Saturday, July 14, 2007

User Account Control in Microsoft Windows Vista

Vista's User Account Control (UAC) protects against malware elevation of privileges, even when someone is logged on with an administrative account.
UAC is at the heart of Windows Vista's focus on security, but it is also one of Vista's most misunderstood new features. Love it or hate it, you'll need to learn more about it to balance security and user-friendliness in your Vista deployment. Let's take a look at 10 things you need to know about UAC before you roll out Vista, whether on an individual machine or throughout an organization.

UAC cuts the risk of logging on as an administrator:

It's a common problem: Users who have administrative accounts tend to log on with those accounts, even if they also have regular user accounts and realize that using a standard user account for routine tasks is a better security practice. It's just more convenient, and human nature puts a high priority on convenience.

With User Account Control, some of the risk of logging on as an admin is ameliorated because Vista performs most tasks with regular user privileges even when someone is logged on as an administrator.

The logon process has changed:

Although it appears the same to the user--you still enter your account name and password in the same way--the Vista logon process has changed under the hood. Now when you log on with an administrative account, you not only get an access token for that account, but you also get a standard user access token. The standard token is used to launch Explorer.exe, so all child processes will run with that token's privileges unless privileges are elevated by responding to a UAC prompt.

It's easier to tell which tasks require admin privileges:

Vista makes it easier to know which actions will require elevated privileges. Options in dialog boxes for which you must have administrative privileges are marked with a shield-shaped icon to indicate that if you select that option, you'll need to respond to the UAC prompt (or, if Group Policy is so configured, you may not be able to perform the operation at all when logged on as a standard user).

Administrator Approval Mode is the default:

By default, Vista runs with standard user privileges, even when you're logged on as an administrator. If a task requires administrative privileges, a dialog box asks for your permission to continue the action. This prevents malware from elevating privileges without your knowledge.

You can make it more secure:

You can change the behavior of UAC by editing Group Policy (the local security policy or domain policy). You can increase security by requiring that a user enter administrative credentials to elevate privileges, rather than just clicking the Continue button, even when already logged on as an administrator. Users logged on with standard user accounts will, by default, be prompted to enter administrative credentials when they try to perform a task that requires elevated privileges. In a domain environment, the default is to disallow the elevation of privileges. You can change these behaviors by editing Group Policy, too.

You can increase security even more:

By default, both signed and unsigned executable files will run with elevated privileges when you respond to the prompt. However, in a high security environment, this behavior can be changed by editing Group Policy so that Vista will elevate only executables that are signed and valid. When you enable this policy, Vista will check the executable's digital certificate whenever that application requests elevation of privileges.

You can make it less secure (but more convenient):

It's not recommended, but if you're in an environment that you're absolutely certain is free of malware, you can edit Group Policy to allow those logged on as administrators to perform tasks with elevated privileges without being required to respond to the UAC prompt. This essentially negates the extra security provided by UAC when logged on as an administrator and exposes the system to the same security threats that exist when you log on with an admin account in pre-Vista versions of Windows. However, it does do away with the sometimes annoying dialog boxes and makes it more convenient for admins who are, for example, installing a lot of software.

You can turn off UAC or the Secure Desktop:

When UAC prompts for permission to elevate privileges, the desktop is locked so that it can receive messages only from Windows processes. No other software can interact with the desktop at this time, and it goes dark to indicate this. By editing Group Policy, you can disable the Secure Desktop. The prompt will still pop up but will be displayed on the interactive desktop.

It's also possible (although not recommended) to turn off UAC completely. This is done by disabling the policy to Run All Administrators In Administrator Approval Mode.
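The PowerShell script below is an added example, not code from the original post: it reads the registry values that the Group Policy settings from the previous five sections control and reports whether each one is at the Vista default, hardened, or weakened relative to it. It assumes the value names Group Policy writes for these settings under the Policies\System key (EnableLUA, ConsentPromptBehaviorAdmin and so on) and runs from an ordinary PowerShell prompt, since reading that key needs no elevation.

```powershell
# Added example, not from the original post: report the effective UAC policy
# settings the preceding sections describe. Group Policy stores each one as a
# DWORD under this key; a value that is absent means the Vista default applies.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$values = Get-ItemProperty -Path $uacKey

# Per policy: registry value name, Vista default, values that weaken security
# relative to the default, values that harden it, and the policy's display name.
$policies = @(
    @{ Name = 'EnableLUA'; Default = 1; Weaker = @(0); Stronger = @();
       Policy = 'Run all administrators in Admin Approval Mode (0 = UAC off)' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 2; Weaker = @(0); Stronger = @(1);
       Policy = 'Elevation prompt for administrators (0 = no prompt, 1 = credentials, 2 = consent)' },
    # 0 is the domain default the post mentions; 1 is the workgroup default.
    @{ Name = 'ConsentPromptBehaviorUser'; Default = 1; Weaker = @(); Stronger = @(0);
       Policy = 'Elevation prompt for standard users (0 = deny, 1 = credentials)' },
    @{ Name = 'ValidateAdminCodeSignatures'; Default = 0; Weaker = @(); Stronger = @(1);
       Policy = 'Only elevate executables that are signed and validated' },
    @{ Name = 'PromptOnSecureDesktop'; Default = 1; Weaker = @(0); Stronger = @();
       Policy = 'Switch to the Secure Desktop when prompting for elevation' }
)

foreach ($pol in $policies) {
    $current = $values.($pol.Name)
    if ($current -eq $null) { $current = $pol.Default }     # not set: default applies
    if     ($pol.Weaker   -contains $current) { $status = 'WEAKER than default' }
    elseif ($pol.Stronger -contains $current) { $status = 'hardened' }
    elseif ($current -eq $pol.Default)        { $status = 'default' }
    else                                      { $status = 'unrecognised value' }
    '{0,-28} = {1}  [{2}]  {3}' -f $pol.Name, $current, $status, $pol.Policy
}

# With UAC switched off entirely the other values no longer matter, so say so.
if ($values.EnableLUA -eq 0) {
    'EnableLUA is 0: UAC is disabled on this machine; re-enabling it takes effect after a reboot.'
}
```

Run it before and after a Group Policy change (or gpupdate) to confirm the setting actually reached the machine.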

Legacy applications may need to be marked:

Pre-Vista applications that were not written to be aware of UAC may have to be specially configured to work with Vista. If the programs need to perform tasks that require administrative privileges, you need to mark them with a requested execution level to prompt users for approval. This can be done with the Application Compatibility Toolkit, available as a free download from Microsoft. For more details, see TechNet's Windows Application Compatibility page.
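An added example, not code from the original post or from the Application Compatibility Toolkit: a PowerShell function that writes an external application manifest beside a legacy executable, declaring the requested execution level so that Vista shows the UAC prompt when the program starts. It assumes the executable has no embedded manifest of its own (an embedded one takes precedence), and the path C:\LegacyApps\MyLegacyApp.exe is a placeholder.

```powershell
# Added example, not from the original post: create <name>.exe.manifest next to a
# legacy executable so Vista applies a requested execution level to it.
function New-ExternalManifest {
    param([string]$ExePath, [string]$Level = 'requireAdministrator')

    # asInvoker:            run with the caller's (standard user) token, no prompt
    # highestAvailable:     prompt if the user can elevate, else run as standard user
    # requireAdministrator: always prompt; the program will not start unelevated
    $allowed = 'asInvoker', 'highestAvailable', 'requireAdministrator'
    if ($allowed -notcontains $Level) { throw "Unknown execution level: $Level" }
    if (-not (Test-Path $ExePath))    { throw "Executable not found: $ExePath" }

    # Minimal manifest: only the trustInfo section that UAC reads.
    $manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@

    # Vista looks for <full exe name>.manifest in the same directory.
    $manifestPath = "$ExePath.manifest"
    # Write UTF-8 without a byte-order mark so the XML declaration is the first bytes.
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($manifestPath, $manifest, $utf8NoBom)
    $manifestPath
}

# Placeholder path: mark a legacy installer-style tool as requiring elevation.
New-ExternalManifest -ExePath 'C:\LegacyApps\MyLegacyApp.exe' -Level 'requireAdministrator'
```

Once the manifest is in place, the executable's icon gains the UAC shield described earlier and launching it triggers the elevation prompt.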

UAC is not a substitute for other security measures:

UAC provides extra protection; for example, it makes it more difficult for malicious software to do harm. However, it's not a substitute for antivirus and anti-spyware programs, and you should still use a good, properly configured firewall. To be effective, security must be multi-layered, and UAC is only one element of a good client security plan.
