Configuring User Account Control
In versions of Windows prior to Vista, many users became frustrated with the inability to perform many common tasks and therefore ran their computers with an administrative user account, often the default Administrator account created when Windows was installed. These users received total system privileges as required for installing and configuring applications, modifying system configuration, running background system tasks, installing device drivers, and performing other system configuration actions. Such a practice left the computers open to many types of attacks by malware programs such as viruses, worms, rootkits, and others.
Administrators and technical support personnel in a corporate environment were often left in a dilemma. They could grant users administrative privileges, which can result in users changing settings, either accidentally or deliberately, that disrupted computer or network performance or compromised security. Or they could limit user privileges, which often limited productivity because users were unable to perform basic tasks such as connecting to a wireless network or installing a printer driver. Beginning with Windows Vista, Microsoft addressed this problem by introducing a new feature called User Account Control (UAC). Simply put, UAC requires users performing high-level tasks to confirm that they actually initiated the task. Members of the Administrators group are logged on with only normal user privileges and must approve administrative actions before such actions will run. Nonadministrative users must provide an administrative password. Providing administrative approval to run such tasks places the computer into Admin Approval Mode.
However, the implementation of UAC in Windows Vista generated large numbers of system prompts, even for such tasks as moving, renaming, or deleting files created or modified by a different user. I frequently experienced this problem in working with my extensive collection of photographic images, many of which had been originally copied onto an older computer running Windows XP. These annoying prompts contributed to the overall low consumer satisfaction of Vista and led many people to disable UAC completely, thereby negating its advantages. Microsoft has improved UAC in Windows 7, making it more user-friendly and less annoying while still providing protection against undesirable activities (such as installing unwanted software, unwittingly installing malware, and so on). You can now configure UAC to manage the extent of prompts provided, as will be discussed in the sections to come.
For additional information on UAC improvements in Windows 7, refer to "What's New in User Account Control" at http://technet.microsoft.com/en-us/library/dd446675(WS.10).aspx.
Features of User Account Control
UAC requests approval before running administrative tasks on the computer. UAC redefines what a standard user is permitted to do. Such a user can perform many basic functions that pose no security risk; these functions previously required a user to have administrative privileges. In addition, UAC facilitates the act of providing administrative credentials when users need to perform higher-level tasks, such as installing an application or configuring system settings. Furthermore, UAC makes administrative accounts safer by limiting the types of tasks that can be performed without users providing additional consent. UAC still requests consent before allowing users to perform tasks that require higher privileges, such as system tasks.
Under UAC, all users (administrative or not) can perform the following tasks without supplying administrative credentials:
- Viewing the system clock and calendar and configuring the time zone (but users cannot change the system time)
- Modifying power management settings
- Installing printers and hardware devices that an administrator has allowed using Group Policy
- Interfacing portable devices (such as Bluetooth) with the computer
- Using Wired Equivalent Privacy (WEP) to connect to approved wireless networks
- Creating and configuring approved virtual private network (VPN) connections
- Installing ActiveX controls from sites that an administrator has approved
- Installing critical updates from Windows Update
The tasks summarized here are similar to those granted to members of the Power Users group in Windows versions prior to Vista. Windows 7 includes the Power Users group solely for backward compatibility purposes. You do not need to add users to this group to perform these functions. Add users to this group only if required for running noncertified or legacy applications. To grant this group all the privileges provided in Windows XP, you must apply a default security template that modifies default permissions on system folders and the Registry.
When authenticating a member of the Administrators group, Windows 7 issues two access tokens:
- A full administrator token:
The administrator token is used only when administrative privileges are required.
- A standard user token:
The standard token is used for all actions that do not require administrative privileges.
Windows 7 also marks tasks and programs as belonging to one of two integrity levels, which are implied levels of trust in these actions:
- Low integrity:
A task or application (such as a web browser, email, or word processing program) that is less likely to compromise the operating system.
- High integrity:
An action that performs tasks (such as installing applications) that have a higher potential for compromising the system. Applications running at low integrity levels cannot modify data in applications using a higher integrity level.
Windows 7 informs you when a task requires elevated (administrative) privileges by displaying shield icons such as those that appear in the left column of the System applet. On selecting one of these tasks, you receive a UAC prompt. Click Yes to proceed with the task or No to cancel it. When you selected one of these tasks on a Windows Vista computer, the screen dimmed and a UAC prompt (also known as an elevation prompt) displayed. When you accepted the prompt, the administrative access token granted you elevated privileges, enabling you to perform the task you have selected. In Windows 7, this behavior depends on the UAC setting you've specified (as you will learn later in this section). The default setting enables administrators to perform most of the actions marked with shield icons without receiving UAC prompts; they receive prompts for performing tasks such as installing programs or running the Registry Editor or other programs that have a high potential for producing damaging effects.
The dimmed screen indicates that the UAC prompt is running in secure desktop mode (such as when the Ctrl+Alt+Delete prompt appears when logging on to a domain-based computer). This means that you must either approve or cancel the UAC prompt before you can continue performing any other task on the computer.
A user who is not a member of the Administrators group receives only the standard user token when access is authenticated. Such a user receives the UAC prompt, which requires that a password for an Administrator user account be entered. By default in Windows 7, a nonadministrative user receives this prompt for any action marked by a shield icon.
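The two-token model described above can be observed from inside a session. The following PowerShell function is an added example, not code from the book: a member of the Administrators group who opens an ordinary PowerShell window holds the filtered standard user token, so the built-in Administrator role check returns False and the token carries a Medium integrity label; the same user after choosing Run as administrator holds the full administrator token, the check returns True, and the label is High. The integrity label is read from the S-1-16-* label SID that `whoami /groups` lists; the RID-to-name table (4096 Low, 8192 Medium, 12288 High, 16384 System) is taken from Windows documentation rather than from this page.

```powershell
# Added example (not from the book): report which of the two UAC tokens the
# current PowerShell session holds and at which integrity level it runs.
function Get-TokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators group is enabled on the process token,
    # i.e. the process was elevated. A member of Administrators running in a
    # non-elevated console gets False here because the group is filtered out.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups prints the token's integrity label as a SID S-1-16-<RID>.
    # The RID is locale-independent; the display name ("High Mandatory Level") is not.
    $labelNames = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
    $match = whoami /groups | Select-String -Pattern 'S-1-16-(\d+)' | Select-Object -First 1
    $integrity = 'Unknown'
    if ($match) {
        $rid = [int]$match.Matches[0].Groups[1].Value
        if ($labelNames.ContainsKey($rid)) { $integrity = $labelNames[$rid] }
    }

    if ($isElevated) { $token = 'full administrator token' } else { $token = 'standard user token' }

    [PSCustomObject]@{
        User       = $identity.Name
        IsElevated = $isElevated
        Integrity  = $integrity
        Token      = $token
    }
}

# Usage: run once in a normal console and once in an elevated one and compare
Get-TokenState
```

Scripts that gate administrative work on "is the user in Administrators" rather than on the elevated token are the usual source of confusion here: the group membership check succeeds in both consoles, but only the elevated one can actually write to protected locations. Requires Windows PowerShell 3.0 or later for the `[PSCustomObject]` syntax.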
When you receive a UAC prompt, always ensure that the action that launches the prompt is the one you want to perform. This is especially true if a UAC prompt appears unexpectedly, which could indicate a malware program attempting to run. Should this happen, click No and the program cannot run. You should then scan your computer with one or more malware detection programs.
If a background application that is minimized to the taskbar requires elevated privileges, the UAC prompt appears on the taskbar and blinks to draw attention. An example of where this would happen is in the downloading of an application from the Internet. When the download completes and approval for installation is required, the user can click the prompt to approve it. This enables the user to continue performing other tasks, such as reading email, while the download is underway; the user can continue with these tasks without being interrupted by the dimming of her screen and a UAC prompt displaying onscreen.
UAC causes some third-party applications to display prompts when you attempt to run them. This helps to secure your computer because the prompt informs you of the program that is attempting to run so that you can verify that it is a program you really want to run. Click Yes to run the program or No to exit. The type of shield icon depends on the security risk involved in running the program:
- High-risk blocked program:
Windows displays a message box with a red title bar and red shield stating This program has been blocked for your protection. Such a program comes from a blocked publisher and cannot be run under any circumstances.
- Program signed by Windows:
The UAC prompt includes a blue title bar and blue and yellow shield for an administrative user. Click Yes to run the program. For a nonadministrative user, a credential prompt is shown. Provide an administrative password to run the program.
- Unsigned program from a verified publisher:
When running with an administrative account, a program with a legitimate digital signature that includes its name and publisher will display a prompt. Click Yes to run the program. A nonadministrative user will receive a prompt that asks for an administrative password.
- Unsigned program from a nonverified publisher:
If the third-party program does not have a digital signature that includes its name and publisher, the prompt that appears is a stronger caution. It uses a yellow title bar and yellow shield. Click Yes to run the program. Again, a nonadministrative user will receive a prompt that asks for an administrative password.
For more information on the various prompts that UAC can issue in Windows 7, refer to "UAC Processes and Interactions" at http://technet.microsoft.com/en-us/library/dd835561(WS.10).aspx.
Running Programs with Elevated Privileges
Microsoft has provided several means of configuring applications and tasks to run with elevated privileges. Use the following procedure to perform a task with elevated privileges:
- Start the program or task displayed with a shield icon. The display dims and the UAC prompt appears.
- Verify that the UAC prompt is requesting privileges for the task you're attempting to run (remember, some malware can deceive you here, so make certain the correct program or task is described in this prompt). If desired, click Show details for more information on the task.
- If this is indeed the correct program or task, click Yes to start the task or application.
You can also mark an application to always run with elevated privileges. This situation might occur if the application developer has coded the program to access protected folders such as the %ProgramFiles% or %Systemroot% folders or requires access to the Registry. You can also configure a program to request administrative privileges from its shortcut properties. When you do this, the program always displays a UAC prompt when started from its shortcut. Use the following procedure to mark an application to always run with elevated privileges:
- Ensure that you are logged on to the computer as a member of the local Administrators group.
- If necessary, drag a shortcut to the desktop.
- Right-click the shortcut and choose Properties.
- On the Shortcut tab, click the Advanced button.
- On the Advanced Properties dialog box shown, select the Run as administrator check box and then click OK.
- Click OK to close the shortcut Properties dialog box.
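Selecting the Run as administrator check box is stored inside the .lnk file itself, so an administrator can inventory which shortcuts on a machine will always raise a UAC prompt. The following PowerShell is an added example, not code from the book: it reads each shortcut's Shell Link header, where the LinkFlags field occupies the four bytes at offset 0x14 and the RunAsUser flag is bit 0x2000, which lands as 0x20 in the byte at offset 0x15 (from the MS-SHLLINK file format documentation, not from this page). The function name and the folders scanned are this example's own choices.

```powershell
# Added example (not from the book): list .lnk shortcuts under the given folders
# and report whether each one has "Run as administrator" (RunAsUser) set.
function Get-RunAsAdminShortcut {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Path   # folders to scan
    )
    foreach ($folder in $Path) {
        Get-ChildItem -Path $folder -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            # A valid shell link begins with its header size, 0x4C; skip anything else
            if ($bytes.Length -lt 0x4C -or $bytes[0] -ne 0x4C) { return }
            # LinkFlags is little-endian at 0x14..0x17; bit 0x2000 (RunAsUser)
            # is bit 0x20 of the second byte, offset 0x15
            $runAs = ($bytes[0x15] -band 0x20) -ne 0
            [PSCustomObject]@{
                Shortcut      = $_.FullName
                RunAsAdmin    = $runAs
                LastWriteTime = $_.LastWriteTime
            }
        }
    }
}

# Usage: show only the shortcuts that will trigger a UAC prompt on every launch
Get-RunAsAdminShortcut -Path "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop" |
    Where-Object { $_.RunAsAdmin } | Format-Table -AutoSize
```

Reading the raw bytes avoids loading the shortcut through the shell, which is also why the check works from a non-elevated session. Comparing LastWriteTime against a known-good baseline is a cheap way to notice that a shortcut's elevation flag was changed after the image was deployed.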
If you are logged on using the default Administrator account created when you installed Windows 7, you do not receive any UAC prompts. Do not use this account except under emergency conditions. Best practices recommend that this account remain disabled; it is disabled by default in Windows 7.
Configuring User Account Control
In Windows 7, as already mentioned, you can configure several levels of UAC that determine whether prompts are displayed and how they appear on the screen. Click Start → Control Panel → System and Security and then select Change User Account Control settings under Action Center. Alternatively, you can type User Account Control into the Start menu Search field and then select this option from the search list. The User Account Control Settings dialog box appears. Select from the following options, click OK, and then accept the UAC prompt that appears:
- Always notify me when:
Windows displays a UAC prompt whenever you make changes to Windows settings or programs try to install software or make changes to your computer. This behavior is similar to that of Vista.
- Default-Notify me only when programs try to make changes to my computer:
The default setting in Windows 7, this setting does not prompt you when you make changes to Windows settings. You are prompted on the secure desktop (that is, the desktop dims) when you perform higher-level actions, such as installing programs or accessing the Registry Editor.
- Notify me only when programs try to make changes to my computer (do not dim my desktop):
Similar to the default setting, except that the desktop does not dim when a UAC prompt appears. With this setting, you can ignore the UAC prompt and continue performing tasks other than the task that is requesting approval.
- Never notify me:
Disables UAC completely. This setting is not recommended; you should use it only when absolutely necessary to run a program that displays the red shield icon mentioned earlier in this section.
User Account Control Policies
Microsoft has provided a series of policies in Windows 7 Group Policy that govern the behavior of UAC. These policies are available from the Group Policy Management Editor snap-in or from the Local Security Policy snap-in (available by typing Local Security from the Start menu Search field and then selecting the program from the list that appears). Use the following procedure to configure UAC policies:
- Click Start, type gpedit.msc in the Search field, and then press Enter.
- Navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node.
- Scroll to the bottom of the policy list to view and configure the available policies.
- To configure a policy, right-click it and choose Properties. Choose Enabled or Disabled as required and click OK. Two of the policies offer options from a drop-down list. You can also click the Explain tab for further information on each policy.
- When finished, click OK.
You can use this procedure to configure the following UAC policies:
- Admin Approval Mode for the Built-in Administrator:
Governs the behavior of the built-in Administrator account. When enabled, this account displays the UAC prompt for all actions requiring elevated privileges. When disabled, this account runs all actions with full administrative privileges. This policy is disabled by default.
- Allow UIAccess applications to prompt for elevation without using the secure desktop:
Determines whether User Interface Accessibility (UIAccess) programs can automatically disable the secure desktop with a standard user. When enabled, these programs (such as Remote Assistance) automatically disable the secure desktop for elevation prompts. When disabled, the application runs with UIAccess integrity regardless of its location in the file system. Note that UIAccess application programs and accessibility tools are used by developers to push input to higher desktop windows that require the uiAccess flag to be equal to true (that is, uiAccess=true). Also, the application program that wants to receive the uiAccess privilege must reside on the hard drive in a trusted location and be digitally signed. This policy is disabled by default.
- Behavior of the elevation prompt for administrators in Admin Approval Mode:
Determines the behavior of the UAC prompt for administrative users. This policy has the following options:
- Prompt for consent for non-Windows binaries:
Prompts a user on the secure desktop to select either Permit or Deny when a non-Microsoft program needs elevated privileges. Select Permit to run the action with the highest possible privileges. This option is the default setting.
- Prompt for consent:
Prompts a user to select either Permit or Deny when an action runs that requires elevated privileges. Select Permit to run the action with the highest possible privileges.
- Prompt for credentials:
Prompts for an administrative username and password when an action requires administrative privileges but does not display the secure desktop. When selected, administrative users receive the same credential prompt that nonadministrative users receive.
- Prompt for consent on the secure desktop:
Prompts a user to select either Permit or Deny on the secure desktop when an action runs that requires elevated privileges. Select Permit to run the action with the highest possible privileges.
- Prompt for credentials on the secure desktop:
Prompts for an administrative username and password on the secure desktop when an action requires administrative privileges. When selected, administrative users receive the same credential prompt that nonadministrative users receive.
- Elevate without prompting:
Enables the administrator to perform the action without consent or credentials. In other words, the administrator receives Admin Approval Mode automatically. This setting is not recommended for normal environments.
- Behavior of the elevation prompt for standard users:
Determines the behavior of the UAC prompt for nonadministrative users. This policy has the following options:
- Prompt for credentials:
Displays a prompt to enter an administrative username and password when a standard user attempts to run an action that requires elevated privileges. This option is the default setting.
- Prompt for credentials on the secure desktop:
Displays a prompt on the secure desktop to enter an administrative username and password when a standard user attempts to run an action that requires elevated privileges.
- Automatically deny elevation requests:
Displays an Access is Denied message when a standard user attempts to run an action that requires elevated privileges.
- Detect application installations and prompt for elevation:
When enabled, displays a UAC prompt when a user installs an application package that requires elevated privileges. When disabled, domain-based Group Policy or other enterprise-level technologies govern application installation behavior. This option is enabled by default in an enterprise setting and disabled by default in a home setting.
- Only elevate executables that are signed and validated:
When enabled, performs public key infrastructure (PKI) signature checks on executable programs that require elevated privileges before they are permitted to run. When disabled, no PKI checks are performed. This option is disabled by default.
- Only elevate UIAccess applications that are installed in secure locations:
When enabled, runs applications with UIAccess integrity only if situated in a secure location within the file system such as %ProgramFiles% or %Windir%. When disabled, the application runs with UIAccess integrity regardless of its location in the file system. This option is disabled by default.
- Run all administrators in Admin Approval Mode:
When enabled, enforces Admin Approval Mode and other UAC policies. When disabled, all UAC policies are disabled and no UAC prompts are displayed. In addition, the Windows Security Center notifies the user when disabled and offers the option to enable UAC. This option is enabled by default.
- Switch to the secure desktop when prompting for elevation:
When enabled, displays the secure desktop when a UAC prompt appears. When disabled, the UAC prompt remains on the interactive user's desktop. This option is enabled by default.
- Virtualize file and registry write failures to per user locations:
When enabled, redirects the writes that pre-Windows 7 applications attempt to protected locations such as %ProgramFiles%, %Windir%, or %Systemroot% (and the corresponding protected Registry keys) to defined per-user locations in the file system and Registry instead of letting them fail. When disabled, applications that write to protected locations fail, as was the case in previous Windows versions. This option is enabled by default.
Caution: If you disable the Run all administrators in Admin Approval Mode policy setting, you disable UAC completely and no prompts will appear for actions requiring elevated privileges. This leaves your computer wide open for attack by malicious software. Do not disable this setting at any time!
If you do disable this setting, note that the Windows Action Center will display a message from the notification area.
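The slider in the User Account Control Settings dialog box and the Security Options policies listed above write the same set of registry values, so one script can report both the effective slider position and the individual policy states, including the "Run all administrators in Admin Approval Mode" setting that the caution above warns against disabling. The following PowerShell is an added example, not code from the book: it reads HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which standard users can read without elevation, and decodes the values. The value names (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop, EnableUIADesktopToggle, FilterAdministratorToken, EnableInstallerDetection, ValidateAdminCodeSignatures, EnableVirtualization) and the numeric codes for the prompt behaviors come from Microsoft's UAC policy documentation and are not given on this page; the slider inference and the list of flagged conditions are this example's own.

```powershell
# Added example (not from the book): decode the registry values behind the UAC
# slider and the UAC Security Options policies, and flag weak configurations.
function Get-UacAudit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key   # readable without elevation

    # Codes documented by Microsoft for the two "Behavior of the elevation prompt" policies
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    function Describe($table, $value) {
        if ($null -eq $value) { return 'not set (OS default applies)' }
        if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
        return "unknown code $value"
    }

    # Infer the Control Panel slider position from the values the slider writes
    if ($p.EnableLUA -eq 0 -or $p.ConsentPromptBehaviorAdmin -eq 0) {
        $slider = 'Never notify me'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1) {
        $slider = 'Always notify me'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 5 -and $p.PromptOnSecureDesktop -eq 1) {
        $slider = 'Default - Notify me only when programs try to make changes to my computer'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 5 -and $p.PromptOnSecureDesktop -eq 0) {
        $slider = 'Notify me only when programs try to make changes (do not dim my desktop)'
    } else {
        $slider = 'Custom (set through policy rather than the slider)'
    }

    # Conditions a reviewer would want called out explicitly
    $findings = @()
    if ($p.EnableLUA -eq 0) { $findings += 'UAC is disabled: Run all administrators in Admin Approval Mode is Disabled' }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Administrators elevate without any prompt' }
    if ($p.PromptOnSecureDesktop -eq 0) { $findings += 'Elevation prompts are not isolated on the secure desktop' }
    if ($p.EnableUIADesktopToggle -eq 1) { $findings += 'UIAccess applications may turn off the secure desktop' }

    # The built-in Administrator (RID 500) gets no UAC prompts unless the
    # "Admin Approval Mode for the Built-in Administrator" policy is enabled
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if ($builtin -and -not $builtin.Disabled -and $p.FilterAdministratorToken -ne 1) {
        $findings += "Built-in Administrator '$($builtin.Name)' is enabled and runs outside Admin Approval Mode"
    }

    [PSCustomObject]@{
        SliderLevel        = $slider
        AdminPrompt        = Describe $adminPrompt $p.ConsentPromptBehaviorAdmin
        StandardUserPrompt = Describe $userPrompt $p.ConsentPromptBehaviorUser
        InstallerDetection = ($p.EnableInstallerDetection -eq 1)
        SignatureCheck     = ($p.ValidateAdminCodeSignatures -eq 1)
        Virtualization     = ($p.EnableVirtualization -eq 1)
        Findings           = $findings
    }
}

# Usage: run on a workstation, or remotely through Invoke-Command, and review Findings
Get-UacAudit | Format-List
```

Because the report is built from the registry rather than from the dialog box, it also catches the "Custom" case where Group Policy has set a combination the slider cannot express, which is exactly the case a help-desk screenshot of the slider would miss. The `Get-WmiObject` call is Windows PowerShell only; on PowerShell 7 substitute `Get-CimInstance` with the same class and filter.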
For information on problems you might encounter with UAC in Windows 7 and Windows Server 2008 R2, consult the links referenced in "User Account Control Troubleshooting Guide" at http://technet.microsoft.com/en-ca/library/ee844169(WS.10).aspx?ITPID=insider.