Understanding User Account Control (UAC) in Windows Server 2008 and Windows 7

User Account Control (UAC) helps prevent unauthorized changes/access to a computer by asking privileged password. When a user designated with elevated privilege logs on to Windows 7 and Windows Server 2008, two access tokens are issued: a full access token and a filtered standard user access token. The filtering process removes the administrative privileges and disables the Administrative group Security Identifiers (SIDs), resulting in a filtered standard user access token. The standard user token is then used to start the Windows desktop (explorer.exe) and all subsequent child processes. Consequently, all applications run with the standard user token by default and only when an administrator with granted privileged permission can run specific application with a full access token. These internal processes happens in an Windows 7 and Windows 2008 operating systems to provide you with extra security so that you can make sure what you doing before it applied into operating systems.

When you log on to a computer, it verifies with Microsoft Active Directory RID master about your roles/privileges/authority in an Active Directory infrastructure and provide you with necessary pre-defined attributes assigned in Microsoft Active Directory and Group Policy Object. For Example: Domain Admins, Schema Admins, Enterprise Admins, Account Operator, Administrator, Power Users, Domain users, users, Cert Publisher and many more. If you log on to a standalone computer, Windows 7 and Windows server 2008 still verify with local account policies whether you are a power user, administrator or user.

The Credential Prompt (asking username and password)  and consent prompt (allow/disallow user to perform a task) are two components of UAC. Even though if you are a member of domain admins or administrator you will ask your consent to perform task like changing date/time, modify registry, running application, modifying any OS related tasks. A standard user can perform installation task in windows 7 and windows server 2008 unless user is part of Admin group.

Running registry in elevated command prompt

Start menu>run> type runas /user:domain\username cmd.exe.

Provide Password

In the new Command Prompt window that opens up, type regedit.exe.

Respond to the UAC elevation prompt.

UAC Group Policy Settings

Microsoft GPO support management of UAC through group policy object. GPO settings are available in Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Benefits of UAC

Stop malware add schedule task

Stop Spam sites and spyware to run installer

Stop malware to run command, script

Create a local windows firewall to protect windows systems despite having top level firewall like ISA or squid

Prevent running inappropriate application as a standard user

Prevent modification of registry key

If you still don’t like UAC then you can disable UAC completely from Control Panel>User Account>UAC>uncheck UAC>OK>restart

To Disable from Registry

go to Start menu>run>type regedit.exe

Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system

create a DWORD named LocalAccountTokenFilterPolicy with a value of 1 and reboot computer.

Screenshots

   Keyword: User Account Control, Windows 7 and Windows Server 2008, GPO