
 

Windows Vista Feature Focus: User Account Control

 
 
With Windows Vista, Microsoft has finally moved the Windows platform to a security model that competing operating systems such as Mac OS X and Linux have employed for years. Now, even administrators run most applications and system services with Standard User privileges by default, providing a smaller "attack surface" for electronic attacks and increasing the overall security of the system. This feature is called User Account Control (UAC, previously called User Account Protection and Limited User Account).

User Account Control is necessary because Microsoft architected previous Windows versions such that it was too easy for most users to configure their accounts with administrator privileges, providing them with complete and open access to the system. As a result, most Windows applications created over the past decade have been written to assume that users have administrator access. But when a user has this level of system access, every application and service that runs on the system does so with complete administrative privileges as well. If your system is compromised by a worm, Trojan, virus, or other form of malware, that malicious code then runs with administrator privileges as well. That's how PCs get "owned."

Security-minded individuals who attempted to run Windows XP or previous Windows versions using only Limited User (or similar) account types quickly came to understand that it was next to impossible to do so. Despite some features built into the system, such as Run As, which were designed to temporarily escalate the current user's privilege level to administrator so that certain poorly-written applications would run correctly, many applications, in fact, just won't work in such a configuration. So even those few hardy people who tried to do the right thing found themselves stymied by the poor security model employed by previous Windows versions.

Using User Account Control

In Windows Vista, Microsoft has finally overcome this problem by rearchitecting Windows in a number of ways. There are a number of technologies built into Windows Vista designed specifically to lock down the system but still provide hidden compatibility features that let legacy applications continue to load and run as they always did. The key technology in this group is User Account Control, which accomplishes two basic goals. First, UAC segregates the tasks you can accomplish in Windows into two groups, those tasks that can be accomplished by standard users and those that can only be accomplished by administrators. Second, UAC silently causes even administrator accounts to run as standard accounts most of the time; when an admin-level task is attempted, the user will receive a UAC prompt so that they can temporarily elevate their privileges in order to complete just that single task.

So what tasks belong in each group? Installing a new application, changing the system date or time, or accessing many Control Panel applets falls into the administrator-level task group. Meanwhile, nondestructive tasks like changing power management settings or adding a new printer can be completed by any user. Microsoft applies a Windows Shield icon to most user interface elements that, when clicked, will require account escalation. This icon can be seen in the following screenshot; here, you can change the time zone without getting prompted, but if you try to change the date or time, you'll need to provide your consent.

UAC works differently depending on which type of account you have. Standard users, when attempting to perform an admin-level task, will be confronted by a credentials dialog that asks for an administrator's user name and password (or other similar method of obtaining admin-level credentials). Here's what this prompt looks like:

Meanwhile, administrator-type users, who now run in what Microsoft calls Administrator Approval Mode by default, receive a slightly different (and somewhat less intrusive) user experience called a consent dialog. The consent dialog simply asks you whether you'd like to continue with the task you've attempted to launch. This dialog looks like so:

There's also a third type of UAC dialog, which appears whenever you attempt to execute an application that has not been digitally signed or validated. This dialog, by design, is bigger, more colorful, and more prominent than the other UAC dialogs, and it will appear whether you are an admin or not. Here it is:

Tip: Administrator-level users who would like to configure the system for better security can, in fact, configure Windows Vista to always prompt for a user name and password, just like a standard user account. I'll discuss the ways in which you configure (and, yes, disable) UAC in the next section below.

In all cases, the screen will flash briefly and come to a dead halt until you've dealt with the UAC dialog. What's really happening here is that the system takes a screenshot of your desktop, jumps into a malware-hardened mode called Secure Desktop (which is also utilized by Vista's Welcome/logon screen), and then provides you with a modal UAC dialog box. You cannot do anything else with your PC until you've dealt with this dialog. The screen will resemble the following:


There are two reasons why Microsoft doesn't simply pop-up a normal dialog that doesn't lock up the rest of the PC. First, the company's security researchers recognized that it might be possible to spoof the version of UAC it originally developed, which did indeed appear as a normal dialog box onscreen. Second, if the user has a lot of windows open simultaneously, it would be possible for the UAC consent dialog to get buried under other windows. In such a case, the user might not realize that authorization was required for certain tasks, and the user might assume that the task she had requested was completing silently in the background when, in fact, it was waiting for the user to interact with it.

User Account Control is new and unique in Windows Vista: There is no analog to this feature in Windows XP. The aforementioned Run As command does provide a way for the user to manually elevate certain tasks to administrator privileges. But the XP shell doesn't know anything about Run As per se, and can't automatically prompt the user when a task fails to run under standard user privileges. In Vista, UAC provides a solution that is both more elegant and more integrated with the entire OS. Indeed, one of the best features of UAC is that it makes it possible for parents to configure standard user accounts for their kids. When their children need to install an application, for example, a parent can review the application first and then provide her credentials for the install only when she's sure it's safe.

Under the covers, UAC also provides some interesting features related to backwards compatibility. On a typical Windows XP system, applications are almost always granted complete control over the system they are installed to, so it's possible for them to read and write information anywhere in both the Registry and the file system. In Windows Vista, however, the Registry and file system are locked down. So UAC provides Registry and file system virtualization services that silently redirect read and write operations from protected portions of the Registry and file system to unprotected locations within the user's profile.

UAC evolved somewhat dramatically over the course of the Windows Vista beta. When I wrote When Vista Fails, the fifth part of my Windows Vista February 2006 CTP/Build 5342 review, UAC was popping up consent dialogs far too frequently. Also, there was a bug in UAC that resulted in certain consent dialogs appearing repeatedly with no way to authenticate certain tasks. The proliferation of dialogs and aforementioned bug were later fixed in Windows Vista Beta 2, and Microsoft made further changes to UAC over the remainder of the beta program to further reduce the number of times users will have to provide consent. In short, what was once aggravating is now quite bearable. The security benefits of UAC far outweigh whatever annoyances its dialogs might cause, and users will notice that UAC calms down quite a bit after you've installed applications and configured the system to your liking.

Configuring and Disabling User Account Control

That said, certain users will want to configure UAC in particular ways or even turn it off altogether. My advice here is simple: Leave UAC alone and adapt to its presence because the system is more secure with UAC enabled. However, if you're looking to change or even disable UAC, there are various ways to do so.

The most complete UAC configuration is available via the Local Security Settings console (assuming you're not connected to a domain). To access this console, open the Start Menu, type Local Security Policy, and hit ENTER. You'll see the following window appear:


Then, navigate to Local Policies, Security Options and scroll to the bottom of the list. You will see the following 8 UAC options listed:

User Account Control: Admin Approval Mode for the Built-in Administrator Account
Default setting: Disabled
What it does: Toggles Admin Approval Mode for the built-in administrator account, which is hidden by default.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Default setting: Prompt for consent
What it does: Determines what type of prompt admin-level users will receive when attempting admin-level tasks. The default is Prompt for consent, which provides a consent dialog. If set to No prompt, UAC consent dialogs will not appear. If set to Prompt for credentials, the user will need to enter an admin-level username and password.

User Account Control: Behavior of the elevation prompt for standard users
Default setting: Prompt for credentials
What it does: Determines what type of prompt standard users will receive when attempting admin-level tasks. The default is Prompt for credentials, which requires the user to enter an admin-level username and password. If set to No prompt, UAC consent dialogs will not appear. If set to Prompt for consent, the user will see a consent dialog.

User Account Control: Detect application installations and prompt for elevation
Default setting: Enabled
What it does: Determines whether signed and unsigned application installs trigger a UAC elevation dialog.

User Account Control: Only elevate executables that are signed and validated
Default setting: Enabled
What it does: Determines whether only signed executables can be elevated.

User Account Control: Run all administrators in Admin Approval Mode
Default setting: Enabled
What it does: Determines whether all admin-level accounts run in Admin Approval Mode, which generates UAC consent dialogs for admin-level tasks.

User Account Control: Switch to the secure desktop when prompting for elevation
Default setting: Enabled
What it does: Determines whether the Secure Desktop environment appears whenever a UAC prompt is initiated by the system. If disabled, UAC prompts will appear on the normal Windows desktop and could be spoofed by malware.

User Account Control: Virtualize file and registry write failures to per-user locations
Default setting: Enabled
What it does: Determines whether UAC virtualizes the Registry and file system for legacy applications that attempt to read or write from private parts of the system. Warning: For compatibility reasons, you should not disable this option. Note that file and Registry virtualization require that UAC be enabled.
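The Local Security Policy settings above are stored as DWORD values under a single registry key, so their current state can be audited from a script instead of scrolling through the console. The following PowerShell script is an added example (not from the original article); it assumes the documented value names under the Policies\System key, which are not mentioned on the page, and it flags the settings the article warns about: UAC turned off, prompts shown off the Secure Desktop (spoofable), silent administrator elevation, and virtualization disabled.

```powershell
# Added example: report the eight UAC policies listed above and flag weak settings.
# Assumption: each policy is backed by a DWORD under this key (documented value names).
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props = Get-ItemProperty -Path $key -ErrorAction Stop

# Numeric codes for the two "Behavior of the elevation prompt" policies.
$adminPrompt = @{ 0='No prompt (elevate silently)'; 1='Prompt for credentials on the secure desktop'
                  2='Prompt for consent on the secure desktop'; 3='Prompt for credentials'
                  4='Prompt for consent'; 5='Prompt for consent for non-Windows binaries' }
$userPrompt  = @{ 0='No prompt (automatically deny)'; 1='Prompt for credentials on the secure desktop'
                  3='Prompt for credentials' }

function Get-UacValue([string]$name) {
    # A value that was never written means the policy is at its built-in default.
    $p = $props.PSObject.Properties[$name]
    if ($null -eq $p) { 'not set (default)' } else { $p.Value }
}

function Get-PromptText($code, [hashtable]$table) {
    if ($code -is [int] -and $table.ContainsKey($code)) { $table[$code] } else { "$code" }
}

# Map each policy name from the Local Security Policy console to its stored value.
$report = [ordered]@{
  'Admin Approval Mode for the Built-in Administrator Account' = Get-UacValue 'FilterAdministratorToken'
  'Behavior of the elevation prompt for administrators'        = Get-PromptText (Get-UacValue 'ConsentPromptBehaviorAdmin') $adminPrompt
  'Behavior of the elevation prompt for standard users'        = Get-PromptText (Get-UacValue 'ConsentPromptBehaviorUser') $userPrompt
  'Detect application installations and prompt for elevation'  = Get-UacValue 'EnableInstallerDetection'
  'Only elevate executables that are signed and validated'     = Get-UacValue 'ValidateAdminCodeSignatures'
  'Run all administrators in Admin Approval Mode'              = Get-UacValue 'EnableLUA'
  'Switch to the secure desktop when prompting for elevation'  = Get-UacValue 'PromptOnSecureDesktop'
  'Virtualize file and registry write failures'                = Get-UacValue 'EnableVirtualization'
}
$report.GetEnumerator() | Format-Table -AutoSize

# Settings the article singles out as risky or as compatibility hazards.
$warnings = @()
if ((Get-UacValue 'EnableLUA') -eq 0)                   { $warnings += 'UAC is disabled: administrators no longer run in Admin Approval Mode.' }
if ((Get-UacValue 'PromptOnSecureDesktop') -eq 0)       { $warnings += 'Elevation prompts appear on the normal desktop and could be spoofed by malware.' }
if ((Get-UacValue 'ConsentPromptBehaviorAdmin') -eq 0)  { $warnings += 'Administrators elevate with no prompt at all.' }
if ((Get-UacValue 'EnableVirtualization') -eq 0)        { $warnings += 'File and Registry virtualization is off; legacy applications may fail.' }
if ($warnings) { $warnings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No weak UAC settings detected.' }
```

Run it from an ordinary PowerShell prompt; reading this key does not itself require elevation, so the report reflects what a standard user's machine is actually enforcing.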

If you just want to disable UAC on a per account basis, you can do so easily via the Control Panel. Navigate to Control Panel, User Account and Family Safety, User Accounts, Change Security Settings to disable UAC. This portion of the Control Panel resembles the following:


If you disable UAC in this fashion, Windows Security Center will trigger a warning. In the Other security settings section of UAC, you'll see an option for User Account Control that monitors whether this feature is enabled. If UAC is disabled, a Turn on now button will let you restart UAC (a system restart will be required).

--Paul Thurrott
May 27, 2006
Updated February 22, 2007

 

More Information

This feature applies to the following Windows Vista product editions:

Windows Vista Home Basic
Windows Vista Home Basic N
Windows Vista Home Premium
Windows Vista Business
Windows Vista Business N
Windows Vista Enterprise
Windows Vista Ultimate

Focus areas:
Security, Core architecture
