|
User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft's Windows Vista operating system. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges, and malware should be kept from receiving the privileges necessary to compromise the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not also have those privileges unless they are approved beforehand or the user explicitly authorizes it to have higher privileges.
To reduce the possibility of lower-privilege applications communicating with higher-privilege ones, another new technology, User Interface Privilege Isolation is used in conjunction with User Account Control to isolate these processes from each other.[1] One prominent use of this is Internet Explorer 7's "Protected Mode".[2]
History
Differentiation of a superuser and userland has been common in mainframes and servers for decades. This had an obvious security component, but also an administrative component, in that it prevented users from accidentally changing system settings.
Microsoft home operating systems (such as Windows 95, Windows 98 and Windows Me) did not have a concept of different user accounts on the same machine, and all actions were performed as super user. Windows NT introduced multiple user accounts, but in practice most users continued to operate as super user administrator for their normal operations. Further, many applications tend to assume that the user is super user, and will simply not work if they are not.
Subsequent versions of Windows and Microsoft applications have encouraged the use of non-administrator user logins, but the uptake has been slow. User Account Control is a stronger approach to do this introduced in Vista. But it is difficult to introduce new security features without breaking existing applications.
When logging into Vista as a standard user, a logon session is created and a token containing only the most basic privileges is assigned. In this way, the new logon session is incapable of making changes that would affect the entire system. When logging in as a user in the Administrators group, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, are then started with the restricted token, resulting in a reduced privilege environment even under an Administrator account. When an application requests higher privileges or "Run as administrator" is clicked, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.[4]
Tasks that trigger a UAC prompt
Tasks that require administrator privileges will trigger a UAC prompt (if UAC is enabled) are typically marked by a 4-color security shield symbol. In the case of executable files, the icon will have a security shield overlay. Ed Bott's Windows Vista Inside Out lists the following tasks which require administrator privileges:
* Changes to system-wide settings or to files in %SystemRoot% or %ProgramFiles%
* Installing and uninstalling applications
* Installing device drivers
* Installing ActiveX controls
* Changing settings for Windows Firewall
* Changing UAC settings
* Configuring Windows Update
* Adding or removing user accounts
* Changing a user’s account type
* Configuring Parental Controls
* Running Task Scheduler
* Restoring backed-up system files
* Viewing or changing another user’s folders and files
Common tasks, such as changing the time zone, do not require administrator privileges[6] (although changing the system time itself does, since the system time is commonly used in security protocols). A number of tasks that required administrator privileges in earlier versions of Windows, such as installing critical Windows updates, no longer do so in Vista.[7] Any program can be run as administrator by right-clicking its icon and clicking "Run as administrator".
Features
User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is temporarily darkened and Windows Aero disabled and only the authorization window is enlightened, to present only the elevation user interface (UI). This is to prevent spoofing of the UI or the mouse by the application requesting elevation.[8] If an administrative activity comes from a minimized application, the secure desktop request will also be minimized so as to prevent the focus from being lost. It is possible to disable Secure Desktop, though this is inadvisable from a security perspective.[9]
Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM)[3]. UAC attempts to alleviate this using File and Registry Virtualization, which redirects writes (and subsequent reads) to a per-user location within the user’s profile. For example, if an application attempts to write to “C:\program files\appname\settings.ini” and the user doesn’t have permissions to write to that directory, the write will get redirected to “C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\settings.ini”.
There are a number of configurable UAC settings. It is possible to:[10]
* Require administrators to re-enter their password for heightened security;
* Require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security;
* Disable Admin Approval Mode (UAC prompts for administrators) entirely;
Command Prompt windows that are running elevated will prefix the title of the window with the word "Administrator", so that a user can discern which instances are running with elevated privileges.[11]
A distinction is made between elevation requests from a signed executable and an unsigned executable; and if the former, whether the publisher is 'Windows Vista'. The color, icon, and wording of the prompts are different in each case; for example, attempting to convey a greater sense of warning if the executable is unsigned than if not.[12]
Internet Explorer 7's "Protected Mode" feature uses UAC to run with a 'low' integrity level (a Standard user token has an integrity level of 'medium'; an elevated (Administrator) token has an integrity level of 'high'). As such, it effectively runs in a sandbox, unable to write to most of the system (apart from the Temporary Internet Files folder) without elevating via UAC.[4][13] Since toolbars and ActiveX controls run within the Internet Explorer process, they will run with low privileges as well, and will be severely limited in what damage they can do to the system.[14]
Configuration
UAC can be configured via security settings (secpol.msc -> Local Policies -> Security Options), though this is only available for the Business and Ultimate editions. All configuration items are prefixed with “User Account Control”.
* 'Behaviour of the elevation prompt for administrators in admin approval mode'. Can be set to:
o 'Turn off UAC' (no prompt).
o 'Prompt for consent' (default).
o 'Prompt for credentials'.
* 'Behaviour of the elevation prompt for standard users'. This setting determines what happens if you run as a standard user and start a program that needs administrator rights (for the cases UAC can determine admin rights are required e.g. does not work for MMC snapins). Can be set to:
o 'No prompt: fail and do not start the program if it required admin rights'.
o 'Prompt for credentials' (default).
* 'Admin approval mode for the built-in administrator account'. This setting can be used to disable UAC for the built-in Administrator account (however, this account is disabled by default in Windows Vista). Can be set to 'Enable' (the default) or 'Disable'.
* 'Detect application installations and prompt for elevation'. Windows by default uses some heuristics to determine if an EXE is an installer (which most likely requires elevation). Can be set to 'Enable' (the default) or 'Disable'.
* 'Switch to the secure desktop when prompting for elevation'. Can be set to 'Enable' (the default) or 'Disable'.
* 'Only execute executables that are signed and validated'. If enabled an additional check is done after the elevation prompt. If the EXE is not signed the EXE will not be started. Can be set to 'Enable' or 'Disable' (the default).
* 'Virtualize file and registry write failures to per-user locations'. Can be set to 'Enable' (the default) or 'Disable'.
* 'Run all administrators in Admin Approval Mode'. To switch off UAC set this setting to disabled and reboot. All UAC behavior will be disabled, including file and registry virtualization. Can be set to 'Enable' (the default) or 'Disable'.
The other way to configure UAC is using tool called LEACfg. This is commandline tool and running this takes effect immediately and without a system restart. This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.
|
