Before you start
Objectives: Learn what UAC is and why it makes the Windows environment more secure.
Prerequisites: none.
Key terms: uac, user, administrative, account, standard, rights, privileges, prompt, credentials
Definition of UAC
UAC alerts us whenever a task or operation requires administrative privileges on the system. The purpose of User Account Control (UAC) is to reduce the exposure and attack surface of the operating system by requiring all users to run in standard user mode instead of using administrator credentials. This way the user is logged on with least privilege. If the user needs to do something that requires administrative privilege, they receive a UAC prompt that provides a way to elevate from a standard user to an administrator. That way we don't have to log off the computer and switch to an administrator account to do tasks that need administrative privileges. Privileges are elevated for that one instance only.
On older Windows versions, if our user account was an Administrator account or a member of the Administrators group, we were able to do anything automatically without being prompted for permission. This was very convenient, but at the same time it was a security risk: any program run by the logged-in user automatically had administrative rights. UAC takes care of this problem by letting users who have local administrative rights run and work as standard users and briefly elevate to administrative rights only when they need to carry out tasks that require them.
In Windows with UAC enabled, all users run with standard user rights (administrators too). When a user needs to perform a task which requires administrative rights, their standard user rights have to be elevated to administrative rights. That increase in user rights is called privilege elevation. Users who are members of the Administrators group are prompted and informed that their action requires administrative rights; they are simply asked for consent (a Continue or Cancel question). Users who are not members of the Administrators group have to enter administrative credentials (an administrator's user name and password).
When a UAC prompt is triggered, the computer enters Secure Desktop mode. In this mode the desktop and all active applications are darkened, and we only see the UAC prompt over the darkened desktop. While the Secure Desktop is active, users can't perform any other action until they respond to the UAC prompt. The UAC prompt is displayed for 150 seconds. If the user doesn't respond to the prompt in that time, the elevation is automatically denied.
UAC minimizes the ability of users to make changes that could destabilize their computer. UAC also protects against malware. With administrative privileges, a virus or a trojan can execute under our administrative credentials. When users are logged in as standard users, malware cannot install itself because it does not have administrative credentials. With UAC, standard users can perform only those tasks on the system that do not require privilege elevation. We can also configure the sensitivity of UAC in Control Panel, where we can adjust the different levels of UAC notifications.
If we try to do something sensitive on the system, we see a Windows shield icon that tells us a UAC prompt is coming, in which we will be asked for admin credentials. This is sometimes called "over the shoulder authentication" because an administrator can type their password for the user for that one instance.
A standard user account is an account that has the least amount of user privileges required to perform most basic tasks. Standard users have been improved compared with previous operating systems: additional privileges have been granted to standard users in Windows to make it easier for them to use their system. For example, we no longer need elevated credentials to view and modify the system clock, calendar and time zone, install WEP to connect to a wireless network, change power option settings, add printers and other devices that require installation (if a driver installation is not required), install ActiveX controls, create and configure a VPN connection, or install Windows updates. Those additional privileges also reduce the number of UAC prompts. Because of those additional privileges, the Power Users group now exists only for backward compatibility.
Administrators can perform any action on the computer and are members of the local Administrators group. Each local computer has a built-in Administrator account that exists by default. During a new installation, the first user account we create is an administrator account; subsequent user accounts are standard users. The built-in Administrator account is then disabled. For upgrades, the built-in Administrator account is enabled if it is the only user account with administrative privileges; otherwise it is disabled. If the system has at least one administrator account, the built-in Administrator account cannot be used to log on to Safe Mode. Logging on to Safe Mode with the built-in Administrator account is never allowed for computers that are members of a domain.
When we log on with an administrative account, we still run as a standard user. At logon, two tokens are generated: a standard user token and an administrative token. The standard user token is used unless a UAC prompt has been approved. The administrative token is used only when a UAC prompt has been approved, and only for that one particular instance.
When we, as an administrator, try to do something that requires admin privileges, we are prompted for consent. We don't have to type our credentials again, but we can enable that in the security options if we like.
The mode which regulates the process of using the standard user token and elevating to the administrative token is called Admin Approval Mode. In Admin Approval Mode we actually give consent or enter credentials in order to use elevated privileges.
Before Vista, application installations were problematic. Now all applications run with least privilege; if they need elevation, UAC prompts the end user. If needed, we can run an application with administrative privileges by right-clicking the application and selecting the "Run as administrator" option. We can make an application always run with administrative privileges by checking the "Run this program as an administrator" box on the Compatibility tab. Of course, users are not used to having all those prompts come up, but if they know why it is happening they will accept it more easily.
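As an added example (not part of the original article), the following PowerShell script reads the registry values that back the UAC behaviour described above (whether UAC is enabled, whether administrators in Admin Approval Mode get a consent or a credentials prompt, whether prompts use the Secure Desktop) and reports which of the two logon tokens the current process is actually running with. The registry path and value names are the standard UAC policy locations; the wording of the warnings is my own.

```powershell
# Added example: audit the UAC policy values this article describes and show
# whether the current process holds the standard or the administrative token.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $uacKey
    # Admin Approval Mode behaviour for members of the Administrators group.
    $adminBehaviour = @{
        0 = 'Elevate without prompting (consent prompt never shown)'
        1 = 'Prompt for credentials on the Secure Desktop'
        2 = 'Prompt for consent on the Secure Desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    # Behaviour for standard users (the "over the shoulder" credentials prompt).
    $userBehaviour = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the Secure Desktop'
        3 = 'Prompt for credentials (default)'
    }
    # A missing value means the Windows default applies.
    $admin = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $user  = if ($null -eq $p.ConsentPromptBehaviorUser)  { 3 } else { [int]$p.ConsentPromptBehaviorUser }
    [pscustomobject]@{
        UacEnabled           = ($p.EnableLUA -ne 0)
        AdminPromptBehaviour = $adminBehaviour[$admin]
        UserPromptBehaviour  = $userBehaviour[$user]
        SecureDesktopPrompt  = ($p.PromptOnSecureDesktop -ne 0)
    }
}

function Test-ProcessElevated {
    # With UAC on, an administrator's process starts with the filtered standard
    # token, so the Administrators role is reported only after a UAC prompt was
    # approved (or the process was started with "Run as administrator").
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$policy = Get-UacPolicy
$policy | Format-List
if (-not $policy.UacEnabled) { Write-Warning 'UAC is disabled: administrators run with the full token at logon.' }
if ($policy.AdminPromptBehaviour -like 'Elevate without*') { Write-Warning 'Administrators elevate silently without any consent prompt.' }
if (-not $policy.SecureDesktopPrompt) { Write-Warning 'UAC prompts appear on the normal desktop, not the Secure Desktop.' }
"Current process runs with the administrative token: $(Test-ProcessElevated)"
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator" to see the same account report a different token.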
Example Usage and Configuration
We have separate articles in which we describe how UAC works in different versions of Windows: