Vista User Access Control - FAQ
There have been lots of questions on UAC (User Access Control) coming in to me over the past couple of months, so I thought I would put together a FAQ on UAC:
If I was to run all users as administrators, what is the difference with these two configurations:
-
- Disable UAC all together
- Enable UAC but change the “UAC: Behaviour of elevation prompt for administrators in Admin Approval Mode” to “Elevate without prompting”
Option 1 will disable UAC for standard users and Administratrors and is essential running in XP style security mode - so if you are an admin, then every process is run an admin. If you are a standard user, every process you launch is standard. You would lose all the security and compatibility advantages of UAC.
Option 2 enables UAC but automatically “consents” for all members of the Administrators group. Applications would run unelevated if they had the "runAsInvoker" marking (such as CMD). Anything marked as "HighestAvailable" or "RequireAdministrator" or apps heuristically detected (like setup.exe) would be automatically elevated without user knowledge. This means that you still have some of the benefits of UAC but you could still be vunerable.
Would both of these settings accomplish the same thing? Or is there a benefit in having UAC enabled without prompting the administrator?
No. Running with Option A disables UAC entirely. Running with Option B causes standard users to receive UAC prompts and hides their presence for members of the Administrators group. Users who have roles such as backup operators, etc) will be required to enter their details in the UAC dialog.
What is the added benefit of setting up the aforementioned Group Policy to “Prompt for Credentials” rather then “Prompt for consent”?
This GP is offered for our high security clients requiring additional confirmation that the logged on user is actually who they claim to be. This creates a strong audit trail. If the GP setting was configured to “prompt for consent”, then there is no guarantee a legitimate admin hasn’t walked away (or otherwise incapacitated…) after logging on to the machine. In that scenario, an attacker could alter machine configurations by virtue of the logged on users session.
I've heard UAC is going to be really painful for Administrators?
You must be referring to our Beta 2 build. Since releasing that, we've taken on board a lot of feedback and made lots of improvements in RC1 and RC2, which include:
- File operations, reducing the prompts caused by adding, deleting, or editing files in protected directories. For example, administrators can delete shortcuts from the public desktop without receiving a prompt. And the user should no longer receive a prompt when copying files to a newly formatted storage drive.
- Re-architecting several Control Panel applets so that they no longer prompt when opened. Examples include the Firewall applet, Scanners and Cameras applet, and the Software Explorer of Windows Defender.
- Reducing prompts when creating new network connections.
- ActiveX installer service enables standard users to install approved ActiveX controls.
- UAC prompts will not “steal focus” from the user’s task. If the operating system cannot determine that the prompt was generated from the foreground window the current user is using, we will alert the user with a highlighted operation in the taskbar that an application is requesting elevated privileges. The user can select to elevate at his or her convenience and not be disrupted by an unplanned application elevation.
- Elevations are now blocked in the user's logon path. Applications improperly elevating during each and every logon were a significant source of feedback from the Beta 2 release, and based on that feedback, we are disallowing elevations during logon.
- The command prompt window will now read “Administrator” in the title bar if run with elevated permissions.
- Improved performance when switching to the secure (dimmed) desktop to display the prompts. We received significant feedback that the small delays during switching were disruptive, and we have worked with the video and display teams to enhance the user experience in this area.
More UAC Resources
UAC Virtual Lab - experience it for yourself
https://www.microsoft.com/technet/windowsvista/security/uacppr.mspx
https://www.microsoft.com/technet/windowsvista/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d9.mspx