6 User Account Control Windows Vista Policies

This week's blog post examines the six User Account Control (UAC) security policies that will be exposed in Windows Vista Beta 2. For each policy, a brief summary of the configuration options and the expected defaults for home and enterprise desktops is provided.

User type taxonomy:
1) Standard User: member of the “users” group
2) Consent Admin: member of the “local administrators” group who logs on as a “filtered” standard user but has the potential to elevate privilege to administrator.
-- Note: There are 14 different types of “Consent Admins”, ranging from local administrator to restore operator.

The following is a screen shot of the Windows Vista Beta 2 UAC policies which are located in the Local Security Settings Microsoft Management Console (secpol.msc):

1) User Account Control: Behavior of the elevation prompt for administrators
2) User Account Control: Behavior of the elevation prompt for standard users
3) User Account Control: Elevate on application installs
4) User Account Control: Run all users, including administrators, as standard users
5) User Account Control: Validate signatures of executables that require elevation
6) User Account Control: Virtualize file and registry write failures to per-user locations

1) User Account Control: Behavior of the elevation prompt for administrators

Configuration options:

Prompt for consent: Default (home and enterprise): An operation that requires elevation of privilege will prompt the Consent Admin to select either “Permit” or “Deny”. If the Consent Admin selects Permit, the operation will continue with their highest available privilege. “Prompt for consent” removes the inconvenience of requiring that users enter their name and password to perform a privileged task.

Prompt for credentials: An operation that requires elevation of privilege will prompt the Consent Admin to enter their user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.

No Prompt: This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials. Note: this scenario should only be used in the most constrained environments; we will be blogging on this in the future.

2) User Account Control: Behavior of the elevation prompt for standard users

Configuration options:

Prompt for credentials: Default (home): An operation that requires elevation of privilege will prompt the user to enter an administrative user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.

No Prompt (Default for enterprise): This option results in an “access denied” error message being returned to the standard user when they try to perform an operation that requires elevation of privilege. Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.

3) User Account Control: Elevate on application installs

Configuration options:

Enabled: Default (home): Application installation packages that require an elevation of privilege to install will be heuristically detected and trigger the configured elevation prompt UX.

Disabled: (Default for enterprise): Enterprises running standard user desktops that leverage delegated installation technologies like Group Policy Software Install (GPSI) or SMS will disable this feature. In this case, installer detection is unnecessary and thus not required.

4) User Account Control: Run all users, including administrators, as standard users

Configuration options:

Enabled: Default (home and enterprise): This policy enables the “Consent Admin” user type while also enabling all other UAC policies. Changing this setting requires a system reboot.

Disabled: Disabling this policy disables the “Consent Admin” user type. Note: The Security Center will also notify the user that the overall security of the operating system has been reduced and give the user the ability to self-enable.

5) User Account Control: Validate signatures of executables that require elevation

Configuration options:

Disabled: Default (home and enterprise): This policy is disabled by default. Note: we will be blogging on this in the future.

Enabled: This policy will enforce PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control the admin application allowed list through the population of certificates in the local computer's Trusted Publisher Store.

6) User Account Control: Virtualize file and registry write failures to per-user locations

Configuration options:

Enabled: Default (home and enterprise): This policy enables the redirection of legacy application write failures to defined locations in both the registry and the file system. This feature mitigates failures in applications that historically ran as administrator and wrote runtime application data back to %ProgramFiles%, %Windir%, %Windir%\system32 or HKLM\Software\....

Disabled: Virtualization facilitates the running of pre-Vista (legacy) applications that historically failed to run as Standard User. An administrator running only Windows Vista compliant applications may choose to disable this feature as it is unnecessary.
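
The six policies and the home/enterprise defaults listed above, turned into a baseline check (an added example, not code from the original post). The registry value names and data encodings are the ones documented for released Windows versions; the post does not list them, so treat them as an assumption for Beta 2 builds. The `reg query` text is a constructed sample.

```python
import re

# Assumption: value names and data encodings as documented for released Windows
# under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
ON_OFF = {0: "Disabled", 1: "Enabled"}
# value name -> (policy number in the post, data meanings, home default, enterprise default)
POLICIES = {
    "ConsentPromptBehaviorAdmin": (
        1, {0: "No Prompt", 1: "Prompt for credentials", 2: "Prompt for consent"}, 2, 2),
    "ConsentPromptBehaviorUser": (2, {0: "No Prompt", 1: "Prompt for credentials"}, 1, 0),
    "EnableInstallerDetection": (3, ON_OFF, 1, 0),
    "EnableLUA": (4, ON_OFF, 1, 1),
    "ValidateAdminCodeSignatures": (5, ON_OFF, 0, 0),
    "EnableVirtualization": (6, ON_OFF, 1, 1),
}
LINE = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {value name: int} for the REG_DWORD lines of `reg query` output."""
    matches = (LINE.match(line) for line in text.splitlines())
    return {m.group(1): int(m.group(2), 16) for m in matches if m}

def audit(text, profile):
    """Return (policy number, value name, found, expected) per deviation; a missing value is 'not set'."""
    found = parse_reg_query(text)
    findings = []
    for name, (number, meanings, home, enterprise) in POLICIES.items():
        expected = meanings[home if profile == "home" else enterprise]
        actual = "not set"
        if name in found:
            actual = meanings.get(found[name], "unrecognized (0x%x)" % found[name])
        if actual != expected:
            findings.append((number, name, actual, expected))
    return sorted(findings)

# Constructed sample shaped like `reg query` output for the key above:
# administrators are never prompted and policy 4 is switched off.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    ConsentPromptBehaviorUser    REG_DWORD    0x1
    EnableInstallerDetection    REG_DWORD    0x1
    EnableLUA    REG_DWORD    0x0
    ValidateAdminCodeSignatures    REG_DWORD    0x0
    EnableVirtualization    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "enterprise"):
        print(*finding)
```

Against the home defaults the sample deviates on policies 1 and 4; against the enterprise defaults it also deviates on policies 2 and 3, because the post gives different enterprise defaults for those two.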

Comments

  • Anonymous
    January 29, 2006

    Note: LUA (Least User Access) has been renamed UAC (User Access Control) which is a much better name...

  • Anonymous
    February 06, 2006
    This capability should go a long way towards improving Windows security!

  • Anonymous
    February 15, 2006
    This is a really good idea and I hope they develop this in Vista server, as everyone could be a standard user and it could potentially stop viruses from corrupting system files and crashing systems.

  • Anonymous
    March 02, 2006
    I know you said you would be blogging on this in the future... but for option 5; I thought the idea was to ensure that permission was granted each time before anything automatically executes with admin privileges. Why would you not want to enable this by default on either the Home or Enterprise?

  • Anonymous
    March 03, 2006
    I want to touch on two comments here:

    UAC actually stands for User Account Control. :-)

    Setting 5 deals with the identification of signed binaries. There is different behavior for signed and unsigned executables. We'll be posting a more thorough post for this soon!

    -Jenn

  • Anonymous
    March 08, 2006
    vista

  • Anonymous
    March 30, 2006
    The comment has been removed

  • Anonymous
    May 03, 2006
    Imagine stopping at a gas station to fuel up your car, selecting Standard grade unleaded gasoline, and...

  • Anonymous
    May 04, 2006
    Interesting approach at security but how many home users do you really think are going to make use of this?  For that matter how many home users are actually going to come here or look up how to implement this properly?  My guess is the avg. home user which this OS is being marketed to is going to get frustrated, disable it all and go back to the standard windows security model, i.e.: NONE.  I just see this as too little too late for home users although corporate admins and users may find this appealing they won't be migrating to Vista anytime soon.

  • Anonymous
    May 05, 2006
    The comment has been removed

  • Anonymous
    May 17, 2006
    another reason to try linux

  • Anonymous
    May 18, 2006
    There has been a raging debate inside and outside of Microsoft about the new security feature in Windows...

  • Anonymous
    May 22, 2006
    I am currently playing with Vista and most of the normal way of things has changed, some good, others too cumbersome to find. For example, it is not easy to switch the logon page. 2. How can I turn off the welcome page?
    3. With XP, if you have local admin rights, right-clicking the Start button gives you the option to open all users. I understand this is Beta but some things need to be easy to navigate.

  • Anonymous
    May 25, 2006
    The comment has been removed

  • Anonymous
    May 25, 2006
    The comment has been removed

  • Anonymous
    June 23, 2006
    I think the UAC is a good feature but missing one important facet. As a developer I regularly have to drop DLLs and such into the system path and after some testing delete them or remove them or hey even edit some types and there is no way to do that. Do I have to reinstall Windows to delete an inf or dll or ocx that I had to experiment with?

    No, a common user should not have this ability.
    YES, a developer or true admin level should.
    YES, this means that the ability to do this should be in place for every owner of a machine. Warn them that it's dangerous and not supported. Warn them with all the popups you need to. Make it so that that level of access is not installed without going to add/remove and adding the feature, or just a user account type not used unless the user specifically goes there.

    I cannot express how important that is.

  • Anonymous
    June 26, 2006
    The comment has been removed

  • Anonymous
    July 07, 2006
    I guess I'm a little late coming to this particular party - but I just found out about UAC.

    How do console-based applications work with UAC? Does the GUI prompt appear for them too when they are launched?

  • Anonymous
    August 05, 2006
    The comment has been removed

  • Anonymous
    September 03, 2006
    User account control is awful.  It's horribly annoying.  I'm turning it off.

  • Anonymous
    September 08, 2006
    I think this may be missing the main practical corporate requirement.

    Many standard users have requirements for particular admin tasks where they Always need the permission to do the work - ie. changing the system clock.. or performing an ipconfig /release..

    This is what I would like as an admin to grant them to be able to do without them having to hassle me each time..

  • Anonymous
    September 24, 2006
    The comment has been removed

  • Anonymous
    October 10, 2006
    I'd like to see a per-application setting that allows the user to select the desired elevation level, similar to the opt-in settings for IE browser hosts. I really would like to launch Visual Studio with a double-click, like I used to do, rather than right-click and "Run as administrator." (Without full access rights, VS can't self-register DLLs that it compiles.) I don't care if there isn't a pretty UI for this feature. In fact, I would rather have it hidden in the bowels of the Security Policy Manager. But, the fact that some of the applications that I use every day will always require extra privileges, means that I will always need to remember to launch them from a right-click...and click again to respond to UAC. Windows Vista--building new habits of interaction.

  • Anonymous
    October 10, 2006
    The comment has been removed

  • Anonymous
    October 31, 2006
    The comment has been removed

  • Anonymous
    November 27, 2006
    I agree, UAC is &^%#^%#(@^%(@%^@. One should be able to turn this off with just one setting somewhere. It's not up to MS to decide what I do on my system. I wonder how common users are going to experience this, all this extra clicking around, I wonder if this will generate more RSI .......................... Microsoft, please solve this issue, at least for system admins. Bert

  • Anonymous
    January 01, 2007
    How can I turn off in Vista all administrative policies for running programs and work with programs as Administrator?

  • Anonymous
    January 11, 2007
    Please tell me why I am not able to create a folder inside Program Files using the "mkdir" command in the command prompt, which I was able to do earlier with XP, 2000 ... I am facing real problems; even if I have logged in as administrator it says access denied ... So all my applications are going for a toss now ..... Will it be changed in the near future?

  • Anonymous
    January 19, 2007
    The sad thing is that there is a perfectly good model for doing this on other operating systems already. In reinventing UAC Microsoft decided to go with the "Let's annoy the user until they turn the feature off" design. Why not do what everyone else does? Ask the user to Authenticate (password required) and then allow all activity for the next X (usually 5) minutes to work at Admin level. This avoids 90% of the problems that users encounter. See how much easier that is? Is there a requirement at MS to only implement solutions that treat the users as idiots?

  • Anonymous
    February 12, 2007
    Every time I want to download and install something a window pops up asking for the administrator password. My sister won't give me the password so each time I have to bother her to type it in. It's annoying and I'd like to know how to turn it off.

  • Anonymous
    February 14, 2007
    I'm a setup developer, so this is a pain in my neck professionally, but it isn't much better personally. After having used Vista for just an hour or so, I was already completely fed up with the UAC features.  There are entirely too many prompts!  Just to create a text file on C: (a logfile, I believe) and then delete it a moment later, I had to clear four warning dialogs.  If I know myself, it won't take long before I stop seeing or reading those dialogs, click "Allow" to everything, and sooner or later defeat the whole purpose of this exercise in security.

    Shannon:  The root of the C: drive has never been a good place to write files.  A lot of apps fail to work correctly as standard user because the developer thought it was always safe to write files there.  Try creating the log file in the current user's Documents or Temp folders instead. HTH -- Aaron Margosis

  • Anonymous
    February 24, 2007
    The comment has been removed

  • Anonymous
    February 24, 2007
    John:  Try running secpol.msc. HTH -- Aaron Margosis

  • Anonymous
    February 25, 2007
    Aaron, thanks for the reply. After looking into it further I found out that secpol.msc is not available on the home editions of Vista. I am able to turn UAC on and off though. I have read mixed reviews on turning it off altogether though. I am pretty computer savvy but far from an expert. UAC is quite annoying, especially when you get a warning every time you try to copy files. Am I missing something about UAC? Or is it really necessary?

  • Anonymous
    February 25, 2007
    The comment has been removed
