Will UAC Affect Your Application?
Whether or not User Account Control (UAC) will affect your application depends on the application's current state. In a number of cases, no changes will be necessary to comply with Microsoft Windows® Security requirements. However, some applications, including line of business (LOB) applications, may require changes to their install, function, and update processes to properly work in a Windows Vista® UAC environment.
If an application works well as standard user on Windows XP, then it will work well as a standard user on Windows Vista.
Why Do I Need to Remove My Application’s Administrative Dependencies?
One fundamental step toward increasing the security of the overall computing environment is to allow users to run without using their administrator access token. If an application only operates or installs when the user is an administrator, users are being forced to run applications with unnecessary elevated access. The fundamental problem is that, when users are always forced to run applications using elevated access tokens, deceptive or malicious code can easily modify the operating system, or worse, affect other users.
Microsoft’s goal is for customers to understand that applications should not unnecessarily run as an administrator and for users to question any time they are asked to approve an application’s request to run as an administrator. UAC is a fundamental component for helping to achieve this goal.
Reducing Your Application's Total Cost of Ownership
The standard user account is very attractive to information technology (IT) administrators interested in increasing security and control over their managed computers while reducing total cost of ownership (TCO). Because a standard user account cannot make system changes, it directly reduces TCO and gives better control over application installation and system-wide modifications. The standard user account is also attractive to home users, since many parents share a computer with their children. Microsoft Windows Vista includes integrated parental controls, which can only be implemented successfully by creating children's user accounts as standard users. Standard user accounts also cannot change or delete files created by other users. They cannot read files in other users’ profiles, infect system files, or alter system-shared executables, either accidentally or deliberately. Standard user accounts result in an overall improvement in computer security and parental controls.
Secure by Default
At Microsoft, the tenets of Microsoft's Trustworthy Computing Initiative have been ingrained into software development. Consequently, improved security has been an integral part of the Windows Vista development process.
The security pillar of Trustworthy Computing encompasses three fundamentals: secure by design, secure by default, and secure in deployment. How you and other independent software vendors (ISVs) develop your applications to contribute to the overall security of the operating system will be a key success factor for achieving Trustworthy Computing in Windows Vista.
The goal of the remainder of this guide is to help application developers learn how to do the following:
Write applications that do not require the user to be an administrator to perform routine tasks.
Create installation packages with Windows® Installer 4.0 UAC patching technologies that deploy well to the standard user desktop in enterprises and also update correctly in the home.
Identify standard user and administrative functionality and extrapolate administrative tasks for UAC compatibility.
Write application user interfaces that utilize the UAC functionality.
It is essential for the success of UAC that application developers embrace the philosophy of least-privilege and design their applications to function correctly when running with a standard user account.
One of the goals of the Windows Vista release is to evangelize and encourage the principle of designing for standard users and administrators in Admin Approval Mode to all developers. Achieving this goal will assist in the prevention of various attacks against individual applications and mitigate the possibility that such attacks will compromise the security of the system. Although these goals can be accomplished to some degree today by requiring administrators to use two accounts, they tend to fail for the following reasons:
It is nearly impossible to control a user that has a full administrator access token. Administrators can install applications and run any application or script that they wish. IT managers are always seeking ways to create "standard desktops" where users log on as standard users. Standard desktops greatly reduce help desk costs and reduce IT overhead.
There is substantial overhead when switching between accounts whenever the user wishes to perform an administrative operation.
After users perform administrative operations, they may forget to switch back to a standard user account, or they might decide that it is too much effort to switch back.
As a result, users may decide to always log on with their administrator accounts, thus defeating the security measures. To help mitigate this, UAC introduces the concept of Admin Approval Mode.
In the enterprise, Admin Approval Mode will be used as a bridge technology for migration to Windows Vista. Ideally, enterprises will run all users as standard users and disable the elevation prompt for standard users. This setup enables a managed standard desktop where installations are deployed with a software deployment technology, such as Microsoft Systems Management Server (SMS).
Microsoft still recommends that members of the Domain Admins group continue to maintain two separate user accounts in Windows Vista: a standard user account and a domain administrator user account. All domain administration should be done with the domain administrator account. To further enhance security, consider deploying a smart card (http://go.microsoft.com/fwlink/?LinkId=71505) solution in domain environments.
The following are Windows Vista design goals for Admin Approval Mode:
Eliminate the need for two separate accounts for users who are members of the administrators group: This goal is accomplished by running programs only with a standard user access token, unless the user provides approval to use the full administrator access token.
Protect processes running with a full administrator access token from being accessed or modified by processes running as a standard user.
Provide for a seamless transition between administrator and standard user workspaces.
Currently, many Windows applications must be run as an administrator but do not actually perform administrative operations. These applications are a byproduct of the Microsoft Windows® 9x operating system's philosophy: "everyone is an administrator."
The following are examples of problematic applications:
Applications that unnecessarily write to HKEY_LOCAL_MACHINE (HKLM) or to system files within the file system.
An ActiveX® installation to facilitate a LOB application with a Web interface.
Applications that unnecessarily request access to resources that require a full administrative access token.
The next section presents new technologies for Windows Vista that impact ISVs.
How Do I Determine If My Application Has Administrative Dependencies?
To assist developers, ISVs, and organizations in evaluating their applications, Microsoft provides the Microsoft Standard User Analyzer. The Standard User Analyzer can be used to help identify an application's non-UAC-compliant operations. Microsoft recommends that developers run this tool to identify issues with running the application under a standard user account. These tests should be performed even if the application already installs and runs properly under a standard user account on Windows XP. The application may perform operations, such as attempting to write to system registry locations, and make decisions based on the system’s behavior, such as looking for an error response. Windows Vista may behave differently than earlier versions of the Windows operating system due to the addition of new application compatibility support. Therefore, it is recommended that all applications be tested with the new version of the Standard User Analyzer, which can be downloaded from Microsoft (http://go.microsoft.com/fwlink/?LinkId=71359).
The Standard User Analyzer will record all administrative operations encountered by an application, including registry/file system access and elevated API calls. This data is stored in a log file and is displayed within the tool. The Standard User Analyzer identifies the following common dependencies, in addition to many others:
Dependency on objects that restrict the requested access to trusted users only.
For example, HKEY_LOCAL_MACHINE only grants KEY_WRITE to administrators and SYSTEM—an application that requests KEY_WRITE to HKEY_LOCAL_MACHINE will not work with UAC enabled.
Use of Windows privileges that have security ramifications, such as SE_DEBUG_PRIVILEGE, which allows the debugging of other users' processes and is granted only to administrators.
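The following PowerShell script is an added example and is not part of this guide or of the Standard User Analyzer. It performs a quick self-check for the three dependencies just described: whether the process holds the full administrator access token, whether HKEY_LOCAL_MACHINE can be opened for write (KEY_WRITE), and whether the token carries SeDebugPrivilege. It also shows the per-user alternative to writing under HKLM. The registry path ExampleVendor\ExampleApp and the function names are constructed placeholders; run the script from the standard user account your application will be used from.

```powershell
# Added example (not the guide's own code): self-check for common
# administrative dependencies, run from the account the application targets.

function Test-AdminDependencies {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # 1. Full administrator access token? In Admin Approval Mode a member of
    #    Administrators still gets False here until the user approves elevation,
    #    because the filtered token carries the Administrators SID as deny-only.
    $isElevated = $principal.IsInRole($adminRole)

    # 2. KEY_WRITE on HKLM is granted only to administrators and SYSTEM, so a
    #    standard user token gets an access-denied exception here.
    $canWriteHklm = $false
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($key) { $canWriteHklm = $true; $key.Close() }
    } catch [System.Security.SecurityException]     { $canWriteHklm = $false }
      catch [System.UnauthorizedAccessException]    { $canWriteHklm = $false }

    # 3. SeDebugPrivilege is present (enabled or disabled) only on an
    #    administrator token; 'whoami /priv' lists the token's privileges.
    $hasDebugPriv = whoami /priv | Select-String -Pattern 'SeDebugPrivilege' -Quiet

    [pscustomobject]@{
        User                = $identity.Name
        RunningElevated     = $isElevated
        CanWriteHKLM        = $canWriteHklm
        HasSeDebugPrivilege = [bool]$hasDebugPriv
    }
}

# Mitigation for per-user settings: store them under HKCU, which a standard
# user can always write, instead of under HKLM.
# 'ExampleVendor\ExampleApp' is a constructed placeholder path.
function Save-PerUserSetting {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Value)
    $path = 'HKCU:\Software\ExampleVendor\ExampleApp'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Name -Value $Value
}

Test-AdminDependencies | Format-List
Save-PerUserSetting -Name 'LastOpenedFile' -Value 'C:\Users\Public\example.txt'
```

A standard user, or an administrator in Admin Approval Mode before elevation, should see RunningElevated, CanWriteHKLM and HasSeDebugPrivilege all reported as False; if your application's own code paths depend on any of them being True, those are the administrative dependencies to remove or to isolate behind an explicit elevation request.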
What Are the Requirements If I Have a Legitimate Administrator Application?
For applications that, by design, perform legitimate administrative operations, Microsoft has implemented an extension to the trustInfo section of the current Windows XP application manifest schema. You can use these new attributes to indicate to the computer that you have a legitimate administrative application; Windows Vista will automatically ask the user for approval to launch the application with a full administrator access token. For information about how to extend the application manifest, see Step 6: Create and Embed an Application Manifest (UAC) within this document.
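As an added illustration that is not part of this guide, the following PowerShell script writes a manifest containing the trustInfo extension and embeds it into an executable with mt.exe, the Manifest Tool shipped with the Windows SDK. The application name ExampleVendor.ExampleApp and the file name MyApp.exe are constructed placeholders; the requestedExecutionLevel element and the asm.v2 trustInfo namespace are the ones Windows Vista recognizes.

```powershell
# Added example (not the guide's own code): create a UAC application manifest
# and embed it as resource #1 of the executable with mt.exe (Windows SDK).
# 'ExampleVendor.ExampleApp' and 'MyApp.exe' are constructed placeholders.

$manifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="ExampleVendor.ExampleApp" type="win32"/>
  <description>Example administrative application</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <!-- requireAdministrator: Windows Vista asks the user for approval and
             then launches the process with the full administrator access token.
             Applications that run correctly as a standard user should declare
             level="asInvoker" instead so that no elevation prompt appears. -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

Set-Content -Path .\MyApp.exe.manifest -Value $manifest -Encoding UTF8

# Embed the manifest; the ';#1' selects resource ID 1, which the loader reads.
# The argument is quoted so PowerShell does not treat '#' as a comment.
& mt.exe -manifest .\MyApp.exe.manifest "-outputresource:.\MyApp.exe;#1"
```

After embedding, launching MyApp.exe under UAC produces the consent (or credential) prompt before the process starts, which is the behavior the guide describes for a legitimate administrative application; an application without this element runs with the standard user token and its administrative operations fail.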