application Information Service (AIS), File/Registry Virtualization, the Elevation Prompt and Installer Detection.

Application Information Service (AIS) is a new service in Windows Vista that launches applications which require elevated privileges. Essentially, AIS starts a new process for the application with the administrator’s full access token once the user has provided credentials or given consent; the prompt itself is displayed on AIS's behalf, not by the requesting application. AIS is present and enabled by default in Windows Vista.

The File System and Registry Virtualization feature provides a bridge for legacy applications. When a pre-Vista application that is not UAC-aware tries to write to a protected location such as %ProgramFiles%, %windir% or HKEY_LOCAL_MACHINE\SOFTWARE, UAC gives it a virtualized, copy-on-write view of the resource: the write lands in a per-user copy under %LOCALAPPDATA%\VirtualStore (for files) or HKEY_CURRENT_USER\Software\Classes\VirtualStore (for the registry), and later reads by that user are satisfied from the copy. Virtualization applies only to 32-bit interactive applications that carry no UAC manifest; 64-bit programs, services and any program that declares a requestedExecutionLevel in its manifest are never virtualized. It takes place automatically in Windows Vista unless you turn it off, either for the whole computer through Group Policy or for one application by giving it a manifest.

A word of caution: Do not depend on this feature to run your legacy applications in Windows Vista as a permanent solution. Microsoft has provided this feature only as a temporary solution. Your goal should be to make your older applications Windows Vista compliant as soon as possible.
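As an added example, not code from the article, the following script does the two things an admin wants once virtualization is understood: it lists what the current user's VirtualStore contains, which tells you which legacy programs are still being rescued by it, and it writes the external manifest that makes one of them UAC-aware. The two store locations are Windows Vista's own; the executable path in the usage line at the bottom is a placeholder you substitute.

```powershell
# Added example, not code from the article. Lists what the current user's
# VirtualStore contains (which legacy programs are still being rescued by
# virtualization) and writes the external manifest that makes one of them
# UAC-aware. The two store locations are Windows Vista's own; the executable
# path in the usage line at the bottom is a placeholder.

function Get-VirtualStoreUsage {
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore'
    $results   = @()

    if (Test-Path $fileStore) {
        $files = Get-ChildItem -Path $fileStore -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        foreach ($f in $files) {
            # The store mirrors the protected tree minus the drive letter:
            # ...\VirtualStore\Program Files\App\app.ini is the redirected copy
            # of C:\Program Files\App\app.ini.
            $results += New-Object PSObject -Property @{
                Kind        = 'File'
                Intended    = $env:SystemDrive + $f.FullName.Substring($fileStore.Length)
                Virtualized = $f.FullName
                LastWrite   = $f.LastWriteTime
            }
        }
    }

    if (Test-Path $regStore) {
        foreach ($k in (Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue)) {
            # HKCU\...\VirtualStore\MACHINE\SOFTWARE\App stands in for
            # HKLM\SOFTWARE\App.
            $results += New-Object PSObject -Property @{
                Kind        = 'Registry'
                Intended    = $k.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', 'HKEY_LOCAL_MACHINE\'
                Virtualized = $k.Name
                LastWrite   = $null
            }
        }
    }
    $results
}

function New-AsInvokerManifest {
    param([Parameter(Mandatory = $true)][string]$ExePath)
    # An external manifest (app.exe.manifest next to app.exe) is honored when
    # the binary has no embedded one. Declaring requestedExecutionLevel is what
    # tells UAC the program is Vista-aware: virtualization and installer
    # detection are both switched off for it, so the program itself must now
    # write only to per-user locations (or declare requireAdministrator).
    $manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    $target = "$ExePath.manifest"
    Set-Content -Path $target -Value $manifest -Encoding UTF8
    $target
}

# Usage: see what is being virtualized, then manifest one offender.
Get-VirtualStoreUsage | Sort-Object Kind, Intended |
    Format-Table Kind, Intended, LastWrite -AutoSize
# New-AsInvokerManifest -ExePath 'C:\Program Files\LegacyApp\LegacyApp.exe'   # placeholder path
```

Two caveats. The manifest only stops the redirection; if the program still writes to %ProgramFiles%, those writes will now fail outright, which is the point, since it makes the incompatibility visible instead of hiding it. And because Windows caches manifest information keyed to the executable, an external manifest added after the program has already been run may not be picked up until the executable's timestamp changes.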

The Elevation Prompt is the point at which a user authorizes a switch to the full administrator token, so that only changes the user has approved reach the system. By default it is turned on and displayed on the secure desktop, where other applications running on your desktop cannot draw over it or click through it, and it is color coded according to what Windows knows about the program asking.

Table 1. Elevation prompts are color coded based on what Windows knows about the application that is asking.

Colors used by UAC                   What it means
Red background, red shield icon      The application is from a blocked publisher, or it is blocked by Group Policy.
Blue/green background                The application is a Windows Vista administrative application, such as a Control Panel item.
Gray background, gold shield icon    The application is Authenticode signed and its publisher is trusted by the local computer.
Yellow background, red shield icon   The application is unsigned, or is signed by a publisher not yet trusted by the local computer.

Installer Detection looks for setup and uninstall programs (it relies on heuristics such as the words “install,” “setup” or “update” in the file name or in the version resource) and prompts the user for elevation when it finds one, because only administrators are allowed to write to system areas of the file system and registry. Like virtualization, it applies only to 32-bit interactive programs that carry no UAC manifest; a manifested program states its own requirements instead. You can control the behavior of Installer Detection with a Group Policy setting. It is on automatically in Windows Vista unless you turn it off.
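The elevation prompt behavior, virtualization and installer detection discussed above all end up as values under one registry key that Group Policy and the Local Security Policy editor write. The following added example, which is not code from the article, reads that key and flags the settings a practitioner would consider weakened, then shows how to put the prompt-related values back to Vista's shipping defaults. The value names and the meanings in the comments are Windows' own; which combinations count as “weak” is my judgment, and the Set-UacPromptDefaults function must itself be run elevated.

```powershell
# Added example, not code from the article. Audits the UAC settings that Group
# Policy and the Local Security Policy editor write, and flags the ones a
# practitioner would consider weakened. The value names and the Vista meanings
# in the comments are Windows' own; what counts as "weak" is my judgment.

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Policy (Security Options)                                  -> registry value
    #  Run all administrators in Admin Approval Mode             -> EnableLUA (1 = on)
    #  Behavior of the elevation prompt for administrators       -> ConsentPromptBehaviorAdmin
    #     0 = elevate without prompting, 1 = prompt for credentials,
    #     2 = prompt for consent (Vista default)
    #  Behavior of the elevation prompt for standard users       -> ConsentPromptBehaviorUser
    #     0 = automatically deny, 1 = prompt for credentials (default)
    #  Switch to the secure desktop when prompting               -> PromptOnSecureDesktop (1 = on)
    #  Detect application installations and prompt               -> EnableInstallerDetection (1 = on; Vista Enterprise ships with 0)
    #  Virtualize file and registry write failures               -> EnableVirtualization (1 = on)
    #  Only elevate executables that are signed and validated    -> ValidateAdminCodeSignatures (0 = off by default)
    #  Admin Approval Mode for the Built-in Administrator account -> FilterAdministratorToken (0 = off by default)

    $findings = @()
    if ($p.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC is off for the whole computer; every administrator logon gets the full token (the change takes effect after a reboot).'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators are elevated silently, so anything running in the filtered session can elevate itself without a prompt.'
    }
    if ($p.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: the prompt is drawn on the normal desktop, where other processes can spoof it or drive it with synthetic input.'
    }
    if ($p.EnableInstallerDetection -eq 0) {
        $findings += 'EnableInstallerDetection=0: unmanifested setup programs run with the filtered token and either fail or leave half-installed state in VirtualStore.'
    }
    if ($p.FilterAdministratorToken -ne 1) {
        $findings += 'FilterAdministratorToken not set to 1: the built-in Administrator account, if enabled, runs with the full token and never sees a prompt.'
    }

    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        EnableInstallerDetection   = $p.EnableInstallerDetection
        EnableVirtualization       = $p.EnableVirtualization
        Findings                   = $findings
    }
}

function Set-UacPromptDefaults {
    # Restores Vista's shipping defaults for the prompt-related values. Writing
    # HKLM requires an elevated session. On a domain member, Group Policy will
    # reapply whatever the GPO says at the next refresh, so fix the GPO there.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorUser  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name EnableInstallerDetection   -Value 1 -Type DWord
}

$audit = Get-UacPolicy
$audit | Format-List
if ($audit.Findings.Count -gt 0) { $audit.Findings }
```

Run the audit from any account; only the remediation needs the full token. ConsentPromptBehaviorAdmin=0 deserves particular attention, because with it the filtered token described earlier provides no protection at all: a process in the standard-user session can ask for elevation and get it without anyone being asked.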

There's a Name for It: Admin Approval Mode
Earlier I described what happens when a member of the Administrators group logs on: two tokens, the filtered one in use by default, and a consent prompt whenever something needs the full one. Microsoft calls that arrangement Admin Approval Mode, and it is the default for every administrator account except the built-in Administrator account, which is disabled out of the box and, if you enable it, runs with its full token unless you also turn on the policy “Admin Approval Mode for the Built-in Administrator account.” Because you are logged on in Admin Approval Mode, you are asked only for consent; you are not asked to provide credentials, as a standard user would be. You can turn Admin Approval Mode off for all administrators through the policy “Run all administrators in Admin Approval Mode,” but doing so effectively disables UAC for every administrator on the computer.

Notice that the “consent prompt” is different from the “credentials prompt.” The consent prompt simply asks an administrator whether she wants to run an application, while the credentials prompt requires the user to provide the name and password of an administrator account to perform a task that requires an administrator’s access token.

Tada! That's UAC
UAC is an important security feature in Windows Vista. Initially, when I used UAC in earlier betas, I found it pretty annoying. As I have grown to learn the importance of UAC and have been using Windows Vista for a while, dealing with elevation prompts is no longer such a nuisance.

UAC works at the computer level, so you cannot turn it off on a user-by-user or group-by-group basis: the setting lives under HKEY_LOCAL_MACHINE, and a change to it takes effect only after a reboot. You must either enable or disable UAC for the entire computer. Although you can turn UAC off, I strongly recommend that you leave this feature on to limit your computer’s exposure to malware and other exploits.
