Inside Windows 7 User Account Control
Mark Russinovich

At a Glance: Standard user accounts. User account control.

Standard user accounts provide for better security and lower total cost of ownership in both home and corporate environments. When users run with standard user rights instead of administrative rights, the security configuration of the system, including antivirus and firewall, is protected. This provides users a secure area that can protect their account and the rest of the system. For enterprise deployments, the policies set by desktop IT managers cannot be overridden, and on a shared family computer, different user accounts are protected from changes made by other accounts. However, Windows has had a long history of users running with administrative rights. As a result, software has often been developed to run in administrative accounts and take dependencies, often unintentionally, on administrative rights.

To both enable more software to run with standard user rights and to help developers write applications that run correctly with standard user rights, Windows Vista introduced User Account Control (UAC). UAC is a collection of technologies that include file system and registry virtualization, the Protected Administrator (PA) account, UAC elevation prompts, and Windows Integrity levels that support these goals. I've talked about these in detail in my conference presentations and TechNet Magazine UAC internals article.
Windows 7 carries forward UAC's goals with the underlying technologies relatively unchanged. However, it does introduce two new modes that UAC's PA account can operate with and an auto-elevation mechanism for some built-in Windows components. In this post, I'll cover the motivations behind UAC's technologies, revisit the relationship between UAC and security, describe the two new modes, and explain how exactly auto-elevation works. Note that the information in this post reflects the behavior of the Windows 7 release candidate, which is different in several ways from the beta.

UAC Technologies

The most basic element and direct benefit of UAC's technology is simply making Windows more standard-user friendly. The showcase example is the difference between the privilege requirements of setting the time zone on Windows XP and Windows Vista. On Windows XP, changing the time zone—actually, even looking at the time zone with the time/date control panel applet—requires administrative rights. That's because Windows XP doesn't differentiate between changing the time, which is a security-sensitive system operation, and changing the time zone, which merely affects the way that time is displayed. In Windows Vista (and Windows 7), changing the time zone isn't an administrative operation and the time/date control panel applet separates administrative operations from the standard user operations. This change alone enables many enterprises to configure traveling users with standard user accounts, because users can adjust the time zone to reflect their current location. Windows 7 goes further, making things like refreshing the system's IP address, using Windows Update to install optional updates and drivers, changing the display DPI, and viewing the current firewall settings accessible to standard users.

File system and registry virtualization work behind the scenes to help many applications that inadvertently use administrative rights to run correctly without them.
The most common unnecessary uses of administrative rights are the storage of application settings or user data in areas of the registry or file system that are for use by the system. Some legacy applications store their settings in the system-wide portion of the registry (HKEY.

The PA account was designed to encourage developers to write their applications to require only standard user rights while enabling as many applications that share state between administrative components and standard user components to continue working. By default, the first account on a Windows Vista or Windows 7 system, which was a full administrator account on previous versions of Windows, is a PA account. Any programs a PA user executes are run with standard-user rights unless the user explicitly elevates the application, which grants the application administrative rights. Elevation prompts are triggered by user activities such as installing applications and changing system settings. These elevation prompts are the most visible UAC technology, manifesting as a switch to a screen with an allow/cancel dialog and grayed snapshot of the desktop as the background.

Accounts created subsequent to the installation are standard user accounts by default that provide the ability to elevate via an . This facility enables a family member sharing a home computer or a more security-conscious user using a standard user account to run applications with administrative rights, provided they know the password to an administrative account, without having to manually switch to a different user logon session. Common examples of such applications include installers and parental control configuration.

When UAC is enabled, all user accounts—including administrative accounts—run with standard user rights. This means that application developers must consider the fact that their software won't have administrative rights by default.
This should remind them to design their application to work with standard user rights. If the application or parts of its functionality require administrative rights, it can leverage the elevation mechanism to enable the user to unlock that functionality. Generally, application developers need to make only minor changes to their applications to work well with standard user rights. As the E7 blog post on UAC shows, UAC is successfully changing the way developers write software.

Elevation prompts also provide the benefit that they . For example, if a software package that the user doesn't trust or want to allow to modify the system asks for administrative rights, they can decline the prompt.

Elevations and Malware Security

The primary goal of UAC is to enable more users to run with standard user rights. However, one of UAC's technologies looks and smells like a security feature: the consent prompt. Many people believed that the fact that software has to ask the user to grant it administrative rights means that they can prevent malware from gaining administrative rights. Besides the visual implication that a prompt is a gateway to administrative rights for just the operation it describes, the switch to a different desktop for the elevation dialog and the use of the Windows Integrity Mechanism, including User Interface Privilege Isolation (UIPI), seem to reinforce that belief.

As we've stated since before the launch of Windows Vista, the primary purpose of elevation is not security, though, it's convenience: if users had to switch accounts to perform administrative operations, either by logging into or Fast User Switching to an administrative account, most users would switch once and not switch back. There would be no progress changing the environment that application developers design for. So what are the secure desktop and Windows Integrity Mechanism for?

The main reason for the switch to a different desktop for the prompt is that standard user software cannot .
The alternate desktop is called a . The use of another desktop also has an important application compatibility purpose: while built-in accessibility software, like the On Screen Keyboard, works well on a desktop that's running applications owned by different users, there is third-party software that does not. That software won't work properly when an elevation dialog, which is owned by the local system account, is displayed on the desktop owned by a user.

