S 4.340 Use of Windows User Account Control UAC in Windows Vista and higher

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, IT Security Officer

The User Account Control (UAC) is a security mechanism in Windows which is available on clients in Vista and higher, and on servers in Server 2008 and higher. The UAC realises the principle of least-privileged user accounts to restrict the capabilities for misusing administrative authorisations. It supports in particular the implementation of the safeguard S 2.32 Establishment of a restricted user environment for normal users and administrators.

With the User Account Control enabled, all users work in general as standard users. Administrators, too, first perform their tasks as standard users. The UAC recognises when a user needs more rights and either grants or denies these rights depending on how it has been configured. The UAC only has an effect on local user sessions (also remote desktop sessions). It has no effect on the logins of users via the network starting from other computers (e.g. access to file shares) when domain accounts are used.

With the UAC enabled, local accounts are not compatible with all network-based administration/management services, for example when accessing the WMI interface (Windows Management Interface) of the IT system via the network. Administration/management services and activities should therefore always be carried out using domain accounts.

Certain tasks require more rights within the local session, which are not available to standard users. Such tasks include, for example, installing applications, writing data to system directories, older specialist applications or running certain operating system programs and administrative scripts. However, malicious software almost always makes also use of more rights. When accounts with administrator authorisations are used on the IT system, the UAC should always be enabled. In Windows Vista and Windows Server 2008, this is the default setting.

In Windows 7 and Windows Server 2008 R2, the UAC is set by default in a less secure form. Administrative accounts can continue to operate with unrestricted authorisations without the desktop being faded out. To ensure that the protective functions of the UAC are effective against attackers and malicious software, they must be configured to Always inform (Control Panel | User Accounts | Change the Setting of the User Account Control).

Effects on the user environment

Before a normal user can perform a task requiring more rights, a protected user login screen of an administrator appears in which the authentication data is to be entered. On the one hand, this can make the normal user insecure or instigate them to make errors. On the other hand, a type of "over-the-shoulder" situation might occur in which service employees will have to enter a password several times with the user being present. This has the effect that the password can be compromised accidentally. It is recommended to configure the local security option User Account Control: Behaviour of the elevation prompt for standard users to the setting Automatically deny elevation requests (under gpedit.msc | Security Settings | Local Policies | Security Options). In Windows 7 / Windows Server 2008 R2 and higher, this security option is called: User Account Control: Behaviour of the input elevation prompt for standard users. As a result, standard users only receive a normal error message. Administrators can still use the commands runas ... when they require more rights for a task. If the computers are used in environments with high or very high security requirements, this option should always be enabled.

Before a member of the Administrators group can perform a task requiring more rights, a simple confirmation window of the UAC appears. Here, other authentication data does not have to and cannot be entered.

In Windows Server 2008, the "Administrators" default account which, in general, is not restricted by the User Account Control is an exception (in Vista, login using the "Administrators" account is not possible).

The confirmation window itself can unreasonably increase the number of steps which an administrator has to perform for their regular tasks. If administrative consoles are often required, they should be bundled in a MMC console (mmc.exe, Microsoft Management Console) in order to avoid multiple disruptive requests. Other options of bundling administrative operations are task scheduling, administrative tools from third-party providers as well as the command line window (Powershell with more rights, "DOS-Box" etc.).

It is recommended to evaluate the effects of the additional steps and the bundling options together with the corresponding administrators. If the ability of the administrators to perform their tasks is too highly impaired, the confirmation window can be disabled. It is disabled by setting the GPO policy User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode to Elevate without prompting. As a result, the UAC elevates the rights of the administrator in the background, meaning without requiring any interaction with the administrator. The described setting requires you to strike a balance between operability and security and must be documented.

The most common example for this setting is workstation computers which are used in a restricted user environment. If an administrator has to carry out maintenance work on these computers, then they only log in on them for a short period of time and complete the maintenance work as quickly as possible. They use normal user applications either not at all or only to a very low extent.

A counter example showing a situation in which the above setting must not be used are administrative accounts for normal users, under certain circumstances also second accounts, which are regularly used or made available on mobile computers.

For workstations of administrators, it should be specified in a policy (S 2.325 Planning the Windows XP, Vista and Windows 7 security policies) whether parts of the administration must be carried out in a restricted user environment. This should depend above all on the tasks, the administration/management software and the security level required. If a restricted user environment is foreseen, the secure desktop and the confirmation messages should not be disabled in compliance with this policy.

If no restricted user environment is foreseen for the respective administration area, it is recommended to disable the UAC completely. A UAC with less secure settings would hardly achieve a protective effect. On the other hand, there are still the compatibility problems of the UAC, for example with WMI scripts.

All accounts with administrator rights should be documented regardless of how the UAC is configured. The necessity of having the administrator rights granted should be checked regularly and adapted accordingly when necessary (which also means withdrawing these rights) (see S 2.8 Granting of (application/data) access authorisations).

Secure desktop

The confirmation message of the UAC or the additional login screen are protected against attackers and malicious software as long as they are displayed on the secure desktop. The group policy above includes a series of additional settings which bypass or disable the secure desktop. The secure desktop, however, may not be bypassed or disabled.

Protected Mode in Internet Explorer

User Account Control must be enabled on the system in order to use the Protected Mode of Internet Explorer 7, which is the case in the default configuration of Windows Vista and Windows 7. When User Account Control is disabled, Internet Explorer 7 immediately (and without the operating system issuing a warning) loses its ability to operate in the Protected Mode.

Review questions:

© Federal Office for Information Security. All rights reserved.