Tidbits - Vista's UAC
ISSUE
One thing that has been swept under the Vista carpet is the total revamp of user security
that Vista ushers in.  Consequently, you suddenly find Vista putting out all these annoying
pop-ups asking for your consent, and programs that you bring across from XP no longer work.
You even experience problems printing in Internet Explorer 7 (IE7), which is supposed to be
Vista compliant, due to permission issues!  The main source of these problems is Vista's
introduction of User Account Control (UAC), which suddenly brings technical administrative
tasks and file permissions to the foreground.

MY TAKE
Microsoft has woken up and decided to take the mass market onto a more secure computing
model – good.  It has decided that the business model of computing, as employed by
business-style operating systems like UNIX, is the way to go – hmmm.  Vista is the test
model of how Microsoft should roll out this new computing model – not good.

In Vista, Microsoft has finally acknowledged that combining full access to the root directory
(C:\) and core system files with standard user activities is bad practice.  This is what
occurs in XP, where the user account, and therefore everything the user runs, is typically
granted full administrative rights.  Microsoft has finally adopted what UNIX did long ago:
segregating root and core system file access (administrative rights) from the user's need to
run applications.

The only problem is that UNIX is run by people who spend years studying the operating
system and make a living administering UNIX on behalf of users, whereas Vista is for a
mass market that may not:
  • Understand what "root access" is.
  • Have the time, resources or skills to administer their computer in a secure and
    professional manner.

Security demands have pushed Microsoft to expose the innards of operating system
administration to end users, and this, along with all the upgrade hassles, could well be the
catalyst for bringing the full-client era to an end.  Google and Sun must be rubbing their
hands in glee as thin clients come to the fore, where all you need is a web browser and a
fast broadband connection for all your computing needs.  Personally, I was in shock that I
had to spend over 3 hours in research just to understand why IE7 could not print in protected
mode because UAC prevented the creation of the required temporary files (see below)!  In the
process I also discovered how potentially disruptive UAC was to the performance of many
other "everyday" tasks!

This is technically a very complex area, which is hard to explain in plain English.  There are
methods to get the best of both worlds, but get this: only users of the Vista Business and
Ultimate editions get the Local Security Policy console that exposes them (the same settings
live in the registry, but the Home editions give you no console to edit them).  Vista Home
users need to take an all-or-nothing approach.  Their only choice is to have UAC on or to
disable it completely.

So here goes …

To begin, we need to understand a key component of Vista that underlies UAC.  That's
Windows Integrity Control (WIC), which Microsoft's later documentation calls Mandatory
Integrity Control (MIC).  WIC is basically the engine that drives UAC.  WIC enforces security
based on 3 principles:
  • Every process, and every item it touches (directories/ containers and files/ objects,
    registry keys included), carries an integrity level.  A process cannot modify or write to
    any item with a higher integrity level than its own ("no write up").  Items that carry no
    explicit label, which includes everything a user creates, are treated as medium integrity
    by default.

  • Integrity levels run from low (for content sourced from the internet), through medium
    (the normal user level), to high (elevated administrators) and system (core system
    components and drivers).  Levels are assigned by Vista and by the relevant application.
    For example, IE7 in protected mode runs as a low-integrity process and keeps all of its
    web files in low-labelled directories, whereas Firefox runs at medium integrity and so
    leaves medium integrity on all of its web files, as it has yet to be designed to use this
    Vista security feature.  Disabling protected mode makes IE7 work like Firefox, with
    medium integrity on all web items sourced from the internet.

  • WIC integrity is checked before NTFS permissions, and a failed integrity check denies a
    write even where the NTFS permissions would allow it (the reverse is not true: a label
    never grants access that the permissions deny).  This is important, because when you
    right-click a folder in Explorer and click on the Security tab, you are dealing with NTFS
    permissions only and not WIC integrity levels.  WIC integrity levels can only be viewed
    and managed from the command line with icacls (see below).  To me, overlaying and
    segregating WIC and NTFS permissions was a dumb move.  Microsoft made something
    that was tough to understand almost impossible to understand.

By way of example, the end result if you visit a website that drops a piece of malware onto
your computer is:
  • With IE7 in protected mode, the malware runs at low integrity and can only write to
    those directories that have been earmarked as low integrity.  There are only a handful
    of directories on your computer designated for the capture of low integrity items (IE7's
    own \Low cache, cookie, history and Temp folders, and the per-user AppData\LocalLow
    tree).  Basically, this is what UAC and WIC are designed for.

  • With IE7 in unprotected mode, or with Firefox, the malware runs at medium integrity.
    This means the malware has the potential to modify anything that you have created,
    since all of it was assigned medium integrity by default.

In both cases the malware is prevented from modifying the directories that contain system
files.  Under UAC even an administrator's programs run with a filtered, medium-integrity
token that carries no administrative rights, and the NTFS permissions on those directories
only grant write access to administrators and to the TrustedInstaller service.  Anything that
wants to write there has to ask for elevation, which is exactly what the consent prompt is
for.

The internet is full of resources on how Vista achieves this in detail.  You may search for
Vista + UAC or Vista + WIC.  OK, now that the high-speed overview of UAC and WIC is
complete, we move to the bottom-line impact of UAC:

  • Vista will ask you to confirm all system-level (administrative) requests.  This
    includes:
      • Simple system maintenance such as setting the system time or running any
        hardware diagnostic function, like Device Manager.
      • Installation of any new software.

  • For legacy applications that do not comply with Vista's new-found segregation of
    functions, depending on the severity of the break, Vista will either:
      • Allow the application to run with administrative rights (and ask for your
        consent prior to running the application – every time).
      • Or not give permission for the application to run at all.

  • Applications will stop working where the integrity level on their working directories
    has been raised above the level the application runs at.

A good example of the last issue is the workings of IE7 in protected mode.  Suppose you
perform a mass delete of IE's temporary files (under Users\<username>\AppData\Local\Temp)
and the \Low sub-directory is deleted along with them.  Suddenly you find IE7 cannot print,
and the error it returns says it is unable to create the relevant temporary file.  Under XP
this would be a zero-step fix, as XP just recreates the file structure by itself.  Under Vista,
fixing this becomes a two-step process, and step 2 takes some research to discover:

  1. Manually reinstate the sub-directory.  Not too difficult, as the error informs you of the
     required name and location of the sub-directory.
  2. Watch this:
       1. IE7 no longer automatically recreates the necessary directory sub-structure
          for you.
       2. IE7 in protected mode can only use the \Low sub-directory if it has been
          labelled as low integrity.
       3. When you did step 1, Vista gave the recreated \Low sub-directory no label, so it
          is treated as medium integrity.  Explorer will not inform you of this, nor can you
          change the integrity level from Explorer.  But you must change the integrity
          level.
       4. Run a command prompt in elevated mode (not normal mode).
       5. Run ICACLS C:\Users\<username>\AppData\Local\Temp\Low
          /setintegritylevel (OI)(CI)low
          The (OI)(CI) part makes files and sub-folders created inside inherit the label.
          Running ICACLS on the folder with no switches afterwards shows the result, a line
          ending in "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"; a folder with no
          label shows no such line at all.
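The two-step repair above, as an added PowerShell example that is not part of the original
article.  It reads the labels on the folders that IE7 protected mode depends on (the well-known
\Low folders and AppData\LocalLow), reports the integrity level of the shell it runs in, and
relabels Temp\Low as low integrity if it has been recreated without a label.  It assumes
Windows Vista or later with icacls.exe and whoami.exe, and that it is run from an elevated
PowerShell so the relabel is permitted; the function names are mine.

```powershell
# Added example (not from the original article). Inspect the integrity labels
# on the folders IE7 protected mode depends on, and relabel %TEMP%\Low as Low
# if it has been recreated without a label. Needs Windows Vista or later with
# icacls.exe and whoami.exe; run from an elevated PowerShell so the relabel works.

function Get-ProcessIntegrityLevel {
    # whoami /groups includes the token's label, e.g.
    # "Mandatory Label\High Mandatory Level" in an elevated prompt and
    # "Mandatory Label\Medium Mandatory Level" in a normal one.
    $text = whoami /groups | Out-String
    if ($text -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    return 'Unknown'
}

function Get-FolderIntegrityLabel([string]$Path) {
    # icacls prints the label line only when an explicit label is set. A folder
    # without one is implicitly Medium, which is exactly the trap in step 1.
    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    $text = icacls $Path 2>&1 | Out-String
    if ($text -match 'Mandatory Label\\(\w+) Mandatory Level:') { return $Matches[1] }
    return 'Medium (implicit)'
}

function Repair-LowFolder([string]$Path) {
    # Step 1: recreate the folder if the mass delete removed it.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # Step 2: apply a Low label inherited by files (OI) and sub-folders (CI).
    # The argument is quoted so PowerShell does not try to parse the brackets.
    if ((Get-FolderIntegrityLabel $Path) -ne 'Low') {
        icacls $Path /setintegritylevel '(OI)(CI)Low' | Out-Null
    }
    return Get-FolderIntegrityLabel $Path
}

# Folders Vista labels Low on behalf of IE7 protected mode, plus the per-user
# LocalLow tree. "Medium (implicit)" on any of them breaks protected mode.
$lowFolders = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\Low'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Low'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\History\Low'),
    (Join-Path $env:APPDATA      'Microsoft\Windows\Cookies\Low'),
    (Join-Path $env:USERPROFILE  'AppData\LocalLow')
)

$level = Get-ProcessIntegrityLevel
"This PowerShell runs at integrity level: $level"
if ($level -ne 'High') {
    Write-Warning 'Not elevated. Labels can be read, but /setintegritylevel will be denied.'
}

"`nCurrent labels:"
foreach ($f in $lowFolders) { '{0,-18} {1}' -f (Get-FolderIntegrityLabel $f), $f }

# Repair the one folder the printing problem hinges on.
$tempLow = $lowFolders[0]
"`n$tempLow is now labelled: " + (Repair-LowFolder $tempLow)
```

Run it once from a normal PowerShell to see the "Medium" token and the current labels, then
again from an elevated one to apply the fix; the second run should report Temp\Low as "Low".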

Of course you could just run IE7 with protected mode off, but this defeats the whole purpose
of UAC by increasing risk.  All in all, too much information!

For those users on Vista Starter, Home Basic or Home Premium, your choice is simple.
Either you put up with all the above hassle for some additional security and leave UAC
enabled, or you take a longing look at your XP setup, which never had UAC, where you ran
the full internet security suite from one of the majors and never really experienced any
problems.  In the latter case, go to Control Panel – User Accounts – Turn User Account
Control on or off and disable UAC (the Local Security Policy console used below is not
shipped with the Home editions).  Be aware that turning UAC off also turns off IE7's
protected mode.  The suggestion is to use UAC selectively rather than leave it off for good.

For those Vista users who have the Business or Ultimate edition, you have a choice.
Depending on how much fiddling you are prepared to do, you can have the best of all
worlds.  Below, I analyse the hassles Vista creates and classify them into 3 categories:

a) No Brainer Consents
This is where you (the user) have initiated a request from a trusted source (e.g. Device
Manager, or a legacy application that you regularly use) and Vista pops up the consent box
every time.

This is plain annoying behaviour from Vista, and would be the main cause of users reverting
to old habits and completely disabling UAC.  You would think that the Vista developers would
have borrowed some ideas from the Explorer team by letting the user specify a trusted
application list, for which Vista would automatically consent to the request for any user who
belongs to an administrators group.  (The catch is that the list and every program on it would
then have to be protected from medium-integrity writes, or malware could simply replace a
trusted program and inherit its free pass.)

b) 50:50 Consents
This is where you want to install and run an application, usually a utility, and you are unsure
whether you can trust it.  Currently, the only guidance you have is whether the application
has been properly signed by the developer, and in the majority of cases it hasn't.

Here Vista needs to adopt business computing standards by providing a sandbox, similar to
a test environment, which a user can play in.  Once it is confirmed that the application is
what the user wants, it can then be transferred to the "real" environment.  Some software
vendors do this under the moniker of virtual computers.

c) Deny At All Costs
If you are reading the newspaper on the internet and suddenly Vista wants you to approve
an administrative request, this is the time to say no!  This is what UAC is trying to assist
with: stopping malware from lodging itself on your computer.

SOLUTIONS
To minimise the impact of UAC on your Vista experience, you can take the following actions:

a) Throw the Baby Out With the Bath Water
You can revert to old ways, run under the XP style of full administrative accounts, and
disable UAC completely.  The current literature says this is not a good idea, but if you use
other tools to harden your computer's defences, then this is a very simple solution.  Note
that with UAC off you also lose IE7's protected mode, since protected mode depends on it.

b) Be Selective in Which UAC Alerts You Receive
When you go to Control Panel – Administrative Tools – Local Security Policy – Local Policies –
Security Options, you'll notice a group of settings whose names begin with "User Account
Control:".  Research on the internet suggests that the setting you would most like to change
is:

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval
Mode, set to "Elevate without prompting".

With this, administrators never see a consent box, but UAC itself stays on, so programs still
start with the filtered token and IE7 protected mode keeps working.  The trade-off is that
every elevation request is now approved silently, including the "Deny At All Costs" kind
described above, so you are trusting whatever else is running on the machine not to ask.
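The settings behind this screen are ordinary registry values, which is how the Home editions
could reach them without the console.  The following is an added PowerShell example, not
from the original article, that reads those values, translates them into the Local Security
Policy wording, and reports whether solution (a) or (b) is currently in effect.  It assumes
Vista's value names and meanings (EnableLUA, ConsentPromptBehaviorAdmin,
ConsentPromptBehaviorUser, PromptOnSecureDesktop under the Policies\System key); the
function names are mine, and changing a value needs an elevated PowerShell.

```powershell
# Added example (not from the original article). Read the UAC policy values
# behind the Local Security Policy settings and report which of the article's
# solutions is in effect. Reading works on every Vista edition, including the
# Home editions that lack the Local Security Policy console; changing values
# needs an elevated PowerShell.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy wording as shown in Local Security Policy, keyed by registry value.
$adminPromptNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials'
    2 = 'Prompt for consent'         # Vista default
}
$userPromptNames = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials'     # Vista default
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $uacKey
    # Values that are absent from the key fall back to the Vista defaults.
    $policy = @{
        EnableLUA                  = 1
        ConsentPromptBehaviorAdmin = 2
        ConsentPromptBehaviorUser  = 1
        PromptOnSecureDesktop      = 1
    }
    foreach ($name in @($policy.Keys)) {
        if ($null -ne $p.$name) { $policy[$name] = [int]$p.$name }
    }
    return $policy
}

function Describe-UacPolicy($policy) {
    if ($policy.EnableLUA -ne 1) {
        return 'Solution (a): UAC is off. Administrators get a full token and IE7 protected mode is disabled.'
    }
    $admin = $adminPromptNames[$policy.ConsentPromptBehaviorAdmin]
    $user  = $userPromptNames[$policy.ConsentPromptBehaviorUser]
    $lines = @(
        'UAC is on.',
        "Administrators in Admin Approval Mode: $admin",
        "Standard users:                        $user",
        "Prompt on secure desktop:              $($policy.PromptOnSecureDesktop)"
    )
    if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
        $lines += 'Solution (b): protected mode still works, but every elevation request, malware included, is approved silently.'
    }
    return ($lines -join "`n")
}

function Set-UacAdminPrompt([int]$Value) {
    # Switch between the three Vista behaviours. Unlike EnableLUA, this value
    # is read per elevation request, so no reboot is needed. Requires elevation.
    if (-not $adminPromptNames.ContainsKey($Value)) { throw 'Value must be 0, 1 or 2' }
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value $Value -Type DWord
}

Describe-UacPolicy (Get-UacPolicy)
# To apply solution (b):   Set-UacAdminPrompt 0
# To restore the default:  Set-UacAdminPrompt 2
```

On a default Vista install the report reads "Prompt for consent" for administrators; after
applying solution (b) it flags the silent-elevation trade-off explicitly, which is a useful
reminder when you come back to a machine months later and wonder why it never prompts.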

c) Ultimately, be Even More Selective
Is option (b) too wild for you?  Feeling exposed?  Then do it application by application.  If
you trust the application, exempt it from UAC.  This is fiddly, and all I am giving is a
Microsoft TechNet link on this topic for you to read through:
http://technet.microsoft.com/en-us/windowsvista/aa905117.aspx.  Knock yourself out.