SolutionBase: Dealing with Windows Vista User Access Control

One of the key new features in Windows Vista is User Access Control. In this article, Scott Lowe takes a close look at UAC and shows you how to change how it works.

Microsoft's advertising has stressed the new security features found in Windows Vista. From the user perspective, one such feature, User Access Control, is arguably the most noticeable enhancement. User access control is a mechanism by which users -- even administrators -- perform common Windows tasks with non-administrative rights, or as a standard user. Before administrative tasks can be performed, users must actively approve actions that could be potentially dangerous to the computer.

In this article, I'll give you a complete look at User Access Control's inner workings and show you some ways you can change the behavior of this new feature.

How does User Access Control work?

The inner workings of User Access Control reveal a lot about how this feature protects your computer. First, let's talk about why User Access Control was developed.

The problem: Windows XP and silent installations

In pre-Vista versions of Windows, upon login, a user was assigned an access token. A non-administrative user was assigned a token that granted him access to resources that did not require administrative rights. Users that were members of an administrative group were assigned a single token that granted them full rights to all of the resources on the local computer.

From an ease-of-use perspective, this level of authority was great. However, from a security perspective, it's not so great, even for IT pros. Consider the potential for "drive-by" spyware installation. A drive-by installation happens when you visit, either accidentally or intentionally, a site containing malicious code that you don't know about. While spyware scanners have significantly improved over the past couple of years, there's not a single solution on the market that will protect against every known threat. Even if there were such a product, there would still be the issue of unknown threats. New spyware pops up every day and it takes vendors time to discover these new nuisances and update their products.

If you're logged in to Windows XP as a user with administrative privileges at the time the drive-by takes place, spyware may get installed to your computer with absolutely no notice to you. This spyware could be anything from a fairly innocuous tool to a key logger that keeps track of everything you type and sends the results to a predetermined location. You might end up with the installation of a back door that allows a hacker to make his way into your system at some point in the future to achieve his nefarious goals.

Worse, the deeper spyware is embedded into your system, the more difficult it is to remove, short of a complete system rebuild, which can take hours.

Note: When you install Windows XP, the Setup Wizard assigns administrative rights to all local accounts.

Now, you might tell yourself you already know all of this; but, in your organization, you're forced to allow users to run as a local administrator for any number of reasons. For example, many users (with the backing of management) feel it is vital that they have the ability to install new applications on their desktop. Unfortunately, they're often right. Doing business on the Web often means having to install a new ActiveX control or other type of application. While not the safest behavior, allowing people to do their jobs is preferable to paying people to sit in a chair doing nothing under the unyielding thumb of IT.

The solution: Windows Vista and User Access Control

Windows Vista's introduction of User Access Control aims to tame this beast and bring some order back to chaos. Under Vista, when an administrative user logs in to the system, he is granted not one, but two access tokens: an administrative access token and a standard user access token. The standard access token is used to start the user's desktop. The end result is that the administrator is running a system with more limited rights than he would have received upon login under Windows XP. Until there is a need, the second token -- the one with administrative rights -- is not used.

Such a need arises, for example, when the administrative user starts a Control Panel applet and tries to change a setting: Windows Vista's User Access Control feature pops up a window indicating that permission is necessary to continue. When you choose to allow an administrative action to take place using the administrative token, you are allowing that application to run with elevated privileges. Figure A gives you a look at a typical User Access Control dialog box. If you want to allow the action, press the Continue button.

Figure A

User Access Control asks if you want to proceed with the action.

If you've seen the Mac v. PC commercials on Apple's Web site, you'll recognize this dialog box as being the point of discussion between the PC and the Mac with a security guard standing behind the PC to verify every communication with the Mac. In reality, the situation is not quite that bad. In fact, although annoying from time to time, the situation is much better as the new system provides a visual cue that something is going on and gives a user an opportunity to decline an action.

Annoyance is one of the results I will try to help you with in this article. I'll show how you can disable User Access Control altogether, and how to indicate that specific applications should always run in an elevated state.

Completely disabling User Access Control

I'll preface this section by saying I don't recommend you take this action, even on your own computer. Much as I am loath to admit it, even though I preach the dangers of the "blind click" on a pop-up and the resulting spyware that ensues to students and users, I sometimes forget my own advice. Last summer, when I was in a hurry to complete a task, I got what appeared to be a system dialog box and pressed the OK button. Just as I released the mouse button, I realized that the "OK button" I had just pressed was actually a pop-up from a Web site. Just hours later, my system was infested with spyware.

The lesson here is this: Even those of us that do this for a living fall victim to spyware. With User Access Control, at least there is one more barrier between us and them.

But, if you find that User Access Control is seriously debilitating, you can disable it and move on. There are a number of ways to disable User Access Control. I'll show you how to do so using the Control Panel, the Registry Editor, and Group Policy.

All of the solutions in this article require that you log on as a user with administrative rights. For most solutions, however, you cannot use the local administrator account. This account is not subject to administrative approval. Use another account that is a member of the local administrators group.

Disable User Access Control using MSConfig

For a few machines, you can use MSConfig to change the behavior of User Access Control:

  1. Go to Start | All Programs | Accessories | Run.
  2. In the Run box, type "msconfig", and press [Enter].
  3. From the System Configuration window, choose the Tools tab, as shown in Figure B.
  4. In the Tool Name column, look for the Disable UAC option.
  5. Press the Launch button.
  6. Reboot the system.

Figure B

The System Configuration window Tools tab.

Disable User Access Control via the Control Panel

If you have just a couple of machines, the easiest way to disable User Access Control is to disable the feature via the Control Panel. Follow these steps to achieve this goal:

  1. Go to Start | Control Panel.
  2. Viewing the Control Panel in "Classic" mode, choose the User Accounts applet. This opens the screen shown below in Figure C.

Figure C

The User Accounts control panel applet.

  3. Choose the "Turn User Account Control on or off" option. Note that this applet has a little shield next to it. This shield indicates that this function is itself protected by User Account Control.
  4. Deselect the checkbox next to Use User Account Control (UAC) To Help Protect Your Computer. See Figure D.

Figure D

The User Accounts control panel applet.

  5. Press OK.
  6. Reboot your computer for the changes to take effect.

Disable User Access Control via the Registry Editor

A second way to disable User Access Control involves the use of the registry editor. By changing a specific key on each Vista machine, you can disable User Access Control. Here are the steps:

  1. Start the Registry Editor.
  2. Browse to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Change the value of the EnableLUA entry to "0". If you ever want to re-enable User Access Control, follow these instructions, but change the value of the EnableLUA entry to "1". See Figure E for a look at the screen.
  4. When you are done, reboot the computer for the change to take effect.

Figure E

The EnableLUA key in the Registry Editor.

Manage/Disable User Access Control via Group Policy

If you have a lot of computers and you want to change User Access Control behavior across all of them, your best bet is to use Group Policy. The Group Policy method is also the most granular of the bunch and allows you to set a variety of parameters related to User Access Control. I'll show you how to accomplish this using the local group policy administrative tool.

  1. Go to Start | All Programs | Accessories | Run.
  2. In the Run box, type "secpol.msc" and press [Enter].
  3. When User Account Control asks for permission to continue, press the Continue button.
  4. Browse to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options. You'll see the screen shown in Figure F.
  5. Select the group policy object you wish to modify and change the setting to the desired value. The list below provides you with a look at all of the group policy settings associated with User Access Control.

Figure F

The Group Policy Object Editor.

There are a number of options related to User Access Control:

  • User Account Control: Behavior of the elevation prompt for the built-in Administrator account -- This setting determines the behavior of User Access Control when used with the built-in Administrator account.
    • Enabled: When running an application that needs administrative rights, the built-in Administrator account will be subject to User Access Control.
    • Disabled (default): The built-in Administrator account will run all applications without further prompting.
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -- This setting determines what takes place when administrators (besides the built-in Administrator account) run a privileged application.
    • Elevate without prompting: This is the most dangerous setting and should be used only in very secure environments. Restricted applications are run with administrative rights without intervention.
    • Prompt for credentials: The user is prompted to provide the user name and password for a user with local administrative rights.
    • Prompt for consent (default): This is the normal behavior for User Access Control and asks the user (assuming the user has administrative rights) to permit or deny running an application with administrative rights.
  • User Account Control: Behavior of the elevation prompt for standard users -- This setting determines what takes place when standard users try to run a privileged application.
    • Prompt for credentials (Default for Home editions): The user is prompted to provide the user name and password for a user with local administrative rights.
    • Automatically deny elevation requests (Default for Enterprise editions): The user will receive a message indicating that access to the application has been denied.
  • User Account Control: Detect application installations and prompt for elevation -- How will the User Access Control system respond to requests for the installation of new programs?
    • Enabled (Default for home): Application installations that require administrative privileges will trigger the User Access Control prompt.
    • Disabled (Default for enterprise): Since many application installations are handled via Group Policy, user intervention and approval is not necessary.
  • User Account Control: Only elevate executables that are signed and validated -- Do elevated applications require a valid PKI certificate chain?
    • Enabled: Requires that an application has a valid PKI certificate chain before it is allowed to run.
    • Disabled (default): Does not require that an application be signed in order to run.
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations -- Applications that request execution with a UIAccess integrity level must reside in a secure area of the system.
    • Enabled (default): An application with UIAccess integrity will launch only if it resides in a protected area of the system.
    • Disabled: An application with UIAccess integrity will launch regardless of the location of the executable.
  • User Account Control: Run all administrators in Admin Approval Mode -- Run all users, including administrators, as standard users. This effectively enables or disables User Access Control. If you change this setting, you must reboot the system.
    • Enabled (default): Administrative Approval Mode and User Access Control are enabled.
    • Disabled: Disable User Access Control and Admin Approval Mode.
  • User Account Control: Switch to the secure desktop when prompting for elevation -- When User Access Control is enabled and displays an elevation prompt, change Windows Vista to the secure desktop as opposed to the standard user's desktop.
    • Enabled (default): Elevation requests are directed to a secure desktop.
    • Disabled: Elevation requests are directed to the standard desktop.
  • User Account Control: Virtualize file and registry write failures to per-user locations -- This setting enables the redirection of legacy application write failures to defined locations in both the registry and file system, mitigating those applications that historically ran as administrator and wrote runtime application data back to %ProgramFiles%, %Windir%, %Windir%\system32 or HKLM\Software\. In short, this setting helps to maintain backward compatibility with legacy applications that do not like to run as a standard user.
    • Enabled (default): Applications writing data to protected areas will be redirected to other locations.
    • Disabled: Applications writing data to protected areas will fail.
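
A read-only check for the settings described in the Registry Editor and Group Policy sections above, as an added example that is not part of the original article: it compares the values under the Policies\System key with the defaults in the list above and reports any that have been changed. EnableLUA is the value the article names; the other four value names and the Vista numbering for ConsentPromptBehaviorAdmin are assumptions about the registry values that back these policies, and Compare-UacBaseline and Get-UacValues are hypothetical helper names.

```powershell
# Added example: compare UAC registry values against the defaults listed above.
$UacKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected data per the "(default)" entries in the article's list.
# Assumption: Vista numbering, where ConsentPromptBehaviorAdmin
# 0 / 1 / 2 = elevate without prompting / credentials / consent.
$Baseline = @{
    EnableLUA                  = 1   # Run all administrators in Admin Approval Mode
    ConsentPromptBehaviorAdmin = 2   # Prompt for consent
    PromptOnSecureDesktop      = 1   # Switch to the secure desktop
    EnableSecureUIAPaths       = 1   # UIAccess only from secure locations
    EnableVirtualization       = 1   # Virtualize file and registry write failures
}

function Compare-UacBaseline {
    param([hashtable] $Values)       # value name -> DWORD data read from the key
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $status = 'OK'
        if (-not $Values.ContainsKey($name)) {
            $status = 'MISSING'
        } elseif ([int]$Values[$name] -ne $Baseline[$name]) {
            $status = 'DEVIATES'
        }
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $Values[$name]
            Status   = $status
        }
    }
}

function Get-UacValues {
    # Read the live key; values that do not exist are left out of the result.
    $props = Get-ItemProperty -Path $UacKey
    $found = @{}
    foreach ($name in $Baseline.Keys) {
        if ($null -ne $props.$name) { $found[$name] = $props.$name }
    }
    $found
}

# Constructed sample: a machine where EnableLUA was set to 0 as described
# above and the admin prompt was set to "Elevate without prompting".
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0
             PromptOnSecureDesktop = 1; EnableSecureUIAPaths = 1 }
Compare-UacBaseline -Values $sample |
    Format-Table Setting, Expected, Actual, Status -AutoSize

# On a real machine: Compare-UacBaseline -Values (Get-UacValues)
```

For the constructed sample, EnableLUA and ConsentPromptBehaviorAdmin are reported as DEVIATES and EnableVirtualization as MISSING; the script only reads the key and changes nothing.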

Selectively disabling User Access Control

Not all applications are marked in such a way as to trigger a User Access Control warning when executed. However, many applications need to be run with administrative rights enabled in order to function as intended. In order to accommodate this situation, you can mark an application so it runs with administrative rights each time the application is executed. To do so:

  1. Right-click the executable associated with the application.
  2. From the shortcut menu, choose the Properties option.
  3. From the Properties page, select the Compatibility tab.
  4. Under the Privilege Level heading, select the checkbox next to "Run this program as an administrator", as seen in Figure G.
  5. Press OK.

Figure G

The application's Compatibility tab.

For some applications, the "Run this program as an administrator" option may not be available. There can be a number of reasons for this:

  • You are not logged in as a user with administrative rights.
  • The application is not capable of being run with elevated rights.
  • The application is a part of the operating system. OS applications cannot be modified in this manner.

Annoying, but worth it

User Access Control might be an annoying way to achieve system security, but it's actually pretty welcome when it comes to maintaining system security, especially for home users. Mac and Linux users have long had to deal with the same basic security scheme, but it's new to Windows users. Once Windows users get used to it, they'll appreciate the added security it provides.