Windows Vista - User Account Control (UAC), Formerly User Account Protection (UAP)
Microsoft changed the name from User Account Protection to User Account Control; therefore, I rewrote the UAC page and moved it here.
What User Account Control (UAC) does is allow you to log on as an administrator, yet run applications such as Outlook and Word in the context of an ordinary user. If you need to perform an administrator task, such as installing a driver, Vista presents you with a dialog box to enter your password; you then receive elevated rights for the duration of the task. The key concept is that you don't have to log off. Instead you empower the operating system by giving your password, and Vista just switches tokens, performs the named task, then returns you to normal user status.
In the winter of 2005, UAC was called UAP (User Account Protection). More than just a change of acronym, this indicates an area which is undergoing changes. Following feedback, Microsoft are fine-tuning how much security and how much ease of use to build into UAC.
My view is that User Account Control has grown out of the 'Run as...' feature of Windows Server 2003 or the 'Switch User' feature of XP. I have to say that, at least on training courses, RunAs was one of the least liked features of Windows Server 2003. Microsoft's official line is that User Account Control is a development of least-privilege user access, or LUA.
Even when we ignored Run as on those training courses, we had this feeling of being naughty boys and not taking security seriously. User Account Control makes it easier to work securely. UAP is like opening a drawer using a plastic card kept in your top pocket, compared with RunAs, which is like walking over to the filing cabinet and finding the correct key for your drawer. In summary, User Account Control automatically gives you the best of both worlds: rely on a basic token for routine tasks and just use the administrative token for special jobs.
User Account Control is an example of Vista being smarter than XP. Let us assume that you log on as a user and notice that Excel thinks that the computer's clock is displaying the wrong time. In XP, since you don't have administrative privileges, you cannot see, never mind change, the clock in the notification area. Gotcha. In Vista you can see the clock as an ordinary user and, although you cannot immediately change the time, at least you can confirm the skewed time.
Good news: you can change the clock by supplying the administrative credentials through a simple dialog box. As an aside, and before Mr Angry writes to me, Vista clients, like XP, automatically synchronise clocks with the Domain Controller holding the PDC emulator role. Therefore, assume that the above example was on a standalone machine.
From knowledge of Kerberos in Windows Server 2003, you may be familiar with the idea that once a user has logged on successfully, the operating system supplies them with a security token. That token holds their privileges and group membership. The whole idea is that the user does not have to keep typing in their password every time they need to open a file or print. User Account Control extends this idea by supplying what some call a split token and others call two tokens. Whatever the semantics, the idea is that to perform jobs like checking their email or updating their spreadsheets, the user relies on the lesser token, the one with minimal rights.
Suppose that the same user account now needs to carry out a higher-level administrative task, for example changing a DNS record or amending a DHCP scope option; at this point they need to switch to the other, full token. Thanks to User Account Control, a prompt appears, the user enters the administrator's password, job done: no need to log off as a user and then log on as the administrator.
Registry Change to User Account Control
One of the underlying computer dilemmas is productivity versus security. If Microsoft make UAP too difficult, then administrators will investigate registry hacks that make their jobs easier, even if easier means less secure. On my test network I move the imaginary productivity -v- security slider towards ease of use, whereas for customers, I move the same slider over to more secure settings.
In terms of overall strategy, Microsoft are committed to UAP in some shape or form; however, there has been a lack of enthusiasm for this feature amongst Vista Beta testers, therefore the tactics may change by the final version.
Thanks to a registry hack called ConsentPromptBehavior, you can switch the token by pressing OK, rather than having to type what is usually a complex and tricky password. See more about ConsentPromptBehavior here.
Imagine a user launching a snap-in from the MMC. The Windows Vista shell calls CreateProcess, which then queries the application to see whether it requires elevated privileges. If the application does not require elevated privilege, the process is created through NtCreateProcess; end of story. However, let us assume that the snap-in requires elevated privilege; in this instance CreateProcess returns an error to ShellExecute.
Next, ShellExecute calls the Application Information Service (AIS), which initiates an elevated launch. AIS then prompts the user for a password through the Consent User Interface. ShellExecute now tries again, but this time uses the full token to launch the application on the client's Vista machine.
User Account Control is central to Microsoft's initiative. If you are concerned about triggering rogue programs when you log on as administrator, then investigate User Account Control. When it becomes annoying, consider making this registry change.
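As an added PowerShell example (mine, not from this article), the script below reads the registry values that control the consent/credential prompt discussed above and reports which of the two tokens the current session is running under; run it once as an ordinary user and once via "Run as administrator" to see the difference. It assumes the HKLM Policies\System key and the shipped value names EnableLUA, PromptOnSecureDesktop and ConsentPromptBehaviorAdmin (the full name of the value the article calls ConsentPromptBehavior); the setting 5 only exists from Windows 7 onward.

```powershell
# Added example, not from the original article: audit the UAC prompt policy
# and show whether this session holds the filtered token or the full token.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (0 is the "ease of use" end of the slider).
$adminBehaviour = @{
    0 = 'Elevate without prompting (weak: the full token is handed out silently)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (press Continue, no password; Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 and later default)'
}

function Get-UacPosture {
    $p = Get-ItemProperty -Path $uacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

# Flag the settings that move the productivity -v- security slider to "less secure".
# A missing value means the built-in default applies, so only explicit 0s are reported.
function Test-UacWeak {
    param([pscustomobject]$Posture)
    $findings = @()
    if ($Posture.EnableLUA -eq 0) { $findings += 'EnableLUA=0: UAC is off, administrators always run with the full token' }
    if ($Posture.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: silent elevation, no OK button and no password' }
    if ($Posture.PromptOnSecureDesktop -eq 0) { $findings += 'PromptOnSecureDesktop=0: the prompt is not isolated on the secure desktop' }
    return $findings
}

# Which of the split tokens is this process using? The filtered token is not in the Administrators role.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$posture = Get-UacPosture
$desc = if ($null -eq $posture.ConsentPromptBehaviorAdmin) { 'not set, built-in default applies' }
        else { $adminBehaviour[[int]$posture.ConsentPromptBehaviorAdmin] }
"Running as $($identity.Name); full administrative token in use: $elevated"
"ConsentPromptBehaviorAdmin = $($posture.ConsentPromptBehaviorAdmin) -> $desc"
$weak = Test-UacWeak -Posture $posture
if ($weak) { $weak | ForEach-Object { "WEAK: $_" } } else { 'UAC prompt policy is at or above the built-in default' }
```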