Getting Started with User Account Control in Windows Vista Beta 2

Microsoft Corporation

May 2006

Summary: This white paper is intended as a quick-start guide for User Account Control (UAC) on Windows Vista Beta 2. This document contains basic UAC configuration and background information. (21 printed pages)

Contents

Introduction
User Account Control Overview
Making Applications that Work for Standard Users
Windows Vista Beta 2 Updates
UAC User Experience
How to Configure UAC for Your Computer
Known Issues and Resolutions
Providing Feedback
Resources

Introduction

This guide is intended for Windows Vista Beta 2 and UAC deployments in lab environments. This guide provides user experience and configuration data for both managed and unmanaged environments, as well as information about UAC updates included in Windows Vista Beta 2.

User Account Control Overview

User Account Control (UAC) is a new security component of the Windows Vista operating system. UAC enables users to perform common tasks as non-administrators (called “standard users” in Windows Vista) and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.

When an administrator logs on to a Windows Vista Beta 2 computer, the user is assigned two separate access tokens. Access tokens, which contain a user’s group membership and authorization and access control data, are used by Windows to control what resources and tasks the user can access. Before Windows Vista, an administrator account received one access token, which included data to grant the user access to all Windows resources. This access control model did not include any fail-safe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malware—the overarching term for malicious software—could install on users’ computers without notifying them. This process is commonly referred to as “silent” installation. Because the user is an administrator, the malware could use the administrator’s access control data to infect core operating system files and, in some instances, to become nearly impossible to remove.

The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users by default cannot perform these tasks and can only install per-user software.

To help prevent malware silent installation and computer-wide infection, Microsoft developed the UAC feature for Windows Vista. Unlike previous versions of Windows, when an administrator logs on to a Windows Vista computer, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed or disabled, resulting in a standard user access token. The standard user access token is then used to launch the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well. Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to launch the desktop.

After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task. Because the user experience is configurable with the Security Policy Manager snap-in (secpol.msc) and with Group Policy, there is no single UAC user experience. More information about the administrator and standard user experience is available later in this document.

Making Applications that Work for Standard Users

A major effort is currently underway to help Microsoft and independent software vendors (ISVs) redesign their applications to limit requests for a user’s administrative access token. The revised application development message is: only require the user to be an administrator when it is absolutely necessary.

In the past, developers have often performed an access check to ensure the user is an administrator when the application is initially launched. Many of these applications, however, do not have functions that actually require the user to be an administrator.

Some programs, however, will always require an administrator access token. Disk partitioning software is such an example. Programs that do require the user to be an administrator can be launched in Windows Vista with the user’s full administrator access token; however, the user is first notified of the application’s request to “elevate” the user from an administrator in Admin Approval Mode to a full administrator, and the user must choose to either approve or deny the elevation.

Note   The UAC functionality by default does not apply to the built-in Administrator account but can be configured to apply. In most cases, this account runs all applications and administrative tools as an administrator without being prompted for consent. The desktop is also launched as an administrator.

Windows Vista Beta 2 Updates

UAC Is Enabled by Default

While the User Account Control component was not turned on by default in Windows Vista Beta 1, it is enabled by default in Windows Vista Beta 2. As a result, you may encounter some compatibility problems with different applications that have not yet been updated for the Windows Vista UAC component.

All Subsequent User Accounts are Created as Standard Users

Both standard user accounts and administrator user accounts can take advantage of the UAC enhanced security. On new installations, by default, the first user account created is a local administrator account in Admin Approval Mode (UAC enabled). All subsequent accounts are then created as standard users.

Built-in Administrator Account Is Disabled by Default on New Installations

The built-in Administrator account is disabled by default in Windows Vista Beta 2. If Windows Vista determines during an upgrade from Windows XP that the built-in Administrator is the only active local administrator account, Windows Vista leaves the account enabled and places the account in Admin Approval Mode.

Elevation Prompts are Displayed on the Secure Desktop by Default

The consent and credential prompts are displayed on the secure desktop by default in Windows Vista Beta 2.

New UAC Security Settings and Security Setting Name Changes

The new security settings and security setting name updates are detailed in Understanding and Configuring User Account Control in Windows Vista (https://www.microsoft.com/technet/WindowsVista/library/00d04415-2b2f-422c-b70e-b18ff918c281.mspx).

UAC Name Update

UAC was previously referred to as User Account Protection (UAP) in Windows Vista Beta 1.

UAC User Experience

The user experience differs for standard users and administrators in Admin Approval Mode when UAC is enabled. The following sections detail those differences and explain the design of the UAC user interface.

With UAC enabled, Windows Vista either prompts for consent or for credentials for a valid administrator account before launching a program or task that requires a full administrator access token. This prompt helps to prevent the silent installation of malware.

The consent prompt is presented when an administrator attempts to perform a task that requires the user’s full administrative access token. This default prompting behavior for administrators is configurable with the local Security Policy Editor snap-in (secpol.msc) and with Group Policy. The following (Figure 1) is a screenshot of the User Account Control consent prompt.

Figure 1. User Account Control Consent Prompt (screenshot not reproduced)

The following example shows how an administrator in Admin Approval Mode is prompted for consent when attempting to perform an administrative task.

To view the consent prompt:

  1. Log on to a Windows Vista computer with an administrator account in Admin Approval Mode.
  2. Click the Start button, right-click My Computer, and select Manage from the menu.
  3. At the User Account Control consent prompt, click Continue.

The Credential Prompt

The credential prompt is presented when a standard user attempts to perform a task that requires a user’s administrative access token. This standard user default prompt behavior is configurable with the Security Policy Manager snap-in (secpol.msc) and with Group Policy. Administrators can also be required to provide their credentials by setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode value to Prompt for credentials.

The following (Figure 2) is an example of the User Account Control credential prompt.

Figure 2. User Account Control Credential Prompt (screenshot not reproduced)

The following example illustrates how a standard user is prompted for credentials when attempting to perform an administrative task.

To view the credential prompt:

  1. Log on to a Windows Vista computer with a standard user account.
  2. Click the Start button, right-click My Computer, and select Manage from the menu.
  3. In the User Account Control credential prompt, click the username for the appropriate administrator, then enter the password for that user account and click Submit.

Application Aware Elevation Prompts

The UAC elevation prompts are color-coded to be application-specific, enabling immediate identification of an application’s potential security risk. When an application attempts to run with an administrator’s full access token, Windows Vista first analyzes the executable to determine its publisher. Applications are first separated into three categories based on the executable’s publisher: Windows Vista, publisher verified (signed), and publisher not verified (unsigned). The following diagram (Figure 3) illustrates how Windows Vista determines which color elevation prompt to present to the user.

Figure 3. Application Aware Elevation Prompts (diagram not reproduced)

The following details the elevation prompt color-coding:

  • Red background and red shield icon: The application is from a blocked publisher or is blocked by Group Policy.
  • Blue/green background: The application is a Windows Vista administrative application, such as a control panel.
  • Gray background and gold shield icon: The application is Authenticode signed and trusted by the local computer.
  • Yellow background and red shield icon: The application is unsigned or signed but not yet trusted by the local computer.

The color-coded elevation prompts align with the color-coded dialog boxes in Microsoft Internet Explorer.

The Shield Icon

Some control panels, such as the Date and Time Properties control panel, contain a mix of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following (Figure 4) is a screenshot of the Date and Time Properties Control Panel.

Figure 4. Date and Time Properties (screenshot not reproduced)

When a user needs to modify the time, the user clicks the Shield icon button. The Shield icon indicates to the system to use a full administrator access token, which requires a User Account Control elevation prompt.

Installing and Running a Program with UAC Enabled

Since installing some applications on a system requires an administrator access token, a mechanism is in place within the Windows Vista operating system to automatically detect the launch of a setup installer. When an application setup is detected, UAC displays an elevation prompt for the user to validate the installation process. Following installation, the application will not require the user to provide consent or credentials, unless it is an administrative application.

You can control what kind of user input the prompt requires by configuring a new security policy setting introduced in Windows Vista. The setting is located in the Security Policy Manager Microsoft Management Console (MMC) snap-in under the path: Local Security Settings->Local Policies->Security Options.

You can configure the behavior of the elevation prompt separately for administrators and standard users. The following procedure details how to adjust the UAC prompting behavior for administrators in Admin Approval Mode. This task can be performed by standard users and administrators, but the following procedure details the process for an administrator in Admin Approval Mode.

To configure the UAC prompting behavior for administrators:

  1. Log on to a Windows Vista computer with an administrator account in Admin Approval Mode.
  2. Click the Start button, click Run, type secpol.msc, and then click OK.
  3. In Local Security Settings, expand Local Security Settings, expand Local Policies, and then expand Security Options.
  4. Right-click the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting and select Properties.

Note   For most situations, the No Prompt setting is not recommended. Silent elevation would permit applications to launch administrator applications without your knowledge or consent.

The following procedure details how to configure the User Account Control: Behavior of the elevation prompt for standard users setting. This task can be performed by standard users and administrators, but the following procedure details the process for an administrator in Admin Approval Mode.

To configure the UAC prompting behavior for standard users:

  1. Click the Start button, click Run, type secpol.msc, and then click OK.
  2. In Local Security Settings, expand Local Security Settings, expand Local Policies, and then expand Security Options.
  3. Right-click the User Account Control: Behavior of the elevation prompt for standard users setting and select Properties.

The following table describes the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode and the User Account Control: Behavior of the elevation prompt for standard users settings.

Consent policy for elevation

Setting: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Description: There are three possible values:
  1. No prompt – The elevation occurs automatically and silently.
  2. Prompt for consent – UAC asks for consent before elevating.
  3. Prompt for credentials – UAC requires that valid administrator credentials are entered before elevating. This policy is only in effect when UAC is enabled.
Default value: Prompt for consent

Setting: User Account Control: Behavior of the elevation prompt for standard users
Description: There are two possible values:
  1. No prompt – No elevation prompt is presented and the user cannot perform administrative tasks without using Run as administrator or by logging on with an administrator account.
  2. Prompt for credentials – UAC requires that valid administrator credentials are entered before elevating.
Default value: Prompt for credentials

Changing the behavior of the UAC elevation prompt should be done with careful consideration. This policy is configurable for both administrators in Admin Approval Mode and standard users. The following general guidance can help you determine how to configure the UAC prompting behavior for your environment.

Administrators in Admin Approval Mode

The prompt for consent option is recommended for most environments. More secure environments should use the prompt for credentials option.

Microsoft strongly advises against setting the No Prompt option; disabling the UAC prompt behavior removes the ability of a user to approve an application before it runs. As a result, any application can then “silently elevate” and use the administrator’s access token, including malware, without the user’s approval.

Standard users

Microsoft strongly recommends that standard users be prompted for administrator credentials. When the No prompt option is enabled, standard users will not be able to perform administrative tasks without using Run as administrator or logging on with an account that is a member of the local administrators group.

Secure Desktop

The consent and credential prompts are displayed on the secure desktop by default in Windows Vista Beta 2. Only Windows processes can access the secure desktop. In addition to the recommendations for administrators and standard users, Microsoft also strongly recommends that the User Account Control: Switch to the secure desktop when prompting for elevation setting be kept enabled for higher levels of security.

When an executable requests elevation, the interactive desktop (also called the user desktop) is switched to the secure desktop. The secure desktop renders an alpha-blended bitmap of the user desktop and displays a highlighted elevation prompt and corresponding calling application window. When the user clicks Continue or Cancel, the desktop switches back to the user desktop.

It is worthwhile to note that malware can paint over the interactive desktop and present an imitation of the secure desktop, but when the policy is set to prompt for consent the malware does not gain elevation should the user be tricked into clicking Continue on the imitation. If the policy is set to prompt for credentials, malware imitating the credential prompt may be able to gather the credentials from the user. Note that this also does not gain the malware elevated privilege, and that the system has other protections that mitigate automated driving of the user interface by malware, even with a harvested password.

Running Programs as an Administrator

Windows Vista includes functionality to manually and preemptively request that an application be started (launched) with a full administrator access token. To launch a program with a full administrator access token one time, right-click the program icon and select Run as administrator on the menu. After the user authorizes the elevation, the program will launch and run with the user’s full administrative access token. The following procedure details this process as performed by an administrator in Admin Approval Mode.

To run a program one time as an administrator:

  1. Right-click the program that you would like to run as an administrator and select Run as administrator.
  2. At the User Account Control consent prompt, select Continue.

After the user authorizes the elevation, the program will launch and run with the user’s full administrative access token.

Note   Using Run as administrator will only elevate an application once. If an application requires an administrative access token to launch, you can mark it to require a full administrator access token. The following section details this process.

Marking an Application that Requires a Full Administrator Access Token

There may be situations where certain applications will not function correctly unless they are run by a user with a full administrator access token. This can occur with pre-Windows Vista programs that are not designed to operate under the UAC environment. Microsoft has provided a mechanism to mark these applications so that they are always launched with a request for a full administrator access token. The following procedure details how to mark an application to always require an administrator access token when it is launched.

To mark an application to always require a full administrator access token:

  1. Right-click the program you would like to modify and select Properties.
  2. In Properties, select the Compatibility tab.
  3. Under Privilege Level, select the Run this program as an administrator check box, and then click Apply or OK.
  4. If this is the first time the application has been marked to run as an administrator, a dialog box will appear.
  5. Click OK to continue.

Note   If this is the first time that this application was marked, a message will appear indicating that Windows Vista will instruct the application to gather information about which operations the program is performing that require it to run with a full administrator access token. This information will help Microsoft determine if any steps can be taken to correct the program in the future so that it will no longer require a full administrator access token. When asked to check for “Solutions to Problems”, always check for solutions on any product that has a LUADiagnostics problem. This will ensure that the collected information is sent to Microsoft. If you do not want to send this information, do not check for “Solutions to Problems”.

Once complete, the program will prompt for elevation consent whenever it is launched.

Important   Marking an application to require an administrator access token does not prevent the User Account Control elevation prompt from being displayed. The application will still require the user to provide authorization before it can use a full administrator access token.
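The prompt-behavior and secure desktop settings configured through secpol.msc in the preceding sections, and the per-application Run this program as an administrator marking, can both be audited from a script. The following Windows PowerShell script is an added example and is not part of this white paper; it assumes Windows PowerShell 2.0 or later is installed, that the policies are stored under the registry value names used by released versions of Windows (ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop, EnableLUA), and that Compatibility-tab markings are recorded as RUNASADMIN in the AppCompatFlags\Layers key; none of these names are given in this paper and they may not hold on Beta 2 builds.

```powershell
# Added example (not from the white paper): report whether a computer's UAC
# configuration follows this paper's recommendations, then list programs that
# have been marked to always request a full administrator access token.
# ASSUMPTION: registry locations and value meanings as in released Windows.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed meaning of the stored policy values.
$AdminBehavior = @{
    0 = 'No prompt (elevate silently)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
}
$UserBehavior = @{
    0 = 'No prompt (elevation requests are denied)'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the value is absent, in which case the Windows default applies.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Describe-Behavior {
    param([hashtable]$Table, $Value)
    $desc = $Table[[int]$Value]
    if (-not $desc) { $desc = "unknown value $Value" }
    return $desc
}

function Test-UacConfiguration {
    # Returns one string per deviation from the paper's guidance.
    $findings = @()

    if ((Get-PolicyValue 'EnableLUA') -eq 0) {
        $findings += 'EnableLUA is 0: UAC is disabled and administrators run every process with the full token.'
    }

    $admin = Get-PolicyValue 'ConsentPromptBehaviorAdmin'
    if ($admin -eq 0) {
        $findings += 'Administrators in Admin Approval Mode are set to No prompt; the paper strongly advises against this.'
    } elseif ($null -ne $admin) {
        Write-Host ('Administrators in Admin Approval Mode: ' + (Describe-Behavior $AdminBehavior $admin))
    }

    $user = Get-PolicyValue 'ConsentPromptBehaviorUser'
    if ($user -eq 0) {
        $findings += 'Standard users are set to No prompt; the paper recommends Prompt for credentials.'
    } elseif ($null -ne $user) {
        Write-Host ('Standard users: ' + (Describe-Behavior $UserBehavior $user))
    }

    if ((Get-PolicyValue 'PromptOnSecureDesktop') -eq 0) {
        $findings += 'PromptOnSecureDesktop is 0: prompts are drawn on the interactive desktop, which other processes can paint over.'
    }

    return $findings
}

function Get-RunAsAdminMarkedApps {
    # The Compatibility tab records "Run this program as an administrator" in
    # AppCompatFlags\Layers: the value name is the executable path and the
    # data contains RUNASADMIN. HKCU holds the current user's markings and
    # HKLM holds markings made for all users.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
            if ("$($p.Value)" -match 'RUNASADMIN') {
                New-Object PSObject -Property @{
                    Scope      = $key.Split(':')[0]
                    Executable = $p.Name
                    Layers     = $p.Value
                }
            }
        }
    }
}

$findings = @(Test-UacConfiguration)
if ($findings.Count -eq 0) {
    Write-Host 'UAC prompting configuration matches the recommendations in this paper.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

Write-Host ''
Write-Host 'Applications marked to always require a full administrator access token:'
Get-RunAsAdminMarkedApps | Format-Table Scope, Executable, Layers -AutoSize
```

The policy values are readable by a standard user; reading the HKLM AppCompatFlags key may require an elevated prompt on some configurations, in which case that scope is simply skipped.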

How to Configure UAC for Your Computer

While this section is about how to configure UAC for your specific computing environment, it is important to note that UAC touches every element of the Windows Vista user experience. UAC is an integral component of the Windows Vista security architecture.

In an enterprise, Microsoft recommends using Group Policy and Microsoft Systems Management Server (SMS) to manage UAC. For computers that are not a member of a domain or that are part of a workgroup, Microsoft recommends utilizing the default UAC configurations.

Based on the preceding recommendations, choose between one of the two possible methods for configuring Windows Vista Beta 2 with UAC enabled:

  • Configure UAC for an Enterprise Workstation
  • Configure UAC for a Home or Unmanaged Computer

Configure UAC for an Enterprise Workstation

In an enterprise, ensuring that users cannot alter system settings, install malware, and compromise data is paramount. As a result, Microsoft recommends that enterprises configure their workstations to run as standard users. Using the following configuration will help mitigate potential problems:

  • UAC is enabled throughout the environment and maintained centrally with Group Policy.
  • The built-in Administrator account is kept disabled and a password is set to prevent any offline attacks.
  • Every user of the desktop runs with a standard user account.
  • Domain administrators have two accounts: a standard user account and an administrator account in Admin Approval Mode.
  • IT deploys applications using Microsoft Systems Management Server (SMS), Group Policy software installation (GPSI), or another similar application deployment technology. If you have a UAC deployment mechanism in place, Microsoft recommends disabling application installer detection.
  • Access token elevations are handled by a help desk or an IT staff member by either using Remote Assistance or physically entering the credentials at the user’s computer.

Note   If possible, remove or disable all local computer administrators.

Configure UAC for a Home or Unmanaged Computer

While UAC enables comprehensive control of enterprise desktops, it also greatly improves security on home computers. While a standard user account has existed in Windows since NT 4.0, most home users are unaware that there are different account types. As a result, a majority of home users browse the Web, read e-mail, shop online, and compose documents as administrators. Because an administrator has full access to system resources, any malicious software that is inadvertently installed on your computer can affect files and folders throughout your computer. With the introduction of UAC in Windows Vista, support is provided within the operating system to make it much easier for users to run as standard users. Running as a standard user is inherently more secure and helps limit system-wide data loss due to system-wide malicious software installs.

Choose one of the following two options for your home environment configuration:

  • Configure UAC with parental controls
  • Configure UAC without parental controls

Configure UAC with parental controls

UAC enables flexible use of parental controls by clarifying user tasks and user account types.

Note   The Parental Controls control panel is not displayed in the Control Panel on domain joined computers.

Recommended home configuration to enable parental controls:

  • UAC is enabled on the computer.

  • All parental accounts are created as administrator accounts in Admin Approval Mode.

  • All children’s accounts are created as standard user accounts.


The following diagram (Figure 5) uses the preceding guidelines to illustrate how a parent (administrator in Admin Approval Mode) can set parental controls for a child (standard user account).

Figure 5. Setting Parental Controls (diagram not reproduced)

In this scenario, Denise Smith wants to set parental controls on her Windows Vista Beta 2 computer to control what time her son Brian can log on to the computer.

Parental Controls Scenario Users

  • Brian Smith – 12-year-old boy who enjoys playing computer games and browsing the Web. User account type: Standard.
  • Denise Smith – Brian’s mother. Denise wants to ensure that her son is only allowed to log on during certain hours. User account type: Administrator in Admin Approval Mode.
  1. Denise installs Windows Vista Beta 2 and creates an account for herself during the installation. This account is created as a local administrator account with UAC enabled by default.
  2. Denise then uses the Users control panel to create a standard user account for Brian and then opens the Parental Controls control panel.
  3. Because Denise wants to ensure that Brian does not use the computer late into the evening, Denise then uses the Parental Controls control panel to designate time limits, allowing Brian to only log on to the computer from the hours of 3 PM to 10 PM. The following screenshot (Figure 6) details the configuration.

Figure 6. Time Limit Configuration (screenshot not reproduced)

  4. Denise then enables activity reporting to receive reports about Brian’s computer activity, including the Web pages that Brian visits most often, his log on times, and the most recent Web sites blocked by parental controls.
  5. Brian attempts to log on to the computer at 10:30 PM and receives the following error: “Your account has time restrictions that prevent you from logging on at this time. Please try again later.”
  6. Denise logs on and views an activity report for Brian’s user account.

The following table details available parental controls.

Windows Vista Parental Controls

  • Web restrictions – Control allowed Web sites, downloads, etc.
  • Time limits – Control when a specific user is allowed to use the computer.
  • Games – Control games by rating, content, or title.
  • Allow and block specific programs – Allow or block any programs on your computer.
  • Activity reports – View activity reports.

Configure UAC without parental controls

The recommended method for configuring UAC without parental controls for a home computer is similar to the enterprise workstation configuration scenario highlighted earlier in this document. The following list details the recommended home computer configuration for Windows Vista Beta 2:

  • Create one administrator account in Admin Approval Mode
  • Create one standard user account as your primary user account
  • Create all subsequent accounts as standard user accounts

The following sections detail how to complete this process, the general user experience that you will encounter, and different ways to configure UAC.

Note   While the Beta 2 standard user scenario illustrated here is for the home computing environment, enterprises will also greatly benefit from reduced TCO if they implement standard user accounts on their workstations.

Create one administrator account in Admin Approval Mode

During the Windows Vista Beta 2 installation process, you will be prompted to provide information for a user account. By default, this user account is created as an administrator account in Admin Approval Mode. Because Microsoft recommends that you use this initial administrator account sparingly, ensure that you do not name the account as you would for your primary user account. For example, a user named Michael Patten might use the following naming scheme for his two user accounts:

  • Administrator account in Admin Approval Mode: mpAdmin
  • Standard user account: Michael

Create one standard user account as your primary user account

You should complete the following procedure immediately after Windows has finished installation. This procedure was written by referencing the default Control Panel view and not Classic View.

To create a standard user account

  1. Log on with an administrator account in Admin Approval Mode.

  2. Click Start, click Control Panel, and then click Add or remove user accounts under the User Accounts and Family Safety heading.

  3. Click Continue at the User Account Control consent prompt.

  4. In Manage Accounts, click Create a new account.

  5. In Create new account, type the desired name for a primary user account, and ensure that Standard user is selected.

  6. In Manage Accounts, click the new user account.

  7. In Change an account, click Create a password.

  8. In Create Password, enter a strong password.

    Note   While Windows Vista Beta 2 does not require a password for standard user accounts, you should ensure that you do set a strong password. More information is available by clicking How to create a strong password in the Create Password section of the Users control panel. Password guidelines are also available on the Microsoft Web site at Strong Passwords: How to Create and Use Them.

Create all subsequent user accounts as standard users

Each subsequent user account you create after the first two accounts should be a standard user account. Follow the “Create a standard user account” procedure detailed in the preceding topic to create your standard user accounts. By default, each subsequent user account after the first administrator account is created will be created as a standard user account in Windows Vista Beta 2.

Known Issues and Resolutions

Problem: Unable to install ActiveX controls in Internet Explorer
Resolution: Launch Internet Explorer elevated by clicking the Start button, and then pointing to All Programs. Right-click Internet Explorer and select Run Elevated. Next, perform the ActiveX installation. Exit this instance of Internet Explorer and start a new instance running as a standard user to continue.

Problem: Non-administrator users cannot create files on the system root drive, for example, C:\
Resolution: By default, Windows Vista redirects any writes to protected areas (e.g. C:\ and C:\%systemroot%) to the currently logged-on user’s profile. Either:
  • Create files and folders in the user’s profile (under \users\(user) or \users\public).
  OR
  • Right-click Command Prompt and select Run Elevated. Create the directory from the elevated command window.

Problem: Unable to install printers
Resolution: For Beta 2, always install printers directly from the Control Panel.

Problem: Unable to set up network connections
Resolution: For Beta 2, always set up network connections directly from the Control Panel.

Problem: Cannot delete files from the public Startup menu
Resolution: Right-click Command Prompt and select Run Elevated. Go to the \Users\Public\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder and perform the edits.

Problem: Applications started with a full administrator access token do not show up on the taskbar
Resolution: Start the system tray (systray.exe) from an elevated command prompt. Use Alt+Tab to switch between active programs and select one of the elevated programs.

Problem: Setup detection may not detect all setups
Resolution: Run the setup.exe elevated. See the section Marking an Application that Requires a Full Administrator Access Token.

Problem: No elevation prompts from command windows
Resolution: Launch the program by clicking the Start button, and then pointing to Run.

Providing Feedback

Your feedback about any potential application compatibility issues will be greatly appreciated and will help Microsoft and independent software vendors (ISVs) collaborate to make Windows Vista the most secure operating system. Please submit all feedback to User Account Control Documentation.

Resources

  • User Account Control Team Web Log (UACBlog)
  • User Account Control IT Professional Resources (https://www.microsoft.com/technet/windowsvista/security/uac.mspx)
  • Strong Passwords: How to Create and Use Them (https://www.microsoft.com/athome/security/privacy/password.mspx)