Getting Started with User Account Control on Windows Vista

This getting started guide is intended for Microsoft® Windows Vista™ and UAC deployments in lab environments. This guide provides user experience and configuration data for both managed and unmanaged environments as well as information about UAC updates included in Windows Vista.

On This Page

User Account Control Overview
Windows Vista Updates
UAC User Experience
How to Configure UAC for Your Computer
Known Issues and Resolutions
Providing Feedback

User Account Control Overview

User Account Control (UAC) is a new security component of the Microsoft® Windows Vista operating system. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.

When an administrator logs on to a Windows Vista computer, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by Windows to control what resources and tasks the user can access. Before Windows Vista, an administrator account received one access token, which included data to grant the user access to all Windows resources. This access control model did not include any fail-safe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malware, the overarching term for malicious software, could install on users' computers without notifying them. This process is commonly referred to as "silent" installation. Even more damaging, because the user is an administrator, the malware could use the administrator's access control data to infect core operating system files and, in some instances, to become nearly impossible to remove.

The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users by default cannot perform these tasks and can only install per-user software.

To help prevent malware silent installation and computer-wide infection, Microsoft developed the UAC feature for Windows Vista. Unlike previous versions of Windows, when an administrator logs on to a Windows Vista computer, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed or disabled, resulting in a standard user access token. The standard user access token is then used to launch the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well. Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to launch the desktop.

After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task. Because the user experience is configurable with the Security Policy Manager snap-in (secpol.msc) and with Group Policy (gpedit.msc), there is not one sole UAC user experience. More information about the administrator and standard user experience is available later in this document.

Making Applications that Work for Standard Users

A major effort is currently underway to help Microsoft and independent software vendors (ISVs) redesign their applications to limit requests for a user's administrative access token. The revised application development message is: only require the user to be an administrator when it is absolutely necessary.

In the past, developers have often performed an access check to ensure the user is an administrator when the application is initially launched. Many of these applications, however, do not have functions that actually require the user to be an administrator.

Some programs, however, will always require an administrator access token. Disk partitioning software is such an example. Programs that do require the user to be an administrator can be launched in Windows Vista with the user's full administrator access token; however, the user is first notified of the application's request to "elevate" the user from an administrator in Admin Approval Mode to a full administrator, and the user must choose to either approve or deny the elevation.

Note

The UAC functionality by default does not apply to the built-in Administrator account but can be configured to apply. In most cases, this account runs all applications and administrative tools as an administrator without being prompted for consent. The desktop is also launched as an administrator.

Windows Vista Updates

The following updates reflect the cumulative core changes in functionality that have occurred in Windows Vista.

UAC is Enabled by Default

As a result, you might encounter some compatibility problems with different applications that have not yet been updated for the Windows Vista UAC component. If an application requires an administrator access token (indicated by an "access denied" error when you attempt to run the application), you can run the program as an administrator by using the Run as administrator option on the context menu (right-click). How to do this is documented later in this document in the "Running Programs as an Administrator" section.

All Subsequent User Accounts are Created as Standard Users

Both standard user accounts and administrator user accounts can take advantage of the UAC enhanced security. On new installations, by default, the first user account created is a local administrator account in Admin Approval Mode (UAC enabled). All subsequent accounts are then created as standard users.

Built-in Administrator Account is Disabled by Default on New Installations

The built-in Administrator account is disabled by default in Windows Vista. If Windows Vista determines during an upgrade from Windows XP that the built-in Administrator is the only active local administrator account, Windows Vista leaves the account enabled and places the account in Admin Approval Mode. The built-in Administrator account, by default, cannot log on to the computer in safe mode. Please see the following sections for more information.

Non-Domain Joined

When there is at least one enabled local administrator account, safe mode will not allow logon with the disabled built-in Administrator account. Instead, any local administrator account can be used to log on. If the last local administrator account is inadvertently demoted, disabled, or deleted, safe mode will allow the disabled built-in Administrator account to log on for disaster recovery.

Domain Joined

The disabled built-in Administrator account cannot log on in safe mode in any case. A user account that is a member of the Domain Admins group can log on to the computer to create a local administrator if none exists.

Note

If the domain administrative account had never logged on before, then the computer must be started in Safe Mode with Networking since the credentials will not have been cached.

Note

Once the machine is disjoined from the domain, it will revert to the non-domain joined behavior described previously.

Elevation Prompts are Displayed on the Secure Desktop by Default

The consent and credential prompts are displayed on the secure desktop by default in Windows Vista.

New UAC Security Settings and Security Setting Name Changes

The new security settings and security setting name updates are detailed in the Understanding and Configuring User Account Control in Windows Vista document (https://go.microsoft.com/fwlink/?LinkId=66020).

UAC User Experience

The user experience differs for standard users and administrators in Admin Approval Mode when UAC is enabled. The following sections detail those differences and explain the design of the UAC user interface.

With UAC enabled, Windows Vista either prompts for consent or for credentials for a valid administrator account before launching a program or task that requires a full administrator access token. This prompt helps to prevent the silent installation of malware.

The consent prompt is presented when an administrator attempts to perform a task that requires the user's full administrative access token. This default prompting behavior for administrators is configurable with the local Security Policy Editor snap-in (secpol.msc) and with Group Policy (gpedit.msc). The following is a screenshot of the User Account Control consent prompt.

User Account Control consent prompt

The following example shows how an administrator in Admin Approval Mode is prompted for consent when attempting to perform an administrative task.

  1. Log on to a Windows Vista computer with an administrator account in Admin Approval Mode.
  2. Click the Start button, right-click My Computer, and select Manage from the menu.
  3. At the User Account Control dialog box, click Continue.

The Credential Prompt

The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. This standard user default prompt behavior is configurable with the Security Policy Manager snap-in (secpol.msc) and with Group Policy. Administrators can also be required to provide their credentials by setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode value to Prompt for credentials.

The following screenshot is an example of the User Account Control credential prompt.

User Account Control credential prompt

The following example illustrates how a standard user is prompted for credentials when attempting to perform an administrative task.

To view the credential prompt
  1. Log on to a Windows Vista computer with a standard user account.
  2. Click the Start button, right-click My Computer, and select Manage from the menu.
  3. In the User Account Control dialog box, click the user name for the appropriate administrator, then enter the password for that user account and click Submit.

Application Aware Elevation Prompts

The UAC elevation prompts are color-coded to be application-specific, enabling immediate identification of an application's potential security risk. When an application attempts to run with an administrator's full access token, Windows Vista first analyzes the executable to determine its publisher. Applications are first separated into three categories based on the executable's publisher: Windows Vista, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows Vista determines which color elevation prompt to present to the user.

Application aware elevation prompts

The following details the elevation prompt color-coding:

  • Red background and red shield icon: The application is from a blocked publisher or is blocked by Group Policy.
  • Blue/green background: The application is a Windows Vista administrative application, such as a control panel.
  • Gray background and gold shield icon: The application is Authenticode signed and trusted by the local computer.
  • Yellow background and red shield icon: The application is unsigned or signed but not yet trusted by the local computer.

The color-coded elevation prompts align with the color-coded dialog boxes in Microsoft Internet Explorer.

Shield Icon

Some control panels, such as the Date and Time Properties control panel, contain a mix of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screenshot of the Date and Time Properties control panel.

Date and Time Properties

When a user needs to modify the time, the user clicks the shield icon button. The shield icon indicates to the system to use a full administrator access token, which requires a User Account Control elevation prompt.

Installing and Running a Program with UAC Enabled

Since installing some applications on a system requires an administrator access token, a mechanism is in place within the Windows Vista operating system to automatically detect the launch of a setup installer. When an application setup is detected, UAC displays an elevation prompt for the user to validate the installation process. Following installation, the application will not require the user to provide consent or credentials, unless it is an administrative application.

You can control what kind of user input the prompt requires by configuring a new security policy setting introduced in Windows Vista. The setting is located in the Security Policy Manager Microsoft Management Console (MMC) snap-in under the path: Local Security Settings->Local Policies->Security Options.

You can configure the behavior of the elevation prompt separately for administrators and standard users. The following procedure details how to adjust the UAC prompting behavior for administrators in Admin Approval Mode. This task can be performed by standard users and administrators, but the following procedure details the process for an administrator in Admin Approval Mode.

To configure the UAC prompting behavior for administrators
  1. Log on to a Windows Vista computer with an administrator account in Admin Approval Mode.
  2. Click the Start button, click Run, type secpol.msc, and then click OK.
  3. At the User Account Control dialog box for the Microsoft Management Console, click Continue.
  4. In Local Security Settings, expand Local Security Settings, expand Local Policies, and then expand Security Options.
  5. Right-click the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting and select Properties.

Note

For most situations, the No Prompt setting is NOT recommended. No prompt elevation would permit UAC applications to launch administrator applications without your knowledge or consent.

The following procedure details how to configure the User Account Control: Behavior of the elevation prompt for standard users setting. This task can be performed by standard users and administrators, but the following procedure details the process for an administrator in Admin Approval Mode.

To configure the UAC prompting behavior for standard users
  1. Click the Start button, click Run, type secpol.msc, and then click OK.
  2. At the User Account Control dialog box for the Microsoft Management Console, click Continue.
  3. In Local Security Settings, expand Local Security Settings, expand Local Policies, and then expand Security Options.
  4. Right-click the User Account Control: Behavior of the elevation prompt for standard users setting and select Properties.

The following table describes the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode and the User Account Control: Behavior of the elevation prompt for standard users settings.

Consent policy for elevation

Setting: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Description: There are three possible values:

  1. No prompt - The elevation occurs automatically and silently.

  2. Prompt for consent - UAC asks for consent before elevating.

  3. Prompt for credentials - UAC requires that valid administrator credentials be entered before elevating. This policy is only in effect when UAC is enabled.

Default value: Prompt for consent

Setting: User Account Control: Behavior of the elevation prompt for standard users

Description: There are two possible values:

  1. No prompt - No elevation prompt is presented, and the user cannot perform administrative tasks without using Run as administrator or logging on with an administrator account.

  2. Prompt for credentials - UAC requires that valid administrator credentials be entered before elevating.

Default value: Prompt for credentials

Changing the behavior of the UAC elevation prompt should be done with careful consideration. This policy is configurable for both administrators in Admin Approval Mode and standard users. The following general guidance can help you determine how to configure the UAC prompting behavior for your environment.

Administrators in Admin Approval Mode

The prompt for consent option is recommended for most environments. More secure environments should use the prompt for credentials option.

Microsoft strongly advises against setting the No Prompt option; disabling the UAC prompt behavior removes the ability of a user to approve an application before it runs. As a result, any application can then "silently elevate" and use the administrator's access token, including malware, without the user's approval.

Standard users

Microsoft strongly recommends that standard users be prompted for administrator credentials. When the No prompt option is enabled, standard users will not be able to perform administrative tasks without using Run as administrator or logging on with an account that is a member of the local administrators group.

Secure Desktop

The consent and credential prompts are displayed on the secure desktop by default in Windows Vista. Only Windows processes can access the secure desktop. In addition to the recommendations for administrators and standard users, Microsoft also strongly recommends that the User Account Control: Switch to the secure desktop when prompting for elevation setting be kept enabled for higher levels of security.

When an executable requests elevation, the interactive desktop (also called the user desktop) is switched to the secure desktop. The secure desktop renders an alpha-blended bitmap of the user desktop and displays a highlighted elevation prompt and corresponding calling application window. When the user clicks Continue or Cancel, the desktop switches back to the user desktop.

It is worthwhile to note that malware can paint over the interactive desktop and present an imitation of the secure desktop, but when the setting is set to prompt for consent, the malware does not gain elevation even if the user is tricked into clicking Continue on the imitation. If the setting is set to prompt for credentials, malware imitating the credential prompt may be able to gather the credentials from the user. Note that this also does not gain the malware elevated privilege, and that the system has other protections that mitigate automated driving of the user interface by malware even with a harvested password.

Important

While malware could present an imitation of the secure desktop, this issue cannot occur unless a user previously installed the malware on the computer. Because processes requiring an administrator access token cannot silently install when UAC is enabled, the user must explicitly provide consent by clicking Continue or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon Group Policy.
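The two prompt-behavior policies in the table above and the secure desktop setting can be checked without opening secpol.msc. The following PowerShell script is an added example and not part of the original guide; it assumes, since the page does not list them, that the policies are stored as the REG_DWORD values EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop under the Policies\System key, with 0 meaning No prompt, 1 Prompt for credentials and 2 Prompt for consent.

```powershell
# Added example (not from the original guide). Reports the UAC prompt-behavior and
# secure-desktop settings and flags the configurations the guide advises against.
# Assumption: the policies are backed by the REG_DWORD values named below; the
# page itself does not list them, so confirm against secpol.msc if in doubt.
# Written for PowerShell 3.0 or later.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the policy is "Not Defined"
    return [int]$item.$Name
}

function Get-UacPromptAudit {
    $findings = @()

    # User Account Control: Run all administrators in Admin Approval Mode
    $enableLua = Get-UacValue 'EnableLUA'
    if ($enableLua -ne 1) {
        $findings += 'UAC is disabled: administrators always run with a full access token.'
    }

    # User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
    $admin = Get-UacValue 'ConsentPromptBehaviorAdmin'
    if ($admin -eq 0) {
        $adminText = 'No prompt'
        $findings += 'Administrators elevate silently: any application, malware included, can use the full token.'
    } elseif ($admin -eq 1) {
        $adminText = 'Prompt for credentials'   # the guide's choice for more secure environments
    } elseif ($admin -eq 2) {
        $adminText = 'Prompt for consent'       # the guide's recommended default
    } else {
        $adminText = "Unrecognized value ($admin)"
        $findings += 'Administrator prompt behavior is unset or uses a value this script does not know.'
    }

    # User Account Control: Behavior of the elevation prompt for standard users
    $user = Get-UacValue 'ConsentPromptBehaviorUser'
    if ($user -eq 0) {
        $userText = 'No prompt'
        $findings += 'Standard users cannot elevate at all; they need Run as administrator or an administrator logon.'
    } elseif ($user -eq 1) {
        $userText = 'Prompt for credentials'    # the guide's recommended default
    } else {
        $userText = "Unrecognized value ($user)"
        $findings += 'Standard user prompt behavior is unset or uses a value this script does not know.'
    }

    # User Account Control: Switch to the secure desktop when prompting for elevation
    $secure = Get-UacValue 'PromptOnSecureDesktop'
    if ($secure -ne 1) {
        $findings += 'Prompts appear on the interactive desktop, where another process could paint an imitation.'
    }

    [pscustomobject]@{
        UacEnabled            = ($enableLua -eq 1)
        AdminPromptBehavior   = $adminText
        UserPromptBehavior    = $userText
        PromptOnSecureDesktop = ($secure -eq 1)
        Findings              = $findings
    }
}

Get-UacPromptAudit | Format-List
```

An empty Findings list means the computer matches the guide's recommended defaults; each finding names the setting to revisit in secpol.msc.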

Running Programs as an Administrator

Windows Vista includes functionality to manually and preemptively request that an application be launched with a full administrator access token. To launch a program with a full administrator access token one time, right-click the program icon and select Run as administrator on the menu. After the user authorizes the elevation, the program will launch and run with the user's full administrative access token. The following procedure details this process as performed by an administrator in Admin Approval Mode.

To run a program one time as an administrator
  1. Right-click the program that you would like to run as an administrator and select Run as administrator.
  2. At the User Account Control dialog box, select Continue.

Note

Using Run as administrator will only elevate an application once. If an application requires an administrative access token to launch, you can mark it to always require a full administrator access token. The following section details this process.

Marking an Application that Requires a Full Administrator Access Token

There may be situations where certain applications will not function correctly unless they are run by a user with a full administrator access token. This can occur with pre-Windows Vista programs that are not designed to operate under the UAC environment. Microsoft has provided a mechanism to mark such applications so that they always require a full administrator access token. The following procedure details how to mark an application to always require an administrator access token when it is launched.

To mark an application to always require a full administrator access token
  1. Right click the program you would like to modify and select Properties.
  2. In Properties, select the Compatibility tab.
  3. Under Privilege Level, select the Run this program as an administrator check box, and then click Apply or OK.
  4. If this is the first time the application has been marked to run as an administrator, a dialog box will appear.
  5. Click OK to continue.

Note

If this is the first time that this application was marked, a message will appear indicating that Windows Vista will instruct the application to gather information about which operations the program is performing that require it to run with a full administrator access token. This information will help Microsoft determine if any steps can be taken to correct the program in the future so that it will no longer require a full administrator access token. When asked to check for "Solutions to Problems," always check for solutions on any product that has a LUADiagnostics problem. This will ensure that the collected information is sent to Microsoft. If you do not want to send this information, do not check for "Solutions to Problems."

Once complete, the program will prompt for elevation consent whenever it is launched.

Important

Marking an application to require an administrator access token does not prevent the User Account Control elevation prompt from being displayed. The application will still require the user to provide authorization before it can use a full administrator access token.
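To review which programs on a computer have been marked this way, the following PowerShell script, an added example that is not from the original guide, lists them together with their Authenticode signature status (the same signed/unsigned distinction the color-coded prompts use). It assumes, as the page does not say where the setting is stored, that the Compatibility tab records the mark as a RUNASADMIN flag under the AppCompatFlags\Layers key, per user in HKCU and for all users in HKLM.

```powershell
# Added example (not from the original guide). Lists programs marked
# "Run this program as an administrator" so an administrator can review which
# executables will always request a full administrator access token.
# Assumption (not stated on this page): the Compatibility tab stores the mark as
# a RUNASADMIN token in the AppCompatFlags\Layers key, under HKCU for the current
# user and under HKLM when applied for all users.

$LayerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

function Get-RunAsAdminMarkedPrograms {
    foreach ($key in $LayerKeys) {
        if (-not (Test-Path $key)) { continue }
        $scope = if ($key -like 'HKCU:*') { 'Current user' } else { 'All users' }
        $props = Get-ItemProperty -Path $key

        # Each value name is an executable path; the data is a space-separated list of layer flags.
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, etc.
            $flags = "$($prop.Value)" -split '\s+'
            if ($flags -notcontains 'RUNASADMIN') { continue }

            $path   = $prop.Name
            $status = 'File not found'
            $signer = ''
            if (Test-Path -LiteralPath $path) {
                # Valid = publisher verified (signed); NotSigned = publisher not verified.
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            New-Object PSObject -Property @{
                Scope      = $scope
                Path       = $path
                Signature  = $status
                Signer     = $signer
                OtherFlags = ($flags | Where-Object { $_ -ne 'RUNASADMIN' }) -join ' '
            }
        }
    }
}

Get-RunAsAdminMarkedPrograms | Format-Table -AutoSize Scope, Signature, Path, Signer
```

Entries whose Signature is NotSigned or whose file no longer exists are the ones worth reviewing first, since they will still receive a yellow elevation prompt every time they run.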

How to Configure UAC for Your Computer

While this section is about how to configure UAC for your specific computing environment, it is important to note that UAC touches every element of the Windows Vista user experience. UAC is an integral component of the Windows Vista security architecture.

In an enterprise, Microsoft recommends using Group Policy and Microsoft Systems Management Server (SMS) to manage UAC. For computers that are not a member of a domain or that are part of a workgroup, Microsoft recommends utilizing the default UAC configurations.

Based on the preceding recommendations, choose one of the two possible methods for configuring Windows Vista with UAC enabled:

  • Configure UAC for an enterprise workstation
  • Configure UAC for a home or unmanaged computer

Configure UAC for an Enterprise Workstation

In an enterprise, ensuring that users cannot alter system settings, install malware, or compromise data is paramount. As a result, Microsoft recommends that enterprises configure their workstations to run as standard users. Using the following configuration will help mitigate potential problems:

  • UAC is enabled throughout the environment and maintained centrally with Group Policy.
  • The built-in Administrator account is kept disabled and a password is set to prevent any offline attacks.
  • Every user of the desktop runs with a standard user account.
  • Domain administrators have two accounts: a standard user account and an administrator account in Admin Approval Mode.
  • IT deploys applications using Microsoft Systems Management Server (SMS), Group Policy software installation (GPSI), or another similar application deployment technology. If you have a UAC deployment mechanism in place, Microsoft recommends disabling application installer detection.
  • Access token elevations are handled by a help desk or an IT staff member by either using Remote Assistance or physically entering the credentials at the user's computer.

Note

If possible, remove or disable all local computer administrators.

Configure UAC for a Home or Unmanaged Computer

While UAC enables comprehensive control of enterprise desktops, it will also greatly improve security on home computers. While a standard user account has existed in Windows since NT 4.0, most home users are unaware that there are different account types. As a result, a majority of home users browse the Web, read e-mail, shop online, and compose documents as administrators. Because an administrator has full access to system resources, any malicious software that is inadvertently installed on your computer can affect files and folders throughout your computer. With the introduction of UAC in Windows Vista, support is provided within the operating system to make it much easier for users to run as standard users. Running as a standard user is inherently more secure and helps limit system-wide data loss due to system-wide malicious software installs.

Choose one of the following two options for your home environment configuration:

  • Configure UAC with parental controls
  • Configure UAC without parental controls

Configure UAC with Parental Controls

UAC enables flexible use of parental controls by clarifying user tasks and user account types.

Note

The Parental Controls control panel is not displayed in Control Panel on domain joined computers.

Recommended home configuration to enable parental controls:

  • UAC is enabled on the computer.
  • All parental accounts are created as administrator accounts in Admin Approval Mode.
  • All children's accounts are created as standard user accounts.

Important

It is essential that all parental accounts have strong passwords. For information about how to create a strong password, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=52122).

The following diagram uses the preceding guidelines to illustrate how a parent (administrator in Admin Approval Mode) can set parental controls for a child (standard user account).

Setting Parental Controls

In this scenario, Denise Smith wants to set parental controls on her Windows Vista computer to control what time her son Brian can log on to the computer.

Parental Controls scenario users

Name: Brian Smith
Description: 12-year-old boy who enjoys playing computer games and browsing the Web.
User account type: Standard

Name: Denise Smith
Description: Brian's mother. Denise wants to ensure that her son is only allowed to log on during certain hours.
User account type: Administrator in Admin Approval Mode

  1. Denise installs Windows Vista and creates an account for herself during the installation. This account is created as a local administrator account with UAC enabled by default.

  2. Denise then uses the Users control panel to create a standard user account for Brian and then opens the Parental Controls control panel.

  3. Because Denise wants to ensure that Brian does not use the computer late into the evening, Denise then uses the Parental Controls control panel to designate time limits, allowing Brian to only log on to the computer from the hours of 3 PM to 10 PM. The following screenshot details the configuration.

    Time limit configuration

  4. Denise then enables activity reporting to receive reports about Brian's computer activity, including the Web pages that Brian visits most often, his logon times, and the most recent Web sites blocked by parental controls.

  5. Brian attempts to log on to the computer at 10:30 PM and receives the following error: "Your account has time restrictions that prevent you from logging on at this time. Please try again later."

  6. Denise logs on and views an activity report for Brian's user account.

The following table details available parental controls.

Windows Vista Parental Controls

  • Web restrictions: Control allowed Web sites, downloads, etc.
  • Time limits: Control when a specific user is allowed to use the computer.
  • Games: Control games by rating, content, or title.
  • Allow and block specific programs: Allow or block any programs on your computer.
  • Activity reports: View activity reports.

Configure UAC without Parental Controls

The recommended method for configuring UAC without parental controls for a home computer is similar to the enterprise workstation configuration scenario highlighted earlier in this document. The following list details the recommended home computer configuration for Windows Vista:

  • Create one administrator account in Admin Approval Mode
  • Create one standard user account as your primary user account
  • Create all subsequent accounts as standard user accounts

The following sections detail how to complete this process, the general user experience that you will encounter, and different ways to configure UAC.

Note

While the standard user scenario illustrated here is for the home computing environment, enterprises will also greatly benefit from reduced TCO if they implement standard user accounts on their workstations.

Create one administrator account in Admin Approval Mode

During the Windows Vista installation process, you will be prompted to provide information for a user account. By default, this user account is created as an administrator account in Admin Approval Mode. Because Microsoft recommends that you use this initial administrator account sparingly, ensure that you do not name the account as you would for your primary user account. For example, a user named Michael Patten might use the following naming scheme for his two user accounts:

  • Administrator account in Admin Approval Mode: mpAdmin
  • Standard user account: Michael

Create one standard user account as your primary user account

You should complete the following procedure immediately after Windows has finished installing. This procedure was written by referencing the default Control Panel view and not Classic View.

To create a standard user account
  1. Log on with an administrator account in Admin Approval Mode.
  2. Click Start, click Control Panel, and then click Add or remove user accounts under the User Accounts and Family Safety heading.
  3. At the User Account Control dialog box, click Continue.
  4. In Manage Accounts, click Create a new account.
  5. In Create new account, type the desired name for a primary user account, and ensure that Standard user is selected.
  6. In Manage Accounts, click the new user account.
  7. In Change an account, click Create a password.
  8. In Create Password, enter a strong password.

Note

While Windows Vista does not require a password for standard user accounts, you should ensure that you do set a strong password. Password guidelines are provided on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=52122) and are available by clicking How to create a strong password in the Create Password section of the Users control panel.

Create all subsequent user accounts as standard users

Each subsequent user account you create after the first two accounts should be a standard user account. Follow the "Create a standard user account" procedure detailed in the preceding topic to create your standard user accounts. By default, each subsequent user account after the first administrator account is created will be created as a standard user account in Windows Vista.

Known Issues and Resolutions

Known issues and resolutions

Problem: Unable to install some ActiveX controls in Internet Explorer

Resolution: Launch Internet Explorer elevated by clicking the Start button, and then pointing to All Programs. Right-click Internet Explorer and select Run as administrator. Next, perform the ActiveX installation. Exit this instance of Internet Explorer and start a new instance running as a standard user to continue.

Problem: Non-administrator users cannot create files on the system root drive, for example, C:\

Resolution: By default, Windows Vista redirects any writes to protected areas (e.g., C:\ and C:\%systemroot%) to the currently logged-on user's profile. Either:

  • Create files and folders in the user's profile (under \users\(user) or \users\public).

OR

  • Right-click Command Prompt and select Run as administrator. Create the directory from the elevated command window.

Problem: Setup detection may not detect all setups

Resolution: Run the setup.exe elevated. See the section Marking an Application that Requires a Full Administrator Access Token.

Problem: No elevation prompts from command windows

Resolution: Launch the program by clicking the Start button and then pointing to Run.

Providing Feedback

Your feedback about any potential application compatibility issues will be greatly appreciated and will help Microsoft and independent software vendors (ISVs) collaborate to make Windows Vista the most secure operating system. Please submit all feedback to User Account Control Documentation Feedback.