With Windows Vista, Microsoft has finally moved the Windows platform to a security model that competing operating systems such as Mac OS X and Linux have employed for years. Now, even administrators run most applications and system services with Standard User privileges by default, providing a smaller "attack surface" for electronic attacks and increasing the overall security of the system. This feature is called User Account Control.
Secret: UAC was previously called User Account Protection and Limited User Account during the Windows Vista beta process.
User Account Control is necessary because Microsoft architected previous Windows versions such that it was too easy for most users to configure their accounts with administrator privileges, providing them with complete and open access to the system. As a result, most Windows applications created over the past decade have been written to assume that users have administrator access. But when a user has this level of system access, every application and service that runs on the system does so with complete administrative privileges as well. If your system is compromised by a worm, Trojan, virus, or other form of malware, that malicious code then runs with administrator privileges too. That's how PCs get "owned."
Security-minded individuals who attempted to run Windows XP or previous Windows versions using only Limited User (or similar) account types quickly came to understand that it was next to impossible to do so. Despite some features built into the system, such as Run As, which were designed to temporarily escalate the current user's privilege level to administrator so that certain poorly-written applications would run currently, many applications, in fact, just won't work in such a configuration. So even those few hardy people who tried to do the right thing found themselves stymied by the poor security model employed by previous Windows versions.
Using User Account Control
In Windows Vista, Microsoft has finally overcome this problem by rearchitecting Windows in a number of ways. There are technologies built into Windows Vista designed specifically to lock down the system but still provide hidden compatibility features that let legacy applications continue to load and run as they always did. The key technology in this group is User Account Control, which accomplishes two basic goals. First, UAC segregates the tasks you can accomplish in Windows into two groups, those tasks that can be accomplished by standard users and those that can only be accomplished by administrators. Second, UAC silently causes even administrator accounts to run as standard accounts most of the time; when an admin-level task is attempted, the user will receive a UAC prompt so that they can temporarily elevate their privileges in order to complete just that single task.
So what tasks belong in each group? Installing a new application, changing the system date or time, or accessing many Control Panel applets falls into the administrator-level task group. Meanwhile, nondestructive tasks like changing power management settings or adding a new printer can be completed by any user. Microsoft applies a Windows Shield icon to most user interface elements that, when clicked, will require account escalation. This icon can be seen in the following screenshot; here, you can change the time zone without getting prompted, but if you try to change the date or time, you'll need to provide your consent.
UAC works differently depending on which type of account you have. Standard users, when attempting to perform an admin-level task, will be confronted by a credentials dialog that asks for an administrator's user name and password (or other similar method of obtaining admin-level credentials). Here's what this prompt looks like:
Meanwhile, administrator-type users, who now run in what Microsoft calls Administrator Approval Mode by default, receive a slightly different (and somewhat less intrusive) user experience called a consent dialog. The consent dialog simply asks you whether you'd like to continue with the task you've attempted to launch. This dialog looks like so:
There's also a third type of UAC dialog, which appears whenever you attempt to run an application that has not been digitally signed or validated. This dialog, by design, is bigger, more colorful, and more prominent than the other UAC dialogs, and it will appear whether you are an admin or not. Here it is:
Tip: Administrator-level users who would like to configure the system for better security can, in fact, configure Windows Vista to always prompt for a user name and password, just like a standard user account. I'll discuss the ways in which you configure (and, yes, disable) UAC in the next section below.
In all cases, the screen will flash briefly and come to a dead halt until you've dealt with the UAC dialog. What's really happening here is that the system takes a screenshot of your desktop, jumps into a malware-hardened mode called Secure Desktop (which is also utilized by Vista's Welcome/logon screen), and then provides you with a modal UAC dialog box. You cannot do anything else with your PC until you've dealt with this dialog. The screen will resemble the following:
There are two reasons why Microsoft doesn't simply pop-up a normal dialog that doesn't lock up the rest of the PC. First, the company's security researchers recognized that it might be possible to spoof the version of UAC it originally developed, which did indeed appear as a normal dialog box onscreen. Second, if the user has a lot of windows open simultaneously, it would be possible for the UAC consent dialog to get buried under other windows. In such a case, the user might not realize that authorization was required for certain tasks, and the user might assume that the task she had requested was completing silently in the background when, in fact, it was waiting for the user to interact with it.
User Account Control is new and unique in Windows Vista: There is no analog to this feature in Windows XP. The aforementioned Run As command does provide a way for the user to manually elevate certain tasks to administrator privileges. But the XP shell doesn't know anything about Run As per se, and can't automatically prompt the user when a task fails to run under standard user privileges. In Vista, UAC provides a solution that is both more elegant and more integrated with the entire OS. Indeed, one of the best features of UAC is that it makes it possible for parents to configure standard user accounts for their kids. When their children need to install an application, for example, a parent can review the application first and then provide her credentials for the install only when she's sure it's safe.
Under the covers, UAC also provides some interesting features related to backwards compatibility. On a typical Windows XP system, applications are almost always granted complete control over the system they are installed to, so it's possible for them to read and write information anywhere in both the Registry and the file system. In Windows Vista, the Registry and file system are locked down, however. So UAC provides Registry and file system virtualization services that silently redirect read and write operations from protected portions of the Registry and file system to unprotected places located with the user's profile.
