Steve Lamb's Blog

Security Matters

Blogs

What is User Account Protection in Windows Vista, how does it help reduce administrative access

  • Comments 6
  • Likes

For many organisations the challenge of reducing the number of people with administrative rights and the number of instances when those rights are used is a huge challenge. The authors of the majority software seem to assume that the user will be logged on with the same rights as they have - administrator. Getting developers to code in a non-privileged environment for the majority of the time helps them produce software which can run with normal user privilege. For some time we have used the term Limited User Access (LUA) as epitomised by Aaron Margosis's Blog which provides practical advice upon how to make applications work better whilst running with non-administrator rights.

Just for a change we have introduced a new term with a new operating system - in this case Windows Vista implements a brand new privilege architecture to support the goals of LUA - it's called User Account Protection (UAP). UAP enables rights to be used just for the tasks that need them rather than all of the time even if logged in as an administrative user. When a user wishes to make a configuration change then they will be prompted to enter the credentials of an administrative user - afterwards the user will continue as before with normal privilege. UAP must be manually enabled at Beta 1 of Windows Vista.

A summary of UAP is provided here - this is a good link for those of you who are also interested in the development aspects of Windows Vista as it explains about WinFX (next generation of the .net framework), Windows Communication Foundation (formerly known as "indigo") and Windows Presentation Foundation (formerly known as "Avalon").

A more technical overview is provided in the security white paper that I linked to a couple of days ago which you can access here.

The developers of Windows Vista have also realised that a user shouldn't require administrative rights simply to change the system clock!

Comments
  • So are you saying that the LUA user CAN change the system clock? Not that I want them to; they NEED to be able to change the time zone as they travel and they sure as heck CANNOT in Beta 1. See my blog for testing details on that. I'm planning to bug it - but maybe you're saying in Beta 2 they will be able to change the time zone?

  • Is there any chance of something like this - even a limited functionality version - finding it's way into XP or is this core to Vista?

  • Andy> As far as I can tell it's core to Windows Vista. Check out Aaron Margosis's Blog for some really good ways to deal with this problem on Windows XP.

  • Jerry> OK time to confess - I haven't tried this myself yet. Steve Hiskey gave the change of time zone without admin rights as an example in his talk @ TechEd 2005. Steve is a Lead Program Manager in the Windows Security Access Control group at Microsoft.

  • Hey great news! If youre an MSDN subscriber you can download Windows Vista Beta 1 today otherwise TechNet...

  • John Howard has chased the TechNet folk @ corp to find out why there's a delay between Windows Vista Beta 1 availability compared to MSDN.

    Browse to: http://blogs.technet.com/jhoward/archive/2005/07/28/408300.aspx#comments

    to find out what happened.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment