How Windows 7 UAC shapes enterprise security
Commentary: There is a lot of buzz about the security features in the upcoming release of Microsoft’s Windows 7 operating system, especially User Account Control (UAC). Microsoft designed UAC to rein in the elevated “administrator” privilege that is so dangerous from an IT security perspective. UAC debuted in Windows Vista to reduce the privilege level of all users, non-IT and IT employees alike, whenever a task does not require elevation. Despite these good intentions, Vista’s UAC received a tremendous amount of negative feedback because of the number of “pop-up” prompts that appear during routine use of the desktop. Windows 7 takes a new approach to UAC, providing a “slider” that controls how often UAC prompts appear and which actions trigger them. The questions these changes raise include:
- What exactly does UAC do?
- How should UAC be set in order to protect your desktops?
- Is the “slider” a good decision?
What UAC is designed to do
When UAC is enabled in either Vista or Windows 7 the goal is the same - to protect the user from unknown malware and viruses running in the background, as well as from unauthorized changes to the operating system files and Registry.
When a task is triggered that causes a protected part of the operating system to be modified, UAC will prompt the user for consent (if an administrator) or prompt the user for the credentials necessary for the privilege to perform the action (if the user is a standard user).
For standard users, UAC is not an ideal solution. When UAC prompts a standard user for credentials, there are only two ways to let the action proceed. The first is “over the shoulder” entry of the credentials by an IT employee at each prompt, which is not feasible for logistical reasons. The second is to give the user alternate credentials, which in effect grants that user administrative privileges over the entire computer. Both are poor solutions.
For administrators, however, UAC is an excellent protection against actions that were not launched by the user but by malicious code running in the background. Until the administrator consents to the prompt, the process runs with a filtered token that is effectively a standard user’s, so the malicious code cannot modify protected OS files or the machine-wide Registry hives. Note the limit of that protection: anything the user’s own profile and HKEY_CURRENT_USER permit is still writable by that code.
What changed for UAC in Windows 7
In response to complaints about UAC pop-ups and the overall low adoption of Windows Vista, Microsoft attempted to remove the negatives from UAC in Windows 7. Because of the security UAC provides for administrators, the technology was not stripped out altogether; instead, UAC was changed to prompt only for certain types of routine OS changes rather than for all tasks.
This separation of allowed and denied tasks in Windows 7 is controlled by a “slider” that lets a different level of security be set on each desktop. The slider provides four levels of control:
Level 1 - Always notify on every system change. This is Vista behavior – a UAC prompt results when any system-level change is made (Windows settings, software installation, etc.)
Level 2 - Notify me only when programs try to make changes to my computer. This is the Windows 7 default. It does not prompt when the user changes Windows settings, such as Control Panel and administration tasks.
Level 3 - Notify me only when programs try to make changes to my computer, without using the Secure Desktop. This is the same as #2, but the UAC prompt appears on the normal desktop instead of the Secure Desktop. While this is useful for certain video drivers which make the desktop switch slowly, note that the Secure Desktop is a barrier to software that might try to spoof your response.
Level 4 - Never notify. This turns off UAC altogether.
Effect on enterprise security with Windows 7 UAC
For this discussion, let’s first consider the effect of Windows 7 UAC on administrators. The overall goal of UAC in Windows 7 is to give administrators control over which tasks and actions UAC will monitor. In essence, if the task is a “well-known” Windows component, it is not monitored: it elevates silently, which means it runs with full administrative privileges without the user ever being asked.
Unfortunately, every setting below Level 1 was shown to be bypassable by researchers within a few weeks, because the Windows components that elevate silently can be driven by code that is already running as the user. There is no need to go into the details; you can read all about the compromise here. If anything less than Level 1 of Windows 7 UAC has already been compromised, is any further discussion needed to see the effect on enterprise security?
Next, let’s consider how giving a non-IT user control over the UAC slider would affect enterprise security. When it comes to security, non-IT users should not have a say. Security regulatory requirements, such as HIPAA, FDCC, and others, clearly indicate that employees should be standard users, not administrators, on their desktops. The reason is that non-IT users are typically not educated in security best practices for their computer and cause more damage than good when configured as administrators.
Finally, there needs to be a solution for both IT and non-IT users. UAC, in both Vista and Windows 7, provides additional protection against malicious applications running in the background and should be enabled for both types of users. On Windows 7, the slider needs to be set at Level 1; IT users just need to cope with the pop-ups. For non-IT users, UAC should be set to silently deny elevation requests instead of prompting for credentials.
However, the best solution is to allow dynamic elevation of the application, granting the user the ability to run the application without prompts, but still running UAC for security protection. Microsoft recommends using BeyondTrust Privilege Manager for this solution. For non-IT users, implementing a solution like BeyondTrust Privilege Manager to elevate applications requiring administrative privileges in addition to enabling UAC provides a rock solid security and production solution.
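The slider levels and the standard-user recommendation above both map onto a handful of policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following script is an added example, not code from the original article or from any vendor mentioned in it. It reads those values, reports the equivalent slider level and the standard-user prompt behavior, shows whether the current shell holds a filtered token, and, with -Enforce, applies the article’s recommended configuration (Level 1 for administrators, automatic denial for standard users). It assumes Windows 7 or later and that -Enforce is run from an elevated PowerShell; the value-to-level mapping is the documented one for these policies.

```powershell
# Added example: audit (and optionally enforce) the UAC policy values behind the
# Windows 7 slider and the standard-user elevation prompt. Not from the article.
[CmdletBinding()]
param([switch]$Enforce)   # -Enforce writes the recommended values (needs an elevated shell)

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Values that are absent mean "use the Windows 7 default"; fill those in explicitly.
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = if ($null -ne $p.EnableLUA)                  { $p.EnableLUA }                  else { 1 }
        ConsentPromptBehaviorAdmin = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
        ConsentPromptBehaviorUser  = if ($null -ne $p.ConsentPromptBehaviorUser)  { $p.ConsentPromptBehaviorUser }  else { 3 }
        PromptOnSecureDesktop      = if ($null -ne $p.PromptOnSecureDesktop)      { $p.PromptOnSecureDesktop }      else { 1 }
    }
}

function Get-UacSliderLevel($policy) {
    # Level 4 ("Never notify") turns UAC off entirely.
    if ($policy.EnableLUA -eq 0) { return 4 }
    switch ($policy.ConsentPromptBehaviorAdmin) {
        2 { return 1 }   # Always notify: consent prompt on every elevation
        5 { if ($policy.PromptOnSecureDesktop -eq 1) { return 2 } else { return 3 } }
        0 { return 'custom: administrators elevate silently (equivalent to Level 4 for admins)' }
        default { return "custom (ConsentPromptBehaviorAdmin=$($policy.ConsentPromptBehaviorAdmin))" }
    }
}

function Get-StandardUserBehavior($policy) {
    # Group Policy: "User Account Control: Behavior of the elevation prompt for standard users"
    switch ($policy.ConsentPromptBehaviorUser) {
        0 { 'automatically deny elevation requests' }
        1 { 'prompt for credentials on the secure desktop' }
        3 { 'prompt for credentials (default)' }
        default { "unknown ($($policy.ConsentPromptBehaviorUser))" }
    }
}

function Test-Elevated {
    # Under UAC an administrator's normal shell holds a filtered token: the Administrators
    # group is present but deny-only, so IsInRole returns $false until elevation is consented to.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-UacRecommended {
    # Article's recommendation: Level 1 for administrators, silent deny for standard users.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorUser  -Value 0 -Type DWord
}

$policy = Get-UacPolicy
$level  = Get-UacSliderLevel $policy
$policy | Format-List
"Slider level              : $level"
"Standard-user elevation   : $(Get-StandardUserBehavior $policy)"
"This shell is elevated    : $(Test-Elevated)"
if ($level -ne 1) {
    Write-Warning 'Below Level 1: Windows components marked for auto-elevation run elevated without a prompt.'
}
if ($Enforce) {
    if (-not (Test-Elevated)) { throw 'Run from an elevated PowerShell to write HKLM policy values.' }
    Set-UacRecommended
    'Recommended values written. A change to EnableLUA takes effect only after a reboot.'
}
```

These are the same four values that the Security Options node of Group Policy writes (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options). Delivering them through Group Policy rather than the slider is what makes the setting stick on a desktop whose user would otherwise move the slider down: the policy is re-applied at every refresh.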
Biography
Derek Melber (MCSE, MVP) is an independent consultant and speaker, as well as author of the Microsoft Press Group Policy Resource Kit. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, Security, and desktop management. Derek is president of BrainCore.Net which develops end-to-end solutions regarding Group Policy and security for companies. Derek provides Windows security training through MISTI and also delivers custom training and speaking on nearly all Windows topics.
Talkback (most recent of 7)
The slider (except all the way off) has no effect on standard users...
Your article starts off by discussing standard user operations (responding to the prompt with over-the-shoulder or by giving the end user alternate admin credentials). Then you talk about the slider's options. However, unless UAC is all the way off, the slider has no effect on standard users -- it is only for the "protected admin" case.
If I'm a standard user and the slider is at the default Win7 setting (don't prompt for Windows setting changes), if I attempt to make one of these changes I will still get prompted.
Reading your article I either think you don't understand this, or if you do you don't convey it at all.
PB_z, 26th Mar 2009
RE: How Windows 7 UAC shapes enterprise security
When an application is not certified (by MS or its creator, that it is safe in a Windows environment) and bypasses the UAC prompt, why can't it be confined in a sandbox or environment where it cannot do harm to the OS? I'm not technical, but can MS not do this?
antonioalexandercastro, 28th Mar 2009
RE: How Windows 7 UAC shapes enterprise security
"When it comes to security, non-IT users should not have a say. Security regulatory requirements, such as HIPAA, FDCC, and more, clearly indicate that employees should be standard users and not administrators for their desktop. The reason is that non-IT users are typically not educated on security best practices for their computer and cause more damage than good when configured as an administrator."
This is a huge generalization that isn't always true. If you're talking about non-technical users in a call center, for example, it may be true. But if you're talking about an engineering organization (such as a software or hardware company), where IT's job is to support highly technical engineering staff, this type of policy tends to be a huge waste of everyone's time. In those types of environments, IT staff can in some cases be the least technical users in the organization. Those are cases where it makes a lot of sense to give users administrator rights to their local desktops, and enable UAC to keep them aware of background process changes.
barleyguy, 30th Mar 2009
RE: How Windows 7 UAC shapes enterprise security
Apple did it, why can't Microsoft? Apple adopted the Unix / Linux way of dealing with users or programs trying to change system settings: separate all users from each other, all that a user can do is in their home directory, root is the only one that can do everything everywhere, and give the option for the user to authenticate to allow the process to continue (su or sudo; remember, sudo records the commands the user enters). The biggest problem is that a number of old programs need access to a system resource, such as the Program Files folder or the local machine's registry. In Vista, Microsoft could have used the chance to require programs not to have access to those resources, but they chose not to, unlike Apple with OS X. I was hoping Microsoft would get it right with Windows 7, but as you can see they did not!
Yndoendo, 1st Apr 2009
Actually
UAC virtualises registry entries in protected directories so they only load when the particular app is running, and only on the user account in question, so they effectively have.
In fact this is one of the major reasons for a UAC-type system: there are parts of the registry etc. which are not protected, so they don't; apps should be using these if they don't want to generate a prompt.
The only real difference is that protected drive folders do not cover Program Files and so on unless the app is only installed for one user (some apps, like the BlackBerry Desktop Manager, can be installed locally or globally).
jdbukis@..., 12th Jun 2009
RE: How Windows 7 UAC shapes enterprise security
I would like to assign certain privileges for my wife and son and not have to worry about them grumbling about pop-ups every 30 seconds. I had a hard time making Vista understand that I, the user, was also the administrator. In Windows NT 4.0 I had no problems doing this. NT was a box around Win 98, and to enter into the box you had to have the tools to work inside the box, so to speak. Unless those who pour a foundation for a home can also set the pitch for the roof, then he is adept at using all the tools; but for those who just pour the foundation, I would like a say in Vista or Windows 7 or whatever OS. I am just a regular home computer user, able to configure my computer, so I am the only one responsible for hosing it. Why can't Microsoft hear us, the consumers who hold the majority of ownership of any OS? Yes folks, security also belongs in the home. I reverted back to XP to silence the unrest Vista's UAC was causing. How does Microsoft win over the XP users? They need to dress like the homeowner and come to their level of thinking, not to take anything away from the IT people, which is also a priority of Microsoft that needs to be addressed as well. Thanks for listening.
johnemartin25@..., 12th Jun 2009
RE: How Windows 7 UAC shapes enterprise security
One question not answered here: Will admins be able to limit UAC access/options for non-IT users? It's one thing to set UAC privileges a certain way during deployment, but it doesn't help if a user is smart enough to change the settings (in an effort to, say, reduce pop-ups).
Migration Expert Zone, 15th Jun 2009