Windows Vista – User Account Control

Users of the Microsoft Windows™ operating system face several challenges in securing the integrity of the data residing on their computers. They have had to cope with a vast slew of malware, including viruses, spyware, and rootkits, which typically damages data and/or applications residing on the user’s desktop PC. As quickly as anti-virus vendors release tools to counter virus attacks or spyware installation, hackers and script kiddies release newer and smarter versions to work around the safeguards. Microsoft is constantly battling to produce patches and updates to close security vulnerabilities in its operating systems and applications, and we now live in a time where third-party developers are required to embed security-aware code in their applications.

Prior to Windows XP Service Pack 2, the Windows platform did little to protect the user from malware. It was up to individual users to install anti-virus and anti-spyware applications, and to keep up to date with Windows patches and updates. Microsoft heard the cries of its customers, and in 2004 announced the release of Windows XP Service Pack 2. SP2 brought a number of security enhancements to the Windows platform in the form of an enhanced firewall, an Internet Explorer pop-up blocker, automatic updates, and security warnings about the execution of ActiveX controls from the web.

Windows XP SP2 was not enough to protect the end user; SP2 went further in alerting the user to suspicious activity from malware, but did not protect users from their own mistakes. For example, many users fail to acknowledge the importance of the message contained in security prompts and blindly dismiss the warnings to accomplish their task. Third-party applications and web browsers that do not take advantage of SP2 security constraints are still able to download malware from the Internet without detection. In 2005, Sony BMG Music Entertainment installed rootkit software on their audio CDs to prevent piracy and to provide Sony with music listener statistics – users running Windows under accounts with full administrator privileges were susceptible to the rootkit simply by inserting these audio CDs in their CD-ROM tray.

Most of the aforementioned problems with malware have one thing in common – they all operate on the assumption that the interactive user is running with full administrator privileges. Windows XP installs a default “Administrator” account, and most users perform their day-to-day tasks under this account. Use of administrator accounts alleviates execution problems with poorly written applications (software that unnecessarily uses privileged areas of the operating system), provides the convenience of on-the-spot installation of applications without switching accounts (and sometimes a reboot), and gives the user total control over the operating system. The first step in the direction of securing the Windows platform is to restrict the everyday user to least user privilege – LUA.

Converting to LUA is only half of the battle – many applications (non-XP certified) will not execute properly without administrative privileges. Services and third-party background processes still act as a security vulnerability because they execute in higher-privileged contexts, and can provide a security hole for hackers to exploit. Microsoft has stepped up to the plate and has provided a potential solution to lessen the security concerns of users of its Windows platform – enter Windows Vista and User Account Control.

Windows Vista – Providing a more secure environment

Security is not a process – it is a mentality, and must be considered from the initial development of software applications through to user execution. Developers writing software atop the .NET Framework can take advantage of Code Access Security – restrictions applied to code elements for different execution contexts – to protect the user at the application level, and now Microsoft has taken the next step and added enhanced security restrictions at the operating system level in the form of User Account Control on the Vista platform.

What is UAC?

Regardless of whether a particular user has administrator rights, all users logging on to the Vista platform receive a “filtered token” at logon time, which prevents access to security-sensitive operations. When the time comes to execute a privileged operation, the user must elevate to a higher level of operation.

What does this mean to the end user?

Users without administration rights who attempt to execute a privileged operation are presented with a request for administrator credentials. This is akin to the “run-as” operation on Windows XP/2003 where a user can execute a process as another user, except UAC enables elevation for particular privileged operations, not just the execution of an application.

Microsoft refers to this process of elevation request as “over-the-shoulder” credentials.

Users with administration rights also experience the effects of UAC. Since all users, administrators included, log in with a filtered token, UAC prompts administrators with a consent dialog before promoting them to an elevated token for secure execution.

It is worth noting that Windows determines elevation requirements before a process is executed; if elevation is required, the entire process is elevated to the privileged level upon successful over-the-shoulder (OTS) credential entry or administrator consent.
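The difference between a filtered and an elevated token can be observed from inside a running process. The PowerShell below is an added example, not part of the original article; it queries the current process token's elevation type through the Windows `GetTokenInformation` API, and the `UacToken` class and `Get-TokenElevation` function are names introduced here for illustration.

```powershell
# Added example: report which kind of token the current process holds.
# UacToken and Get-TokenElevation are names introduced for this sketch.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class UacToken
{
    // TOKEN_INFORMATION_CLASS value for TokenElevationType.
    const int TokenElevationType = 18;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    // Returns the TOKEN_ELEVATION_TYPE: 1 = Default, 2 = Full, 3 = Limited.
    public static int GetElevationType(IntPtr token)
    {
        int type, length;
        if (!GetTokenInformation(token, TokenElevationType,
                out type, sizeof(int), out length))
            throw new InvalidOperationException(
                "GetTokenInformation failed, error " + Marshal.GetLastWin32Error());
        return type;
    }
}
'@

function Get-TokenElevation {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    try     { $type = [UacToken]::GetElevationType($identity.Token) }
    finally { $identity.Dispose() }
    switch ($type) {
        1 { 'Default: token is not split (standard user, or UAC filtering not applied)' }
        2 { 'Full: elevated token, the process holds administrator rights' }
        3 { 'Limited: filtered token of an administrator, not elevated' }
        default { "Unknown elevation type $type" }
    }
}

Get-TokenElevation
```

Run from a normal console and again from one started with "Run as administrator", an administrator account reports Limited and then Full, which shows that elevation applies to the whole process.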

UAC consists of more than just elevation. Effectively, UAC does away with the “Power Users” group, which provided users with administrative privileges to perform basic system tasks while running applications. UAC now enables standard users to perform standard configuration tasks, and Windows will prompt for elevation for specific privileged operations.

UAC provides a short-term solution for legacy applications operating in “XP compatibility” mode with a virtual file system and registry. When a legacy application requires write permission to a protected area of the file system or registry, the changes affect a virtual copy, allowing the legacy application to function without hurting the operating system. Microsoft intends this solution to be short-term while developers begin to author UAC-aware applications.

Windows prompts for elevation via a secure desktop to prevent malicious applications from tricking users into granting elevation without their knowledge – whilst the consent/credential dialog is visible, the user is operating within a secure desktop, which prevents any software application from interacting with the user interface.
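The behaviours described above (filtered tokens, the administrator consent prompt, the secure desktop and legacy virtualization) are each governed by a policy value in the registry, so a defender can audit them. The PowerShell below is an added example, not part of the original article; the value names are Windows' UAC policy settings rather than anything the article lists, and the `Test-UacPolicy` function name is introduced here.

```powershell
# Added example: audit the UAC policy values behind the behaviours above.
# Test-UacPolicy is a name introduced for this sketch.
function Test-UacPolicy {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $policy = Get-ItemProperty -Path $Path

    # FlagIf is the value that switches the protection off.
    $checks = @(
        @{ Name = 'EnableLUA';                  FlagIf = 0
           Effect = 'UAC off: administrators log on with a full token' },
        @{ Name = 'ConsentPromptBehaviorAdmin'; FlagIf = 0
           Effect = 'administrators are elevated without any prompt' },
        @{ Name = 'PromptOnSecureDesktop';      FlagIf = 0
           Effect = 'prompts appear on the interactive desktop, not the secure one' },
        @{ Name = 'EnableVirtualization';       FlagIf = 0
           Effect = 'legacy writes to protected locations are not redirected' }
    )

    foreach ($check in $checks) {
        $value = $policy.($check.Name)        # $null when the value is absent
        $flagged = ($null -ne $value) -and ($value -eq $check.FlagIf)
        [pscustomobject]@{
            Setting = $check.Name
            Value   = if ($null -eq $value) { '(not set)' } else { $value }
            Flagged = $flagged
            Note    = if ($flagged) { $check.Effect } else { '' }
        }
    }
}

Test-UacPolicy | Format-Table -AutoSize
```

The first three flags indicate a weakened UAC configuration; a flagged `EnableVirtualization` is informational, since it affects legacy application compatibility rather than the prompt itself.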