Windows 7 : Understanding User Account Control (part 1) - Elevating Privileges

12/18/2010 3:51:07 PM

Understanding User Account Control (UAC)

Most (I’m actually tempted to say the vast majority) security-related problems in versions of Windows prior to Vista boiled down to a single root cause: Most users were running Windows with administrator-level permissions. Administrators can do anything to a Windows machine, including installing programs, adding devices, updating drivers, installing updates and patches, changing Registry settings, running administrative tools, and creating and modifying user accounts. This is convenient, but it leads to a huge problem: Any malware that insinuates itself onto your system will also be capable of operating with administrative permissions, thus enabling the program to wreak havoc on the computer and just about anything connected to it.

Windows XP tried to solve the problem by creating a second-tier account level called the limited user, which had only very basic permissions. Unfortunately, there were three gaping holes in this “solution”:

  • XP prompted you to create one or more user accounts during setup, but it didn’t force you to create one. If you skipped this part, XP started under the Administrator account.

  • Even if you elected to create users, the setup program didn’t give you an option for setting the account security level. Therefore, any account you created during XP’s setup was automatically added to the Administrators group.

  • If you created a limited user account, you probably didn’t keep it for long because XP hobbled the account so badly that you couldn’t use it to do anything but the most basic computer tasks. You couldn’t even install most programs because they generally require write permission for the %SystemRoot% folder and the Registry, and limited users lacked that permission.

Windows Vista tried again to solve this problem, and its solution was called User Account Control (UAC), which used a principle called the least-privileged user. The idea behind this is to create an account level that has no more permissions than it requires. Again, such accounts are prevented from editing the Registry and performing other administrative tasks. However, these users can perform other day-to-day tasks:

  • Install programs and updates

  • Add printer drivers

  • Change wireless security options (such as adding a WEP or WPA key)

The least-privileged user concept arrived in the form of a new account type called the standard user. This means that Windows Vista had three basic account levels:

  • Administrator account— This built-in account can do anything to the computer.

  • Administrators group— Members of this group (except the Administrator account) run as standard users but can elevate their privileges when required just by clicking a button in a dialog box (see the next section).

  • Standard Users group— These are the least-privileged users, although they, too, can elevate their privileges when needed. However, they require access to an administrator password to do so.

Windows 7 carries on with UAC, but as you see a bit later, the implementation is much less intrusive.

Elevating Privileges

This idea of elevating privileges is at the heart of the UAC security model. In Windows XP, you could use the Run As command to run a task as a different user (that is, one with higher privileges). In Windows 7 (as with Vista), you usually don’t need to do this because Windows 7 prompts you for the elevation automatically.

If you’re a member of the Administrators group, you run with the privileges of a standard user for extra security. When you attempt a task that requires administrative privileges, Windows 7 prompts for your consent by displaying a User Account Control dialog box similar to the one shown in Figure 1. Click Yes to permit the task to proceed. If this dialog box appears unexpectedly, it’s possible that a malware program is trying to perform some task that requires administrative privileges; you can thwart that task by clicking Cancel instead.

Figure 1. When an administrator launches a task that requires administrative privileges, Windows 7 displays this dialog box to ask for consent.


If you’re running as a standard user and attempt a task that requires administrative privileges, Windows 7 uses an extra level of protection. That is, instead of just prompting you for consent, it prompts you for the credentials of an administrator, as shown in Figure 2. If your system has multiple administrator accounts, each one is shown in this dialog box. Type the password for any administrator account shown, and then click Yes. Again, if this dialog box shows up unexpectedly, it might be malware, so you should click Cancel to prevent the task from going through.

Figure 2. When a standard user launches a task that requires administrative privileges, Windows 7 displays this dialog box to ask for administrative credentials.


Note, too, that in both cases, Windows 7 switches to secure desktop mode, which means that you can’t do anything else with Windows 7 until you give your consent or credentials or cancel the operation. Windows 7 indicates the secure desktop by darkening everything on the screen except the User Account Control dialog box.

Note

It’s also possible to elevate your privileges for any individual program. Do this by right-clicking the program file or shortcut and then clicking Run as Administrator.
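The consent prompt, the credentials prompt, and the secure desktop described above are each controlled by a UAC policy value in the Registry. The following PowerShell is an added example, not part of the original article: it reads those values without changing anything and reports which prompt the current user should expect. The value names and their meanings are the documented UAC policy settings; the helper name `Resolve-Prompt` is made up for this example.

```powershell
# Added example (read-only): which UAC prompt will the current user get?
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key

# Documented meanings of the two prompt-behaviour policy values.
$adminPrompt = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries'
}
$userPrompt = @{
    0 = 'automatically deny elevation requests'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials'
}

function Resolve-Prompt($table, $value) {
    # A missing or unknown value is reported as such rather than guessed.
    if ($null -eq $value) { return 'policy value not set' }
    if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
    return "unrecognised value $value"
}

# IsInRole is true only when this process already holds the full administrator token.
$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

# An unelevated administrator still lists BUILTIN\Administrators (S-1-5-32-544),
# flagged deny-only; a standard user does not list it at all.
$inAdmins = [bool]((whoami /groups) -match 'S-1-5-32-544')

if     ($pol.EnableLUA -ne 1) { $expect = 'UAC is disabled: no elevation prompt' }
elseif ($elevated)            { $expect = 'already elevated: no prompt' }
elseif ($inAdmins)            { $expect = Resolve-Prompt $adminPrompt $pol.ConsentPromptBehaviorAdmin }
else                          { $expect = Resolve-Prompt $userPrompt  $pol.ConsentPromptBehaviorUser }

New-Object PSObject -Property @{
    User           = $id.Name
    Elevated       = $elevated
    InAdminsGroup  = $inAdmins
    SecureDesktop  = ($pol.PromptOnSecureDesktop -eq 1)
    ExpectedPrompt = $expect
} | Select-Object User, Elevated, InAdminsGroup, SecureDesktop, ExpectedPrompt
```

An `ExpectedPrompt` of "elevate without prompting", or `SecureDesktop` reported as False, means the machine is configured more weakly than the behavior this section describes.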


File and Registry Virtualization

You might be wondering how secure Windows 7 really is if a standard user can install programs. Doesn’t that mean that malware can install, too? No, because in Windows 7, you need administrative privileges to write anything to the %SystemRoot% folder (usually C:\Windows), the %ProgramFiles% folder (usually C:\Program Files), and the Registry. Windows 7 handles this for standard users in two ways:

  • During a program installation, Windows 7 first prompts the user for credentials (that is, Windows 7 displays one of the Windows Security dialog boxes shown earlier in Figures 1 and 2). If they are provided, Windows 7 gives permission to the program installer to write to %SystemRoot%, %ProgramFiles%, and the Registry.

  • If the user cannot provide credentials, Windows 7 uses a technique called file and Registry virtualization, which creates virtual %SystemRoot% and %ProgramFiles% folders, and a virtual HKEY_LOCAL_MACHINE Registry key, all of which are stored with the user’s files. This enables the installer to proceed without jeopardizing actual system files.
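To see what virtualization has redirected for an account, list the per-user stores. The following PowerShell is an added example, not part of the original article: it is read-only and maps each redirected file back to the protected path the program originally asked for. It assumes the standard store locations, which the article does not name: `%LOCALAPPDATA%\VirtualStore` for files and `HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE` for the Registry.

```powershell
# Added example (read-only): what has UAC virtualization redirected for this user?
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'

$files = @()
if (Test-Path -LiteralPath $fileStore) {
    $files = @(Get-ChildItem -LiteralPath $fileStore -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Map the per-user copy back to the protected path the program asked for.
            $relative  = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            $requested = Join-Path "$env:SystemDrive\" $relative
            New-Object PSObject -Property @{
                RequestedPath   = $requested
                RedirectedPath  = $_.FullName
                LastWrite       = $_.LastWriteTime
                # True means the program sees its private copy instead of the real file.
                ShadowsRealFile = (Test-Path -LiteralPath $requested)
            }
        })
}

$regKeys = @()
if (Test-Path -Path $regStore) {
    # Top-level keys only; on 64-bit Windows, 32-bit programs appear under Wow6432Node.
    $regKeys = @(Get-ChildItem -Path $regStore -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name -replace '^.*\\VirtualStore\\MACHINE', 'HKEY_LOCAL_MACHINE' })
}

"{0} redirected file(s), {1} redirected Registry key(s)" -f $files.Count, $regKeys.Count
$files | Sort-Object LastWrite -Descending |
    Select-Object RequestedPath, RedirectedPath, ShadowsRealFile, LastWrite
$regKeys
```

Entries with `ShadowsRealFile` set to True are worth reviewing first, because the program is reading a per-user copy that can differ from the system-wide file an administrator maintains.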
