Windows Vista – User Account Protection (UAP)

Windows Vista – User Account Control (UAC)
Formerly User Account Protection (UAP)

Microsoft changed the name from User Account Protection to User Account Control; therefore, I rewrote the UAC page and moved it here.

What User Account Control (UAC) does is allow you to log on as an administrator, yet run applications such as Outlook and Word in the context of an ordinary user.  If you need to perform an administrator task, such as installing a driver, Vista presents you with a dialog box to enter your password, and you then receive elevated rights for the duration of the task.  The key concept is that you don’t have to log off.  Instead you empower the operating system by giving your password, and Vista just switches tokens, performs the named task, then returns to normal user status.


Evolution of User Account Control from UAP

In the winter of 2005, UAC was called UAP (User Account Protection).  More than just a change of acronym, this indicates an area which is undergoing changes.  Following feedback, Microsoft are fine tuning how much security and how much ease of use to build into UAC.

My view is that User Account Control has grown out of the ‘Run as..’ feature of Windows Server 2003 or the ‘Switch User’ feature of XP.  I have to say that, at least on training courses, RunAs was one of the least liked features of Windows Server 2003.  Microsoft’s official line is that User Account Control is a development of Least-privilege User Access, or LUA.

Even when we ignored Run as on those training courses, we had this feeling of being naughty boys and not taking security seriously.  User Account Control makes it easier to work securely.  UAP is like opening a drawer using a plastic card kept in your top pocket, compared with RunAs, which is like walking over to the filing cabinet and finding the correct key for your drawer.  In summary, User Account Control automatically gives you the best of both worlds: you rely on a basic token for routine tasks and use the administrative token only for special jobs.


Example of User Account Control (UAP) in Vista

User Account Control is an example of Vista being smarter than XP.  Let us assume that you log on as an ordinary user and notice that Excel thinks that the computer’s clock is displaying the wrong time.  Since you don’t have administrative privileges you cannot see, never mind change, the clock in the notification area.  Gotcha.  In Vista you can see the clock as an ordinary user, and although you cannot immediately change the time, at least you can confirm the skewed time.

Good news, you can change the clock by supplying the administrative credentials through a simple dialog box.  As an aside, and before Mr Angry writes to me, Vista clients, like XP, automatically synchronise clocks with the Domain Controller holding the PDC emulator role.  Therefore, assume that the above example was on a standalone machine.

How User Account Control (UAP) works

From knowledge of Kerberos in Windows Server 2003, you may be familiar with the idea that once a user has logged on successfully, the operating system supplies them with a security token.  That token holds their privileges and group membership.  The whole idea is that the user does not have to keep typing in their password every time they need to open a file or print.  User Account Control extends this idea by supplying what some call a split token and others call two tokens.  Whatever the semantics, the idea is that to perform jobs like checking their email or updating their spreadsheets, the user relies on the lesser token, the one with minimal rights.  Suppose that the same user account now needs to carry out a higher level administrative task, for example, changing a DNS record or amending a DHCP scope option; at this point they need to switch to the other, full token.  Thanks to User Account Control, a menu appears, the user enters the administrator’s password, and the job is done, with no need to log off as a user and then log on as the administrator.
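The two tokens described above can be observed from PowerShell. This is an added example, not part of the original article; the function name is hypothetical, and the script assumes an English-language Windows because it matches the attribute text that whoami.exe prints.

```powershell
# Added example: report which of the two UAC tokens this process is running with.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole is true only when BUILTIN\Administrators is an enabled group,
    # which holds for the full token but not for the lesser one.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami.exe lists every group SID in the token with its attributes.
    $groups = @(& whoami.exe /groups /fo csv | ConvertFrom-Csv)
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    # Integrity label: S-1-16-8192 is Medium, S-1-16-12288 is High.
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }

    if ($elevated) {
        $state = 'Full token: Administrators group is enabled'
    } elseif ($admins -and $admins.Attributes -match 'deny only') {
        # The lesser half of a split token keeps the Administrators SID,
        # but only so that deny entries in an ACL still apply to it.
        $state = 'Lesser token: Administrators present for deny only'
    } else {
        $state = 'Standard user: no Administrators group in the token'
    }

    New-Object PSObject -Property @{
        User      = $identity.Name
        Elevated  = $elevated
        Integrity = ($label | Select-Object -First 1).'Group Name'
        State     = $state
    }
}

Get-UacTokenState | Format-List User, Elevated, Integrity, State
```

Run it once from a normal console and once from a console started with "Run as administrator" to see the same account report the lesser and then the full token.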

Registry Change to User Account Control

One of the underlying computer dilemmas is productivity versus security.  If Microsoft make UAP too difficult, then administrators will investigate registry hacks that make their jobs easier, even if easier means less secure.  On my test network I move the imaginary productivity -v- security slider to ease of use, whereas for customers, I move the same slider over to more secure settings.

In terms of overall strategy, Microsoft are committed to UAP in some shape or form.  However, there has been a lack of enthusiasm for this feature amongst Vista Beta testers, so the tactics may change by the final version.

Thanks to a registry hack called ConsentPromptBehavior, you can switch the token by pressing OK, rather than having to type what is usually a complex and tricky password. See more about ConsentPromptBehavior here. 
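Because this setting trades security for convenience, it is worth auditing. The script below is an added example, not part of the original article: it uses the value names from released versions of Windows (ConsentPromptBehaviorAdmin and its neighbours under the Policies\System key), which is an assumption relative to the name the article gives, and its function names and sample policy are constructed for illustration.

```powershell
# Added example: audit the UAC policy values for weakened settings.
$UacPolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValueNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin',
                 'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop'

function Get-UacPolicy {
    # Read the live values; names that are not set are left out.
    $props  = Get-ItemProperty -Path $UacPolicyKey
    $policy = @{}
    foreach ($name in $UacValueNames) {
        if ($null -ne $props.$name) { $policy[$name] = [int]$props.$name }
    }
    $policy
}

function Test-UacPolicy {
    param([hashtable]$Policy)
    $findings = @()
    if ($Policy['EnableLUA'] -eq 0) {
        $findings += 'WEAK: EnableLUA=0, UAC is off and administrators always hold the full token'
    }
    if ($Policy.ContainsKey('ConsentPromptBehaviorAdmin')) {
        $v = $Policy['ConsentPromptBehaviorAdmin']
        if ($v -eq 0) {
            $findings += 'WEAK: ConsentPromptBehaviorAdmin=0, elevation happens with no prompt'
        } elseif ((2, 4, 5) -contains $v) {
            $findings += "INFO: ConsentPromptBehaviorAdmin=$v, consent click only, no password"
        } elseif ((1, 3) -notcontains $v) {
            $findings += "INFO: ConsentPromptBehaviorAdmin=$v, unrecognised value"
        }
    }
    if ($Policy['PromptOnSecureDesktop'] -eq 0) {
        $findings += 'WEAK: PromptOnSecureDesktop=0, prompt is drawn on the user desktop'
    }
    $findings
}

# Constructed sample: a machine tuned for convenience rather than security.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
Test-UacPolicy -Policy $sample

# The same check against the local machine.
Test-UacPolicy -Policy (Get-UacPolicy)
```

Values 1 and 3 require the administrator's credentials and produce no finding; the constructed sample returns two WEAK lines.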


How User Account Control Works.

  1. Imagine a user launching a snap-in from the MMC.  The Windows Vista shell calls CreateProcess, which then queries the application to see whether it requires elevated privileges.

  2. If the application does not require elevated privilege, the process is created through NtCreateProcess – end of story.  However, let us assume that the snap-in requires elevated privilege; in this instance CreateProcess returns an error to ShellExecute.

  3. Next, ShellExecute calls the Application Information Service (AIS), which initiates an elevated launch.
    AIS then prompts the user for a password through the Consent User Interface.

  4. ShellExecute now tries again, but this time uses the full token to launch the application on the client’s Vista machine.
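The difference between the two launch paths in these steps is visible from .NET, which can call either CreateProcess or ShellExecute. The following is an added example, not part of the original article; the function name is hypothetical, and it assumes an administrator account running with the lesser token, with mmc.exe as the default program because the article uses an MMC snap-in.

```powershell
# Added example: the CreateProcess failure and the ShellExecute retry, seen from .NET.
function Start-ViaUacFlow {
    param([string]$Path = "$env:SystemRoot\System32\mmc.exe")

    $info = New-Object System.Diagnostics.ProcessStartInfo($Path)

    # Steps 1-2: UseShellExecute = $false makes .NET call CreateProcess directly.
    $info.UseShellExecute = $false
    try {
        $proc = [System.Diagnostics.Process]::Start($info)
        return "CreateProcess succeeded, no elevation needed (PID $($proc.Id))"
    } catch {
        $err = $_.Exception.GetBaseException()
        # 740 = ERROR_ELEVATION_REQUIRED; anything else is a different failure.
        if ($err -isnot [System.ComponentModel.Win32Exception] -or
            $err.NativeErrorCode -ne 740) { throw }
    }

    # Steps 3-4: hand the same launch to ShellExecute, which requests elevation
    # and shows the consent prompt before the process is created.
    $info.UseShellExecute = $true
    try {
        $proc = [System.Diagnostics.Process]::Start($info)
        return "Elevated launch approved (PID $($proc.Id))"
    } catch {
        $err = $_.Exception.GetBaseException()
        # 1223 = ERROR_CANCELLED: the prompt was dismissed or declined.
        if ($err -is [System.ComponentModel.Win32Exception] -and
            $err.NativeErrorCode -eq 1223) {
            return 'Elevation declined at the prompt, nothing was started'
        }
        throw
    }
}

Start-ViaUacFlow
```

A launcher that calls CreateProcess itself has to handle error 740 in this way; a standard user account takes the first return path because the program starts without elevation.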

Summary of User Account Control

User Account Control is central to Microsoft’s initiative.  If you are concerned about triggering rogue programs when you log on as administrator, then investigate User Account Control.  When it becomes annoying, consider making this registry change.
