User Account Control

User Account Control (UAC) is a new security component of the Windows Server 2008 and Windows Vista operating systems.

What is the role of User Account Control?

UAC allows administrators to enter credentials during a non-administrator user session to perform occasional administrative tasks without switching users, logging off, or using the Run as command.

UAC also requires administrators to specifically approve applications that make system-wide changes before those applications are allowed to run, even in an administrator's session.

Who will be interested in this feature?

Understanding how UAC operates is important for:

  • Administrators
  • IT security professionals
  • Developers who create applications for Windows Server 2008 or Windows Vista

Are there other special considerations?

Initially, users may encounter a large number of UAC prompts, because many system-wide changes are required during the initial configuration of the operating system. The frequency of these changes decreases over time.

The default UAC configuration differs between Windows Server 2008 and Windows Vista in the following ways:

  • By default, Admin Approval Mode (AAM) is not enabled for the Built-in Administrator account in either Windows Server 2008 or Windows Vista.
  • In Windows Vista, the Built-in Administrator account is disabled by default; the first user account created is placed in the local Administrators group, and AAM is enabled for that account.
  • In Windows Server 2008, the Built-in Administrator account is enabled by default, and AAM is disabled for that account.

What new functionality does this feature provide?

UAC includes several features and security improvements.

Admin Approval Mode

Admin Approval Mode (AAM) is a UAC configuration that creates a split user access token for administrators. When an administrator logs on to a Windows Server 2008-based computer, two separate access tokens are assigned to the administrator. Without AAM, an administrator account receives only one access token, which grants the administrator access to all Windows resources.

Why is this feature important?

AAM helps prevent malicious programs from being installed silently, without the administrator's knowledge. It also helps protect against inadvertent system-wide changes. Finally, it can be used to enforce a higher level of compliance, where the administrator must actively consent or provide credentials for each administrative process.

How does it work?

In Windows Server 2008, standard users are distinct from administrators: the two have different levels of access to the protected core areas of the computer. Administrators can change the system state, turn off the firewall, configure security policies, install services or drivers that affect every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks.

When AAM is enabled, the administrator receives a full access token and a second access token called the "filtered access token". During logon, the authorization and access control components that identify the account as an administrator are removed or disabled to create the filtered access token. The filtered access token is then used to start explorer.exe, the process that creates and owns the user's desktop. Because applications generally inherit the access token of the process that starts them, in this case they also run with the filtered access token.

Remarks
When a standard user logs on, only one access token is created. The access granted by a standard user's full access token is the same as the access granted by an administrator's filtered access token.

After an administrator logs on, the full access token is not used unless the administrator attempts an administrative task.

Important
The user experience can be configured with the Local Security Policy snap-in (secpol.msc), the Local Group Policy Editor (gpedit.msc), or the Group Policy Management Console (GPMC), so there is no single UAC user experience.

Because of the nature of servers (terminal servers excepted), administrators log on to servers far more often than they log on to client workstations. Therefore, AAM is disabled by default for the Built-in Administrator account in Windows Server 2008. AAM is enabled by default for other accounts that are members of the local Administrators group.
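
To see the split token in practice, the following PowerShell snippet (an added example, not part of the original article) reports whether the current session is running with the filtered token or the full token. It assumes the well-known SID S-1-5-32-544 for the local Administrators group and reads the token's group attributes with whoami.

```powershell
# Added example, not part of the original article: show which of the two
# tokens AAM gave this PowerShell session. Run it once in a normal window and
# once in a window started with "Run as administrator" and compare the output.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole returns $false under the filtered token even for a member of
# Administrators, because the group SID is marked "deny only" in that token.
$elevated = $principal.IsInRole($adminRole)

# whoami /groups lists every group SID in the token with its attributes.
# S-1-5-32-544 is the Administrators group; S-1-16-* is the integrity level.
# In a standard user's token the Administrators group is not present at all.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$level  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }

[pscustomobject]@{
    User                  = $identity.Name
    ElevatedToken         = $elevated
    AdministratorsInToken = [bool]$admins
    AdministratorsFlags   = $admins.Attributes
    IntegrityLevel        = $level.'Group Name'
}
```

Under the filtered token of an administrator account, AdministratorsInToken is True, ElevatedToken is False, the attributes read "Group used for deny only" and the integrity level is Medium; under the full token the same account shows ElevatedToken True and High integrity.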

What problems can occur?

If the operating system does not correctly identify an administrative application, the application may not run properly because it does not receive a full access token.

For information about configuring an existing application, see Other resources later in this topic.

What preparations should be made for this change?

For planning information, see "What preparations should be made to deploy this feature?" later in this topic.

Elevation of privilege for standard users

When a standard user lacks the permissions required for a task, a prompt for elevation is displayed. In this case, the prompt asks for administrative credentials.

Why is this feature important?

UAC allows administrators to enter credentials during a standard user session to perform occasional administrative tasks without switching users, logging off, or using the Run as command.

How does it work?

Without UAC, the application attempts to run but fails when it tries an operation that requires administrator permissions. Some applications detect and handle this situation gracefully; others do not.

In some cases, the credential prompt may confuse users or generate additional support calls. You may therefore prefer that users never see these prompts and that the application simply be prevented from starting.

How can these problems be addressed?

You can configure this standard user notification behavior with the Local Security Policy snap-in (secpol.msc), the Local Group Policy Editor (gpedit.msc), or the Group Policy Management Console (GPMC).

What preparations should be made for this change?

For planning information, see "What preparations should be made to deploy this feature?" later in this topic.

Shield icon

Administrative tasks and programs are marked with the new shield icon.

Why is this feature important?

The shield icon in Windows Server 2008 indicates that administrative permission is required to start a particular task or program. It helps identify which tasks or programs require elevated permissions, educates users and administrators, and reduces support calls.

UAC file and registry virtualization

Windows Server 2008 includes file and registry virtualization technology for applications that are not UAC compliant and that may require an administrator's access token to run properly.

Why is this feature important?

UAC virtualization helps ensure that even applications that are not UAC compliant remain compatible with Windows Server 2008.

How does it work?

When an administrative application that is not UAC compliant attempts to write to a protected directory such as Program Files, UAC uses a copy-on-write strategy to give the application its own virtualized view of the resource it is modifying. The virtualized copy is maintained in the user's profile, so a separate virtualized copy of the file is created for each user who runs the non-compliant application.

Virtualization ensures that applications that are not UAC compliant do not silently fail to run, or fail in a way that is inconsistent and difficult to diagnose.

Remarks
Virtualization is not applicable to applications that require full access tokens.

How can these problems be addressed?

With virtualization, most application tasks work normally. However, UAC virtualization is a short-term fix for applications, not a long-term solution. Application developers should modify their applications to be UAC compliant as soon as possible, rather than relying on file, folder, and registry virtualization as a temporary fix.

For instructions on designing applications that are UAC compliant, see Other resources.

Remarks
Virtualization is not supported for native 64-bit Windows applications. These applications must be UAC compliant and write data to the correct locations.

Remarks
If an application includes an application manifest with a requested execution level attribute, virtualization is disabled for that application.
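
One way to find out which legacy applications on a computer are still relying on virtualization is to look at where the redirected writes landed. The following PowerShell snippet is an added example, not part of the original article; it assumes the standard redirection targets, %LOCALAPPDATA%\VirtualStore for files and HKCU\Software\Classes\VirtualStore for registry keys.

```powershell
# Added example, not part of the original article: report the per-user
# locations that UAC virtualization has redirected writes to for the current
# user, grouped so that each legacy application shows up once.

$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'   # assumed standard path
$regStore  = 'HKCU:\Software\Classes\VirtualStore'         # assumed standard key

# Files: group by the first two path components under VirtualStore, which
# mirror the protected directory (e.g. "Program Files\SomeLegacyApp").
if (Test-Path $fileStore) {
    Get-ChildItem -Path $fileStore -Recurse -File |
        ForEach-Object {
            $rel = $_.FullName.Substring($fileStore.Length + 1)
            ($rel -split '\\')[0..1] -join '\'
        } |
        Group-Object |
        Select-Object @{ n = 'RedirectedPath'; e = { $_.Name } },
                      @{ n = 'Files';          e = { $_.Count } }
} else {
    "No virtualized file writes found for $env:USERNAME"
}

# Registry: each subkey under VirtualStore mirrors a protected HKLM path that
# a non-compliant application tried to write to.
if (Test-Path $regStore) {
    Get-ChildItem -Path $regStore -Recurse |
        Select-Object -ExpandProperty Name
} else {
    "No virtualized registry writes found for $env:USERNAME"
}
```

Any application that appears in this output is a candidate for the manifest change described above, since it is still writing to protected locations and depends on the redirection being enabled.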

What preparations should be made for this change?

For planning information, see "What preparations should be made to deploy this feature?" later in this topic.

Which settings have been added or changed?

The following system settings control UAC behavior in Windows Server 2008. You can configure these settings with the Local Security Policy snap-in (secpol.msc), the Local Group Policy Editor (gpedit.msc), or the GPMC.

The settings are found under Security Settings\Local Policies\Security Options. Each setting is listed below with its possible values and its default value.

User Account Control: Admin Approval Mode for the Built-in Administrator account

There are two possible settings:

  • Enabled: the Built-in Administrator runs as an administrator in Admin Approval Mode.
  • Disabled: the Built-in Administrator always runs with a full access token.

Default: Disabled

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

There are three possible values:

  • No prompt: elevation is performed automatically and no prompt is displayed. This option allows administrators in Admin Approval Mode to perform operations that require elevation without consent or credentials.

    Remarks
    This option is only appropriate for the most restrictive environments. We recommend that you do not use it.

  • Prompt for consent: an operation that requires a full access token prompts the administrator in Admin Approval Mode to select Continue or Cancel. If the administrator clicks Continue, the operation continues with the highest available privilege.
  • Prompt for credentials: an operation that requires a full access token prompts the administrator in Admin Approval Mode to enter an administrator user name and password. If the credentials entered are valid, the operation continues with the applicable privilege.

Default: Prompt for consent

User Account Control: Behavior of the elevation prompt for standard users

Two possible values:

  • No prompt: no elevation prompt is displayed, and the user cannot perform administrative tasks without using "Run as administrator" or logging on with an administrator account. Most enterprises that run desktops as standard users configure the "No prompt" policy to reduce support calls.
  • Prompt for credentials: an operation that requires a full access token prompts the user to enter an administrative user name and password. If the credentials entered are valid, the operation continues with the applicable privilege.

Default: Prompt for credentials

User Account Control: Detect application installations and prompt for elevation

Two possible values:

  • Enabled: when Windows detects an installation program, the user is prompted for consent or credentials.
  • Disabled: application installations are allowed to run but are denied access to system-wide resources. This leads to failures that may be difficult to diagnose. In an enterprise environment that uses standard user desktops or managed installation technologies such as Systems Management Server (SMS), installer detection is not needed and you may want to disable this setting.

Default: Enabled

User Account Control: Only elevate executables that are signed and validated

Two possible values:

  • Enabled: only signed executables are run. This policy enforces a Public Key Infrastructure (PKI) signature check on any interactive application that requests elevation. Enterprise administrators can control which applications are allowed to run by populating the Trusted Publishers certificate store on the local computer.
  • Disabled: both signed and unsigned code are run.

Default: Disabled

User Account Control: Only elevate UIAccess applications that are installed in secure locations

Two possible values:

  • Enabled: the system grants UIAccess privileges only to executables started from under %ProgramFiles% or %windir%. The access control lists (ACLs) on these directories ensure that users cannot modify the executables, which would otherwise allow elevation of privilege. UIAccess executables started from other locations run as "asInvoker" with no additional privileges.
  • Disabled: the location check is not performed, so all UIAccess applications start with the user's full access token.

Default: Enabled

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

Two possible values:

  • Enabled: UIAccess programs, including Windows Remote Assistance, can automatically disable the secure desktop for elevation prompts. This adds functionality to some UIAccess scenarios, including providing remote assistance to standard users.
  • Disabled: the secure desktop can be disabled only by an administrator at the computer or by Group Policy.

Default: Disabled

User Account Control: Run all administrators in Admin Approval Mode

Two possible values:

  • Enabled: both administrators and standard users are prompted when an administrative operation is attempted. The prompt style depends on policy.
  • Disabled: UAC is effectively disabled, and the Application Information Service (AIS) is disabled automatically. Windows Security Center also notifies logged-on users that the overall security of the operating system has been reduced and gives them the option to enable UAC.

    Remarks
    Changing this setting requires a system restart.

Default: Enabled

User Account Control: Switch to the secure desktop when prompting for elevation

Two possible values:

  • Enabled: the UAC elevation prompt is displayed on the secure desktop. The secure desktop can receive messages only from Windows processes, which eliminates the possibility of receiving messages from malware.
  • Disabled: the UAC elevation prompt is displayed on the interactive user's desktop.

Default: Enabled

User Account Control: Virtualize file and registry write failures to per-user locations

Two possible values:

  • Enabled: this policy redirects failed writes by pre-Windows Vista applications to defined per-user locations in the registry and file system. It reduces the number of applications that must run as administrator in order to write application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. This setting should be enabled in environments that run software that is not UAC compliant. Applications that have neither an application compatibility database entry nor a requested execution level in their manifest are not UAC compliant.
  • Disabled: virtualization is not used. Virtualization is what allows legacy applications that historically could not run as a standard user on pre-Windows Vista systems to run. Administrators who run only Windows Vista-compliant applications may choose to disable this feature because they do not need it. If this setting is disabled, applications that are not UAC compliant and attempt to write to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software will fail.

Default: Enabled
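
To compare a computer's effective configuration with the defaults listed above, the following PowerShell script (an added example, not from the original article) reads the policy values from the registry. The registry value names under HKLM\...\Policies\System are not given in the article and are assumed here from the standard UAC policy mapping; a value that is absent means the default applies.

```powershell
# Added example, not part of the original article. Audit the local UAC policy
# values against the Windows Server 2008 defaults listed above. The registry
# value names are assumed from the standard UAC policy mapping.

$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy (as shown in Security Options), registry value, documented default.
$expected = @(
    @{ Policy  = 'Admin Approval Mode for the Built-in Administrator account'
       Value   = 'FilterAdministratorToken';    Default = 0 }
    @{ Policy  = 'Behavior of the elevation prompt for administrators in AAM'
       Value   = 'ConsentPromptBehaviorAdmin';  Default = 2 }   # 2 = prompt for consent
    @{ Policy  = 'Behavior of the elevation prompt for standard users'
       Value   = 'ConsentPromptBehaviorUser';   Default = 1 }   # 1 = prompt for credentials
    @{ Policy  = 'Detect application installations and prompt for elevation'
       Value   = 'EnableInstallerDetection';    Default = 1 }
    @{ Policy  = 'Only elevate executables that are signed and validated'
       Value   = 'ValidateAdminCodeSignatures'; Default = 0 }
    @{ Policy  = 'Only elevate UIAccess applications installed in secure locations'
       Value   = 'EnableSecureUIAPaths';        Default = 1 }
    @{ Policy  = 'Allow UIAccess applications to prompt without the secure desktop'
       Value   = 'EnableUIADesktopToggle';      Default = 0 }
    @{ Policy  = 'Run all administrators in Admin Approval Mode'
       Value   = 'EnableLUA';                   Default = 1 }
    @{ Policy  = 'Switch to the secure desktop when prompting for elevation'
       Value   = 'PromptOnSecureDesktop';       Default = 1 }
    @{ Policy  = 'Virtualize file and registry write failures to per-user locations'
       Value   = 'EnableVirtualization';        Default = 1 }
)

$current = Get-ItemProperty -Path $path

foreach ($e in $expected) {
    $actual = $current.($e.Value)
    # A value that is missing from the registry means the default is in effect.
    if ($null -eq $actual)          { $status = 'default (value not set)' }
    elseif ($actual -eq $e.Default) { $status = 'default' }
    else                            { $status = 'CHANGED' }

    [pscustomobject]@{
        Policy   = $e.Policy
        Value    = $e.Value
        Expected = $e.Default
        Actual   = $actual
        Status   = $status
    }
}
```

Rows marked CHANGED are the ones to reconcile against Group Policy; EnableLUA set to 0 or ConsentPromptBehaviorAdmin set to 0 in particular removes the protection the article describes.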

Do I need to change any existing code?

New applications should be written to be UAC compliant and should include an embedded application manifest.

For more information, see Other resources.

What preparations should be made to deploy this feature?

UAC can significantly reduce exposure to malware and allows older applications to run with standard user credentials. To get the most out of UAC, see the information listed in Other resources.

Is this feature available in all editions of Windows Server 2008?

UAC is an integral part of the operating system in all editions of Windows Server 2008. UAC is also part of the Windows Vista operating system.

Other resources

For more information about UAC, see the following:

  • User Account Control feature information page (http://go.microsoft.com/fwlink?LinkID=82373)
  • User Account Control Overview (http://go.microsoft.com/fwlink?LinkId=89652): use User Account Control in the Windows Vista operating system to limit administrator-level access to authorized processes, reducing the risk of exposure.
  • Understanding and Configuring User Account Control (http://go.microsoft.com/fwlink?LinkID=79026): understand how UAC works, including deployment scenarios and ensuring compatibility with older applications.
  • Windows Vista User Account Control Step by Step Guide (http://go.microsoft.com/fwlink?LinkID=53781): this step-by-step guide provides instructions for using User Account Control (UAC) in a test lab environment.
  • Explore the new User Account Control (http://go.microsoft.com/fwlink?LinkId=89653): gain hands-on experience with Windows Vista User Account Control without installing it on your PC.
  • User Account Control (UAC) Windows Vista application development requirements (http://go.microsoft.com/fwlink?LinkId=89654): learn how to develop applications that work with UAC.
