
Document Type: Tutorial
NI Supported: Yes
Publish Date: May 05, 2012



A Closer Look at Windows Vista, Part I: Security Changes


Overview

Malware refers to any software that secretly infiltrates and damages a computer system without the informed consent of the owner. Despite the use of anti-virus and anti-spyware software, malware can still affect even careful users. One of the stated goals of the Microsoft Windows Vista release is to greatly improve the overall security of the Windows operating system and curb the impact of malware. To this end, Microsoft redesigned both the least user and administrative accounts on Vista; the result is perhaps the most secure version of Windows in the age of the Internet.

Table of Contents

  1. Traditional Windows User Privilege Model
  2. User Account Control Security Model
  3. Windows Vista Standard User Privileges
  4. File System and Registry Virtualization
  5. Virtualization Example 
  6. Advantages of UAC
  7. Disadvantages of UAC

Traditional Windows User Privilege Model

The concept of least user or standard user accounts has been a part of Windows releases for many years. However, interacting with the Windows operating system as a standard user has historically been difficult. Standard users cannot install or uninstall software, change security settings, or even perform seemingly innocuous tasks such as adjusting computer power settings or time zone.

In addition, many software applications created over the past decade require administrator access to run because they access protected directories and registry keys, such as C:\Program Files, C:\Windows, or HKEY_LOCAL_MACHINE. Security-minded individuals who attempted to run Windows XP or previous versions of Windows using only standard accounts quickly realized that it was an exercise in futility.

As a result, most users of Windows XP or earlier Windows versions run as members of the Windows Administrators group. This is problematic because providing a user with complete control of a computer also provides every application and service on that computer with the same amount of access. If a computer is compromised by malware, that malevolent code has complete access as well; this is one of the chief reasons that Windows computers have long been susceptible to external attack.

User Account Control Security Model

To reduce the effects of malware, Windows Vista includes a new security model known as User Account Control (UAC), which represents a major shift from the traditional Windows user privilege model and affects nearly every Windows user. UAC is designed to improve the least user (i.e. standard user) experience, ultimately reducing the risk of malware.

Under UAC, all Windows Vista users, including those with administrative rights, interact with their PCs as standard users most of the time. The Windows standard user account continues to have no administrative privileges, which prevents malware inadvertently downloaded by such an account from silently installing itself on the computer. Malware that somehow infiltrates a PC cannot access protected directories or registry entries.

When you attempt to perform a task that requires administrative privileges, such as installing software or changing the status of the Windows firewall, Windows Vista explicitly prompts you to supply permission or credentials before temporarily elevating you to the administrative level to complete that single task. For a standard user, that means supplying a username and password that belong to a member of the Administrators group (see Figure 1).

Figure 1. Standard users must supply appropriate credentials under UAC to perform security-related tasks.

If you are already an administrator, you simply click a Continue button to proceed (see Figure 2).

Figure 2. Administrators are only prompted to confirm an action.

Note that the permissions and credentials dialogs shown above provide information on the program or process attempting to do something that could impact your computer’s security. These UAC dialogs are an effective way to:

  • Show you which tasks require administrative privileges
  • Prevent you from accidentally altering the computer security in a negative way
  • Temporarily allow standard users to perform administrative tasks with the express permission of an administrator with the correct credentials

Windows Vista Standard User Privileges

In Windows Vista, standard user accounts have been amended under UAC to provide additional privileges for performing common tasks. With the new permissions available in Windows Vista, standard Windows users can:

  • View system clocks and calendars
  • Change time zones
  • Change power management settings
  • Add printers that have the required drivers installed on the computer
  • Create and configure Virtual Private Network connections
  • Install critical Windows Updates

In previous versions of Windows, a non-administrator could not easily understand which actions they were allowed to perform. Windows Vista uses a shield icon to help you understand which tasks only administrators can perform (see Figure 3).

Figure 3. The shield icon indicates that changing the date and time requires administrator privileges.

File System and Registry Virtualization

As mentioned previously, many legacy Windows applications were created so you could access parts of the file system and registry that are now locked in Windows Vista, and many of these applications are not being immediately updated. However, Microsoft has devised an interesting solution within Windows Vista to provide backward compatibility so that legacy software still works.

If legacy applications attempt to access protected portions of the file system and registry without the proper permissions, UAC virtualization services silently redirect read and write operations from protected portions of the file system and registry to unprotected user-specific locations. This process is transparent to legacy software and occurs automatically.

Virtualization Example 

For example, take a legacy software application that attempts to write to a configuration INI file located in:

 C:\Program Files\<application>\Setup.ini

Windows Vista automatically detects that you do not have permission to save to that location. Windows Vista then copies the file (if it already exists) to:

 C:\Users\<your_account>\AppData\Local\VirtualStore\Program Files\<application>\Setup.ini

Windows Vista then allows the write operation to succeed at the new file in the VirtualStore folder. Subsequent read and write operations for that file will always use the file copy located in the VirtualStore folder. However, the application will continue to believe that it is accessing the Program Files directory (see Figure 4).

Figure 4. Legacy software will believe it is accessing the Program Files directory while Vista silently redirects it elsewhere.

For most cases this solution is sufficient, but it is not perfect. Data that the application thinks is globally accessible now becomes private to the user and almost invisible to other applications unless they also have virtualization enabled (typically only other legacy applications). Some applications will see one file, and some the other. If the application later tries to delete the INI file, the delete will appear to succeed, yet the file will still exist in the Program Files directory and remain visible to the application. If it retries the delete, an access denied exception will be thrown.
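The redirection described above can be checked after the fact. The following Python sketch is an added example, not NI or Microsoft code: it maps a protected path to its VirtualStore location and reports redirected copies that differ from, or have no counterpart in, the protected location. The account name alice, the LegacyApp folder and the sample files are constructed, and temporary directories stand in for C:\ and the VirtualStore folder so it runs on any system.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

def virtualstore_path(protected: str, account: str) -> PureWindowsPath:
    """Map a protected path to the per-user location the tutorial shows.
    Assumes the profile lives under \\Users on the same drive."""
    p = PureWindowsPath(protected)
    store = PureWindowsPath(p.anchor, "Users", account,
                            "AppData", "Local", "VirtualStore")
    return store.joinpath(*p.parts[1:])  # drop the drive root and re-root

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_virtualstore(system_root: Path, virtual_store: Path) -> dict:
    """Compare each redirected copy with the file at the protected location."""
    findings = {}
    for copy in virtual_store.rglob("*"):
        if not copy.is_file():
            continue
        rel = copy.relative_to(virtual_store)
        original = system_root / rel
        if not original.exists():
            status = "virtual-only"   # exists only in this user's VirtualStore
        elif _sha256(original) != _sha256(copy):
            status = "diverged"       # two versions: applications see different data
        else:
            status = "identical"
        findings[rel.as_posix()] = status
    return findings

def demo() -> dict:
    """Constructed sample tree: temp directories stand in for the real roots."""
    with tempfile.TemporaryDirectory() as tmp:
        root, store = Path(tmp, "C"), Path(tmp, "VirtualStore")
        app = Path("Program Files", "LegacyApp")
        (root / app).mkdir(parents=True)
        (store / app).mkdir(parents=True)
        (root / app / "Setup.ini").write_text("[ui]\nlang=en\n")
        (store / app / "Setup.ini").write_text("[ui]\nlang=de\n")
        (store / app / "cache.dat").write_text("per-user data\n")
        return audit_virtualstore(root, store)

if __name__ == "__main__":
    print(virtualstore_path(r"C:\Program Files\LegacyApp\Setup.ini", "alice"))
    print(demo())
```

A "diverged" entry is the case the paragraph above warns about: virtualized and non-virtualized applications read different contents for what they believe is the same file.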

Although the majority of legacy applications run with virtualization, it is a short-term measure, not a long-term solution. Microsoft has already warned that you should not depend on virtualization being a part of future Windows releases after Windows Vista.

Advantages of UAC

  • Malware is less likely to infect a computer because standard user mode prevents software installation and locks down important parts of the PC
  • Standard users now have additional capabilities not found in previous versions of Windows that simplify daily interaction with the operating system
  • Users can clearly understand which tasks can only be performed by administrators by way of visual cues

Disadvantages of UAC

  • UAC may prompt more companies to only give employees standard user accounts, which will be an adjustment for users accustomed to complete control of their PCs
  • Virtualization may result in confusing or unintended behavior in legacy applications

  • Developers will almost certainly need to change their current development techniques and assume applications will have standard user access in the future

While Windows Vista UAC will unquestionably help thwart viruses and other unwanted software from gaining control of your computer, it is a significant change for most Windows users. In the future, it is likely that many Windows users will need administrator consent to perform tasks that are unrestricted today. Developers will need to take UAC into account when developing any new Windows software.

LabVIEW, National Instruments, ni, and ni.com are trademarks of National Instruments. Other product and company names listed are trademarks or trade names of their respective companies.


Reader Comments

XP not that bad
The author claims it is an "exercise in futility" to run as a normal user on XP. This is not my experience. I run typical business and desktop publishing software, I watch videos, etc., and have no problem running as a mere user. Of course I have to log in as admin to install things, and (annoyingly) I have to be admin to surf new wireless nets, but it's easier than cleaning up after a bot. Ooh, I just noticed - this is National Instruments, and they write driver software for lab instruments. I can believe that software developers in such an environment aren't inclined by nature to think about the security implications of doing everything as an admin. It's not just Microsoft who makes our systems vulnerable to attack, it's the vendors of privileged software (like drivers) who abet the problem.
- Rick Smith, Cryptosmith. rick@cryptosmith.com - Sep 17, 2007

So that's where my files are!
This article explains why our program mysteriously continues to run even when you delete the Program Files folder where it was installed.
- David Keeling, Simply Books. office@simplybooks.net - Jun 07, 2007

UAC Setting?
So where is the nearly hidden setting?
- Richard,. richard.dombrovski@google.com - May 24, 2007

Terrible
UAC is clumsy, cumbersome and above all, annoying. It's more annoying than most nagware. I've cleaned adware that didn't nag as much as the UAC. As far as prevention of malware goes, the effects are minimal at best. Sure, it prevents a fair amount of malware from entrenching itself on your system, but it doesn't stop idiot users from installing it, especially if they're too used to just clicking the "ok to proceed" box without reading it because it pops up 5 times a day. At least it prevents things from installing as administrator access level so they're easy to clean. If you're into IT, this is a headache you can elect to accept or reject with the flipping of a nearly hidden system setting, but for the most part, all Vista does on the security level is replace some inconveniences with others.
- Apr 03, 2007

That's progress, I suppose...
Interesting fresh new name (UAC) for something that has existed in Linux for some time... Now that's what I call progress...
- Nov 23, 2006

Marketing-speak free!
Great. Unlike any MS information, this contains just clear information and zero waffle and marketing.
- Nov 22, 2006

Pithy precis
A succinct and lucid overview of how security vulnerabilities in Windows software are improved in the upcoming Vista OS.
- Nov 21, 2006

Clear, concise summary
This clear, concise summary hits the high points with minimal geek-speak - something I can simply forward along to colleagues without having to re-explain. Thanks.
- Nov 21, 2006

 

Legal
This tutorial (this "tutorial") was developed by National Instruments ("NI"). Although technical support of this tutorial may be made available by National Instruments, the content in this tutorial may not be completely tested and verified, and NI does not guarantee its quality in any way or that NI will continue to support this content with each new revision of related products and drivers. THIS TUTORIAL IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND AND SUBJECT TO CERTAIN RESTRICTIONS AS MORE SPECIFICALLY SET FORTH IN NI.COM'S TERMS OF USE (http://ni.com/legal/termsofuse/unitedstates/us/).