Windows 7 User Account Control

by Gaj Kumar.
Share
|
Homepage | Submit your article | Contact | TOS
More articles on windows  

You are here: Categories » Computers and technology » Windows

One area where Microsoft justifiably received a great deal of criticism over the past 15 years or so was its handling of security. Windows 95, 98, and Me had no security scheme at all—any user could modify any file or program.

Windows NT, 2000, and XP did have the necessary structure to secure the operating system. The way Windows security works, any program that a user runs gains the privileges associated with the user’s logon account; this determines what folders the user can save files in, what settings the user can change, and so on. Computer Administrator accounts, in particular, have the capability to change any system setting, change any file, or install any software.

Unfortunately, in Windows XP, all user accounts were by default created as Computer Administrator accounts, and it took a lot of effort and training to work with Windows any other way. So, for most home and small office users, Windows security was essentially bypassed. The consequences of this were, in turn

• Any program run by hundreds of millions of Windows 95, 98, Me, and XP users had complete access to the computer.

• When anyone was duped into running bad software downloaded from the Internet or received a bogus program by email, that software also had the complete run of the computer.

• Some tens of millions of Windows computers are, as a result, infected with spam-sending software, unbeknown to their owners.

• Criminals remotely control those computers and use them to send about 80% of more than 100 billion or so spam emails that are sent every day. So, the next time you clear out your email inbox, consider that most of the spam in there got there because for 15 years Microsoft made no effort to make Windows Internet-secure “out of the box,” meaning, as delivered to the consumer. And few people knew how to take the complex steps needed to tighten things up. Windows Vista and now Windows 7 change that in a big way. Out of the box, Windows 7 and Vista enforce security through several means, including these:

• The disk on which Windows is installed uses the NTFS disk formatting system so that access to files and folders can be tightly controlled.

• As initially installed, the security system is actually used and ensures that users do not have the ability to randomly create, delete, or modify files in the Windows program folders. This protects Windows not only from accidents but also from rogue software.

• Programs and system control panels that can make changes that have security implications use a special feature called User Account Control to ensure that changes can’t be made without your knowing it.

Windows programs run with the permissions associated with a user account. Permissions include things such as the ability to create or modify files in each folder, change settings on features such as networking and hard disk management, install software and hardware device drivers, and so on. Computer Administrator accounts can do any of these things. What changed starting with Windows Vista is that programs run even by users with Administrator accounts don’t automatically get all those privileges. The potential is there, but by default, programs run with a reduced set of privileges that lets them modify files in the user’s own folders but not in the Windows folder or the Program Files folder. Likewise, by default, programs run even by a Computer Administrator cannot change networking settings, install applications, install device drivers, or change system software services.

Instead, you have to take a special step to run a program with elevated privileges—that is, with the full complement of Computer Administrator privileges. And, on Vista, whenever you try to do this, Windows requires that you confirm that you actually do want to run that specific program with elevated privileges. Windows displays a dialog box, and you have to click a yes or no response before the program is allowed to run (or not). On Windows 7, as we’ll explain shortly, this mechanism is still there, but Windows requires this sort of confirmation in fewer circumstances. What is important is that when this “go or no go” dialog box is displayed, it’s displayed by Windows in a secure way, from a deep, protected part of Windows, and there is no way for rogue software to bypass it, block it, or fake your approval. Thus, there is no way for rogue software to install itself without your consent. This is called User Account Control (UAC), and it’s the most important distinction between Windows 7 and Vista and any of their predecessors.

Another important feature of the UAC prompt is this: If you are logged on using a Computer Administrator account, Windows just asks you to consent to running the program. However, if you logged on using a Standard User account, Windows can still run the administrative program—the UAC prompt asks you to select the username and enter the password of a Computer Administrator account. All this makes Windows more secure and usable. It makes it safer to let people have and use Computer Administrator accounts. And, it is now reasonable to set up Standard User accounts for everyday use, for anyone, and especially for people whom you’d rather not be asked to judge which programs should run—for example, children or non-computer-literate employees. Should they actually need to change some setting that brings up a UAC prompt, you can simply reach over their shoulders, type in a privileged account name and password, let them make the one change, and poof!—they’re back to being a limited-privilege user.

Of course, this type of intervention is required only for programs that involve security-related settings. And this brings us to the reason that the new Control Panel and other Windows management tools are so complex and fractured.