UAC evolved somewhat dramatically over the course of the Windows Vista beta. When I wrote When Vista Fails, the fifth part of my Windows Vista February 2006 CTP/Build 5342 review, UAC was popping up consent dialogs far too frequently. Also, there was a bug in UAC that resulted in certain consent dialogs appearing repeatedly with no way to authenticate certain tasks. The proliferation of dialogs and aforementioned bug were later fixed in Windows Vista Beta 2, and Microsoft made further changes to UAC over the remainder of the beta program to further reduce the number of times users will have to provide consent. In short, what was once aggravating is now quite bearable. The security benefits of UAC far outweigh whatever annoyances its dialogs might cause, and users will notice that UAC calms down quite a bit after you've installed applications and configured the system to your liking.
Configuring and Disabling User Account Control
That said, certain users will want to configure UAC in particular ways or even turn it off all together. My advice here is simple: Leave UAC alone and adapt to its presence because the system is more secure with UAC enabled. However, if you're looking to change or even disable UAC, there are various ways to do so.
The most complete UAC configuration is available via the Local Security Settings console (assuming you're not connected to a domain). To access this console, open the Start Menu, type Local Security Policy, and hit ENTER. You'll see the following window appear:
Then, navigate to Local Policies, Security Options and scroll to the bottom of the list. You will see the following 8 UAC options listed:
User Account Control: Admin Approval Mode for the Built-in Administrator Account
Default setting: Disabled
What it does: Toggles Admin Approval Mode for the built-in administrator account only. When Admin Approval Mode is off, UAC is said to be in "quiet" mode.
Allow UIAccess applications to prompt for elevation without using the secure desktop.
Default setting: Disabled
What it does: Determines whether properly-installed applications that need to be run with administrative privileges can prompt for elevation without entering the secure desktop. "UIAccess" applications are applications that are installed in "trusted" shell locations such as the Windows directory or the Programs Files directory.
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Default setting: Prompt for consent
What it does: Determines what type of prompt admin-level users will receive when attempting admin-level tasks. You can choose between a consent dialog box, a credentials dialog box, and no prompt.
User Account Control: Behavior of the elevation prompt for standard users
Default setting: Prompt for credentials
Determines what type of prompt standard users will receive when attempting admin-levels tasks. You can choose between a consent dialog box, a credentials dialog box, and no prompt.
User Account Control: Detect application installations and prompt for elevation
Default setting: Enabled
What it does: Determines whether application installs trigger a User Account Control elevation dialog box.
User Account Control: Only elevate executables that are signed and validated
Default setting: Disabled
What it does: Determines whether only signed and validated application installs trigger a User Account Control elevation dialog box.
Only elevate UIAccess applications that are installed in secure locations
Default setting: Enabled
What it does: Determines whether only applications that are installed in secure locations (like the Windows folder) are elevated to administrative priveleges.
User Account Control: Run all administrators in Admin Approval Mode
Default setting: Enabled
What it does: Determines whether all admin-level accounts run in Admin Approval Mode, which generates User Account Control consent dialogs for admin-level tasks. When Admin Approval Mode is off, UAC is said to be in "quiet" mode.
User Account Control: Control Switch to the secure desktop when prompting for elevation
Default setting: Enabled
Determines whether the Secure Desktop environment appears whenever a User Account Control prompt is initiated by the system. If disabled, UAC prompts appear on the normal Windows desktop.
User Account Control: Virtualize file and registry write failures to per-user locations
Default setting: Enabled
What it does: Determines whether User Account Control virtualizes the Registry and file system for legacy applications that attempt to read or write from private parts of the system. Do not disable this option.
If you just want to disable UAC on a per account basis, you can do so easily via the Control Panel. Navigate to Control Panel, User Account and Family Safety, User Accounts, Change Security Settings to disable UAC. This portion of the Control Panel resembles the following:
If you disable UAC in this fashion, Windows Security Center will trigger a warning. In the Other security settings section of UAC, you'll see an option for User Account Control that monitors whether this feature is enabled. If UAC is disabled, a Turn on now button will let you restart UAC (a system restart will be required).
Note: Microsoft made minor changes to User Account Control (UAC) in Windows Vista Service Pack 1 (SP1). However, these changes shouldn't be noticeable to the typical user as they only cause the UAC prompts to pop up slightly less often.
Secret: The behavior of User Account Control has led some to describe this feature as needlessly annoying. However, Windows Vista isn?t even the first OS to use this type of security feature: Mac OS X and Linux have utilized a UAC-type user interface for years now, for example. And unlike with other systems, User Account Control actually gets less annoying over time. That?s because most UAC dialog boxes will pop-up when you first get Windows Vista: This is the time when you?ll be futzing with settings and installing applications the most, and these two actions are, of course, the very actions that most frequently trigger User Account Control. The moral here is simple: Once your new Vista PC is up and running, User Account Control will rear its ugly head less and less frequently. In fact, after a week or so, User Account Control will be mostly a thing of the past. You?ll forget it was ever there. Seriously.