The Windows Integrity Mechanism and UIPI were designed to create a protective barrier around elevated applications. One of its original goals was to prevent software developers from taking shortcuts and leveraging already-elevated applications to accomplish administrative tasks. An application running with standard user rights cannot send synthetic mouse or keyboard inputs into an elevated application to make it do its bidding or inject code into an elevated application to perform administrative operations.

Windows Integrity Mechanism and UIPI were used in Windows Vista for Protected Mode Internet Explorer, which makes it more difficult for malware that infects a running instance of IE to modify user account settings, for example, to configure itself to start every time the user logs on. While it was an early design goal of Windows Vista to use elevations with the secure desktop, Windows Integrity Mechanism, and UIPI to create an impermeable barrier—called a security boundary—between software running with standard user rights and administrative rights, two reasons prevented that goal from being achieved, and it was subsequently dropped: usability and application compatibility.

Figure 1: Showing the executable file's name.

First, consider the elevation dialog itself. It displays the name and publisher of the primary executable that will be granted administrative rights.
Unfortunately, while greater numbers of software publishers are digitally signing their code, there are those that aren't, and there are many older applications that aren't signed. For software that isn't signed, the elevation dialog simply shows the executable's file name, which makes it possible for malware already running in a user's account and that's watching for an elevation of an unsigned Setup. Setup.exe without the user being able to tell (see Figure 1).

Second, the dialog doesn't tell the user what DLLs the executable will load once it starts. If the executable resides in a directory under the user's control, malware running with the user's standard rights can replace any associated DLLs in the location that the software will use.

How to access the true Administrator account in Windows Vista

In early June, Computerworld published the story, . For instance, the Administrator account does not have User Account Control enabled. There may also be differences in the ability to remove restrictive file operations and object permissions, but Microsoft is still working out those details and does not expect to reveal them until RC1 and beyond. Finally, by default, the Administrator account is present, but it's hidden and disabled on all clean installs of the operating system.

But the MMC-based Computer Management section of the Administrative Tools Control Panel does give you access to the Administrator account. By default, the account is disabled, but you can enable it there. Your obvious conclusion might be that all you need to do is enable the Administrator account, restart Windows and then log into the Administrator account. But that doesn't work. There's an added step that Microsoft hasn't documented and that isn't all that intuitive: Not only do you have to enable the Administrator account, you also have to disable all other accounts with computer-administrator privileges.
And since Vista's clean-install setup program forces you to create a new user account with computer administrator privileges, everyone has to cross this hurdle in finding the built-in Administrator.

The result of the bug is that you will be completely locked out of your Windows Vista installation. So, please follow the directions to the letter. I will show you how to safely add a password to your Administrator account.

Open the Administrative Tools Control Panel. Double-click the Computer Management item to open it. Authorize UAC by clicking the Continue button. Double-click . Click the Users folder. On the right side of Computer Management, you should see icons for all of the user accounts created on your computer. The ones that have small red circles with an . Remove the check mark from the . You'll need to restart your computer and follow one of the following two methods to access Administrator.

Accessing Administrator: Method 1

For this method, you press F8 as Windows is starting up when the character mode part of the boot-up says something to the effect of . Once the boot menu is showing, paused for your operating system selection, use the arrow or tab keys to select . Don't press Enter; instead, press the F8 key, and you'll progress to the Safe Mode boot screen. Choose the first option, . Click the Administrator icon. But for quick access to the Administrator account, this is about as good as it gets in Vista Beta 2.

Accessing Administrator: Method 2

The second method allows you to log into the Administrator account just as you would any normal account. So you get the full-fledged Administrator privileges in a normal boot mode, not Safe Mode. There's a trick you need to know to make it work. And also something you need to watch out for. Look for account icons that lack the red disable mark. You should find at least one with computer administrator privileges.
Follow the same steps to open Properties, but this time, click to add a check mark in the box labeled . Close Computer Management and restart Windows. When it comes back up, it will just load the Administrator account, since you haven't set a password. Your Administrator account should not be left enabled without a password. So, have a look around, but don't move in. And when you're done, I strongly urge you to re-enable your user account(s) and promptly disable the Administrator account.

Open the User Account Control Panel. Click the link there that reads . On the subsequent screen, you'll find an easy way to turn off UAC.

Living Dangerously

There is another possible wrinkle on Method 2. It is possible to set a password for your Administrator account. The bug with setting the Administrator account is in the Computer Management part of the Administrative Tools Control Panel. But there's another way to manage user accounts: the User Accounts Control Panel. But once you're booted into Administrator, it lets you set a password for it without any negative effects. So this is a work-around if you'd like to leave your Administrator account enabled. Enable it in Computer Management, and then set a password for it in the User Accounts Control Panel. It's important to protect it with a password that's not easy to guess or arrive at by trial and error.

Conclusions

Despite what it may seem to some people, Microsoft's decision to disable and lightly hide the Administrator account in Windows was a very good one. Millions of people have for many years been living in this account -- many without even having set a password for it. Doing so makes it easy for malware and hackers to waltz into an account that has unlimited access to the operating system. By changing the name for the account on your computer that has administrative privileges, and by setting a password for it, Windows security is raised considerably.
Microsoft has designed UAC in a way that keeps you from having to reboot between changes, but there are still too many nuisance UAC prompts. There's still development time to go on Vista's User Account Controls. Online editorial director Scot Finnie has been an editor for a variety of IT publications for more than 2. This article was adapted from the July 2. Scot's Newsletter and is used by permission.