Q: What is the goal of the UAC security feature that Microsoft introduced in Windows Vista?

A: User Account Control (UAC) is a Windows security feature that automatically informs you when you're about to start a program that requires administrator-level permissions or when a program wants to make a change that requires administrator-level permissions. Under the hood, UAC controls the permission level of your user account. UAC always tries to let you do your routine Windows work -- such as reading email, creating documents, and surfing the web -- as a standard -- that is, a non-privileged or non-administrator -- user, even if you're logged on as an administrator.

When you or a program wants to make changes that require administrator-level permissions, UAC automatically notifies you with a dialog box like the one illustrated in Figure 1. If you're an administrator, you can simply click Continue or Yes (depending on the OS version) to proceed with the action. If you don't have administrator access, someone who has an administrator account on the computer needs to enter the administrator password so that you can continue.

Figure 1: A UAC warning dialog box

If you or the administrator account gives permission, the program you approved is started with administrator rights so that it can complete the task. The elevation applies only to that program: when it exits, nothing in your session is still running with administrator rights, and you continue working as a standard user. Thanks to UAC, even if you're logged on using an administrator account, system-wide changes can't be made without a prompt you can see, which significantly helps prevent malware from being installed or making changes to your computer behind your back.

UAC is based on a fundamental change that Microsoft made to the Windows authorization logic. Starting with Vista, Microsoft changed the process of creating access tokens for users who are members of the Administrators group. An access token identifies the user and the groups the user belongs to and lists the user's privileges; it's attached to each process in a logon session, and Windows uses it to decide what the process may do to objects such as files, registry keys, and other processes. When a member of the Administrators group logs on, the OS creates two linked tokens: a filtered token and a full token. The filtered token, which is used for the desktop shell and every program started from it by default, is the full token with the Administrators group membership marked as deny-only (so it can never satisfy an Allow entry in an access control list), with nearly all administrative privileges removed, and with a Medium integrity level. The full token keeps the Administrators group membership, all of the account's privileges, and a High integrity level. When the user approves an elevation, Windows starts the requested program with the full token; that one process runs elevated until it exits, while the rest of the session keeps using the filtered token.
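The two-token arrangement described above can be checked from a PowerShell console. The following script is an added example, not code from the original article or from Microsoft; it assumes Windows Vista or later with UAC enabled, an account that is a member of the local Administrators group, and the standard `advapi32.dll` function `GetTokenInformation` (the `UacDemo.Native` wrapper type and the function names are made up for this example). It reads the token's elevation type, then uses `whoami /groups` to show the attribute that `WindowsIdentity.Groups` hides: under the filtered token the Administrators group is still listed, but only as a deny-only group.

```powershell
# Added example (not from the original article): inspect the access token of the
# current PowerShell process to see which of the two logon tokens it is using.
# Assumes UAC is enabled and the account is a member of BUILTIN\Administrators.
# Run it once from a normal console and once from a console started with
# "Run as administrator" to compare the two tokens.

# TokenElevationType is stored in the token and is readable from user mode with
# GetTokenInformation, TOKEN_INFORMATION_CLASS value 18 (TokenElevationType):
#   1 = TokenElevationTypeDefault  (UAC off, or an account that gets no split token)
#   2 = TokenElevationTypeFull     (this process holds the full, unfiltered token)
#   3 = TokenElevationTypeLimited  (this process holds the filtered token)
Add-Type -Namespace UacDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-TokenElevationType {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    [int]$type = 0
    [int]$len  = 0
    $ok = [UacDemo.Native]::GetTokenInformation($identity.Token, 18, [ref]$type, 4, [ref]$len)
    if (-not $ok) {
        throw "GetTokenInformation failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    switch ($type) { 1 { 'Default' } 2 { 'Full' } 3 { 'Limited' } default { "Unknown($type)" } }
}

function Get-AdministratorsGroupState {
    # whoami /groups reports group attributes and the integrity label. In the
    # filtered token BUILTIN\Administrators (S-1-5-32-544) is present but marked
    # "Group used for deny only": it can match Deny entries in an ACL but never
    # Allow entries, so it grants nothing.
    $rows   = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $rows | Where-Object { $_.Type -eq 'Label' }
    [pscustomobject]@{
        AdministratorsAttributes = if ($admins) { $admins.Attributes } else { 'not present in token' }
        IntegrityLevel           = if ($label) { $label.'Group Name' } else { 'no label' }
    }
}

function Show-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $groups    = Get-AdministratorsGroupState
    [pscustomobject]@{
        User                   = $identity.Name
        ElevationType          = Get-TokenElevationType
        IsInAdministratorsRole = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AdministratorsGroup    = $groups.AdministratorsAttributes
        IntegrityLevel         = $groups.IntegrityLevel
    }
}

Show-UacTokenState | Format-List

# Elevation is granted per process, not per session. Uncomment the next line to
# start a second PowerShell with the full token (a UAC prompt appears); the new
# window lists the Administrators group as an enabled group, while running
# Show-UacTokenState again in this window still reports the filtered token.
# Start-Process powershell.exe -Verb RunAs -ArgumentList '-NoExit -Command whoami /groups'
```

From a normal console the report shows ElevationType Limited, IsInAdministratorsRole False, the Administrators group as "Group used for deny only", and a Medium integrity label; from a console started with "Run as administrator" it shows Full, True, an enabled Administrators group, and a High integrity label. The `IsInRole` check alone is what most scripts use to decide whether they are elevated, and it is enough for that purpose; the `whoami` output is what makes the filtering visible.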

Another fundamental UAC-related change is that starting with Vista, Microsoft redefined what a standard account user can and can't do. For example, on Vista a standard account user can change the time zone (but not the system clock itself), change display properties, install additional fonts, and change power-management options. Tasks that still require elevation include installing software and repartitioning disks.

Microsoft clearly shows which actions require administrator-level privileges and which don't in the UI. All operations that require administrator-level privileges are marked with a shield icon. Figure 2 shows the Windows 7 Date and Time dialog box. Note that only the Change Date and Time button requires administrator-level privileges; any user can change the time zone settings.

Figure 2: Dialog box showing the UAC shield icon

Administrative buttons that are marked with a shield icon are also called unlock buttons. In typical enterprise environments, only Help desk personnel will use unlock buttons -- for example, when they need to control desktops remotely. In typical home environments, only parents will use the unlock buttons -- for example, to make configuration changes for children. This arrangement means that a Help desk operator or parent can, for example, unlock a Control Panel applet without the employee or child needing to log off first. A standard account user who clicks an unlock button simply gets the credential prompt shown in Figure 1 and, without an administrator's password, can go no further.

Microsoft refers to the UAC behaviour described above as Admin Approval Mode (AAM). Thanks to AAM, users and administrators can honor least privilege security in a single logon session.

Switching back and forth between standard account and administrator account logon sessions is no longer necessary. UAC dialog boxes, such as the one in Figure 1, can appear multiple times during a user's logon session, appearing whenever a user chooses an action marked with a shield icon. Windows doesn't remember previous elevations to administrator-level privileges: each elevation is granted to one process (for example, the installer of a new software package) and ends when that process exits. For this reason, AAM significantly shrinks the window during which code in your session holds administrative rights, although Microsoft does not treat UAC as a security boundary -- it raises the cost of silently misusing administrative rights but is not designed to stop a determined attacker who already runs code as the user, and the Windows 7 default setting lets some signed Microsoft components elevate without a prompt. AAM also presents an important advantage for administrative users, who can now -- rest assured -- perform their day-to-day work as regular users and switch to administrative privileges only as necessary or when prompted.
