Tech Support Forum Guide on UAC

UAC or User Account Control is a new security-related computer technology introduced with Microsoft Windows Vista. It now also comes with Windows 07 and Windows Server 2008.

In the UAC, when an administrator logs on to a computer running Windows, two distinct access tokens are granted to a user. Access tokens include a user’s group membership and data they are authorized to access. Before Windows Vista, an administrator account had only one access token that included data which the user was permitted to access. This one token access control model did not have any fail safe checks to verify that users truly wanted to perform a function that required their administrative access token. Consequently, malicious software could install on users’ computers without notifying the users. This is also sometimes called as “silent” installation. In this way, such malicious software has the potentiality to use administrator’s access control data to affect core operating system files. In some instances, it becomes nearly impossible to undo the harm.

Microsoft developed UAC feature to help prevent malicious software from installing silently and causing infection in the entire set of networked computers. Unlike past versions of Windows, now, when an administrator logs on to a computer running Windows Vista, administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the process of logon, authorization and access control features that identify an administrator are removed. The standard user access token is used to initialize the desktop, process. As all applications derive their access control input from the initial launch of the desktop, they all operate as a standard user only. When an administrator logs on, full administrator access token is not activated until the user attempts to perform an administrative task.

User Account Control allows administrators to carry day-to-day tasks as non-administrators. They are called standard users in Windows Vista. A standard user account is equivalent to a user account in Windows XP. It allows administrators without requiring switching users, use Run As, and log off. Local Administrators group can have number of user accounts as members. Such user accounts can run most applications as a standard user.

The key difference between an administrator and standard user in Windows Vista is the level of access the user has over core, protected areas of the computer system. Now, using Windows Vista or Windows 07, an administrator can reconfigure system state, configure security policy, turn off the firewall, and install a driver or a service which affects all users on the computer. An administrator can install software for the entire computer. Standard users cannot operate these tasks. They can only install per-user software.

You as an administrator need to make full use of UAC to further strengthen data security of your business entity. It is imperative that you make full use of it for providing you with a reliable computing platform. As an IT planner, you need to implement a sound security block that distinguishes between administrators and general users without compromising on security and work performance. Full implementation of UAC will certainly bring you one step closer to that.

User Account Control is an important feature that separates user and administrator functions without compromising security. It enhances productivity in multi-user computer settings.