Exposing Microsoft Windows 7 User Account Control (UAC)
If you have not heard about User Account Control (UAC) yet, then you need to spend a little time in the archives and blogs surrounding Windows Vista and 7. UAC was first introduced with Windows Vista and ever since has been one of the most debated, talked about, and controversial technologies surrounding post-Windows XP desktops. For administrators, UAC is one of the primary reasons Windows Vista is not running as the desktop operating system. For end users, UAC never quite lived up to the marketing and potential that was first generated by Microsoft around the technology. Now that we have nearly seen the full cycle of Windows Vista (yup, it was short lived and not all that glamorous), the next generation, Windows 7, is being tested, evaluated, and criticized for the implementation of UAC that it contains. Here we will look at the old and new UAC technology to determine if you should consider Windows 7 and UAC.
UAC, what it was designed to do
UAC was originally supposed to fix the issue surrounding applications that required administrative privileges, forcing end users to be configured as local administrator. In the beginning, UAC was actually referred to as LUA (Least Privilege User Access), but the name was soon changed because it did not come close to solving the issue.
In the final product, UAC is a security-related technology that is designed to protect the operating system files and Registry from malware, viruses, and code trying to update the protected areas of the computer. This malicious software attempts to add, modify, and delete key parts of the operating system in an attempt to control the computer and not be noticed.
How UAC Works
UAC (for both Windows Vista and 7) works in a similar manner. There are some changes to Windows 7 that are not included in Windows Vista, but we will look at these in a minute. What UAC does is strip away any "administrative" power from applications, tasks, features, or actions that a user performs during routine functionality. There are really two different modes in which UAC operates: one for a user that has membership in the local Administrators group and one for a user that does not have membership in this group.
If we look at how Windows Vista UAC works, we will then be able to make the comparison to how Windows 7 UAC is different. We need to look at both modes of operation to see how each works. First, let us look at when a non-Administrator is logged in. In this case, the user has no administrative credentials at logon, so any application, task, or feature will fail to run if it requires administrative privileges. When UAC is enabled (by default to prompt for consent), a dialog box will appear giving the user the ability to input a username and password of an account that has administrative privileges. If credentials are input, then only the application, task, or feature that UAC flagged and prompted for will be elevated to have administrative privileges. Figure 1 illustrates the UAC prompt for consent.
Figure 1: UAC Prompt for Consent dialog box for a standard user
Next, we need to investigate UAC on Windows Vista for when an "Administrator" is logged in. In the situation where a user is logged in with administrative privileges, UAC in essence strips away all of the administrative privileges until a task requires them. This is done so that background apps, viruses, malware, worms and so on cannot modify the operating system files and registry using the logged-in credentials. If we look at an authentication token of a user account that has logged in with membership in the Domain Admins group, you can clearly see that the "administrative privileges" have been stripped away. Figure 2 clearly shows how the Domain Admins group SID has been set to "DENY" for the token.
Figure 2: UAC sets the Domain Admins group SID to Deny permissions on the token
This is the most important aspect of UAC for when an administrator is logged in. Since nearly all malicious applications are written to take full advantage of the currently logged-on credentials, the applications will fail! Of course the negative to this is that when ANY application is launched, even one that is well known and run often, there will be a prompt for consent to run the application. This prompt can be seen in Figure 3.
Figure 3: UAC can prompt users for consent if they have administrative privileges
This can be annoying after the tenth time you run an application that you know is safe. However, security has never been easy or without hassle. The benefit is that when that malicious application does try to touch a protected file or registry entry, a prompt will appear, indicating to you that something is going on in the background, which you did not initiate.
This is how UAC behaves for both non-administrators and administrators when it is in the most secure mode, which is to prompt for any task that requires administrative privileges. Anything less than this level of prompting does not protect the computer from malicious applications or viruses, since the background activity would not be noticed and would be allowed to change the system.
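To see the filtered token described above on your own machine, the following PowerShell lists the groups that are marked deny-only in the current token. This is an added example, not part of the original article; it assumes an English-language Windows, where `whoami /groups /fo csv` uses the column headers "Group Name", "Type", "SID" and "Attributes".

```powershell
# Added example, not from the article: show which groups in the current
# logon token are deny-only, as in the Figure 2 description.
# Assumption: English-language Windows (whoami's CSV headers and the
# "Group used for deny only" attribute text are localized).

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# whoami prints one row per group SID in the token, with its attributes.
$groups   = whoami /groups /fo csv | ConvertFrom-Csv
$denyOnly = @($groups | Where-Object { $_.Attributes -match 'deny only' })

# IsInRole() returns False while the Administrators SID is deny-only,
# even though the account is a member of the group.
"User:                         {0}" -f $identity.Name
"Administrators group enabled: {0}" -f $principal.IsInRole($adminRole)
"Deny-only groups in token:    {0}" -f $denyOnly.Count

# In a non-elevated administrator session this lists groups such as
# BUILTIN\Administrators (and Domain Admins for a domain administrator).
$denyOnly | Select-Object 'Group Name', SID, Attributes | Format-Table -AutoSize
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator": the deny-only rows disappear in the elevated session.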
UAC Options with Windows 7
The way that UAC functions with Windows Vista has caused many administrators and companies (for non-administrators) to stay away from Vista. With all of this lack of revenue, Microsoft was forced back to the drawing board to fix the perceived "annoying" pop-ups that are associated with UAC. The solution that Microsoft came up with in Windows 7 is called the UAC slider.
The slider control allows the administrator of the computer to control which level of UAC prompts, and security, will be implemented. The slider controls which application "types" will cause a prompt and which ones will be allowed to elevate without a prompt. There are a total of four different slider settings, which can be seen in Figure 4.
Figure 4: UAC slider in Windows 7
The different levels are defined as follows:
1. Always notify on every system change. This is Vista behavior: a UAC prompt will result when any system-level change is made (Windows settings, software installation, etc.).
2. Notify me only when programs try to make changes to my computer. This setting does not prompt when you change Windows settings, such as control panel and administration tasks.
3. Notify me only when programs try to make changes to my computer, without using the Secure Desktop. This is the same as #2, but the UAC prompt appears on the normal desktop instead of the Secure Desktop. While this is useful for certain video drivers which make the desktop switch slowly, note that the Secure Desktop is a barrier to software that might try to spoof your response.
4. Never notify. This turns off UAC altogether.
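An administrator can check which of these four levels a Windows 7 machine is actually running by reading the UAC policy values from the registry. The script below is an added example, not part of the original article; the registry value names and their mapping to slider positions do not appear in the article and are the standard UAC policy values that the Windows 7 slider writes.

```powershell
# Added example, not from the article: map the UAC policy values in the
# registry to the four Windows 7 slider levels listed above.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {
    param([int]$EnableLUA, [int]$ConsentAdmin, [int]$SecureDesktop)

    # EnableLUA = 0: UAC is off entirely (slider at the bottom).
    if ($EnableLUA -eq 0) { return 4 }
    # ConsentAdmin = 2: consent prompt for every elevation.
    if ($ConsentAdmin -eq 2 -and $SecureDesktop -eq 1) { return 1 }
    # ConsentAdmin = 5: consent prompt for non-Windows binaries only.
    if ($ConsentAdmin -eq 5 -and $SecureDesktop -eq 1) { return 2 }
    if ($ConsentAdmin -eq 5 -and $SecureDesktop -eq 0) { return 3 }
    # Anything else was set through policy, not through the slider.
    return 0
}

$text = @{
    0 = 'Custom policy combination (not a slider position)'
    1 = 'Always notify'
    2 = 'Notify only when programs make changes'
    3 = 'Notify only when programs make changes (no Secure Desktop)'
    4 = 'Never notify (UAC off)'
}

$names   = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'
$p       = Get-ItemProperty -Path $key
$missing = @($names | Where-Object { $null -eq $p.$_ })

if ($missing.Count -gt 0) {
    # Do not guess a level when a value is absent from the key.
    Write-Warning ("Cannot classify, missing values: " + ($missing -join ', '))
} else {
    $level = Get-UacSliderLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        Level        = $level
        Setting      = $text[$level]
        AlwaysNotify = ($level -eq 1)   # the only level the article treats as secure
    }
}
```

It uses only PowerShell 2.0 features, so it runs on a stock Windows 7 installation.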
Most people I have spoken with about this feel that the slider, and every setting but the most secure one (level 1), is a good alternative. However, every setting but the most secure one, level 1, has been hacked! I do not want to go into the hack and Microsoft position here, but you can read all about it by clicking on this link.
So, with Windows 7 you will have a slider to control whether you have a Windows Vista type UAC prompt environment or non-prompting environment. The most secure setting is annoying, but very secure. The non-prompting environment basically turns your Windows 7 computer into a Windows XP computer, which begs the question... why even upgrade if you do not care about security!?
Windows Vista is more secure than Windows XP due to the benefits that UAC provides. If you turn off the prompts or disable UAC, the computer is not much better off than Windows XP. If you run Windows 7 in any mode other than the most secure UAC mode, you are working with the same security as you did with Windows XP. Security has never been easy or convenient. If you decide to disable the great security feature of UAC or dial it down with the slider, you are missing the best security that Windows desktops offer today. If security is not an issue, why even upgrade? Save your money for when the next version of Conficker attacks your computer; you will need it!