A discussion of Windows Vista is almost impossible without some mention of the major changes to its user-level security. Microsoft collectively refers to these changes as User Account Control (UAC), and they've attracted as much controversy as they have praise.
Stop for the prompt
UAC allows a user to perform administrative actions without forcing them to run with administrative privileges all the time.
To make this work, UAC enforces two rules:
- Users will run all operations in the context of a regular, non-administrative user. This includes people logged in under administrative accounts. In short, even if you log in as an administrator on a Windows Vista machine, you will still be running tasks as a regular user. This is described as a least-privileged environment: You're running with the absolute minimum of privileges needed to do the vast majority of things.
- Whenever you need to do something that requires administrative permissions, you'll be prompted to confirm your admin privileges.
The dialog box is the one part of User Account Control that people will work most directly with. When a box appears, it'll show the name of the application, process or activity that the user is attempting to run. If you're logged in as an admin, you'll see the following Continue | Cancel dialog box:
If you're logged in as a regular, non-admin user, you'll be prompted to type in the username and password for an administrator account before you can complete the action.
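The two halves of that arrangement can be observed from a PowerShell session. The script below is an added example and is not code from the original article: it reports whether the current session holds a full administrator token or the filtered standard-user token UAC hands to an administrator account, and shows the call that brings up the Continue/Cancel (or credential) dialog described above. It assumes PowerShell 2.0 or later; whoami.exe ships with Vista and later.

```powershell
# Added example (not from the original article). Inspect the token this session
# runs with and, on request, trigger the UAC elevation prompt.
# Assumes PowerShell 2.0 or later on Windows Vista or newer.

function Get-UacSessionState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole is evaluated against the token this process actually holds. For a
    # member of Administrators who has not elevated, UAC supplies a filtered token,
    # so this is $false even though the account itself is an administrator.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups shows what the filtered token hides: the integrity level
    # (Medium = standard user, High = elevated) and, for an admin account that has
    # not elevated, the Administrators group marked "Group used for deny only".
    $groups    = whoami /groups
    $adminLine = ($groups | Select-String 'S-1-5-32-544').Line   # BUILTIN\Administrators
    $integrity = if ($groups -match 'S-1-16-12288')  { 'High (elevated)' }
                 elseif ($groups -match 'S-1-16-8192') { 'Medium (standard user)' }
                 else { 'Unknown' }

    New-Object PSObject -Property @{
        User              = $identity.Name
        AdminAccount      = [bool]$adminLine
        AdminTokenFiltered = [bool]($adminLine -and ($adminLine -match 'deny only'))
        Elevated          = $elevated
        IntegrityLevel    = $integrity
    }
}

function Request-Elevation {
    # Relaunching with the RunAs verb is what makes the UAC dialog appear:
    # Continue/Cancel for an admin account, a credential prompt for a standard user.
    # Nothing in this script can answer that prompt; it is drawn on the secure desktop.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoExit', '-Command', 'whoami /groups'
}

Get-UacSessionState | Format-List
```

Run it once from an ordinary session and once from an elevated one: an administrator account shows AdminAccount true in both, but Elevated, IntegrityLevel and AdminTokenFiltered change, which is exactly the "logged in as admin, running as a regular user" behaviour the article describes.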
When a UAC prompt appears, a couple of things happen behind the scenes. For one, the prompt is drawn on a separate "secure desktop": the rest of the screen is rendered inactive and the computer will only respond to the user's direct instruction to either confirm or deny the User Account Control request. In other words, you can't script a UAC confirmation, which would in itself be a security issue.
The only things that can run on the secure desktop are processes that are explicitly trusted to run under the system account. That makes it extremely difficult for a program to trick you into running it as administrator. In Microsoft's User Account Control team weblog, there's a post that describes how it might be possible to spoof the look of the UAC screen, but not its behavior.
Know the signs
The more you work with User Account Control, the more familiar it becomes, and the more of a sense you get as to when the UAC prompts come up. UAC confirmations generally appear when you try to do any of the following:
- Installations (hardware, drivers, ActiveX controls, updates)
- Changing system settings (firewall, network adapter settings, UAC itself, modifying parental controls)
- Changing another user's settings
- Working with anything owned by another user (such as their files)
- Running an application that has been specifically flagged to require administrator mode, typically as a compatibility setting
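The last item in that list is worth auditing on a machine that prompts more than expected. The script below is an added example, not code from the original article: it lists the programs flagged through the compatibility setting "Run this program as an administrator", which Windows records under the AppCompatFlags\Layers key (per user in HKCU, machine-wide in HKLM) with the executable path as the value name and RUNASADMIN in the value data. It assumes PowerShell 2.0 or later. A developer can request the same thing through the application's embedded manifest (requestedExecutionLevel), which this script does not read.

```powershell
# Added example (not from the original article). List programs that will raise a
# UAC prompt on every launch because they carry the RUNASADMIN compatibility flag.
# Assumes PowerShell 2.0 or later.

function Get-RunAsAdminFlaggedPrograms {
    $layerKeys = @(
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    )
    foreach ($key in $layerKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            # Value name is the executable path; value data is a space-separated
            # list of compatibility layers, e.g. "RUNASADMIN" or "WINXPSP2 RUNASADMIN".
            $flags = [string]$item.GetValue($valueName)
            if ($flags -match 'RUNASADMIN') {
                New-Object PSObject -Property @{
                    Scope   = $key.Split(':')[0]                 # HKCU or HKLM
                    Program = $valueName
                    Flags   = $flags
                    Exists  = Test-Path -LiteralPath $valueName  # stale flag if $false
                }
            }
        }
    }
}

# A program you did not flag yourself deserves a look: it will elevate every time
# it starts, and an entry whose Exists column is $false is a leftover worth removing.
Get-RunAsAdminFlaggedPrograms | Format-Table Scope, Program, Flags, Exists -AutoSize
```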
Software installs and system configuration changes most commonly trigger UAC when Vista is first set up. This is something people have complained about -- especially during the beta 1 and beta 2 test phases for Vista -- and Microsoft did its best to roll back both the number of interruptions and the inconvenience involved.
Another thing Microsoft did was place visual cues in Vista to alert you when a given action might cause a UAC prompt. If you see an application icon or a command button that's branded with the four-color "security shield" logo, that means activating that item will require a UAC confirmation. Keep an eye out for them and you'll rarely be caught by surprise.
For the most part, day-to-day activities -- for instance, launching a program that runs properly as a limited user -- should not generate a UAC prompt. If they do, there's a chance the application itself was not written correctly or was installed in such a way that it is being run from a directory that requires privilege elevation in order to work correctly. (In my own work, I typically go whole days without once encountering a UAC prompt.)
Is it possible to disable User Account Control? In a word, yes. UAC can be disabled and just as easily re-enabled from the User Accounts window in the Control Panel. Each time you enable or disable it, you'll need to reboot, as the mechanisms that control UAC can't just be stopped or restarted on the fly.
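Whether UAC is actually in force on a given machine, and how the prompt behaves, is recorded in a handful of registry values. The script below is an added example, not code from the original article: it reads those values and reports any setting that weakens the behaviour described above, namely UAC switched off, administrators elevating without a prompt, or the prompt drawn on the normal desktop rather than the secure desktop. It assumes PowerShell 2.0 or later and the documented value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

```powershell
# Added example (not from the original article). Report the UAC configuration
# from its registry values. Read-only: it changes nothing.
# Assumes PowerShell 2.0 or later.

function Get-UacPolicyState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # A value that is absent means "Windows default", not zero.
    function Read-Dword($name, $default) {
        $v = $p.$name
        if ($v -eq $null) { $default } else { [int]$v }
    }

    $enableLua   = Read-Dword 'EnableLUA' 1                  # 1 = UAC on, 0 = off
    $adminPrompt = Read-Dword 'ConsentPromptBehaviorAdmin' 2 # 0 = elevate silently,
                                                             # 1 = ask credentials,
                                                             # 2 = ask consent (Vista);
                                                             # later versions add 3-5
    $secureDesk  = Read-Dword 'PromptOnSecureDesktop' 1      # 1 = prompt on secure desktop

    # Note: EnableLUA is read at logon/boot. As the article says, a change to it is
    # not in force until the machine reboots, so a freshly edited value does not yet
    # describe the running system.
    $findings = @()
    if ($enableLua -eq 0)   { $findings += 'EnableLUA=0: UAC is off; administrator accounts run every program with a full admin token.' }
    if ($adminPrompt -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt.' }
    if ($secureDesk -eq 0)  { $findings += 'PromptOnSecureDesktop=0: the prompt is drawn on the normal desktop, where other programs can interact with it.' }
    if ($findings.Count -eq 0) { $findings += 'UAC settings are at their protective values.' }

    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesk
        Findings                   = $findings
    }
}

Get-UacPolicyState | Format-List
```

Running this on a machine where someone followed the "turn it off while installing" habit described below shows EnableLUA=0 in the findings, which is a useful reminder to turn it back on before the system goes into regular use.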
Some people have taken to shutting off UAC while setting up their systems or installing software and then re-enabling it when they're done. On the surface of it, this isn't a bad idea, since you're sparing yourself the hassle (however minor) of dealing with the UAC prompt. But it's not always a good idea to disable UAC, even if only as an interim measure, for these reasons:
- With UAC turned off, it's hard to tell which actions will cause UAC prompts and which won't. If you're used to working on a Vista system that has UAC disabled and then you're forced to switch to one where it's turned on, the sudden presence of the UAC dialogs in places where you didn't see them before may be disruptive.
- UAC provides a degree of protection against malware that attempts to run in the administrator context. If the UAC dialog pops up by itself without any apparent reason for being invoked -- for instance, if a program has triggered silently in the background -- it's a good idea to pay close attention to which program it is and where it resides (you can find out by clicking the Details tab). If you're in any doubt, you can always hit Cancel.
The second reason of those two is, in my opinion, the more important. I had an experience involving a UAC warning like that once, and while the program in question turned out to be relatively benign, it was nice to know that UAC was doing its job and not letting something run administratively without my say-so.
The specific kind of security protection that UAC provides in Vista is, I think, what has confused a lot of people. It's meant to address how privilege elevation is managed in Windows and to provide a mechanism by which people can elevate privileges to the admin level, but only when they're needed. It isn't a catch-all security system and isn't intended to be one -- and so it should be approached in the spirit in which it was intended. User Account Control is a way to allow administrative actions to be performed without forcing a user to run as admin all the time, with the security risks that entails.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in March 2007