The Basics of UAC

First published on TECHNET on Feb 20, 2007

One of the new features of Windows Vista that has caused a little bit of confusion is User Account Control (aka UAC).  Ever since the days of Windows NT 3.1, user rights have been a bit of an all or nothing proposition.  Users were divided into Standard Users, or Administrators.  The Power Users group, which sought to bridge the gap between the two groups was infrequently used because there were too many limitations even for that group (such as the inability to install local printer drivers)  All too often, users were granted local administrative rights because many applications require that level of privilege to run properly.  Even changing the time zone was impossible without administrative privileges!

The end result for many IT departments was an inconsistent user environment, where the security settings often varied wildly from machine to machine.  The additional administrative overhead was reflected in more instances of reported malware, an increase in helpdesk calls, the necessity to reconfigure (or even worse, re-image) user machines, restore data on a more frequent basis and so on.

The first step in implementing UAC was to revamp how User Accounts worked in Windows Vista.  When looking at a basic clean install of Windows Vista, there are four basic users / groups to consider:

• Built-In Administrator:  This is the standard built-in Administrator account that is a member of the Local Administrators group.  The only account that runs with full access by default
  
• Administrator account created during setup:  An administrative level account created during setup that runs with Standard User privileges by default, but can self-elevate to complete administrative tasks
  
• Local Administrators group:  The Administrators group has full access to the system
  
• Standard Users group:  Unable to make system-wide changes, such as installing applications or changing settings without Administrative credentials being provided.

OK - looking at the list above, it's very easy to get confused about what's going on with User Accounts.  By default, all users (except the Built-In administrator) run as Standard users on Windows Vista.  Only the Built-In Administrator runs with unrestricted access.  By the way - in Windows Vista,  the built-in Administrator account is disabled by default!  By disabling the Built-In Administrator account, one of the most common attack vectors against poorly configured systems is mitigated.  Something to note at this point is that with the Built-In Administrator account disabled, you cannot use that account to log into safe mode.  Also, if the Built-In administrator is the only active local administrator account detected on the system during an upgrade from Windows XP to Windows Vista, this account remains enabled.  However, the account will be put into Admin Approval mode, which means that it is subject to UAC restrictions.

Therefore,Windows Vista requires you to create an Administrative account during the setup process.  When you log on to Windows Vista with this account, two versions of the account's access token are created.  The first one, is the administrative level token that has the full rights and privileges.  The second token is a standard user token that has no administrative rights.

So what happens when a user with Administrative rights wants to perform an Administrative task on the system?  In previous versions of Windows, Standard users would have either had to log off or invoke RunAs to pass administrative credentials.  However, with UAC, Administrative users are prompted to provide confirmation when they attempt to perform administrative tasks.  This is known as the Elevation Prompt.  The image below shows the basic Consent Prompt.  However, based on the way that the Local Security Policy / Group Policy is configured, Administrative users can also be prompted to re-enter their credentials.  Several customers that I have worked with have implemented this policy as a means to guard against apathy and automatically clicking through the Consent prompt without verifying the actions.

To quickly wrap up this introduction to UAC, here's a quick summary of the way that the UAC prompting behavior can be configured.  The settings can be configured either locally or via GPO:

1. Click the Start button, click Run, type secpol.msc, and then click OK.
   
2. At the User Account Control dialog box for the Microsoft Management Console, click Continue.
   
3. In Local Security Settings, expand Local Security Settings, expand Local Policies, and then expand Security Options.
   
4. Right click the User Account Control: Behavior of the elevation prompt for standard users setting and select Properties.
   

   The following table describes the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode and the User Account Control: Behavior of the elevation prompt for standard users settings.

Setting	Description	Default Value
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode	There are three possible values: No prompt – The elevation occurs automatically and silently. Prompt for consent – UAC asks for consent before elevating. Prompt for credentials – UAC requires valid administrator credentials are entered before elevating. This policy is only in effect when UAC is enabled.	Prompt for consent
User Account Control: Behavior of the elevation prompt for standard users	There are two possible values: No prompt – No elevation prompt is presented and the user cannot perform administrative tasks without using Run as administrator or by logging on with an administrator account. Prompt for credentials – UAC requires that valid administrator credentials are entered before elevating.	Prompt for credentials

OK - that's all for this post.  I know that there's a lot of information to digest here, but once you get a good handle on UAC and how it impacts Windows Vista you've made a giant leap forward in really understanding the Operating System!

Additional Resources:

• Getting Started with UAC on Windows Vista
  
• 926183 The Administrator Account does not appear on the Windows Vista Welcome screen

- CC Hameed