Problem solve Get help with specific problems with your technologies, process and projects.

The keys to locking down Windows Vista User Account Control

Windows Vista's User Account Control feature can effectively lock down users' desktops and prevent malicious processes and applications from executing. However, it's not exactly the perfect defense strategy. Windows Vista security expert Peter H. Gregory explains how UAC works, and where it could work better.

User Account Control, or UAC, is the latest in Microsoft's arsenal of antimalware weaponry. UAC blocks all user-initiated and malware-initiated actions on a workstation that require administrative privileges. Is UAC all you need to fight malware? As usual, malware defense isn't quite that simple.

What is User Account Control?
UAC is a new user safety mechanism. Simply put, it alerts the user when a privileged operation is about to take place, preventing the operation until the user consents. When Windows is aware that a privileged operation has been requested, it displays a UAC alert, like what is shown here:

Before the operation may proceed, the user must click Continue.

The intention of UAC is to make users aware of all privileged operations on the system, including any that are initiated without their knowledge by malware.

UAC goes a step further. If a non-privileged user wishes to perform a privileged action, such as edit the system registry, UAC will not only alert the user, but also provide a means to enter privileged user credentials (like a cash register supervisor override) that will permit the privileged operation to take place. This is shown here:

In this example, the user is requested to enter Denise's password in order to perform the privileged function. The user may also choose another administrative account by clicking "Use another account."

By default, UAC is turned on. If you're using Vista already, you no doubt noticed it when using Vista for the first time.

How to configure User Account Control
Configuring UAC is simple; all you can do is turn it on or off. You can see the status in the Windows Security Center. If UAC is off, the Windows Security Center has a button to turn it on, like the figure below:

Click the image above to enlarge

Follow this procedure to access UAC's configuration:

  1. Open the Control Panel > User Accounts and Family Safety > User Accounts.
  2. Select Turn User Account Control on or off. If UAC is on, you'll be asked for permission to continue.

  3. Check or uncheck Use User Account Control (UAC) to help protect your computer.

That's all there is to it.

Despite its drawbacks, generally speaking, it's a good idea to keep UAC turned on; otherwise it's like driving a car without your seat belts. Yes, UAC may be a pain because of the many pop-up windows and confirmations that users will encounter, and the interruptions may slow users down, especially when performing a lot of administrative work on a system. But turning off UAC means essentially betting that malware will never, ever infect your system and try to perform any privileged operation.

As for me, I always use a safety net when I'm walking the tightrope. It's just good sense. For Windows Vista, UAC is that safety net.

In an environment where the goal is to prevent users from performing privileged functions, give users regular, non-administrative accounts, and turn off UAC. They won't be able to perform any privileged actions either way.

Vista malware defense in depth
UAC should not be considered the only means of malware and virus protection for Vista systems. It's essential to also rely upon the following:

  • Antivirus software -- AV software is essential for all desktops. The only exception would be for non-networked systems that never, ever receive any data from the outside world. If you've upgraded to Vista from an older version of Windows, make sure your antivirus software runs properly on Vista; if there appear to be compatibility questions, consult your antivirus vendor for information.
  • Antispyware -- Use Windows Defender (bundled with Vista), or better yet, a good third-party anti-spyware program. Increasingly, anti-spyware is just another feature in your antivirus suite, and that's a good thing, because it's one less program to maintain.
  • Firewall -- Use the Windows Firewall for good inbound protection, or get a third-party firewall for inbound and outbound protection, but regardless of the product you use, read up on its features to ensure that you get the features you need (i.e. read the label before you buy).
  • Use common sense -- The best way to stop malware dead in its tracks is simply by maintaining an alert defensive posture. Ensure that your users avoid Web sites of unknown reputation, steer clear of strange emails, and don't ever open unsolicited email attachments.

The future of UAC
I'm hoping that Microsoft will improve UAC's functionality in the future by including the ability for UAC to "remember" which programs or functions a user considers "okay" and enables them to take place without user interruption. If Microsoft exposes the API for UAC, then there's a chance that third-party tools will improve on UAC in ways we haven't thought of yet. Until then, despite its drawbacks, UAC still represents a step forward in malware defense for Windows Vista.

About the author:
Peter H. Gregory, CISA, CISSP, is the author of several books including Solaris Security, Computer Viruses For Dummies, Blocking Spam and Spyware For Dummies and most recently Securing the Vista Environment. Gregory has spoken at numerous industry conferences, including the RSA Conference, SecureWorld Expo, InfraGard, and West Coast Security Forum. Gregory is a security strategist at a financial management software company located in Redmond, Wash. He is a member of the advisory board, as well as an advisory board member of the University of Washington's Center for Information Assurance & Cybersecurity, and a board member of the Evergreen State Chapter of InfraGard.


Dig Deeper on Microsoft security threat management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.