6 User Account Control Windows Vista Policies


This week's blog post examines the six User Account Control (UAC) security policies exposed in Windows Vista Beta 2. For each policy, a brief summary of the configuration options and of the expected defaults for home and enterprise desktops is provided.


User type taxonomy:
   1) Standard User: a member of the "Users" group.
   2) Consent Admin: a member of the local "Administrators" group who logs on with a "filtered" standard-user token but has the ability to elevate to full administrator privilege.
       Note: There are 14 different types of "Consent Admins", ranging from local administrator to restore operator.


The following is a screen shot of the Windows Vista Beta 2 UAC policies, which are located in the Local Security Settings Microsoft Management Console snap-in (secpol.msc), under Local Policies > Security Options:



1) User Account Control: Behavior of the elevation prompt for administrators
2) User Account Control: Behavior of the elevation prompt for standard users
3) User Account Control: Elevate on application installs
4) User Account Control: Run all users, including administrators, as standard users
5) User Account Control: Validate signatures of executables that require elevation
6) User Account Control: Virtualize file and registry write failures to per-user locations


1) User Account Control: Behavior of the elevation prompt for administrators



Configuration options:




 


Prompt for consent (default for home and enterprise): An operation that requires elevation of privilege prompts the Consent Admin to select either "Permit" or "Deny". If the Consent Admin selects Permit, the operation continues with their highest available privilege. "Prompt for consent" removes the inconvenience of requiring users to enter their name and password to perform a privileged task.


Prompt for credentials: An operation that requires elevation of privilege prompts the Consent Admin to enter their user name and password. If valid credentials are entered, the operation continues with the applicable privilege.


No prompt: The Consent Admin performs operations that require elevation without being asked for consent or credentials. Note: this configuration should only be used in the most constrained environments, because any code running in that user's session can then elevate just as silently. We will be blogging on this in the future.


 


2) User Account Control: Behavior of the elevation prompt for standard users



Configuration options:





Prompt for credentials (default for home): An operation that requires elevation of privilege prompts the user to enter an administrator's user name and password. If valid credentials are entered, the operation continues with the applicable privilege.


No prompt (default for enterprise): The standard user receives an "access denied" error when attempting an operation that requires elevation of privilege. Most enterprises running desktops as standard user will configure "No prompt" to reduce help desk calls.



3) User Account Control: Elevate on application installs



Configuration options:





Enabled (default for home): Application installation packages that require elevation of privilege to install are heuristically detected and trigger the configured elevation prompt.


Disabled (default for enterprise): Enterprises that run standard-user desktops and deploy software through delegated installation technologies such as Group Policy Software Installation (GPSI) or SMS will disable this feature. Software arrives through a channel that already runs with the required privilege, so installer detection is unnecessary.


 


4) User Account Control: Run all users, including administrators, as standard users



Configuration options:





Enabled (default for home and enterprise): This policy enables the "Consent Admin" user type and is the master switch for all other UAC policies. Changing this setting requires a system reboot.


Disabled: Disabling this policy disables the "Consent Admin" user type, so members of the Administrators group run with their full administrator privilege at all times. Note: Windows Security Center will also report that the overall security of the operating system has been reduced and gives the user the ability to re-enable the policy.



5) User Account Control: Validate signatures of executables that require elevation



Configuration options:



      


Disabled (default for home and enterprise): This policy is disabled by default. Note: we will be blogging on this in the future.

Enabled: Enforces PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators control the allow list of administrative applications through the certificates they place in the local computer's Trusted Publishers store.
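The check below is an added example and is not code from the original post. It reports what policy 5 would see for a given executable: whether the file carries a valid Authenticode signature and whether the signer's certificate is present in the local computer's Trusted Publishers store, which the post describes as the allow list. The `WouldElevate` field assumes, as the post describes, that a valid signature from a trusted publisher is what the policy requires; the sample path at the bottom is a placeholder.

```powershell
# Added example (not from the original post). Requires read access to the
# executable and to Cert:\LocalMachine\TrustedPublisher; no elevation needed.
function Test-ElevationSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate          # $null when the file is unsigned

    $trusted = $null
    if ($signer) {
        # Match on the thumbprint, not the subject name, so a look-alike
        # certificate with the same subject does not pass as a trusted publisher.
        $trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
            Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
    }

    $subject    = if ($signer) { $signer.Subject }    else { '<unsigned>' }
    $thumbprint = if ($signer) { $signer.Thumbprint } else { $null }

    [pscustomobject]@{
        Path               = $Path
        SignatureStatus    = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer             = $subject
        Thumbprint         = $thumbprint
        InTrustedPublisher = [bool]$trusted
        # Assumption: policy 5 requires both a valid chain and a trusted publisher.
        WouldElevate       = ($sig.Status -eq 'Valid') -and [bool]$trusted
    }
}

# Placeholder path; point it at an installer or admin tool you expect to elevate.
Test-ElevationSignature -Path 'C:\Path\To\AdminTool.exe' | Format-List
```

Two caveats when reading the output: a `HashMismatch` status means the file was modified after signing and should be treated as unsigned, and Windows' own binaries are mostly catalog-signed rather than embedded-signed, so older versions of `Get-AuthenticodeSignature` report them as `NotSigned` even though the operating system trusts them.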


 


6) User Account Control: Virtualize file and registry write failures to per-user locations



Configuration options:



      


Enabled (default for home and enterprise): This policy redirects the write failures of legacy applications to defined per-user locations in both the registry and the file system. This feature mitigates applications that historically ran as administrator and wrote runtime data back to %ProgramFiles%, %Windir%, %Windir%\system32 or HKLM\Software\....
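To see which applications are being rescued by this redirection, the added example below (not code from the original post) lists everything virtualization has stored for the current user and maps each entry back to the protected location the application believed it was writing to. The store locations, `%LOCALAPPDATA%\VirtualStore` for files and `HKCU\Software\Classes\VirtualStore` for registry keys, are those used by released Windows Vista and later and are assumed here to apply to Beta 2 as well.

```powershell
# Added example (not from the original post). Runs as the standard user whose
# redirected writes you want to inspect; it only reads the per-user store.
function Get-VirtualStoreWrites {
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore'

    if (Test-Path $fileStore) {
        # PSIsContainer is used instead of -File so this also runs on PowerShell 2.0.
        Get-ChildItem -Path $fileStore -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                # VirtualStore mirrors the protected path on the system drive, e.g.
                # ...\VirtualStore\Program Files\App\app.log  ->  C:\Program Files\App\app.log
                $relative = $_.FullName.Substring($fileStore.Length).TrimStart('\')
                [pscustomobject]@{
                    Kind           = 'File'
                    VirtualPath    = $_.FullName
                    IntendedTarget = Join-Path $env:SystemDrive $relative
                    LastWrite      = $_.LastWriteTime
                }
            }
    }

    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                # HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\X  ->  HKLM\SOFTWARE\X
                $target = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', 'HKEY_LOCAL_MACHINE\'
                [pscustomobject]@{
                    Kind           = 'Registry'
                    VirtualPath    = $_.Name
                    IntendedTarget = $target
                    LastWrite      = $null
                }
            }
    }
}

Get-VirtualStoreWrites | Sort-Object Kind, IntendedTarget | Format-Table -AutoSize
```

Every row is an application that still expects to write to a protected location and will stop working the day this policy is disabled, so the list doubles as the inventory to clear before turning virtualization off. Keep in mind that the redirected copy, not the file under `%ProgramFiles%`, is the one the application actually reads back, which matters when collecting an application's real configuration or logs from a user's profile.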


Disabled: Virtualization exists to keep pre-Vista (legacy) applications running that historically failed as a standard user. An administrator running only Windows Vista compliant applications may choose to disable this feature as unnecessary.
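The six policies above are also readable directly from the registry, which is useful for auditing a fleet or on editions where secpol.msc is not available. The script below is an added example and is not code from the original post: it reads each policy, translates the stored number into the option names used above, and flags any value that differs from the home or enterprise default the post states. The value names and numbers are those of released Windows Vista and later, and are assumed here to apply to Beta 2 as well.

```powershell
# Added example (not from the original post). Reading HKLM policy values needs no
# elevation; changing them does, and changing EnableLUA also requires a reboot.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Post's policy number -> registry value, meaning of each stored number, and the
# defaults the post lists. Later Windows versions added more numbers for
# policies 1 and 2; those are reported as unrecognised rather than guessed at.
$UacPolicies = @(
    @{ Id = 1; Name = 'Behavior of the elevation prompt for administrators'
       Value = 'ConsentPromptBehaviorAdmin'
       Map = @{ 0 = 'No prompt'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent' }
       Home = 2; Enterprise = 2 }
    @{ Id = 2; Name = 'Behavior of the elevation prompt for standard users'
       Value = 'ConsentPromptBehaviorUser'
       Map = @{ 0 = 'No prompt'; 1 = 'Prompt for credentials' }
       Home = 1; Enterprise = 0 }
    @{ Id = 3; Name = 'Elevate on application installs'
       Value = 'EnableInstallerDetection'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Home = 1; Enterprise = 0 }
    @{ Id = 4; Name = 'Run all users, including administrators, as standard users'
       Value = 'EnableLUA'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Home = 1; Enterprise = 1 }
    @{ Id = 5; Name = 'Validate signatures of executables that require elevation'
       Value = 'ValidateAdminCodeSignatures'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Home = 0; Enterprise = 0 }
    @{ Id = 6; Name = 'Virtualize file and registry write failures to per-user locations'
       Value = 'EnableVirtualization'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Home = 1; Enterprise = 1 }
)

function Get-UacPolicyState {
    param([ValidateSet('Home', 'Enterprise')][string]$Profile = 'Enterprise')

    $key = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    foreach ($p in $UacPolicies) {
        $raw      = $key.($p.Value)        # $null when the value has never been set
        $expected = $p[$Profile]

        if ($null -eq $raw) {
            $meaning = 'not set (operating system default applies)'
        } elseif ($p.Map.ContainsKey([int]$raw)) {
            $meaning = $p.Map[[int]$raw]
        } else {
            $meaning = "unrecognised value $raw"
        }

        [pscustomobject]@{
            Policy   = $p.Id
            Setting  = $p.Name
            Registry = $p.Value
            Value    = $raw
            Meaning  = $meaning
            Expected = $p.Map[$expected]
            Deviates = ($null -ne $raw) -and ([int]$raw -ne $expected)
        }
    }
}

Get-UacPolicyState -Profile Enterprise | Format-Table Policy, Meaning, Expected, Deviates -AutoSize
```

Policy 4 is the one to read first: when `EnableLUA` is 0 the other five are ignored, so a host that looks correctly configured for policies 1, 2 and 5 may still be running every administrator with a full token. Because it reads the registry rather than the snap-in, the script also works on the home editions that, as several commenters below note, ship without secpol.msc.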


Comments (38)

  1. Note: LUA (Least User Access) has been renamed UAC (User Access Control) which is a much better name…

  2. Jim Lewis says:

    This capability should go a long way towards improving Windows security!

  3. This is a really good idea and I hope they develop this in Vista server, as everyone could be a standard user and it could potentially stop viruses from corrupting system files and crashing systems.

  4. Q says:

    I know you said you would be blogging on this in the future… but for option 5; I thought the idea was to ensure that permission was granted each time before anything automatically executes with admin privileges. Why would you not want to enable this by default on either the Home or Enterprise?

  5. UAC says:

    I want to touch on two comments here:

    UAC actually stands for User Account Control. 🙂

    Setting 5 deals with the identification of signed binaries. There is different behavior for signed and unsigned executables. We’ll be posting a more thorough post for this soon!

    -Jenn

  6. Gaute says:

    A comment on the policy for 2) Behavior of the elevation prompt for standard user.

    I would like to have some other options in addition to Prompt for credentials/Prompt for consent/No Prompt:

    1) Prompt a configurable text box – e.g. requesting the user to call service desk for assistance.

    2) Open Remote Assistance directly to service desk.

    3) Open IE on a specified URL. On this site users could get local admin one-time privileges for e.g. a fee.

    It is all about communicating properly with end users that do not have local admin privileges. "Access denied" messages do not help them, nor do they explain anything.

  7. UACBlog says:

    Imagine stopping at a gas station to fuel up your car, selecting Standard grade unleaded gasoline, and…

  8. RJakiel says:

    Interesting approach at security but how many home users do you really think are going to make use of this?  For that matter how many home users are actually going to come here or look up how to implement this properly?  My guess is the avg. home user which this OS is being marketed to is going to get frustrated, disable it all and go back to the standard windows security model, i.e.: NONE.  I just see this as too little too late for home users although corporate admins and users may find this appealing they won’t be migrating to Vista anytime soon.

  9. RMA says:

    This stuff is such a pain - because it does not "cache" common responses. Consider a sys admin - how many times must they be prompted to run task manager to view all processes? The system should learn traits for a user - and at least automatically answer common scenarios - or in effect it WILL be turned off. I find it infinitely frustrating. You can't pass gas in VISTA without nanny prompting you for permission. I wonder what my MOM will do, she won't know what it is asking for and will just hit allow every time - or she won't be able to do things. Also note that many many InstallShield custom actions now operate in user context - where they never did before. I estimate 90% of custom actions that expect to write registry entries or write to program files will fail now - and in some cases there is no work around! Even custom actions in VS 2005 projects cannot be set to run elevated!

  10. none says:

    another reason to try linux

  11. There has been a raging debate inside and outside of Microsoft about the new security feature in Windows…

  12. Abed says:

    I am currently playing with Vista and most of the normal way of doing things has changed; some good, others too cumbersome to find. For example, it is not easy to switch the logon page. 2. How can I turn off the welcome page?

    3. With XP, if you have local admin rights, right-clicking the start button gives you the option to open all users. I understand this is Beta but some things need to be easy to navigate.

  13. J Allen says:

    Abed:

    "It is not easy to switch the logon page"

    Are you referring to the text displayed on the actual logon page, or are you speaking about customizing the GINA?

    "How can i turn off the welcome page?"

    After you log on, the Welcome Center will appear. In the bottom left hand corner of the page, there is a checkbox marked "Run at Startup (Welcome Center can be found in Control Panel, System and Maintenance)." This box is checked by default. Uncheck it to stop the Welcome Center from appearing at startup.

    "With xp if you have local admin rights, right clicking the start button gives you option to open all users"

    This is also the behavior in Windows Vista. If you right-click the Start button in Beta 2, you get the following options:

    -Open

    -Explore

    -Search…

    -Properties

    -Open All Users

    -Explore All Users

    -Jenn

  14. UAC says:

    I wanted to address the post by RJakiel and by RMA here:

    It may be true that users find these UAC prompts to be too complex or frustrating to deal with for a while, but the default state of “UAC On” and “2nd User is a Standard User” will drive something very important in the industry:  writing software that by default works as Standard User.  We are definitely in a state of “pain” at the moment with the number of elevation prompts that you are seeing in FebCTP and (somewhat better) in Beta2.  But we believe that the OS elevations will be reduced dramatically for the HOME user by the time we ship Windows Vista.  

    We hope that the reality will become:  

    1. You rarely see an elevation prompt.  

    2. You understand that if you see an elevation prompt, it is because you just asked the system to run setup on something

    3. You understand that if you did NOT initiate the action that caused the elevation prompt, that you should cancel the elevation.

    4. You understand that signed apps are better than unsigned apps because they give you more information about the reason for the elevation.

    The home user may see prompts during their initial setup as they reload their applications, but after that, they should only see OS elevation prompts when they do something that changes the system… such as changing Parental Control settings etc.

    Note that Linux already has this model… the advantage that Linux currently enjoys is that ISVs automatically have to understand and respect the difference between a “Standard User” account and an “admin” account.

    We also hope that if UAC really is annoying, you won’t turn UAC off, that instead you will set it to a state where you silently elevate.  This isn’t a good state because malware can also silently elevate on your behalf (thus breaking item 3 above), but at least your Explorer, Messenger, email client, Browser etc will run as non-admin which will provide some barrier.

    Now on to the caching of common responses.  This is dangerous.  We have not ruled it out yet, but are resisting due to the threats that it brings up.  For example, if everybody knows that home uses have MMC marked as “silently elevate” because they set the “silent” bit during the install phase, then malware, running as a non-elevated application can start MMC and give it parameters that will drive it without user consent.  You would in effect be able to create an admin account or change policy.  If we added the “silent” bit, it would probably only be for 3rd party (non-OS) software.

    Where does that leave the enterprise admin though?  Some of the frustration from multiple elevation prompts can be mitigated by the enterprise admin starting an admin window (cmd.exe) first and then launching admin apps from that window.  Admin apps have admin children without an additional elevation prompt.

    Hopefully by the time your Mom uses Vista, we will have many of the annoying elevations in the OS gone.  For example, Mom will be able to “get all critical updates” without elevation and will be able to delete icons off the public desktop without elevation.  We are also busily shimming and fixing the top 1000+ applications so that they run correctly out of the box for Mom.  

    Don’t give up on the feature yet.  We are working to change the way EVERYBODY runs Windows.  That will take some restarts, rethinking, pain for the ISV (internal MS and external MS) and some pain for the user as we re-educate them on the issue and what to do with the elevation dialog.

    I was explaining what I do at work to my uncle.  He is a retired lawyer.  After I explained what an administrator was and why, on XP, our default state runs IE as administrator just so it can browse web pages with potential malicious intent, he response was “why are you letting me run that way??!?”  Microsoft is trying to take the high road here to change the way 800 million people run Windows.  Help us out by finding the bugs, filing them, pushing on your favorite ISV to run well as Standard User etc.

    Thanks for your post!

    Steve

  15. Robert says:

    I think the UAC is a good feature but missing one important facet. As a developer I regularly have to drop DLLs and such into the system path and after some testing delete them or remove them or hey even edit some types and there is no way to do that. Do I have to reinstall Windows to delete an inf or dll or ocx that I had to experiment with?

    No a common user should not have this ability.

    YES a developer or true admin level should.

    YES this means that the ability to do this should be in place for every owner of a machine. warn them that its dangerous and not supported. warn them with all the popups you need to. make it so that that level access is not installed without going to add/remove and adding the feature or just a user account type not used unless user specifically goes there.

    i cannot express how important that is.

  16. John Reid says:

    I installed BETA2 and was a little disappointed to find that Windows insists that the first account is the administrator – and there is no way around this.

    Although you obviously need the admin account - shouldn't home users be prompted to create a standard admin account password with a "remember this password: you'll need it to install stuff" prompt, and THEN set up user accounts?

    Surely the point of UAC means that standard users are the norm – not administrators with big, nasty dialog boxes that allow the end user to say "Yeah, whatever" and click the ‘Allow’ button.

    Another thing I noticed – IE7+ brings up the UAC dialog before letting the user know what the 3rd party application is. Usually this is Flash, but you have to allow before you know what it’s going to be. A bit daft – but I imagine that will change before the release version.

    I just hope that it works in the Linux style, as opposed to being an annoyance that people switch off.

  17. Ian Edwards says:

    I guess I’m a little late coming to this particular party – but I just found out about UAC.

    How do console-based applications work with UAC? Does the GUI prompt appear for them too when they are launched?

  18. Richard Carpenter says:

    A Typical Example of UAC in practice:

    I am trying to install a Microsoft Application "Windows Mobile 5.0 SDK for Smartphone". The messagebox that comes up displays "The system Administrator has set policies to prevent this installation".

    Firstly, "I AM THE BLOODY SYSTEM ADMINISTRATOR" and I NEVER set these policies. It is typical of Microsoft and Software in general that they know better than me. I have now disabled all UAC settings and the error is still there. It would actually be useful if it displayed what the offending policy was.

    What is needed is a simple "F*** Off" button that left you alone instead of legislating for the lowest common denominator approach that applies to all aspects of humanity.

  19. teknokratus says:

    User account control is awful.  It’s horribly annoying.  I’m turning it off.

  20. thegaddman says:

    I think this may be missing the main practical corporate requirement.

    Many standard users have requirements for particular admin tasks where they Always need the permission to do the work – ie. changing the system clock.. or performing an ipconfig /release..

    This is what I would like as an admin to grant them to be able to do without them having to hassle me each time..

  21. brave_the_storm says:

    I’ve been working with Vista RC1 for about a week now.  I have to say a lot of it I’m really enjoying.  Tabbed browsing, Program Manager for Startup Applications, Gadgets, improved networking, Windows Media functionality, and more.

    UAC is not one of the features I’m enjoying.  To me it reminds me of the ‘dumbed’ down sharing we learned how to turn off in XP.   If you want power users to use UAC please think about the following features:

    1)  Allow us to EASILY decide what should require elevation.  For instance I’m cool with installs asking for elevation.   I DON’T like having to elevate to COPY a txt file into the program files directory.  

    2)  If we get to do #1, then please let us decide if the ‘windows shield’ turns red or green.  My only option now is ‘Turn off Shield’ totally because it will always be red since UAC is off.  I really like the shield feature in XP since it tells me VERY useful feedback like someone hasn’t updated the virus scanner or the firewall is down.  

    The concepts outlined above seem very nice for a user –if– as promised the elevate goes away.  The problem I’ve had with RC1 is I have to do it a LOT and run a LOT of programs with Administrator rights to even get them to work.  

  22. John says:

    I’d like to see a per-application setting that allows the user to select the desired elevation level, similar to the opt-in settings for IE browser hosts. I really would like to launch Visual Studio with a double-click, like I used to do, rather than right-click and "Run as administrator." (Without full access rights, VS can’t self-register DLLs that it compiles.)

    I don’t care if there isn’t a pretty UI for this feature. In fact, I would rather have it hidden in the bowels of the Security Policy Manager. But, the fact that some of the applications that I use every day will always require extra privileges, means that I will always need to remember to launch them from a right-click…and click again to respond to UAC.

    Windows Vista–building new habits of interaction.

  23. John says:

    Follow-up: I just discovered that you can modify the short-cut properties to always run the application as an administrator. Select Properties of the shortcut, click the Advanced button, and check the "Run as administrator" check box. Click OK…

    It still pops the UAC dialog, but I never have to remember if I launched the app properly!

  24. David Bennett says:

    We have a pretty complex product developed under XP, and it installs just fine under Vista.

    Occasionally the product’s configuration needs tweaked by a console application.  The console application accepts command line parameters.  These command line parameters are needed to specify the required console application behavior.

    The application will “Run as Administrator”, if it is right clicked on in the file browser; however, I see no facility to pass command line arguments to the console application.

    What is the best way to handle this scenario?  

    Thanks much,

    David.
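For the scenario David describes, a console tool that needs both elevation and command-line arguments, the shortcut and Explorer "Run as administrator" paths offer no place for arguments, but the same elevation verb can be invoked from a script. The function below is an added example, not code from the original thread or from Microsoft; the tool path and switches in it are placeholders. `Start-Process` requires Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original thread). Launches an executable through
# the "runas" shell verb, which is what "Run as administrator" uses, while passing
# arguments to it. The configured UAC prompt (policy 1 or 2 above) appears as usual.
function Start-ElevatedConsole {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList = @(),
        [switch]$Wait
    )

    $params = @{ FilePath = $FilePath; Verb = 'RunAs' }
    if ($ArgumentList.Count -gt 0) { $params.ArgumentList = $ArgumentList }
    if ($Wait) { $params.Wait = $true }

    try {
        # A cancelled prompt raises an exception rather than starting the process
        # unelevated, so a script never silently continues with the wrong token.
        Start-Process @params
        $true
    } catch {
        Write-Error "Elevation was cancelled or failed: $($_.Exception.Message)"
        $false
    }
}

# Placeholder path and switches for the vendor's configuration tool.
Start-ElevatedConsole -FilePath 'C:\Program Files\Vendor\configtool.exe' `
                      -ArgumentList '/set', 'LogLevel=2' -Wait
```

When several such tools have to run in one sitting, the alternative Steve mentions above is simpler: elevate one cmd.exe or PowerShell window and run the tools from it, since children of an elevated process inherit its token without further prompts.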

  25. Bert says:

    I agree, UAC is &^%#^*%#(@^%(*@%^@. One should be able to turn this off with just one setting somewhere. It’s not up to MS to decide what I do on my system. I wonder how common users are going to experience this, all this extra clicking around, I wonder if this will generate more RSI ……………………..

    Microsoft, please solve this issue, at least for system admins.

    Bert

  27. Vadym says:

    How can I turn off in Vista all administrative policies for running programs and work with programs as Administrator?

  28. Pragya says:

    Please tell me why I am not able to create a folder inside Program Files using the "mkdir" command in the command prompt, which I was able to do earlier with XP, 2000 …

    I am facing real problems; even if I have logged in as administrator it's saying access denied …

    So all my applications are going for a toss now …..

    Will it be changed in near future???

  29. Steve says:

    The sad thing is that there is a perfectly good model for doing this on other operating systems already. In reinventing UAC Microsoft decided to go with the "Lets annoy the user until they turn the feature off" design.

    Why not do what everyone else does. Ask the user to Authenticate (password required) and then allow all activity for the next X (usually 5) minutes to work at Admin level. This avoids 90% of the problems that users encounter.

    See how much easier that is? Is there a requirement at MS to only implement solutions that treat the users as idiots?

  30. chris says:

    every time I want to download and install something a window pops up asking for the administrator password. My sister won’t give me the password so each time I have to bother her to type it in. It’s annoying and I’d like to know how to turn it off.

  31. Shannon says:

    I’m a setup developer, so this is a pain in my neck professionally, but it isn’t much better personally. After having used Vista for a just an hour or so, I was already completely fed up with the UAC features.  There are entirely too many prompts!  Just to create a text file on C: (a logfile, I believe) and then delete it a moment later, I had to clear four warning dialogs.  If I know myself, it won’t take long before I stop seeing or reading those dialogs, click “Allow” to everything, and sooner or later defeat the whole purpose of this exercise in security.

    Shannon:  The root of the C: drive has never been a good place to write files.  A lot of apps fail to work correctly as standard user because the developer thought it was always safe to write files there.  Try creating the log file in the current user’s Documents or Temp folders instead.

    HTH

    — Aaron Margosis

  32. John says:

    I can't seem to find the Local Security Settings as shown at the top of this blog. Searched for Local Security Settings and Local Security Policy, SEC. Using Vista Home Premium final retail. Is access to these settings available only in Vista Ultimate?

  33. John:  Try running secpol.msc.

    HTH

    — Aaron Margosis

  34. John says:

    Aaron, thanks for the reply. After looking into it further I found out that secpol.msc is not available on the Home editions of Vista. I am able to turn UAC on and off though. I have read mixed reviews on turning it off altogether though. I am pretty computer savvy but far from an expert. UAC is quite annoying, especially when you get a warning every time you try to copy files. Am I missing something about UAC? Or is it really necessary?

  35. John says:

    Ok now I am really confused. I actually did find secpol.msc and was able to launch it, but the error message "MMC could not create the snap-in" was displayed in the pane where the policies would normally be listed. Perhaps it is just crippled under the Home editions??? BTW I am logged in as an Administrator.