Windows Vista User Account Control (UAC): A New Security Module

Source: Internet
Author: User

Microsoft will release the new Vista operating system, and we have seen a lot over the past few months: the powerful functions in the Vista demos, a mysterious and cool interface, and convenient, quick search. But all the flashiness eventually fades, and what users care about most is the security and availability of the system.

User Account Control (UAC) is a completely new security protection module that Microsoft designed for the Vista operating system to protect users from malware and malicious code.

If I asked how many people log on to their computers with an Administrator account, I would guess that more than 80% would say they do (especially you, reading this article in front of the screen). At least the programmers around me all use administrator-level accounts and have the highest permissions on the network. In fact, this is normal: as developers, we need access to many system resources at any time to solve problems quickly. However, programmers' computers probably also have the highest reinstallation rate, at least 3 to 4 times in the past. The reason is that our work environment is too insecure. If malware runs on my machine while I work, it obtains the highest permissions on my system and can do whatever it wants; all your system files and the registry become meat on the chopping block.

In response to this situation, Microsoft introduced UAC. It ensures that anyone who logs on to the computer runs with standard user permissions, even an administrator. The principle is simple: when any user logs on, UAC strips the user's advanced permissions, leaving only the standard permissions, and then starts the logon process. The user's session therefore starts with only these standard permissions, and the programs the user starts also have only these standard (secure) permissions.

What if I need higher permissions? Vista provides a simple way to temporarily escalate permissions:

 

 

In Vista we encounter this dialog box often and may come to dislike it, but all security comes at a cost. Another dialog box is seen less often: when you are logged on as a standard user, you will encounter the following dialog box, which requires an administrator to authorize the operation:


Note: This interface differs slightly from RTM. In the RTM version, the dialog box does not display the user names on the system; the user must enter one. This further protects administrator information. If your system supports smart cards, a card selection option is displayed in this dialog box.

This is similar to a situation we often see in supermarkets: when a cashier needs to issue a refund, the on-duty manager usually has to authorize it. We call this on-site authorization. Vista borrows this approach here, instead of requiring the administrator to log on again or use Run as to perform high-permission operations.

Vista uses different dialog boxes and colors to identify operations at different security levels. Identifiable applications get relatively calm colors. The colors include blue (system operations), gray (identifiable applications), and orange (unrecognized applications).


Orange: Unrecognized applications require permission escalation


Gray: identifiable applications require permission escalation

Applications that run on Vista should all be digitally signed. Vista uses the digital signature to identify the application and to choose the security warning level.

Vista marks operations that require higher permissions to remind users, for example when modifying the system time:


Note the highlighted part.

Vista requires this flag on every part of the interface that needs permission escalation. The flag does not disappear after you have performed an escalation, because the elevation is only a temporary unlock.

In terms of system architecture, Vista uses a separate process to run operations with higher permissions. For example, if you click a button in one process, Vista starts a new process to run the dialog box that opens; this fundamentally ensures the independence of the high-permission process. In addition, in process management, ordinary processes in Vista cannot communicate with high-permission processes, which further protects those processes.


Two windows and two processes.

Without going through UAC, you cannot obtain administrator permissions. This means that the applications you write can only run in the low-permission environment of a standard user. There are two solutions to this problem:

1) Use "Run as administrator"

For existing applications, Vista lets you use this method to temporarily obtain administrator permissions.

You can right-click the program and select "Run as administrator" to temporarily start the process as an administrator.

You can also mark the file so that the system starts it this way every time:


Note: other options are available there to configure further compatibility settings for the program.

 

2) Use a manifest to declare the execution level (recommended)

This is the method recommended by Microsoft. Vista still supports applications that do not declare a level, but Microsoft plans to drop this support in later versions. To run your application on Vista, its manifest must contain the following identifiers:

    <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" />
    </requestedPrivileges>

Besides requireAdministrator, two other values can be used: asInvoker and highestAvailable.
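The following is an added example, not code from the original article or from Microsoft: a small Python audit helper that reads an application manifest and reports which of the three execution levels it requests, treating a manifest without the element as an unidentified application. The sample manifests are constructed for illustration, and the names `requested_level` and `local_name` are hypothetical.

```python
import xml.etree.ElementTree as ET

VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}

# Constructed sample manifests for illustration (not from a real product).
ELEVATING = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

UNMARKED = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Sample.App" version="1.0.0.0" type="win32"/>
</assembly>"""


def local_name(tag):
    """Drop the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def requested_level(manifest_xml):
    """Return (level, finding) for one manifest (hypothetical helper)."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    # Match on the local name so the trustInfo namespace version does not matter.
    for elem in root.iter():
        if local_name(elem.tag) != "requestedExecutionLevel":
            continue
        level = elem.get("level")
        if level not in VALID_LEVELS:
            return level, "unrecognized level value"
        if level == "requireAdministrator":
            return level, "always asks for elevation at start"
        if level == "highestAvailable":
            return level, "elevates only if the user can obtain more rights"
        return level, "runs with the same permissions as its caller"
    return None, "no level declared (unidentified application)"


if __name__ == "__main__":
    for name, doc in (("ELEVATING", ELEVATING), ("UNMARKED", UNMARKED)):
        print(name, requested_level(doc))
```

Running it over the manifests of installed software gives a quick inventory of which programs will ask for elevation and which ones declare nothing at all.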

 
