Review of Microsoft Windows Version 7 UAC
In Windows 7 UAC (User Account Control) is much less ‘in your face’. Microsoft has re-thought when it’s desirable fro the UAC to leap into action and inform us of a significant change to the operating system settings. Furthermore, if you disagree with Microsoft’s default settings it’s much easier to make the UAC even less intrusive.
Just click on the Start orb, and navigate to the Control Panel, User Accounts, Change User Account Settings.
Security v Ease of Use
The above screenshot illustrates the trade-off between security and the annoying UAC interface interrupting your configuration work. Adjusting the computer’s clock is a case study on Microsoft’s re-design of the UAC. The crucial issue is that changing the time is a security issue, it should require the UAC. However a user changing the time-zone does not compromise any of the operating system’s audit time-stamps, and thus there is no need for the UAC to annoy a user moving to a new time-zone.
Windows 7 also allows standard users to view the firewall settings and even use Windows Update to install optional updates and drivers. They can also adjust the display DPI, and refresh the IP address with needing administrative privileges and hence attracting the UAC dialog box.
What is the UAC?
I find that knowledge of what the UAC is trying to do makes me more forgiving when it appears. Also understand the goals behind the UAC make me appreciate the improvements between Vista and Windows 7.
The goal of UAC is to encourage people to logon as standard users and not the administrator. To achieve this goal Windows 7 enables standard users to perform operations that previously required administrative rights. As a result, even the default Windows 7 UAC mode makes the administration experience smoother by reducing prompts.
When the UAC does kick-in it’s because you selects a setting that wants to modify the file system, the registry, or call upon the Protected Administrator (PA) account. Talking of the registry, it’s the HKEY_LOCAL_MACHINE (HKLM) part that’s a security threat, therefore applications should use the HKEY_CURRENT_USER \Software section of the registry.
Windows Version 7 Topics
- What to Expect from Windows Version 7
- Run Command in Windows 8
- Windows 8 Disable UAC
- Disable UAC Windows Server 2012
Windows Version 7 UAC
Standard user accounts provide for better security and lower total cost of ownership in both home and corporate environments. When users run with standard user rights instead of administrative rights, the security configuration of the system, including antivirus and firewall, is protected. This provides users a secure area that can protect their account and the rest of the system. For enterprise deployments, the policies set by desktop IT managers cannot be overridden, and on a shared family computer, different user accounts are protected from changes made by other accounts.
However, Windows has had a long history of ordinary users logging on with administrative rights. As a result, software has often been developed to run in administrative accounts and take dependencies, often unintentionally, on administrative rights. To both enable more software to run with standard user rights and to help developers write applications that run correctly with standard user rights, Windows Vista introduced User Account Control (UAC). I’ve talked about these in detail in my conference presentations and TechNet Magazine UAC internals article.
Windows 7 carries forward UAC’s goals with the underlying technologies relatively unchanged. However, it does introduce two new modes that UAC’s PA account can operate with and an auto-elevation mechanism for some built-in Windows components. In this post, I’ll cover the motivations behind UAC’s technologies, revisit the relationship between UAC and security, describe the two new modes, and explain how exactly auto-elevation works. Note that the information in this post reflects the behavior of the Windows 7 release candidate, which is different in several ways from the beta.
The most basic element and direct benefit of UAC’s technology is simply making Windows more standard-user friendly. The showcase example is the difference between the privilege requirements of setting the time zone on Windows XP and Windows Vista. On Windows XP, changing the time zone actually, even looking at the time zone with the time/date control panel applet requires administrative rights.
That’s because Windows XP doesn’t differentiate between changing the time, which is a security-sensitive system operation, from changing the time zone, which merely affects the way that time is displayed. In Windows Vista (and Windows 7), changing the time zone isn’t an administrative operation and the time/date control panel applet separates administrative operations from the standard user operations. This change alone enables many enterprises to configure traveling users with standard user accounts, because users can adjust the time zone to reflect their current location. Windows 7 goes further, making things like refreshing the system’s IP address, using Windows Update to install optional updates and drivers, changing the display DPI, and viewing the current firewall settings accessible to standard users.
File system and registry virtualization work behind the scenes to help many applications that inadvertently use administrative rights to run correctly without them. The most common unnecessary uses of administrative rights are the storage of application settings or user data in areas of the registry or file system that are for use by the system. Some legacy applications store their settings in the system-wide portion of the registry (HKEY_LOCAL_MACHINE\Software) instead of the per-user portion (HKEY_CURRENT_USER\Software), for example, and registry virtualization diverts attempts to write to the system location to one in HKEY_CURRENT_USER (HKCU) while preserving application compatibility.
The PA account was designed to encourage developers to write their applications to require only standard user rights while enabling as many applications that share state between administrative components and standard user components to continue working. By default, the first account on a Windows Vista or Windows 7 system, which was a full administrator account on previous versions of Windows, is a PA account. Any programs a PA user executes are run with standard-user rights unless the user explicitly elevates the application, which grants the application administrative rights. Elevation prompts are triggered by user activities such as installing applications and changing system settings. These elevation prompts are the most visible UAC technology, manifesting as a switch to a screen with an allow/cancel dialog and grayed snapshot of the desktop as the background.
Accounts created subsequent to the installation are standard user accounts by default that provide the ability to elevate via an "over the shoulder" prompt that asks for credentials of an administrative account that will be used to grant administrative rights. This facility enables a family member sharing a home computer or a more security-conscious user using a standard user account to run applications with administrative rights, provided they know the password to an administrative account, without having to manually switch to a different user logon session. Common examples of such applications include installers and parental control configuration.
When UAC is enabled, all user accounts including administrative accounts run with standard user rights. This means that application developers must consider the fact that their software won’t have administrative rights by default. This should remind them to design their application to work with standard user rights. If the application or parts of its functionality require administrative rights, it can leverage the elevation mechanism to enable the user to unlock that functionality. Generally, application developers need to make only minor changes to their applications to work well with standard user rights. As the E7 blog post on UAC shows, UAC is successfully changing the way developers write software.
Elevation prompts also provide the benefit that they "notify" the user when software wants to make changes to the system, and it gives the user an opportunity to prevent it. For example, if a software package that the user doesn’t trust or want to allow to modify the system asks for administrative rights, they can decline the prompt.
Elevations and Malware Security
The primary goal of UAC is to enable more users to run with standard user rights. However, one of UAC’s technologies looks and smells like a security feature: the consent prompt. Many people believed that the fact that software has to ask the user to grant it administrative rights means that they can prevent malware from gaining administrative rights. Besides the visual implication that a prompt is a gateway to administrative rights for just the operation it describes, the switch to a different desktop for the elevation dialog and the use of the Windows Integrity Mechanism, including User Interface Privilege Isolation (UIPI), seem to reinforce that belief.
As we’ve stated since before the launch of Windows Vista, the primary purpose of elevation is not security, though, it’s convenience: if users had to switch accounts to perform administrative operations, either by logging into or Fast User Switching to an administrative account, most users would switch once and not switch back. There would be no progress changing the environment that application developers design for. So what are the secure desktop and Windows Integrity Mechanism for?