1. Traditional Windows User Privilege Model
The concept of least user or standard user accounts has been a part of Windows releases for many years. However, interacting with the Windows operating system as a standard user has historically been difficult. Standard users cannot install or uninstall software, change security settings, or even perform seemingly innocuous tasks such as adjusting computer power settings or time zone.
In addition, many software applications created over the past decade require administrator access to run because they access protected directories and registry keys, such as C:\Program Files, C:\Windows, or HKEY_LOCAL_MACHINE. Security-minded individuals who attempted to run Windows XP or previous versions of Windows using only standard accounts quickly realized that it was an exercise in futility.
As a result, most users of Windows XP or earlier Windows versions run as members of the Windows Administrators group. This is problematic because providing a user with complete control of a computer also provides every application and service on that computer with the same amount of access. If a computer is compromised by malware, that malevolent code has complete access as well; this is one of the chief reasons that Windows computers have long been susceptible to external attack.
2. User Account Control Security Model
To reduce the effects of malware, Windows Vista includes a new security model known as User Account Control (UAC), which represents a major shift from the traditional Windows user privilege model and affects nearly every Windows user. UAC is designed to improve the least user (i.e. standard user) experience, ultimately reducing the risk of malware.
Under UAC, all Windows Vista users, including those with administrative rights, interact with their PCs as standard users most of the time. The Windows standard user account continues to have no administrative privileges, which prevents malware inadvertently downloaded by such an account from silently installing itself on the computer. Malware that somehow infiltrates a PC cannot access protected directories or registry entries.
When you attempt to perform a task that requires administrative privileges, such as installing software or changing the status of the Windows firewall, Windows Vista explicitly prompts you to supply permission or credentials before temporarily elevating you to the administrative level to complete that single task. For a standard user, that means supplying a username and password that belong to a member of the Administrators group (see Figure 1).
Figure 1. Standard users must supply appropriate credentials under UAC to perform security-related tasks.
If you are already an administrator, you simply click a Continue button to proceed (see Figure 2).
Figure 2. Administrators are only prompted to confirm an action.
Note that the permissions and credentials dialogs shown above provide information on the program or process attempting to do something that could impact your computer’s security. These UAC dialogs are an effective way to:
- Show you which tasks require administrative privileges
- Prevent you from accidentally altering the computer security in a negative way
- Temporarily allow standard users to perform administrative tasks with the express permission of an administrator with the correct credentials
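The "administrators run as standard users most of the time" behaviour described above can be observed directly from a PowerShell session. The following function is an added example, not code from the original article: it reports whether the current account is a member of Administrators, whether the current process actually holds the elevated token, and whether UAC has filtered the Administrators group down to "deny only" for this session. It assumes PowerShell 5 or later and an English-language whoami (the Attributes text is localized).

```powershell
# Added example, not code from the original article. Shows the split-token
# behaviour behind Figure 2: an administrator's normal process runs with a
# filtered token in which BUILTIN\Administrators is present but marked
# "Group used for deny only", so it behaves as a standard user until it elevates.
# Assumes PowerShell 5 or later and an English whoami (Attributes text is localized).

function Get-UacTokenState {
    $adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # IsInRole only counts groups that are *enabled* on the token, so for an
    # administrator this is $false in a normal session and $true only after the
    # Continue prompt (or "Run as administrator") has produced the full token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group on the token together with its attributes,
    # including the deny-only marker UAC places on the filtered token.
    $adminEntry = whoami /groups /fo csv | ConvertFrom-Csv |
                  Where-Object { $_.SID -eq $adminSid }

    [pscustomobject]@{
        User           = $identity.Name
        IsAdminAccount = [bool]$adminEntry
        IsElevated     = $elevated
        DenyOnlyAdmin  = [bool]$adminEntry -and ($adminEntry.Attributes -like '*deny only*')
    }
}

Get-UacTokenState
```

Run it three ways to see the model in action: from a standard user account, the Administrators SID is absent from the token altogether; from an administrator's ordinary session, the account is an admin but IsElevated is false and the group is deny-only; from a session started through the consent prompt, IsElevated becomes true and the deny-only marker disappears. The last column is the useful one for a defender: a process that reports DenyOnlyAdmin cannot touch protected directories or registry keys no matter which account owns it.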
3. Windows Vista Standard User Privileges
In Windows Vista, standard user accounts have been amended under UAC to provide additional privileges for performing common tasks. With the new permissions available in Windows Vista, standard Windows users can:
- View system clocks and calendars
- Change time zones
- Change power management settings
- Add printers that have the required drivers installed on the computer
- Create and configure Virtual Private Network connections
- Install critical Windows Updates
In previous versions of Windows, a non-administrator could not easily understand which actions they were allowed to perform. Windows Vista uses a shield icon to help you understand which tasks only administrators can perform (see Figure 3).
Figure 3. The shield icon indicates that changing the date and time requires administrator privileges.
4. File System and Registry Virtualization
As mentioned previously, many legacy Windows applications were written to access parts of the file system and registry that are now locked down in Windows Vista, and many of these applications are not being immediately updated. However, Microsoft has devised an interesting solution within Windows Vista to provide backward compatibility so that legacy software still works.
If legacy applications attempt to access protected portions of the file system and registry without the proper permissions, UAC virtualization services silently redirect read and write operations from protected portions of the file system and registry to unprotected user-specific locations. This process is transparent to legacy software and occurs automatically.
5. Virtualization Example
For example, take a legacy software application that attempts to write to a configuration INI file located in:
Windows Vista automatically detects that you do not have permission to save to that location. Windows Vista then copies the file (if it already exists) to:
Windows Vista then allows the write operation to succeed at the new file in the VirtualStore folder. Subsequent read and write operations for that file will always use the file copy located in the VirtualStore folder. However, the application will continue to believe that it is accessing the Program Files directory (see Figure 4).
Figure 4. Legacy software will believe it is accessing the Program Files directory while Vista silently redirects it elsewhere.
In most cases this solution is sufficient, but it is not perfect. Data that the application thinks is globally accessible now becomes private to the user and almost invisible to other applications unless they also have virtualization enabled (typically only other legacy applications). Some applications will see one file, and some the other. If the application later tries to delete the INI file, the delete will appear to succeed, yet the file will still exist in the Program Files directory and remain visible to the application. If it retries the delete, an access denied exception will be thrown.
Although the majority of legacy applications run with virtualization, it is a short-term measure, not a long-term solution. Microsoft has already warned that you should not depend on virtualization being a part of future Windows releases after Windows Vista.
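The "two applications see two different files" problem from the previous section, and the warning that virtualization may not survive future releases, both call for a way to find out which applications on a machine are currently being redirected. The following PowerShell functions are an added example, not code from the original article. They locate the per-user shadow of a protected file or registry key, report whether it has diverged from the original, and inventory everything currently living in the VirtualStore. The two redirect locations (%LOCALAPPDATA%\VirtualStore for files, HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE for the registry) are assumptions here because the article itself does not spell them out; the example paths in the usage lines are hypothetical. Assumes PowerShell 5 or later.

```powershell
# Added example, not code from the original article. Finds the per-user
# VirtualStore shadow that UAC file/registry virtualization creates for a
# legacy application and reports whether shadow and original have diverged.
# Assumed redirect locations (not named in the article):
#   files    -> %LOCALAPPDATA%\VirtualStore\<protected path minus drive letter>
#   registry -> HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE\<subkey>

function Get-VirtualStoreFileShadow {
    param([Parameter(Mandatory)][string] $Path)   # e.g. 'C:\Program Files\LegacyApp\settings.ini' (hypothetical)

    $drive = $env:SystemDrive                     # 'C:' on most systems
    if (-not $Path.StartsWith($drive, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Only protected folders on $drive are virtualized: $Path"
    }
    $shadow = Join-Path $env:LOCALAPPDATA ('VirtualStore\' + $Path.Substring($drive.Length).TrimStart('\'))

    $realExists   = Test-Path -LiteralPath $Path   -PathType Leaf
    $shadowExists = Test-Path -LiteralPath $shadow -PathType Leaf

    $state = if ($realExists -and $shadowExists) {
        $real = (Get-FileHash -LiteralPath $Path   -Algorithm SHA256).Hash
        $copy = (Get-FileHash -LiteralPath $shadow -Algorithm SHA256).Hash
        if ($real -eq $copy) { 'Identical' } else { 'Diverged' }   # legacy app and everyone else now read different data
    } elseif ($shadowExists) { 'ShadowOnly' }   # created by a virtualized write; no global copy exists at all
    elseif ($realExists)     { 'RealOnly' }     # untouched, or the shadow was "deleted" while the original survives
    else                     { 'Missing' }

    [pscustomobject]@{ Original = $Path; Shadow = $shadow; State = $state }
}

function Get-VirtualStoreRegistryShadow {
    param([Parameter(Mandatory)][string] $KeyPath)  # e.g. 'HKLM:\SOFTWARE\LegacyVendor\App' (hypothetical)

    if (-not ($KeyPath -match '^HKLM:\\SOFTWARE\\(.+)$')) {
        throw "Virtualization applies to HKLM\SOFTWARE subkeys only: $KeyPath"
    }
    $shadowKey = "HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE\$($Matches[1])"
    $original  = if (Test-Path -LiteralPath $KeyPath)   { Get-ItemProperty -LiteralPath $KeyPath }
    $shadow    = if (Test-Path -LiteralPath $shadowKey) { Get-ItemProperty -LiteralPath $shadowKey }

    # Values present in both keys with different data are the confusing case the
    # article describes: the legacy app reads the shadow, everything else the original.
    $diverged = @()
    if ($original -and $shadow) {
        foreach ($p in ($shadow.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $orig = $original.PSObject.Properties[$p.Name]
            if ($orig -and "$($orig.Value)" -ne "$($p.Value)") { $diverged += $p.Name }
        }
    }
    [pscustomobject]@{ Original = $KeyPath; Shadow = $shadowKey; ShadowExists = [bool]$shadow; DivergedValues = $diverged }
}

function Get-VirtualStoreInventory {
    # Every file under VirtualStore belongs to a legacy application that still
    # depends on redirection; group them by the first two path components
    # (e.g. 'Program Files\<App>') to see which applications need fixing.
    $root = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path -LiteralPath $root)) { return @() }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Group-Object { ($_.FullName.Substring($root.Length).TrimStart('\') -split '\\')[0..1] -join '\' } |
        Select-Object @{ n = 'Application'; e = { $_.Name } }, Count
}

# Usage (paths are hypothetical):
# Get-VirtualStoreFileShadow 'C:\Program Files\LegacyApp\settings.ini'
# Get-VirtualStoreRegistryShadow 'HKLM:\SOFTWARE\LegacyVendor\App'
# Get-VirtualStoreInventory | Sort-Object Count -Descending
```

Run the inventory function under each user account on the machine, since the VirtualStore is per-user: an application that appears there is one whose data is already split between users and that will break outright on a release where virtualization is no longer available.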
6. Advantages of UAC
- Malware is less likely to infect a computer because standard user mode prevents software installation and locks down important parts of the PC
- Standard users now have additional capabilities not found in previous versions of Windows that simplify daily interaction with the operating system
- Users can clearly understand which tasks can only be performed by administrators by way of visual cues
7. Disadvantages of UAC
- UAC may prompt more companies to only give employees standard user accounts, which will be an adjustment for users accustomed to complete control of their PCs
- Virtualization may result in confusing or unintended behavior in legacy applications
- Developers will almost certainly need to change their current development techniques and assume applications will have standard user access in the future

While Windows Vista UAC will unquestionably help thwart viruses and other unwanted software from gaining control of your computer, it is a significant change for most Windows users. In the future, it is likely that many Windows users will need administrator consent to perform tasks that are unrestricted today. Developers will need to take UAC into account when developing any new Windows software.
LabVIEW, National Instruments, ni, and ni.com are trademarks of National Instruments. Other product and company names listed are trademarks or trade names of their respective companies.