
Want to learn more about UAP (User Account Protection) in Windows Vista?

October 1st, 2005 by Jabez Gan [MVP]

As usual, you will be receiving the latest developments about Windows Vista/IE7. Here you will learn about a new Vista feature called User Account Protection (UAP).

Here’s an introduction to UAP:
In XP, we are encouraged to use a Limited User account to surf the internet and so on, but because Limited User has too many restrictions, home users opt not to use it. Instead, most people prefer to use accounts with administrative privileges.

In Vista, you can turn on UAP on any user account. By default (on the beta 2 branch 5219 build), UAP is enabled on the administrator’s account. With UAP enabled, when a user tries to install a program that changes any system files, Vista will prompt for the administrator’s password.

Here are some Q&A about UAP (Compiled from Private Beta chat of UAP):

Q: What exactly is UAP?

Q: What are the advantages of UAP?
A: MASSIVE reduction in attack surface. Fix the OS to feel like it was designed for the Standard User. Auto-fix legacy apps to run as Standard User. MASSIVE reduction in enterprise cost because the users cannot easily break things anymore. Put the admin back in control of the machine.

Q: How is UAP related to the Trusted Installers group?
A: Both UAP and Trusted Installer are dealing with the integrity of the system… Trusted Installer is more about making sure that ONLY the OS is allowed to update the OS. UAP is about making sure that the apps that people run get the smallest amount of priv while still working.

Q: Which types of applications are expected to be affected the most by UAP?
A: That’s a very general question, so I’ll give you a general answer… If your application works on XP as Standard User then it will work on Vista; if your application requires the user to be an administrator on XP because it writes to %programFiles% or HKLM but doesn’t actually perform administrative tasks then most likely UAP file/registry redirection will facilitate that application to run on Vista as Standard User; if your application is a “true” admin app then you must define/mark that application in order for the OS to give the correct elevation path/UX.

Q: Does UAP help people that are running as limited users, instead of “protected administrators”?
A: Yes, we are continuing to unblock “common” user tasks in Windows Vista; this includes everything from users being able to set the TimeZone, to facilitating a better “in context” elevation path. For the Standard user we provide Over the Shoulder (OTS) elevation – this means that if the Standard user wants to install an all users application they can have the admin enter their credentials over the user’s shoulder.

Q: How will UAP affect setups?
A: We still expect Setups to be Admin for per-machine installations. We think the industry will start pushing more into per-user setups especially for web-games etc… So let me highlight with a scenario. Toby, the kid, puts a game install CD into the drive. Toby is a Standard User (so that Mom can apply parental controls). When the OS reads the CD and starts the setup, Toby will get a UAP elevation consent prompt that says (in effect) “go get mom to type her password here”. The setup is then invoked via RunAs with Mom’s creds.

Q: How will you keep the average user from being instructed to bypass UAP by a piece of malware? For example, malware might put up a window saying “just enter your password at the UAP prompt to continue install”.
A: Good question. Spoofing is definitely a problem that we are taking seriously. For the admin on the box, we remove the spoofing by only putting a consent dialog up in front of the user. In other words, just an OK dialog… so spoof away. However, we still have a problem for the Standard User asking for consent from an admin… we need the creds of the admin. Personally, I think that we can train people to use the UAP Consent Policy that says “you must press ctrl-alt-del to answer this elevation question”… what do you think?

Q: How does Internet Explorer 7 on Windows Vista take advantage of UAP?
A: As the Windows Vista desktop runs as Standard User by default, so too does IE7 – getting better… The new restricted mode of IE7 will run with less privilege in the internet than IE running in the intranet. When IE7 needs to perform an admin task like installing an ActiveX control it passes that request to the Admin broker who then requests administrative consent before continuing.

Q: Is UAP for just the user’s side of control or does it also limit the system account from doing tasks?
A: With UAP on, all admins, other than the built-in Administrator account, run as “protected admins” which means they will have to elevate applications as well.

Q: What is the goal of user access protection?
A: In a nutshell, “reduce the privs needed to do every day operations.” You should have to Chat as an admin. Are you right now? If I send you the wrong string right NOW, can I exploit this app and modify how your system boots? That’s crazy!

Q: What’s the functional difference between confirming actions that require administrative rights versus requesting administrative credentials (i.e. username and password)?
A: First, only the Protected Administrator (the user who has potential to elevate) can be presented with a “consent” prompt; because of new protection mechanisms in Vista we can “protect” this input. Now if a piece of malware invoked a “spoofed” consent dialog then at most they would get a mouse “OK” click and could not use this to run an elevated process. Now the Standard user who has no potential to elevate would be presented with a “credential prompt” and have to enter admin credentials. To secure this operation from phishing attacks we have the Secure desktop credential mode.

Q: Is there going to be a way to exclude known and trusted applications so that a prompt really means something and the user pays attention?
A: If you run an enterprise and deploy software with technologies like GPSI or SMS then you will not see prompts. If you try to manually install an All Users application and UAP is enabled you will get an elevation prompt.

Q: Is there going to be any kind of system support, help or automatic popups where UAP detects what you are trying to do or app you are trying to install and uses your (MS’s) experience to do the right thing?
A: Good question. We are working on technology to help with scenarios such as this. I am not certain we will solve all of the issues though. For example, say we don’t detect a setup… and the setup runs as Standard User… UAP will refuse to put the exe into Program Files. We _might_ be able to catch that and ask the user “was that a setup? can we help you elevate that?”

Q: Given a choice between running as Admin with UAP, and running as a genuine normal user, which would you recommend? Given that I’m used to the two accounts approach, will I be better off or worse off with UAP?
A: Big question — because I’m a security person the answer is run as Standard User – always. Now in the home that might mean that you retain the Admin password on paper and enter it on demand….

Q: How can developers ensure that their apps are in the AppCompat database if necessary?

Q: How is UAP handled in a home network on MCE to access media files on another device?
A: Cheers… good docs:

Q: What is “auto-fix”, what are you really doing?
A: Here is the scenario. LoBapp1.exe drops a log file into Program Files\LoBApp1\log.txt. Under the covers, CreateFile is about to return an Access Denied. A Filter Driver catches that access denied, moves the filename to be “Users\\Virtual Store\Program Files\LobApp1\Log.txt” and tries again.
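The redirect described in the last answer, modelled in Python as an added example; it is not code from the original post or from Windows. The per-user component of the virtual store path (the page's own path leaves it blank), the class and function names, and the read-side lookup order are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed model of the redirection described above; not Windows code.
PROTECTED_ROOTS = [PureWindowsPath(r"C:\Program Files")]  # admin-write only
VIRTUAL_STORE = "Virtual Store"                           # name as written on the page


class AccessDenied(Exception):
    pass


class ModelFS:
    def __init__(self):
        self.files = {}      # lowercased full path -> bytes
        self.redirects = []  # audit trail: (user, requested, actual)

    def _raw_create(self, path, data, is_admin):
        """What the create call does without the filter: enforce the ACL."""
        if not is_admin and any(r in path.parents for r in PROTECTED_ROOTS):
            raise AccessDenied(str(path))
        self.files[str(path).lower()] = data

    def virtual_path(self, user, path):
        """Re-root a path under the user's virtual store (user dir is assumed)."""
        relative = path.relative_to(path.anchor)
        return PureWindowsPath(path.anchor, "Users", user, VIRTUAL_STORE, relative)

    def create_file(self, user, path, data, is_admin=False):
        """Filter behaviour: on access denied, retry under the virtual store."""
        path = PureWindowsPath(path)
        try:
            self._raw_create(path, data, is_admin)
            return path
        except AccessDenied:
            target = self.virtual_path(user, path)
            self._raw_create(target, data, is_admin)
            self.redirects.append((user, str(path), str(target)))
            return target

    def read_file(self, user, path):
        """Assumed lookup order: the caller's virtual copy, then the real file."""
        path = PureWindowsPath(path)
        for candidate in (self.virtual_path(user, path), path):
            data = self.files.get(str(candidate).lower())
            if data is not None:
                return data
        raise FileNotFoundError(str(path))
```

In this model the protected directory is never modified by the standard user, each user gets a private copy, and `redirects` records which legacy writes were virtualized.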

This entry was posted on Saturday, October 1st, 2005 at 12:47 pm and is filed under Windows Vista.