Feb 23 2007

Inside Vista's User Account Control

Protecting users from themselves.

If you have ever used a personal firewall application such as ZoneAlarm, you are probably familiar with seeing cryptic alert messages pop up on your screen. Essentially, any time a new or unknown process or application attempts to access the network from your computer, a message pops up to alert you and ask for permission to allow the communication to occur. With Windows Vista and UAC (User Account Control), you will see many similar pop-up alerts.

The whole point of UAC is to protect users, and their computer systems, from themselves. The standard user often does not have broad enough permissions for many purposes, which leads to users running with Administrator privileges. Without some other control or security measure in place, a user running as Administrator can install software or make system changes that have an adverse impact. Malware that compromises the system typically runs in the same context as the logged-in user, meaning that the malware could also install software and make system changes with Administrator privileges.

With UAC, even Administrators are greeted with the Consent User Interface, or Consent UI. Consent UI is just a catchy name for the pop-up box that appears to confirm that you really want to execute the program in question. Most of the time, you will see the Consent UI alert message immediately after you try to execute or install some software. Since you initiated the action, the Consent UI seems more like an annoyance than a security measure.

What’s in It For Me?

While it may be a nuisance at times, UAC is beneficial overall. Once they’re properly educated and conditioned, users can recognize that the Consent UI alert means something is going on. If they did not consciously initiate such an action, they will hopefully think twice about proceeding rather than blindly clicking OK.

UAC is of particular benefit to Administrators, though. Standard users are generally not allowed to install programs on the computer anyway; when a standard user triggers an operation that needs elevation, UAC does not show the Continue-style Consent UI but a credential prompt that asks for an Administrator's password. That prompt can serve as a warning of suspicious or malicious activity, but it does not give the standard user any permission they did not already have. Administrators gain real protection from malware, or from simple operator error, by being forced to confirm that they truly intended for the application in question to execute.

It is safer than running as an unrestricted Administrator, as on Windows 2000 or Windows XP, where power is almost limitless and a mistake or a piece of malware can wreak havoc on a system, but significantly more productive than logging in as a standard user, where so much is off limits that it is difficult to get anything administrative done. UAC and the Consent UI let a user with Administrator privileges install software and execute applications, with an added layer of confirmation in between.

What Can Standard Users Do?

By default, the standard user is quite limited in functionality. A standard user's access token carries only the following five privileges:

  • Shut down the system (SeShutdownPrivilege)
  • Access and work with a file or folder they have permissions for, even if it is nested within a folder, or folders, they do not have access to; this is the "bypass traverse checking" right (SeChangeNotifyPrivilege)
  • Dock or undock a notebook from its base station (SeUndockPrivilege)
  • Increase the working set (the amount of physical memory) of a process they own (SeIncreaseWorkingSetPrivilege)
  • Change the time zone (SeTimeZonePrivilege)

Administrators can grant additional privileges to individual accounts or to entire groups through User Rights Assignment in Local Security Policy or Group Policy. There are 34 additional user privileges, of which 25, such as the ability to load device drivers, or to back up and restore files and folders, can be added to a standard user account.

The remaining nine privileges are the ones UAC holds back. An Administrator logon actually produces two access tokens: a full token carrying every privilege the account has been granted, and a filtered token from which the nine restricted privileges are stripped and in which the Administrators group SID is kept only for deny checks. The filtered token is what the desktop and every program launched from it normally run with, which is why even an Administrator sees the Consent UI when a task needs one of the nine: consenting starts that program with the full token. For an in-depth, detailed look at UAC privileges and configuration, you can download Microsoft's Windows Vista Application Development Requirements for User Account Control Compatibility.

Taking a Look Behind the Scenes

Would you like to know what privileges your user account has? When troubleshooting why a user cannot accomplish a certain task, it helps to look at the user's access token and see which groups and privileges are actually on it. Thankfully, Microsoft ships a utility that lets you do just that.

The command line program whoami.exe (aka “Who Am I?”) allows you to reveal the details associated with a given user token. Simply type ‘whoami /user’, to display token information for your user account that will look something like this:

User Name   SID
==========  ==============================================
vista\tony  S-1-5-21-3628148529-3107952122-3701915511-1000

There are a number of switches that can be used with the whoami.exe utility to reveal more detailed information about the user token. You can display the groups that the user account belongs to (/groups), the privileges on the token (/priv), or the logon ID (/logonid), or everything at once (/all), and you can customize the format of the output. For example, typing ‘whoami /groups /fo csv /nh’ will display the group memberships and attributes for the current user account in CSV format with no column headers. The most useful switch for UAC troubleshooting is ‘whoami /priv’: run it in a normal command prompt and again in one started with Run As Administrator and compare the two lists, and the difference between the filtered and the full token becomes visible.
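The two token views described above (the five-privilege standard user baseline and the group attributes whoami prints) can be checked mechanically. The following Python script is an added example, not code from the original article or from Microsoft. It parses saved ‘whoami /groups /fo csv /nh’ and ‘whoami /priv /fo csv /nh’ output and reports whether the token belongs to a standard user, to an Administrator running under the filtered token, or to an Administrator who has elevated. The sample whoami output embedded in it is constructed for the example (the group and privilege names and the well-known SIDs are real, the host and descriptions are illustrative); the function names are the example's own.

```python
import csv
import io
import os
import subprocess

# The five privileges a Vista standard-user token carries (listed in the article).
STANDARD_USER_PRIVILEGES = frozenset({
    "SeShutdownPrivilege",
    "SeChangeNotifyPrivilege",
    "SeUndockPrivilege",
    "SeIncreaseWorkingSetPrivilege",
    "SeTimeZonePrivilege",
})
ADMINISTRATORS_SID = "S-1-5-32-544"      # BUILTIN\Administrators
INTEGRITY_SID_PREFIX = "S-1-16-"         # Mandatory Label SIDs look like S-1-16-<level>
INTEGRITY_NAMES = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}
DENY_ONLY = "Group used for deny only"   # attribute whoami prints for a filtered admin SID


def parse_rows(text):
    """Split 'whoami ... /fo csv /nh' output (quoted CSV, no header row) into field lists."""
    return [row for row in csv.reader(io.StringIO(text.strip())) if row]


def token_summary(groups_csv, priv_csv):
    """Classify a token from saved 'whoami /groups' and 'whoami /priv' CSV output."""
    groups = parse_rows(groups_csv)   # fields: Group Name, Type, SID, Attributes
    privs = parse_rows(priv_csv)      # fields: Privilege Name, Description, State

    admin_rows = [g for g in groups if g[2] == ADMINISTRATORS_SID]
    admin_member = bool(admin_rows)
    # On the filtered token the Administrators SID is still listed, but only for deny checks.
    admin_deny_only = admin_member and DENY_ONLY in admin_rows[0][3]

    integrity = None
    for g in groups:
        if g[2].startswith(INTEGRITY_SID_PREFIX):
            integrity = INTEGRITY_NAMES.get(int(g[2][len(INTEGRITY_SID_PREFIX):]), g[2])

    held = {p[0] for p in privs}
    extra = sorted(held - STANDARD_USER_PRIVILEGES)      # anything beyond the standard five
    missing = sorted(STANDARD_USER_PRIVILEGES - held)    # standard five that are absent

    if not admin_member:
        kind = "standard user"
    elif admin_deny_only:
        kind = "administrator (filtered token, not elevated)"
    else:
        kind = "administrator (full token, elevated)"

    return {
        "kind": kind,
        "admin_member": admin_member,
        "admin_deny_only": admin_deny_only,
        "integrity": integrity,
        "extra_privileges": extra,
        "missing_standard_privileges": missing,
    }


# Constructed sample output (illustrative; real SIDs, made-up host).
STANDARD_USER_GROUPS = r'''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
'''
NON_ELEVATED_ADMIN_GROUPS = r'''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
'''
ELEVATED_ADMIN_GROUPS = r'''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
'''
STANDARD_USER_PRIVS = r'''"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeUndockPrivilege","Remove computer from docking station","Disabled"
"SeIncreaseWorkingSetPrivilege","Increase a process working set","Disabled"
"SeTimeZonePrivilege","Change the time zone","Disabled"
'''
ELEVATED_ADMIN_PRIVS = STANDARD_USER_PRIVS + r'''"SeDebugPrivilege","Debug programs","Disabled"
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeRestorePrivilege","Restore files and directories","Disabled"
"SeTakeOwnershipPrivilege","Take ownership of files or other objects","Disabled"
"SeSystemtimePrivilege","Change the system time","Disabled"
'''


def live_summary():
    """Run whoami on the current Windows session and classify the token it reports."""
    def run(*args):
        return subprocess.run(["whoami", *args, "/fo", "csv", "/nh"],
                              capture_output=True, text=True, check=True).stdout
    return token_summary(run("/groups"), run("/priv"))


if __name__ == "__main__":
    summary = (live_summary() if os.name == "nt"
               else token_summary(NON_ELEVATED_ADMIN_GROUPS, STANDARD_USER_PRIVS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it from a normal command prompt and again from one opened with Run As Administrator: the first report shows the Administrators SID marked for deny only and a Medium integrity label with just the five standard privileges, the second shows the SID enabled, a High label, and the extra privileges the full token carries. A filtered token that is missing one of the five standard privileges usually means a policy has removed it, which is the first thing to check when a user cannot, for example, shut down or change the time zone.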

Elevating Privileges With ‘Run As Administrator’

Windows Vista still has a Run As entry on the context menu that pops up when you right-click a program, but it has changed from what you are used to from Windows 2000 or Windows XP. Rather than letting the user specify which user account's credentials to run the program with, the Vista version of Run As is called Run As Administrator.

As the name implies, Run As Administrator runs the program in question with the full Administrator token rather than the filtered one. The functionality to execute a program under the context of different user credentials still exists, but only from the command line through runas.exe, not from the context menu. The two are not interchangeable: a program started with runas as an Administrator account receives that account's filtered token, just as at logon, so runas does not elevate.

When you select Run As Administrator from the context menu for a program, the screen grays out and the Consent UI alert appears, asking you to confirm that you actually want to elevate the privileges of the account being used to initiate the program. The graying out is deliberate: the prompt is shown on a separate secure desktop so that other programs cannot draw over it or click Continue for you. If your account is an Administrator, clicking Continue will execute the program with the full token; a standard user is asked for an Administrator's password instead.

Adapting to the UAC Culture

At first, UAC may seem like nothing more than an annoyance. Most of the time, the Consent UI alert appears in response to an action that you initiated. Obviously you want to Continue, or you wouldn’t have initiated it. Having to stop and confirm that you really mean it all the time can seem like a silly nuisance.

It is possible to alter the behavior of UAC, or to disable UAC entirely, but that is not recommended. That nuisance is there for a reason. Rather than turn it off, it is better to recondition yourself to exist in the new UAC culture. Learn, and teach your users, to stop and think before blindly clicking Continue on the Consent UI alerts. That brief pause to confirm your actions may one day save your computer system.

Mike Van Cleave is a security engineer with CDW Corp., a $6.7 billion technology services provider based in Vernon Hills, Ill.