Configure UAC in Vista

Before you start

Objectives: learn how to configure User Account Control (UAC) feature in Vista

Prerequisites: you have to know what is UAC in Windows.

Key terms: user, uac, administrator, account, credentials, prompt, uac, token, privileges


Access Token

When a user logs on to the system, an access token is generated for the user. The access token controls the type of actions that the user can perform on the system. The access token identifies the user account as either a standard user or an administrator. Certain actions can only be performed by a user with an administrator access token.

Let’s say that we log on to Windows Vista as a standard user and we try to install some application or edit some important system settings. Let’s go to Start, right-click Computer and then select Manage. We will get UAC prompt asking us to provide Admin password. The standard user token is used to attempt to perform all tasks for both standard users and administrators. If standard user rights are not sufficient to perform the task, the system requests privilege elevation. The standard user is prompted to provide administrator user credentials (username and password). This process is referred to as Prompt for credentials.

Admin Password

Image 231.1 – Admin Credentials

If we install some application with admin credentials, it does not mean that we can run it without admin credentials. Notice the window shield icon on the System Restore shortcut telling us that we are going to be prompted.

 System Restore Icon

Image 231.2 – System Restore Icon

Any time we see that shield we will be prompted. Also, we are prompted for admin password every single time we use a particular piece of software. Instead of double-clicking the software we can also right-click it and select Run as Administrator. It is the same thing.

Run as Administrator

Image 231.3 – Run as Administrator

If we log on to Vista as an administrator, UAC acts a little bit differently. The difference when we are administrator is that we are prompted for consent and not for credentials. This is called Admin Approval Mode. The administrator user is asked whether the administrative token should be used to perform the task. Because the administrator has already logged on with the username and password, this is a simple Continue or Cancel question. This process is referred to as Prompt for consent.

Approval Mode

Image 231.4 – Admin Approval Mode

In our case we tried to run System Configuration. All we have to do is click Continue. As administrators we still see the shield icon and we are prompted for credentials. This feature of UAC helps protect the system when an administrator user account is used by running all processes using the least administrative privileges necessary.

Secure Desktop

Prompting for credentials or consent activates the Secure Desktop. With the Secure Desktop, the Desktop and all active applications are darkened, and the prompt appears over the shaded desktop. We must respond to the prompt before we can continue with the requested operation or return to the desktop.

Turn UAC Off

UAC can be turned off, but it is not recommended. To turn it off we can go to Control Panel > User Accounts and Family Safety > User Accounts.

User Accounts

Image 231.5 – Admin User Account

Here we have an option to turn User Account Control on or off. If we turn it off here it will be turned off for all users on the machine.

UAC Behaviour

We can change how UAC acts in our Local Group Policy. To open group policy editor enter ‘gpedit.msc’ in Run menu and hit Enter. Let’s go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Here we can find UAC options.

Security Settings

Image 231.6 – Security Options

We scrolled down to the bottom and we can see 9 different UAC settings. As administrators we can control the behavior of the elevation prompts for standard users and administrators. We can select, for example, to elevate without prompting or to only elevate files that are signed and validated.

Remember

UAC is a feature in Vista that helps minimize the dangers of unwanted actions or unintended software installations. We will see Prompt for credentials when a standard user tries to install some application or tries to edit some important system setting. If we log on as an administrator we will be prompted for consent and not for credentials. Prompting for credentials or consent activates the Secure Desktop which forces us to respond to the prompt. UAC can be turned off, and we can edit UAC behavior trough Group Policy.