Microsoft had to go through all the Windows settings and adjustments and decide which ones could pose security risks and which were benign. For example, installing a device driver is a risky task, and selecting a desktop background picture is benign. Risky and benign settings had to be put into separate programs or Control Panel elements. The benign ones are packaged as nonprivileged programs so that they can be run by any user. The risky ones have been put into separate programs that are marked as requiring elevated privileges. So, Control Panel items that used to have dozens of settings on one dialog box had to be split into many smaller pieces. This seemed to us to be a small price to pay for such a huge increase in security. But, Vista got a bad rap because these pop-ups popped up fairly often, especially in the first few weeks of using a new computer, when lots of software and hardware changes take place. It annoyed people who were used to the “Wild West” days of Windows 98. We think the bad rap was completely unjustified, but it stuck.

So, for Windows 7, Microsoft has softened UAC somewhat. By default, Windows now automatically grants elevated privileges to many less-risky Control Panel programs and dialog boxes, and pops up the confirmation box in only two situations: if it’s not sure that the requested program is absolutely safe, or if you are not using a Computer Administrator account, in which case an administrator’s password is needed. And, you can control how rigid UAC is, from turning it off entirely to requesting the Windows Vista–style of prompting before every change.

A program can be run with elevated privileges in three ways:

• Some programs are “marked” by their developers as requiring elevated privileges. These programs display the UAC prompt whenever you try to run them.

• You can right-click any program’s icon and select Run As Administrator. Generally, you need to do this only if you attempt some task and are told that you don’t have permission. This can happen, for instance, if you try to delete some other user’s document from the printer’s queue.

• If you have an old program that you find doesn’t work correctly with UAC, right-click its icon and select Properties. On the Shortcut tab, click the Advanced button, and check Run As Administrator. This will make the program run with elevated privileges every time you run it.

So…that was a long explanation for something that will help you tremendously but in practice won’t take up much of your time. Let’s go on with the tour.

If you aren’t looking at the Control Panel, now, click Start, Control Panel. Click on System and Security, and notice that some of the tasks are shown with a small shield icon. This is the indication that a task requires elevated privileges. By default, on Windows 7, most of these items will not bring up a UAC prompt; Windows will elevate most management tools automatically.

If you are currently logged on to a Computer Administrator account, you see dialog box. The dialog shows the name and the origin of the program, if it can be determined. You can click Show Details to see more information about the program file, if any is available.

If you are logged on to a Standard User account, Windows displays dialog box. Here, you can also click Show Details to see more information about the program that caused the UAC pop-up. To proceed, you (or someone else) must select one of the Administrator account names and enter its password.

Share
Leave a comment or ask a question
Total comments: 0

Windows Disclaimer

  • The e-articles directory is not responsible for any and all copyright infringements by writers and authors. If you suspect the information contained by this page for any copyright infringements, please contact us to investigate the issue
Shrink/Extend a Partition on Windows 7 Hard Drive - If you use multiple partitions on your hard drive, you may want to shrink or extend one of them-after realizing you want more space on another one of the partitions. ( Create a New Partition.) (more...)
Windows 7 Schedule Defragmentation - Defragmentation helps speed up access to data on your drive. In this tutorial, you'll learn how to schedule defragmentation so you don't have to worry about ensuring your drive is defragmented. (more...)
Reduce Windows 7 Boot Time - Does your computer boot slowly? If you shut your computer down regularly, this can be a real pain. Anything more than about 45 seconds tests my patience and I've used computers tha (more...)
Windows 7 Change Account Picture - Your account picture is used for the login screen, your start menu, windows meeting space, and more. When you first set up your account, you can choose one of the default images. In this tutorial, (more...)
Windows7 Device Stage - Device Stage is a new technology in Windows 7 that helps you interact with any compatible device connected to your computer. Device Stage lets you see device status and run common tasks. This a cur (more...)
Windows7 Action Center - Windows Action Center is an improved version of Vista's Security Center. The action center alerts you to problems with your PC and lets you know how you can resolve them. Notifications are delivere (more...)
Enhance SATA Disk Performance in Windows7 - You can improve the performance of your SATA hard drive by enhancing write caching. If you are not sure whether or not you have an SATA drive in your computer, please check with your manufa (more...)
Speed up Your External Hard Drives in Windows7 - The default setting in Windows 7 disables write caching for external drives. This is done so that you can remove an external drive at any time without data loss. If you are willing to eject your dr (more...)
Use Windows7 ReadyBoost to Speed up Programs - Using Windows ReadyBoost is a great way to improve the performance of your computer when doing your day-to-day tasks. What is ReadyBoost? ReadyBoost uses a USB thu (more...)
Make Windows7 Shut Down Faster - As you install programs on your computer, it slows down-we all know that. However, what you may not know is that the programs install services. Windows is "kind" enough to patiently wait for these (more...)
 
free content
    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.