Running as an administrator today can be very costly. When you run as an administrator, every application that you launch can potentially use your account’s privileges to write to system files and the registry and to modify system-wide data. Common tasks like browsing the Web and checking e-mail can become unsafe in this scenario.
Enterprises also face a daunting task of enforcing desktop standardization in an environment where most users continue to run as local administrators. Because each user can install/uninstall applications and adjust system and security settings at will, IT departments often cannot gauge the holistic health and security of their environments and thus increases their Total Cost of Ownership (TCO).
The Standard User account is an account that has no machine administrative privilege. This account type has been available in Windows NT-based operating systems since Windows NT 3.1, so why do people continue to run as administrator? Unfortunately, many applications today are unable to run with a Standard User’s privileges and require administrative access. Even some simple Windows tasks do not work if you are not an administrator, like changing the time zone.
How does User Account Control work?
Knowing this was a huge issue for customers and Microsoft as well, the User Account Control (UAC) team set out to find a way to make it easy for everyone to run as a Standard User. The first step was to identify which applications / tasks unnecessarily require administrator privileges. The UAC team has been working with different software companies to help them accomplish this task. All Microsoft applications and Windows features are also going through this same review process. This change takes a lot of collaboration and effort, but it is a big step in the right direction to help make Windows more secure.
The next step was to redesign the way that user accounts work in Windows. The following section lists Windows Vista user accounts and groups.
- Built-in Administrator account: The standard built-in Administrator account, and a member of the Local Administrators group. This account has full access throughout the operating system.
- Local Administrators group: This group’s members have the highest potential level of administrative access to the local computer but are always logon restricted.
- Standard Users group: This group’s members are unable to make system-wide changes, like installing applications and changing system settings, without an administrator providing his/her credentials during an Over the Shoulder (OTS) credential prompt. An OTS credential prompt occurs when a standard user attempts to perform a task that requires administrative privileges.
The Power Users group was deprecated from Vista since many tasks that formerly required privileges granted to this group are now available to the Standard Users group. For instance, Standard Users can now install printers and respond to Windows Firewall notifications.
What makes the UAC user account model different from previous models is that all users, Administrators and Standard Users, run with standard user access by default. Only the Built-in Administrator account runs with a full access token by default. When an administrator logs on to Windows Vista, two versions of the account’s access token are created: one with the full rights and privileges and another that is stripped of the administrative privileges. The latter is called the standard user access token and is used to initially invoke Explorer after the administrator logs on. Because most applications and processes are launched through Explorer, they inherit this Standard User access token and run with its limited privileges.
What happens when you need to change a system setting?
In previous versions of Windows, you would have had to either log off with your Standard User account and then log back in as a local administrator or to use some form of RunAs to invoke the application with an administrator account’s privilege. UAC, however, identifies which applications require administrative privileges and prompts you for confirmation –based on policy-- when you want to use those privileges. This process is called an elevation prompt. If you approve the prompt, your account’s full administrator access token is used to launch the application.
So, what about Standard Users? How do they install applications?
Standard Users can in context install applications and perform other administrative tasks if they are able to provide credentials for an account that is a member of the Local Administrators group. For instance, when a Standard User attempts to install an "all users" application, UAP launches an OTS credential prompt to ask the user to provide administrative credentials.
What are some User Account Control benefits?
UAC reduces the attack surface by ensuring that all users run with the least amount of privileges that they need to perform a task. By reducing the attack surface, you reduce the time and effort associated with managing a computer.
The following are also benefits of UAC.
-
Reduced impact of “spyware” and “malware”: Since rogue applications will require administrative privileges to install and perform their tasks, running with a standard user access token will help reduce their impact. If a software bug is exploited, the damage will be contained to the files and folders that the user has privileges to, and not to the entire computer.
-
Lower total cost of ownership: IT departments will notice reduced cost of ownership since they can now standardize and manage their desktops. On average, managed desktops cost 40% less annually than unmanaged desktops. Home users will also see a reduction in costs due to the reduction of impact that of “spyware” and “adware” that may have formerly wreaked havoc on their computer.
-
Greater parental control: Parents will be able to use Vista parental controls by running as a local administrator and having their children run with standard user accounts. Previously, if the children also had administrator accounts, parental controls could be easily circumvented.
