Microsoft's advertising has stressed
the new security features found in Windows Vista. From the user
perspective, one such feature, User Access Control, is arguably the most
noticeable enhancement. User access control is a mechanism by which
users -- even administrators -- perform common Windows tasks with
non-administrative rights, or as a standard user. Before administrative
tasks can be performed, users must actively approve actions that could
be potentially dangerous to the computer.

In this article, I'll give
you a complete look at User Access Control's inner workings and show you
some ways you can change the behavior of this new feature.

How does User Access Control work?

The inner workings of User Access
Control reveal a lot about how this feature protects your computer.
First, let's talk about why User Access Control was developed.

The problem: Windows XP and silent installations

In pre-Vista
versions of Windows, upon login, a user was assigned an access token. A
non-administrative user was assigned a token that granted him access to
resources that did not require administrative rights. Users that were
members of an administrative group were assigned a single token that
granted them full rights to all of the resources on the local computer.

From an ease-of-use perspective, this level of authority was great. However,
from a security perspective, it's not so great, even for IT pros.
Consider the potential for "drive-by" spyware installation. A drive-by
installation happens when you visit, either accidentally or
intentionally, a site containing malicious code that you don't know
about. While spyware scanners have significantly improved over the past
couple of years, there's not a single solution on the market that will
protect against every known threat. Even if there was such a product,
there would still be the issue of unknown threats. New spyware pops up
every day and it takes vendors time to discover these new nuisances and
update their products.

If you're logged in to Windows XP as a user
with administrative privileges at the time the drive-by takes place,
spyware may get installed to your computer with absolutely no notice to
you. This spyware could be anything from a fairly innocuous tool to a
key logger that keeps track of everything you type and sends the results
to a predetermined location. You might end up with the installation of a
back door that allows a hacker to make his way into your system at some
point in the future to achieve his nefarious goals. Worse, the deeper
spyware is embedded into your system, the more difficult it is to
remove, short of a complete system rebuild, which can take hours.

Note: When you install Windows XP, the Setup Wizard assigns administrative
rights to all local accounts.

Now, you might tell yourself you
already know all of this; but, in your organization, you're forced to
allow users to run as a local administrator for any number of reasons.
For example, many users (with the backing of management) feel it is
vital that they have the ability to install new applications on their
desktop. Unfortunately, they're often right. Doing business on the Web
often means having to install a new ActiveX control or other type of
application. While not the safest behavior, allowing people to do their
jobs is preferable to paying people to sit in a chair doing nothing
under the unyielding thumb of IT.

The solution: Windows Vista and User Access Control

Windows Vista's introduction of User Access
Control aims to tame this beast and bring some order back to chaos.
Under Vista, when an administrative user logs in to the system, he is
granted not one, but two access tokens: an administrative access token
and a standard user access token. The standard access token is used to
start the user's desktop. The end result is that the administrator is
running a system with more limited rights than he would have received
upon login under Windows XP. Until there is a need, the second token --
the one with administrative rights -- is not used.

This situation
takes place, for example, when the administrative user starts a control
panel applet and tries to change a setting. Windows Vista's User Access
Control feature pops up a window indicating that permission is necessary
to continue. When you choose to allow an administrative action to take
place using the administrative token, you are allowing that application
to run with elevated privileges. Figure A gives you a look at a
typical User Access Control dialog box. If you want to allow the action,
press the Continue button.

Figure A: User Access Control asks if you want to proceed with the action.

If you've seen the Mac v. PC commercials on Apple's Web
site, you'll recognize this dialog box as being the point of discussion
between the PC and the Mac with a security guard standing behind the PC
to verify every communication with the Mac. In reality, the situation is
not quite that bad. In fact, although annoying from time to time, the
situation is much better as the new system provides a visual cue that
something is going on and gives a user an opportunity to decline an
action.

Annoyance is one of the results I will try to help you with
in this article. I'll show how you can disable User Access Control
altogether, and how to indicate that specific applications should always
run in an elevated state.

Completely disabling User Access Control

I'll preface this section by saying I don't recommend you
take this action, even on your own computer. Much as I am loath to
admit it, even though I preach the dangers of the "blind click" on a
pop-up and the resulting spyware that ensues to students and users, I
sometimes forget my own advice. Last summer, when I was in a hurry to
complete a task, I got what appeared to be a system dialog box and
pressed the OK button. Just as I released the mouse button, I realized
that the "OK button" I had just pressed was actually a pop-up from a Web
site. Just hours later, my system was infested with spyware.

The lesson here is this: Even those of us that do this for a living fall
victim to spyware. With User Access Control, at least there is one more
barrier between us and them.

But, if you find that User Access
Control is seriously debilitating, you can disable it and move on. There
are a number of ways to disable User Access Control. I'll show you how
to do so using the Control Panel, the Registry Editor, and Group Policy.

All of the solutions in this article require that you log on as a user with
administrative rights. For most solutions, however, you cannot use the
local administrator account. This account is not subject to
administrative approval. Use another account that is a member of the
local administrators group.

Disable User Access Control using MSConfig

For a few machines, you can use MSConfig to change the
behavior of User Access Control:

- Go to Start | All Programs | Accessories | Run.
- In the Run box, type "msconfig", and press [Enter].
- From the System Configuration window, choose the Tools tab, as shown in Figure B.
- In the Tool Name column, look for the Disable UAC option.
- Press the Launch button.
- Reboot the system.

Figure B: The System Configuration window Tools tab.

Disable User Access Control via the Control Panel

If you have just a couple of
machines, the easiest way to disable User Access Control is to disable
the feature via the Control Panel. Follow these steps to achieve this
goal:

- Go to Start | Control Panel.
- Viewing the Control Panel in "Classic" mode, choose the User Accounts applet. This opens the screen shown below in Figure C.

Figure C: The User Accounts control panel applet.

- Choose the "Turn User Account Control on or off" option. Note that this applet has a little shield next to it. This shield indicates that this function is itself protected by User Account Control.
- Deselect the checkbox next to Use User Account Control (UAC) To Help Protect Your Computer. See Figure D.

Figure D: The User Accounts control panel applet.

- Press OK.
- Reboot your computer for the changes to take effect.

Disable User Access Control via the Registry Editor

A second way to disable User Access Control involves the use of the
registry editor. By changing a specific registry value on each Vista machine, you
can disable User Access Control. Here are the steps:

- Start the Registry Editor.
- Browse to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System.
- Change the value of the EnableLUA entry to "0". If you ever want to re-enable User Access Control, follow these instructions, but change the value of the EnableLUA entry to "1". See Figure E for a look at the screen.
- When you are done, reboot the computer for the change to take effect.

Figure E: The EnableLUA value in the Registry Editor.

Manage/Disable User Access Control via Group Policy

If you have a lot of
computers and you want to change User Access Control behavior across all
of them, your best bet is to use Group Policy. The Group Policy method
is also the most granular of the bunch and allows you to set a variety
of parameters related to User Access Control. I'll show you how to
accomplish this using the local group policy administrative tool.

- Go to Start | All Programs | Accessories | Run.
- In the Run box, type "secpol.msc" and press [Enter].
- When User Account Control asks for permission to continue, press the Continue button.
- Browse to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options. You'll see the screen shown in Figure F.
- Select the group policy object you wish to modify and change the setting to the desired value. The list below provides you with a look at all of the group policy settings associated with User Access Control.

Figure F: The Group Policy Object Editor.

There are a number of options related to User Access Control:

- User Account Control: Behavior of the elevation prompt for the built-in Administrator account -- This setting determines the behavior of User Access Control when used with the built-in Administrator account.
  - Enabled: When running an application that needs administrative rights, the built-in Administrator account will be subject to User Access Control.
  - Disabled (default): The built-in Administrator account will run all applications without further prompting.
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -- This setting determines what takes place when administrators (besides the built-in Administrator account) run a privileged application.
  - Elevate without prompting: This is the most dangerous setting and should be used only in very secure environments. Restricted applications are run with administrative rights without intervention.
  - Prompt for credentials: The user is prompted to provide the user name and password for a user with local administrative rights.
  - Prompt for consent (default): This is the normal behavior for User Access Control and asks the user (assuming the user has administrative rights) to permit or deny running an application with administrative rights.
- User Account Control: Behavior of the elevation prompt for standard users -- This setting determines what takes place when standard users try to run a privileged application.
  - Prompt for credentials (Default for Home editions): The user is prompted to provide the user name and password for a user with local administrative rights.
  - Automatically deny elevation requests (Default for Enterprise editions): The user will receive a message indicating that access to the application has been denied.
- User Account Control: Detect application installations and prompt for elevation -- How will the User Access Control system respond to requests for the installation of new programs?
  - Enabled (Default for home): Application installations that require administrative privileges will trigger the User Access Control prompt.
  - Disabled (Default for enterprise): Since many application installations are handled via Group Policy, user intervention and approval is not necessary.
- User Account Control: Only elevate executables that are signed and validated -- Do elevated applications require a valid PKI certificate chain?
  - Enabled: Requires that an application has a valid PKI certificate chain before it is allowed to run.
  - Disabled (default): Does not require that an application be signed in order to run.
- User Account Control: Only elevate UIAccess applications that are installed in secure locations -- Applications that request execution with a UIAccess integrity level must reside in a secure area of the system.
  - Enabled (default): An application with UIAccess integrity will launch only if it resides in a protected area of the system.
  - Disabled: An application with UIAccess integrity will launch regardless of the location of the executable.
- User Account Control: Run all administrators in Admin Approval Mode -- Run all users, including administrators, as standard users. This effectively enables or disables User Access Control. If you change this setting, you must reboot the system.
  - Enabled (default): Administrative Approval Mode and User Access Control are enabled.
  - Disabled: Disable User Access Control and Admin Approval Mode.
- User Account Control: Switch to the secure desktop when prompting for elevation -- When User Access Control is enabled and displays an elevation prompt, change Windows Vista to the secure desktop as opposed to the standard user's desktop.
  - Enabled (default): Elevation requests are directed to a secure desktop.
  - Disabled: Elevation requests are directed to the standard desktop.
- User Account Control: Virtualize file and registry write failures to per-user locations -- This setting enables the redirection of legacy application write failures to defined locations in both the registry and file system, mitigating those applications that historically ran as administrator and wrote runtime application data back to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software\. In short, this setting helps to maintain backward compatibility with legacy applications that do not like to run as a standard user.
  - Enabled (default): Applications writing data to protected areas will be redirected to other locations.
  - Disabled: Applications writing data to protected areas will fail.
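
Several of the policy settings above are stored as values under the same Policies\System key as EnableLUA. The following read-only PowerShell audit is an added example, not part of the original article; it flags the weakest choices described here. The value names other than EnableLUA are Windows's own names rather than ones the article gives, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (read-only audit); not from the original article.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> data that weakens UAC, and the policy choice it corresponds to.
$WeakRules = @(
    @{ Name = 'EnableLUA'; Weak = 0
       Policy = 'Run all administrators in Admin Approval Mode: Disabled' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Weak = 0
       Policy = 'Elevation prompt for administrators: Elevate without prompting' }
    @{ Name = 'PromptOnSecureDesktop'; Weak = 0
       Policy = 'Switch to the secure desktop when prompting: Disabled' }
    @{ Name = 'EnableSecureUIAPaths'; Weak = 0
       Policy = 'Only elevate UIAccess applications in secure locations: Disabled' }
)

function Test-UacSetting {
    param([hashtable]$Values)   # value name -> data as read from the key
    foreach ($rule in $WeakRules) {
        $data = $Values[$rule.Name]
        # A missing value means no explicit data is stored for that setting.
        if ($null -eq $data) { $state = 'NotSet' }
        elseif ($data -eq $rule.Weak) { $state = 'WEAK' }
        else { $state = 'OK' }
        [pscustomobject]@{
            Value  = $rule.Name
            Data   = $data
            State  = $state
            Policy = $rule.Policy
        }
    }
}

# Constructed sample: a machine where EnableLUA was set to 0 as described above.
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
Test-UacSetting -Values $sample | Format-Table -AutoSize

# Live read of the local machine (nothing is modified).
if (Test-Path $UacKey) {
    $props = Get-ItemProperty -Path $UacKey
    $live = @{}
    foreach ($rule in $WeakRules) { $live[$rule.Name] = $props.($rule.Name) }
    Test-UacSetting -Values $live | Format-Table -AutoSize
}
```

Rows in the WEAK state name the policy choice that produced them, so they can be checked against the list above.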

Selectively disabling User Access Control

Not all
applications are marked in such a way as to trigger a User Access
Control warning when executed. However, many applications need to be run
with administrative rights enabled in order to function as intended. In
order to accommodate this situation, you can mark an application so it
runs with administrative rights each time the application is executed.
To do so:

- Right-click the executable associated with the application.
- From the shortcut menu, choose the Properties option.
- From the Properties page, select the Compatibility tab.
- Under the Privilege Level heading, select the checkbox next to "Run this program as an administrator", as seen in Figure G.
- Press OK.

Figure G: The application's Compatibility tab.

For some
applications, the "Run this program as an administrator" option may not
be available. There can be a number of reasons for this:

- You are not logged in as a user with administrative rights.
- The application is not capable of being run with elevated rights.
- The application is a part of the operating system. OS applications cannot be modified in this manner.
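
To review which executables have been marked to always run elevated, the following read-only PowerShell listing is an added example, not part of the original article. It assumes that Windows records the Compatibility tab choice as a RUNASADMIN flag under the AppCompatFlags\Layers registry key, a detail the article does not state, and that PowerShell 3.0 or later is available.

```powershell
# Added example (read-only); not from the original article.
# Assumption: Windows stores the Compatibility-tab choice as a RUNASADMIN flag
# under AppCompatFlags\Layers (HKCU = current user, HKLM = all users).
$LayerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
# Locations that standard users cannot write to by default.
$ProtectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-ProtectedPath {
    param([string]$Path, [string[]]$Roots = $ProtectedRoots)
    foreach ($root in $Roots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RunAsAdminEntry {
    param([string[]]$Key = $LayerKeys)
    foreach ($k in $Key) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($exe in $item.GetValueNames()) {
            # Value name = full path of the executable, data = its flags.
            $flags = [string]$item.GetValue($exe)
            if (-not $exe -or $flags -notmatch '\bRUNASADMIN\b') { continue }
            if (Test-Path -LiteralPath $exe) {
                $sig = [string](Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { $sig = 'FileMissing' }
            [pscustomobject]@{
                Hive       = $k.Substring(0, 4)
                Executable = $exe
                Signature  = $sig
                Protected  = Test-ProtectedPath -Path $exe
            }
        }
    }
}

# Entries outside protected locations sort first; those deserve review first.
Get-RunAsAdminEntry | Sort-Object Protected, Signature | Format-Table -AutoSize
```

An always-elevated executable that is unsigned or sits in a folder a standard user can write to is the case to look at first, since the file could be replaced without an elevation prompt.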

Annoying, but worth it

User
Access Control might be an annoying way to achieve system security, but
it's actually pretty welcome when it comes to maintaining system
security, especially for home users. Mac and Linux users have long had
to deal with the same basic security scheme, but it's new to Windows
users. Once Windows users get used to it, they'll appreciate the added
security it provides.