If you have not looked at Microsoft Vista yet, there is still a great chance that you have heard something about User Account Control (UAC) at some point. UAC is being tagged as one of the most important features that Vista is providing to help ensure a more secure environment for both home users and corporations. UAC is designed to help with the issue where typical users are required to be “administrators” on their local computer to run applications, perform routine operating system tasks, etc. If you have users that run as “administrators” on their own computer solely to perform routine tasks, but you don’t like that configuration, UAC might be for you. Here, I will explain what UAC is and what it is not.
History of UAC
UAC is not what Microsoft initially called this technology that helps protect computers. Initially, the technology was called LUA, which stands for Least Privilege User Access. LUA is defined as:
“(The Principle of Least Privilege) requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.”
This is quoted directly from the Department of Defense Trusted computer system Evaluation Criteria, (DOD-5200.28-STD), or the orange book. As you can see, the intent of LUA is very clear and desirable from a security perspective.
The problem is that LUA was not possible within Vista due to the roadmap that Microsoft laid out initially. Therefore, they changed the name of the technology to User Account Protection (UAP). UAP did not alter the technology, only the name differed. There were still parts of Vista that referred to LUA, even though the concept was known to not be achieved in the operating system.
Microsoft is notorious for changing acronyms for technologies during the Beta stages of the operating system, and LUA/UAP was no different. Soon after LUA was changed to UAP, it was again changed to User Account Control (UAC). UAC is now the name of the technology, and there appears to be no notion to change it.
Goals of UAC
UAC is being pushed by Microsoft as one technology in Vista that you can’t live without. In some circles it is being pushed as the end-all solution to the LUA bug. However, UAC does provide some distinct solutions that everyone should investigate, not withstanding the perception that is being put forth from Microsoft. The most important goals that UAC will tackle include:
Elevation prompt for administrators in Admin Approval Mode
When an administrator is running on a Vista computer, it is ideal to have them function as a standard user until a task needs to be completed that requires elevated privileges. Vista solves this with great ease by controlling this situation. When an administrator runs into a task that requires elevated privileges, a dialog box will be displayed, Figure 1, asking the user to approve the elevation to administrator status. This is an ideal solution and is a much better solution over the RunAs solution that has been used by some administrators since Windows 2000 Professional. The user in this situation won’t need to worry about configuring shortcuts or batch files to elevate their privileges, which are required for seamless RunAs solutions. Additionally, the user will rely on the operating system to determine if elevated privileges are required on the fly, which will save time and effort.
Figure 1: Dialog box for administrators running on Windows Vista
Elevation prompt for standard users
A long term problem for most companies is that standard users have been added to the local administrators group in order for routine operating system tasks and applications to run properly. Like the administrator's example listed above, it is desirable to have these standard users run without any administrative privileges, unless absolutely necessary. Vista will force standard users to run without elevated privileges until a task requires elevation. At this time, a dialog box will prompt them, Figure 2, to input the password of the local administrator account. Once the password is input the application or operating system feature will run.
Figure 2: Dialog box for standard users running on Windows Vista
Detect application installations and prompt for elevation
In a similar fashion to having applications and operating system features run, Vista and UAC will help control the installation of applications too. It is a known issue that users will install malicious and “bugged” applications without approval from the administrative staff. Vista prohibits this behavior by forcing users to run as a standard user, which won’t allow the installation of most applications. When a user does attempt to install an application requiring administrative privileges, a dialog box, Figure 3, will prompt them for credentials to elevate them to perform the task.
Figure 3: Dialog box for standard users trying to install applications in Windows Vista
Virtualize file and registry write failures to per-user locations
Not all applications are going to fit perfectly into the UAC compliant realm of applications and technology. What the virtualization within Vista will do is ensure that applications that are not UAC-compliant will still be able to run. This is best seen when a non-UAC-compliant application attempts to write to a protected directory on the computer, such as the System directory, the application will be forced to use its own virtualized view of the resource it is attempting to access. This virtualization is stored under the user’s profile, protecting it from the operating system and other users that might use the computer. If the application can run with full administrative access tokens, making them UAC-compliant, virtualization is not required.
Implementation of UAC
When you install Windows Vista, UAC is already enabled. Microsoft really wants everyone to use UAC, as it should increase the level of security on every computer greatly. However, it has been an issue so far, as the prompts are a little annoying and not everything is perfect yet. With a technology like UAC in a new OS like Vista, only time is going to tell whether or not the concepts will work in a production environment.
If you are considering UAC, which you should be, consider evaluating it on some computers with the most advanced users in your company. The standard user will get annoyed quickly and will get frustrated when things don’t work correctly or when they are constantly being prompted to run applications each day.
GPO settings of UAC
Like almost every setting in the Windows environment, UAC can be configured centrally using Group Policy. The Group Policy settings mimic all of the functions that you would want to control with UAC. The following Group Policy settings are available under Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options for controlling UAC:
- User Account Control: Admin Approval Mode for Built-in Administrator account
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- User Account Control: Behavior of the elevation prompt for standard users
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Only elevate executables that are signed and validated
- User Account Control: Run all administrators in Admin Approval Mode
- User Account Control: Switch to the secure desktop when prompting for elevation
- User Account Control: Virtualize file and registry write failures to per-user locations
Vista is being touted as one of the most security rich operating systems that Microsoft has ever released. They have spent years working on the internal features and functions, making sure that the entire environment is more secure. UAC is just one of the many features in Vista, but is one of the most important features. With the ability to have both administrators and standard users function as non-administrators for most activities is a big step in the right direction. The prompts for elevating the tasks can be annoying, but over time Microsoft is promising to reduce the prompts and hoping that everyone can get used to them. With UAC on by default and being configurable via Group Policy, it makes it a quick and easy solution to increase the security on most, if not all, of your desktops as soon as you roll-out Vista. I suggest you give it a try and be patient with it as it will increase security in your organization.