UAC Explained
User Account Control (UAC) is a set of tools built into Windows Vista
that helps to protect your system. UAC uses the “least privileges” rule,
which states that all users and software run with the least privileges
possible at all times. Any time a user or software needs administrative
privileges, a consent prompt appears.
When a consent prompt appears, your screen is locked except for the
consent prompt. The purpose of the consent prompt is to notify you about
an administrative task being attempted. You have to OK the task or cancel
it for your screen to unlock. This feature is in place to make sure the
user knows when administrative tasks are being done.
In the world of scripting, UAC can sometimes cause great headaches when
you attempt to automate something and the user keeps getting prompted.
What Triggers UAC Consent Prompts
• Installing and uninstalling of: software, device drivers, ActiveX controls, Windows Updates
• Changing settings for: Windows Firewall, UAC
• Configuring Windows Update
• Adding or removing user accounts
• Changing user account type
• Configuring Parental Controls
• Running the Task Scheduler
• Restoring or backing up of system files
• Viewing or changing another user’s files and folders
• Software needing to run with administrative privileges (like WinBatch scripts that do administrative types of operations)
• Software, like WinBatch, that needs to perform system tasks (defragmenting your hard drive)
The Consent and Credential Prompts
With UAC enabled, Windows Vista either prompts for consent or for credentials
for a valid administrator account before launching a program or task that
requires a full administrator access token. This prompt ensures that no
malicious application can silently install.
The Consent Prompt
The consent prompt is presented when a user attempts to perform a task
that requires a user's administrative access token.
The Credential Prompt
The credential prompt is presented when a standard user attempts to
perform a task that requires a user's administrative access token. This
standard user default prompt behavior is configurable with the Security
Policy Manager snap-in (secpol.msc) and with Group Policy. Administrators
can also be required to provide their credentials by setting the "User
Account Control: Behavior of the elevation prompt for administrators in
Admin Approval Mode" value to "Prompt for credentials".
User Modes
In Windows Vista, there are two types of user accounts: standard user
accounts and administrator accounts. Standard users are equivalent to
the standard user account in previous versions of Windows. Standard users
have limited administrative privileges and user rights—they cannot install
or uninstall applications that install into %systemroot%, change system
settings, or perform other administrative tasks. However, standard users
can perform these tasks if they are able to provide valid administrative
credentials when prompted. With UAC enabled, members of the local Administrators
group run with the same access token as standard users. Only when a member
of the local Administrators group gives approval can a process use the
administrator’s full access token. This process is the basis of the principle
of Admin Approval Mode.
The following table lists some of the tasks a standard user can perform
and what tasks require elevation to an administrator account.
Standard Users | Administrators
Establish a Local Area Network connection | Install and uninstall applications
Establish and configure a wireless connection | Install a driver for a device (e.g. a digital camera driver)
Modify Display Settings | Install Windows updates
Users cannot defragment the hard drive, but a service does this on their behalf | Configure Parental Controls
Play CD/DVD media (configurable with Group Policy) | Install an ActiveX control
Burn CD/DVD media (configurable with Group Policy) | Open the Windows Firewall Control Panel
Change the desktop background for the current user | Change a user's account type
Open the Date and Time Control Panel and change the time zone | Modify UAC settings in the Security Policy Editor snap-in (secpol.msc)
Use Remote Desktop to connect to another computer | Configure Remote Desktop access
Change user's own account password | Add or remove a user account
Configure battery power options | Copy or move files into the Program Files or Windows directory
Configure Accessibility options | Schedule Automated Tasks
Restore user's backed-up files | Restore system backed-up files
Set up computer synchronization with a mobile device (smart phone, laptop, or PDA) | Configure Automatic Updates
Connect and configure a Bluetooth device | Browse to another user's directory
Application Launch Behavior
Whether an application can run and obtain a full administrator access
token at runtime is dependent on the combination of the application’s
requested execution level in the application compatibility database and
the privileges and user rights available to the user account that launched
the application. The following tables identify the possible run-time behavior
based on such possible combinations.
An Administrator in Admin Approval Mode
Parent Process Access Token | Consent Policy | None or asInvoker | highestAvailable | requireAdministrator
Standard user | No prompt | Application launches as a standard user | Application launches with a full administrative access token; no prompt | Application launches with a full administrative access token; no prompt
Standard user | Prompt for consent | Application launches as a standard user | Application launches with a full administrative access token; prompt for consent | Application launches with a full administrative access token; prompt for consent
Standard user | Prompt for credentials | Application launches as a standard user | Application launches with a full administrative access token; prompt for credentials | Application launches with a full administrative access token; prompt for credentials
Administrator (UAC is disabled) | NA | Application launches with a full administrative access token; no prompt | Application launches with a full administrative access token; no prompt | Application launches with a full administrative access token; no prompt
A Standard User Account
Parent Process Access Token | Consent Policy | None or asInvoker | highestAvailable | requireAdministrator
Standard user | No prompt | Application launches as a standard user | Application launches as a standard user | Application fails to launch
Standard user | Prompt for credentials | Application launches as a standard user | Application launches as a standard user | Prompt for administrator credentials before running application
Standard user (UAC is disabled) | NA | Application launches as a standard user | Application launches as a standard user | Application fails to launch
A Standard User with Additional Privileges (e.g. Backup Operator)
Parent Process Access Token | Consent Policy | None or asInvoker | highestAvailable | requireAdministrator
Standard user | No prompt | Application launches as a standard user | Application launches as a standard user | Application fails to launch
Standard user | Prompt for credentials | Application launches as a standard user | Application launches as a standard user | Prompt for administrator credentials before running application
Standard user (UAC is disabled) | NA | Application launches as a standard user | Application launches as a standard user | Application fails to launch
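The requested execution level used in the tables above can be read from a program's embedded manifest. The PowerShell below is an added example, not part of the original page or of WinBatch: it is a heuristic that scans a file for the manifest's requestedExecutionLevel element, and the function name and sample file are hypothetical. It does not see external .manifest files, UTF-16 manifests, or application compatibility database entries.

```powershell
# Added example: report the execution level an executable requests in its
# embedded manifest. The manifest is normally stored as plain XML text inside
# the file's resources, so a regex over the raw bytes finds it.
function Get-RequestedExecutionLevel {
    param([string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    # ISO-8859-1 maps every byte to one character, so binary data decodes safely.
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    $tag = [regex]::Match($text, '<(?:\w+:)?requestedExecutionLevel\b[^>]*>')
    if (-not $tag.Success) {
        # No marking found: the "None or asInvoker" column of the tables applies.
        return [pscustomobject]@{ Path = $full; Level = 'None'; UiAccess = $null }
    }
    $level = [regex]::Match($tag.Value, '\blevel\s*=\s*["'']([^"'']+)["'']').Groups[1].Value
    $ui    = [regex]::Match($tag.Value, '\buiAccess\s*=\s*["'']([^"'']+)["'']').Groups[1].Value
    [pscustomobject]@{ Path = $full; Level = $level; UiAccess = $ui }
}

# Constructed sample: a dummy file that holds only a manifest fragment.
$sample   = Join-Path ([System.IO.Path]::GetTempPath()) 'uac-manifest-sample.bin'
$manifest = '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>' +
            '<requestedPrivileges><requestedExecutionLevel ' +
            'level="requireAdministrator" uiAccess="false"/>' +
            '</requestedPrivileges></security></trustInfo>'
[System.IO.File]::WriteAllText($sample, $manifest)

Get-RequestedExecutionLevel -Path $sample   # Level: requireAdministrator
Remove-Item -LiteralPath $sample
```

Run over a folder of compiled EXEs, the output shows which programs will trigger a prompt (or fail to launch for a standard user) before they are deployed.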
The Application Compatibility Toolkit (ACT) is a Microsoft toolkit that
enables WinBatch developers to
determine whether their compiled EXEs are compatible with a new version
of the Microsoft® Windows® operating system. ACT also enables such individuals
to determine how an update to the new version will impact their applications.
Prior to Windows Vista, standard users often had the option of installing
applications. The key difference then was that, although administrators
could create Group Policy settings to limit application installations,
they could not limit application installations for standard users as a
default setting. In a UAC environment, they can, and administrators
can still use Group Policy to define an approved list of devices and deployment.
There are eight Group Policy object (GPO) settings that can be configured
for UAC. The following table lists the settings and their default
UAC Settings | Description | Default Value
User Account Control: Admin Approval Mode for the Built-in Administrator account
Description: There are two possible settings:
• Enabled - The built-in Administrator will be run as an administrator
in Admin Approval Mode.
• Disabled - The administrator runs with a full administrator access
token.
Default Value:
• Disabled for new installations and for upgrades where the built-in
Administrator is NOT the only local active administrator on the computer.
The built-in Administrator account is disabled by default for installations
and upgrades on domain-joined computers.
• Enabled for upgrades when Windows Vista determines that the built-in
Administrator account is the only active local administrator on the computer.
If Windows Vista determines this, the built-in Administrator account is
also kept enabled following the upgrade. The built-in Administrator account
is disabled by default for installations and upgrades on domain-joined
computers.
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Description: There are three possible values:
• No prompt – The elevation occurs automatically and silently. This
option allows an administrator in Admin Approval Mode to perform an operation
that requires elevation without consent or credentials. Note: this scenario
should only be used in the most constrained environments and is NOT recommended.
• Prompt for consent – An operation that requires a full administrator
access token will prompt the administrator in Admin Approval Mode to select
either Continue or Cancel. If the administrator clicks Continue, the operation
will continue with their highest available privilege.
• Prompt for credentials – An operation that requires a full administrator
access token will prompt an administrator in Admin Approval Mode to enter
an administrator user name and password. If the user enters valid credentials,
the operation will continue with the applicable privilege.
Default Value: Prompt for consent
User Account Control: Behavior of the elevation prompt for standard users
Description: There are two possible values:
• No prompt – No elevation prompt is presented and the user cannot perform
administrative tasks without using Run as administrator or by logging
on with an administrator account. Most enterprises running desktops as
standard user will configure the “No prompt” policy to reduce help desk
calls.
• Prompt for credentials – An operation that requires a full administrator
access token will prompt the user to enter an administrative user name
and password. If the user enters valid credentials, the operation will
continue with the applicable privilege.
Default Value: Enabled
User Account Control: Only elevate executables that are signed and validated
Description: There are two possible values:
• Enabled - Only signed executable files will run. This policy will
enforce PKI signature checks on any interactive application that requests
elevation. Enterprise administrators can control the administrative application
allowed list through the population of certificates in the local computer's
Trusted Publisher Store.
• Disabled - Both signed and unsigned code will be run.
Default Value: Disabled
User Account Control: Only elevate uiAccess applications that are installed in secure locations
Description: There are two possible values:
• Enabled - The system will only give uiAccess privileges and user rights to
executables that are launched from under %ProgramFiles% or %windir%. The ACLs
on these directories ensure that the executable is not user-modifiable (which
would otherwise allow elevation of privilege). uiAccess executables launched
from other locations will launch without additional privileges (i.e. they
will run "asInvoker").
• Disabled - The location checks are not done, so all uiAccess applications
will be launched with the user's full access token upon user approval.
Default Value: Enabled
User Account Control: Run all administrators in Admin Approval Mode
Description: There are two possible values:
• Enabled - Both administrators and standard users will be prompted
when attempting to perform administrative operations. The prompt style
is dependent on policy.
• Disabled - UAC is essentially "turned off" and the AIS service
is disabled from automatically starting. The Windows Security Center will
also notify the logged on user that the overall security of the operating
system has been reduced and will give the user the ability to self-enable
UAC.
Note: Changing this setting will require a system reboot.
Default Value: Enabled
User Account Control: Switch to the secure desktop when prompting for elevation
Description: There are two possible values:
• Enabled - Displays the UAC elevation prompt on the secure desktop.
The secure desktop can only receive messages from Windows processes, which
eliminates messages from malicious software.
• Disabled - The UAC elevation prompt is displayed on the interactive
(user) desktop.
Default Value: Enabled
User Account Control: Virtualize file and registry write failures to per-user locations
Description: There are two possible values:
• Enabled - This policy enables the redirection of pre-Windows Vista
application write failures to defined locations in both the registry and
file system. This feature mitigates those applications that historically
ran as administrator and wrote runtime application data back to %ProgramFiles%;
%Windir%; %Windir%\system32; or HKLM\Software\.... This setting should
be kept enabled in environments that utilize non-UAC compliant software.
Applications that lack an application compatibility database entry or
a requested execution level marking in the application manifest are not
UAC compliant.
• Disabled - Virtualization facilitates the running of pre-Windows Vista
(legacy) applications that historically failed to run as a standard user.
An administrator running only Windows Vista compliant applications may
choose to disable this feature as it is unnecessary. Non-UAC compliant
applications that attempt to write %ProgramFiles%; %Windir%; %Windir%\system32;
or HKLM\Software\.... will silently fail if this setting is disabled.
Default Value: Enabled
Configure the UAC Group Policy settings
You must be logged in as a member of the local Administrators group
to perform the procedure. You can also perform the procedure as a standard
user if you are able to provide valid credentials for an administrator
account at the User Account Control credential prompt.
To configure the UAC Group Policy settings:
1. Click Start, click Run, type secpol.msc, and then click OK.
2. In Security Settings, expand Local Policies, and then select Security Options.
3. In the details pane (the right pane), right-click the relevant UAC setting and select Properties.
4. Use the drop-down list box to choose the appropriate value for the setting.
Note: Modifying the User Account Control: Run all administrators in Admin
Approval Mode setting will require a computer restart before the setting
becomes effective. All other UAC Group Policy settings are dynamic and do
not require a reboot.
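To check what the settings above are actually set to on a machine, the PowerShell below reads the registry values that back them and flags the weakened states the table describes (UAC off, silent elevation, prompt on the interactive desktop, uiAccess location checks off). It is an added example, not part of the original page or of WinBatch; the registry value names are not given on the page, and the function and variable names are hypothetical.

```powershell
# Added example. Weak = the data matching a weakened state in the setting
# descriptions above; $null means the value is reported but never flagged.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacChecks = @(
    @{ Name = 'EnableLUA';                   Weak = 0;     Policy = 'Run all administrators in Admin Approval Mode' }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Weak = 0;     Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode' }
    @{ Name = 'PromptOnSecureDesktop';       Weak = 0;     Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Name = 'EnableSecureUIAPaths';        Weak = 0;     Policy = 'Only elevate uiAccess applications that are installed in secure locations' }
    @{ Name = 'ConsentPromptBehaviorUser';   Weak = $null; Policy = 'Behavior of the elevation prompt for standard users' }
    @{ Name = 'FilterAdministratorToken';    Weak = $null; Policy = 'Admin Approval Mode for the Built-in Administrator account' }
    @{ Name = 'ValidateAdminCodeSignatures'; Weak = $null; Policy = 'Only elevate executables that are signed and validated' }
    @{ Name = 'EnableVirtualization';        Weak = $null; Policy = 'Virtualize file and registry write failures to per-user locations' }
)

function Get-UacRegistryValues {
    # Collect only the values that are actually present under the policy key.
    $found = @{}
    $props = Get-ItemProperty -LiteralPath $UacKey
    foreach ($c in $UacChecks) {
        $p = $props.PSObject.Properties[$c.Name]
        if ($p) { $found[$c.Name] = $p.Value }
    }
    $found
}

function Test-UacPolicy {
    param([hashtable]$Values)   # registry value name -> data
    foreach ($c in $UacChecks) {
        $data = $Values[$c.Name]
        $status = if ($null -eq $data) { 'not set' } elseif ($null -ne $c.Weak -and $data -eq $c.Weak) { 'WEAKENED' } else { 'ok' }
        [pscustomobject]@{ Status = $status; Data = $data; Value = $c.Name; Policy = $c.Policy }
    }
}

# Constructed sample data: UAC switched off and silent elevation configured.
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 1; EnableVirtualization = 1 }
Test-UacPolicy -Values $sample | Format-Table -AutoSize

# On a live system, audit the real values instead:
# Test-UacPolicy -Values (Get-UacRegistryValues)
```

A value reported as "not set" means Windows applies its built-in default for that setting.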
Disabling UAC
Disabling the User Account Control: Run all administrators in Admin Approval
Mode setting turns UAC “off.” Files and folders are no longer virtualized
to per-user locations for non-UAC compliant applications and all local
administrators are automatically logged in with a full administrative
access token. Disabling this setting essentially causes Windows Vista
to revert to the Windows XP user model. While some non-UAC compliant applications
may recommend turning UAC off, it is not necessary to do so since Windows
Vista includes folder and registry virtualization for pre-Windows Vista
or non-UAC compliant applications by default. Turning UAC off opens your
computer to system-wide malware installs. If this setting is changed,
a system restart will be required in order for this change to go into
effect.
More Information on UAC
This is only a basic explanation of UAC. For more info on UAC:
Understanding and Configuring User Account Control