User Account Control (UAC) affects which privileges
standard users and administrator users have, how applications are
installed and run, and much more.
Note
Learning how UAC works will help you be a better administrator. To
support UAC, many aspects of the Windows operating system had to be
reworked. Some of the most extensive changes have to do with how
applications are installed and run.
Redefining Standard User and Administrator User Accounts
In Windows XP and earlier versions of Windows, malicious software
programs could exploit the fact that most user accounts are configured
as members of the local computer’s Administrators group. Not only does
this allow malicious software to install itself, but it also allows
malicious software to use these elevated privileges to wreak havoc on
the computer, because programs installed by administrators can write to
otherwise secure areas of the registry and the file system.
To combat the growing threat of malicious software, organizations
have locked down computers, required users to log on using standard
user accounts, and required administrators to use the Run As command to
perform administrative tasks. Unfortunately, these procedural changes
can have serious negative consequences on productivity. A person logged
on as a standard user under Windows XP can’t perform some of the most
basic tasks, such as changing the system clock and calendar, changing
the computer’s time zone, or changing the computer’s power management
settings. Many software programs designed for Windows XP simply will
not function properly without local administrator rights—these programs
use local administrator rights to write to system locations during
installation and during normal operations. Additionally, Windows XP
doesn’t let you know beforehand when a task you are performing requires
administrator privileges.
UAC seeks to improve usability while at the same time enhancing
security by redefining how standard user and administrator user
accounts are used. UAC represents a fundamental shift in computing by
providing a framework that limits the scope of administrator-level
access privileges and requires all applications to run in a specific
user mode. In this way, UAC prevents users from making inadvertent
changes to system settings and locks down the computer to prevent
unauthorized applications from being installed or performing malicious
actions.
Because of UAC, Windows 8 defines two levels of user accounts:
standard and administrator. Windows 8 also defines two modes (run
levels) for applications: standard user mode and administrator mode.
Although standard user accounts can use most software and can change
system settings that do not affect other users or the security of the
computer, administrator user accounts have complete access to the
computer and can make any changes that are needed. When an
administrator user starts an application, her access token and its
associated administrator privileges are applied to the application,
giving her all the rights and privileges of a local computer
administrator for that application. When a standard user starts an
application, her access token and its associated privileges are applied
to the application at run time, limiting her to the rights and
privileges of a standard user for that application. Further, all
applications are configured to run in a specific mode during
installation. Any tasks run by standard-mode applications that require
administrator privileges not only are identified during setup but
require user approval to run.
In Windows 8, the set of privileges assigned to standard user accounts includes:
- Installing fonts, viewing the system clock and calendar, and changing the time zone.
- Changing the display settings and the power management settings.
- Adding printers and other devices (when the required drivers are installed on the computer or are provided by an IT administrator).
- Downloading and installing updates (when the updates use UAC-compatible installers).
- Creating and configuring virtual private network (VPN) connections. VPN connections are used to establish secure connections to private networks over the public Internet.
- Installing Wired Equivalent Privacy (WEP) to connect to secure wireless networks. The WEP security protocol provides wireless networks with improved security.
- Accessing the computer from the network and shutting down the computer.
Windows 8 also defines two run levels for applications: standard
and administrator. Windows 8 determines whether a user needs elevated
privileges to run a program by supplying most applications and
processes with a security token. If an application has a standard
token, or an application cannot be identified as an administrator
application, elevated privileges are not required to run the
application, and Windows 8 starts it as a standard application by
default. If an application has an administrator token, elevated
privileges are required to run the application, and Windows 8 prompts
the user for permission or confirmation prior to running the
application.
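The two run levels described above are visible in the process token itself. The following PowerShell script is an added example, not code from the book: it reads the current process token with whoami.exe and .NET and reports whether UAC handed the process a standard (filtered) token or a full administrator token. Run it once from a normal PowerShell window and once from a window started with Run As Administrator to see the difference. The function name is this example's own; the well-known SIDs, the integrity-level values and the "deny only" attribute are standard Windows behavior, but the attribute text match assumes an English-language system.

```powershell
# Added example (not from the book): inspect the current process token and
# report which UAC run level it represents.

function Get-UacTokenSummary {
    # whoami.exe lists every group SID in the token, including the integrity
    # label and the "deny only" entries that .NET's WindowsIdentity hides.
    # (Attribute text is localized; the 'deny only' match assumes English.)
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # The integrity label SID is S-1-16-<level>: 8192 = Medium (standard user
    # mode), 12288 = High (elevated administrator mode).
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $integrityRid = if ($label) { [int](($label.SID -split '-')[-1]) } else { 0 }
    $levelNames = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
    $levelName = if ($levelNames.ContainsKey($integrityRid)) { $levelNames[$integrityRid] } else { "Unknown ($integrityRid)" }

    # BUILTIN\Administrators is S-1-5-32-544. In Admin Approval Mode an
    # administrator's unelevated token still carries this SID, but flagged
    # "Group used for deny only", so it grants nothing until elevation.
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $adminDenyOnly = [bool]($adminRow -and ($adminRow.Attributes -match 'deny only'))

    # .NET counts only enabled groups, so IsInRole() is $true only for a full
    # administrator token: an elevated process, or a user who is not subject
    # to Admin Approval Mode (the built-in Administrator account by default).
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isFullAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $runLevel = if ($isFullAdmin) { 'administrator mode' } else { 'standard user mode' }

    [pscustomobject]@{
        User               = $principal.Identity.Name
        IntegrityLevel     = $levelName
        AdminGroupInToken  = [bool]$adminRow
        AdminGroupDenyOnly = $adminDenyOnly
        FullAdminToken     = $isFullAdmin
        RunLevel           = $runLevel
    }
}

Get-UacTokenSummary | Format-List
```

For an administrator logged on under Admin Approval Mode, the unelevated window reports Medium integrity with the Administrators group present but deny-only, and the elevated window reports High integrity with a full administrator token; a standard user's window reports Medium integrity with no Administrators group at all. Seeing the Administrators group absent from .NET's view but present as deny-only in whoami's view is exactly the token filtering that makes UAC work.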
The process of getting approval prior to running an application in
administrator mode and prior to performing tasks that change system
configuration is known as elevation.
Elevation enhances security and reduces the impact of malicious
software by notifying users before they perform any action that could
impact system settings and by preventing applications from using
administrator privileges without first notifying users. Elevation also
protects administrator applications from attacks by standard
applications.
By default, Windows 8 switches to the secure desktop prior to
displaying the elevation prompt. The secure desktop restricts the
programs and processes that have access to the desktop environment, and
in this way reduces the possibility that a malicious program or user
could gain access to the process being elevated. If you don’t want
Windows 8 to switch to the secure desktop prior to prompting for
elevation, you can choose settings that use the standard desktop rather
than the secure desktop. However, this makes the computer more
susceptible to malware and attack.
Optimizing UAC and Admin Approval Mode
Every computer has a built-in local Administrator account. This
built-in account is not protected by UAC, and using this account for
administration can put your computer at risk. To safeguard computers in
environments in which you use a local Administrator account for
administration, you should create a new local Administrator account and
use this account for administration.
UAC can be configured or disabled for any individual user account.
If you disable UAC for a user account, you lose the additional security
protections UAC offers and put the computer at risk. To completely
disable UAC or to reenable UAC after disabling it, the computer must be
restarted for the change to take effect.
Admin Approval Mode is the key component of UAC that determines
whether and how administrators are prompted when running administrator
applications. The default way that Admin Approval Mode works is as
follows:
- All administrators, including the built-in local Administrator account, run in and are subject to Admin Approval Mode.
- Because they are running in and subject to Admin Approval Mode, all administrators, including the built-in local Administrator account, see the elevation prompt when they run administrator applications.
If you are logged on as an administrator, you can modify the way UAC works for all users by completing the following steps:
1. In Control Panel, tap or click System And Security. Under the Action Center heading, tap or click Change User Account Control Settings.
2. On the User Account Control Settings page, as shown in Figure 1, use the slider to choose when to be notified about changes to the computer, and then tap or click OK. Table 1 summarizes the available options.
Table 1. User Account Control Settings

| OPTION | DESCRIPTION | WHEN TO USE | USES THE SECURE DESKTOP? |
|---|---|---|---|
| Always Notify | Always notifies the current user when programs try to install software or make changes to the computer and when the user changes Windows settings. | Choose this option when a computer requires the highest security possible and users frequently install software and visit unfamiliar websites. | Yes |
| Default | Notifies the current user only when programs try to make changes to the computer and not when the user changes Windows settings. | Choose this option when a computer requires high security and you want to reduce the number of notification prompts that users see. | Yes |
| Notify Me Only When … (Do Not Dim My Desktop) | Same as Default but also prevents UAC from switching to the secure desktop. | Choose this option when users work in a trusted environment with familiar applications and do not visit unfamiliar websites. | No |
| Never Notify | Turns off all UAC notification prompts. | Choose this option when security is not a priority and users work in a trusted environment with programs that are not certified for Windows 8 because they do not support UAC. | No |
In Group Policy, you can manage Admin Approval Mode and elevation
prompting by using settings under Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options. These
security settings are:
- User Account Control: Admin Approval Mode For The Built-In Administrator Account
  Determines whether users and processes running as the built-in local Administrator account are subject to Admin Approval Mode. By default, this setting is disabled, which means the built-in local Administrator account is not subject to Admin Approval Mode and therefore not subject to the elevation prompt behavior stipulated for administrators in Admin Approval Mode.
- User Account Control: Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop
  Determines whether User Interface Accessibility (UIAccess) programs can automatically disable the secure desktop for elevation prompts used by a standard user. If you enable this setting, UIAccess programs, including Windows Remote Assistance, can disable the secure desktop for elevation prompts.
- User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
  Determines whether administrators subject to Admin Approval Mode see an elevation prompt when running administrator applications, and also determines how the elevation prompt works. By default, administrators are prompted for consent when running administrator applications on the secure desktop. You can configure this option so that administrators are prompted for consent without the secure desktop, prompted for credentials with or without the secure desktop (as is the case with standard users), or prompted for consent only for non-Windows binaries. You can also configure this option so that administrators are not prompted at all, in which case an administrator will be elevated automatically. No setting will prevent an administrator from pressing and holding or right-clicking an application shortcut and selecting Run As Administrator.
- User Account Control: Behavior Of The Elevation Prompt For Standard Users
  Determines whether users logged on with a standard user account see an elevation prompt when running administrator applications. By default, users logged on with a standard user account are prompted for the credentials of an administrator on the secure desktop when running administrator applications or performing administrator tasks. You can also configure this option so that users are prompted for credentials on the standard desktop rather than the secure desktop, or you can deny elevation requests automatically, in which case users will not be able to elevate their privileges by supplying administrator credentials. The latter option doesn’t prevent users from pressing and holding or right-clicking an application shortcut and selecting Run As Administrator.
- User Account Control: Only Elevate Executables That Are Signed And Validated
  Determines whether applications must be signed and validated to elevate. If enabled, only executables that pass signature checks and have certificates in the Trusted Publisher store will elevate. Use this option only when the highest security is required and you’ve verified that all applications in use are signed and valid.
- User Account Control: Only Elevate UIAccess Applications That Are Installed In Secure Locations
  Determines whether UIAccess programs must reside in a secure location on the file system to elevate. If enabled, UIAccess programs must reside in a secure location under %SystemRoot%\Program Files, %SystemRoot%\Program Files (x86), or %SystemRoot%\Windows\System32.
- User Account Control: Run All Administrators In Admin Approval Mode
  Determines whether users logged on with an administrator account are subject to Admin Approval Mode. By default, this setting is enabled, which means administrators are subject to Admin Approval Mode and also subject to the elevation prompt behavior stipulated for administrators in Admin Approval Mode. If you disable this setting, users logged on with an administrator account are not subject to Admin Approval Mode and therefore are not subject to the elevation prompt behavior stipulated for administrators in Admin Approval Mode.
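Whether set through the Control Panel slider (Table 1) or through the Security Options policies listed above, these settings are stored as values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following PowerShell script is an added example, not code from the book: it reads those values and reports each one with its policy name, its meaning, and a note where the setting is weaker than the default, and it also reconstructs the Table 1 slider position from the two values the slider writes. It covers the built-in Administrator account concern from the Admin Approval Mode discussion above as well. The registry value names and their meanings follow Microsoft's documentation for these policies; the ninth row corresponds to the "Switch to the secure desktop when prompting for elevation" policy, which this page refers to but does not list. The function names, the default fallbacks for values that are not configured, the Concern text, and the slider-to-value mapping are this example's own assumptions.

```powershell
# Added example (not from the book): audit the UAC policy values under
# HKLM\...\Policies\System and map them back to the Security Options policies
# and the Table 1 slider positions.

function Get-UacPolicyReport {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $reg = Get-ItemProperty -Path $key

    # A value absent from the registry means "not configured"; the fallback
    # defaults used here are an assumption (they match an out-of-box Windows 8).
    function Get-Val([string]$name, [int]$default) {
        if ($null -ne $reg.$name) { [int]$reg.$name } else { $default }
    }

    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    $onOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }

    $enableLua   = Get-Val 'EnableLUA'                   1
    $filterAdmin = Get-Val 'FilterAdministratorToken'    0
    $uiaToggle   = Get-Val 'EnableUIADesktopToggle'      0
    $cpbAdmin    = Get-Val 'ConsentPromptBehaviorAdmin'  5
    $cpbUser     = Get-Val 'ConsentPromptBehaviorUser'   3
    $validateSig = Get-Val 'ValidateAdminCodeSignatures' 0
    $secureUia   = Get-Val 'EnableSecureUIAPaths'        1
    $secureDesk  = Get-Val 'PromptOnSecureDesktop'       1

    # One row per policy; Concern is empty when the setting is at least as strict as the default.
    function New-Row($policy, $value, $meaning, $concern) {
        [pscustomobject]@{ Policy = $policy; Value = $value; Meaning = $meaning; Concern = $concern }
    }

    $rows = @(
        New-Row 'Run All Administrators In Admin Approval Mode' $enableLua $onOff[$enableLua] `
            $(if ($enableLua -eq 0) { 'UAC is off: every administrator process gets a full token' })
        New-Row 'Admin Approval Mode For The Built-In Administrator Account' $filterAdmin $onOff[$filterAdmin] `
            $(if ($filterAdmin -eq 0) { 'Built-in Administrator is never prompted (the default); use a separate admin account' })
        New-Row 'Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop' $uiaToggle $onOff[$uiaToggle] `
            $(if ($uiaToggle -eq 1) { 'UIAccess programs can move prompts onto the standard desktop' })
        New-Row 'Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode' $cpbAdmin $adminPrompt[$cpbAdmin] `
            $(if ($cpbAdmin -eq 0) { 'Administrators elevate silently' })
        New-Row 'Behavior Of The Elevation Prompt For Standard Users' $cpbUser $userPrompt[$cpbUser] $null
        New-Row 'Only Elevate Executables That Are Signed And Validated' $validateSig $onOff[$validateSig] $null
        New-Row 'Only Elevate UIAccess Applications That Are Installed In Secure Locations' $secureUia $onOff[$secureUia] `
            $(if ($secureUia -eq 0) { 'UIAccess programs may run from user-writable paths' })
        New-Row 'Switch To The Secure Desktop When Prompting For Elevation' $secureDesk $onOff[$secureDesk] `
            $(if ($secureDesk -eq 0) { 'Elevation prompts share the desktop with other programs' })
    )

    # Table 1 slider position, reconstructed from ConsentPromptBehaviorAdmin and
    # PromptOnSecureDesktop (the values the slider writes); this mapping is an assumption.
    $slider = if ($enableLua -eq 0 -or ($cpbAdmin -eq 0 -and $secureDesk -eq 0)) { 'Never Notify' }
              elseif ($cpbAdmin -eq 2 -and $secureDesk -eq 1) { 'Always Notify' }
              elseif ($cpbAdmin -eq 5 -and $secureDesk -eq 1) { 'Default' }
              elseif ($cpbAdmin -eq 5 -and $secureDesk -eq 0) { 'Notify Me Only When ... (Do Not Dim My Desktop)' }
              else { 'Custom (set by policy, not by the slider)' }

    [pscustomobject]@{ SliderSetting = $slider; Policies = $rows }
}

$report = Get-UacPolicyReport
"User Account Control Settings slider: $($report.SliderSetting)"
$report.Policies | Format-Table -AutoSize -Wrap
```

Reading the values needs no elevation, so the report can be collected from a standard user session, which makes it a convenient check to run across a fleet before and after a Group Policy change. Any row with a non-empty Concern column is a setting the text above describes as making the computer more susceptible to malware; the built-in Administrator row will show a concern on every default installation, which is the reason the book recommends creating a separate local administrator account for day-to-day administration.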
In a domain environment, you can use Active Directory–based Group
Policy to apply the security configuration you want to a particular set
of computers. You can also configure these settings on a per-computer
basis using local security policy. To do this, follow these steps:
1. Open Local Group Policy Editor. One way to do this is by pressing the Windows key, typing gpedit.msc, and then pressing Enter.
2. In the console tree, under Security Settings, expand Local Policies, and then select Security Options, as shown in Figure 2.
3. Double-tap or double-click the setting you want to work with, make any necessary changes, and then tap or click OK. Repeat this step to modify other security settings as necessary.