Vista User Account Control: Lose a Little, Gain a Lot
There's good news, and there's bad news. Let's start with the bad. Vista has removed the ability to use "runas" with Windows Explorer. The nice little workaround explained in our last article on running your desktop as a non-admin in WinXP has been squashed. The good news? What Microsoft calls "User Account Control (UAC)" in Vista is an earth-shattering improvement for least user privilege (LUA) in Microsoft-land.
Assuming that our previous article has convinced you to run your desktop as a non-admin, let's begin by discussing UAC.
The core of UAC is a separation of administrator rights from the administrator. By default, when members of the local administrators group log on to their desktops in Vista, they're actually operating with a standard (non-admin) user security token. If users need to perform an administrative task or install software, Vista will prompt them for approval to use their administrator security tokens. There are various forms of approval for providing access to use the administrator token. By default, Vista will prompt members of the administrators group with an OK/Cancel style dialog box, no credentials required. You can also configure Vista to ask users for their credentials each time they want to use the administrator token. For a standard user, Vista can be configured to simply deny administrator-level tasks, or it can be configured to prompt for an administrator's credentials. These options can be configured from Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options.
The administrator token approval process takes place in what Microsoft calls the "secure desktop." You can tell you are in the secure desktop when everything disappears from the screen and the only thing remaining is an approval prompt. According to Microsoft, "the secure desktop can only receive messages from Windows processes, which eliminates messages from malicious software." This is an important feature because it means that users may actually be more secure with a prompt for the administrator token that does not require credentials: malicious code could try to simulate the look of the secure desktop and grab credentials from a user's own keystrokes.
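The prompt behaviour and secure desktop options described above are stored as registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following Python script is an added example, not part of the original article: it parses the output of "reg query" for that key and flags settings that weaken those protections. The sample output is constructed, and the value meanings are the ones Vista defines.

```python
import re

# Registry values behind the Security Options settings (Vista meanings).
ADMIN_PROMPT = {0: "elevate without prompting", 1: "prompt for credentials",
                2: "prompt for consent (OK/Cancel)"}
USER_PROMPT = {0: "automatically deny elevation", 1: "prompt for credentials"}

# Constructed sample of `reg query` output for the key, not from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    ConsentPromptBehaviorUser    REG_DWORD    0x1
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x0
"""

def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in reg.exe output."""
    pattern = r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t\r]*$"
    return {name: int(raw, 16) for name, raw in re.findall(pattern, text, re.M)}

def audit_uac(values):
    """Summarise the configured behaviour and list settings that weaken UAC."""
    findings = []
    if values.get("EnableLUA") != 1:
        findings.append("EnableLUA is not 1: Admin Approval Mode is off or unset")
    admin = values.get("ConsentPromptBehaviorAdmin")
    if admin == 0:
        findings.append("administrators are elevated without any prompt")
    elif admin not in ADMIN_PROMPT:
        findings.append(f"ConsentPromptBehaviorAdmin={admin!r}: missing or not a Vista value")
    user = values.get("ConsentPromptBehaviorUser")
    if user not in USER_PROMPT:
        findings.append(f"ConsentPromptBehaviorUser={user!r}: missing or not a Vista value")
    secure = values.get("PromptOnSecureDesktop")
    if secure != 1 and 1 in (admin, user):
        findings.append("credentials are requested outside the secure desktop")
    elif secure != 1:
        findings.append("elevation prompt is shown outside the secure desktop")
    summary = {"admin": ADMIN_PROMPT.get(admin, "unknown"),
               "standard_user": USER_PROMPT.get(user, "unknown"),
               "secure_desktop": secure == 1}
    return summary, findings

if __name__ == "__main__":
    summary, findings = audit_uac(parse_reg_query(SAMPLE))
    print(summary)
    for finding in findings:
        print("WEAK:", finding)
```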
There are pros and cons to each of the UAC configurations. For what it's worth, I run Vista desktop as a standard domain user under standard local user privileges. When a local administrator token is needed, an elevated domain account that has been added to the local administrators group is used. This protects against attacks from remote users who may have obtained the standard domain user credentials from an unsecured workstation. Ever checked your e-mail at a friend's house?
With all of our options for elevating local privileges on the table, let's examine how to actually instantiate the approval process. It's quite simple; many control panel forms have been modified to show basic information by default. They add a link or button with a little shield icon to prompt for elevation and open the modifiable administrative tool. Vista also tries to be "smart" and automatically prompts for an elevated token when it thinks users are running an install program. Finally, users can always right-click on an object and choose "Run as administrator."
It's worth noting that UAC is much more user friendly than trying to run as a restricted local user in XP. I recently installed Thunderbird 2.0 in the hopes that it would fix an LDAP address lookup bug in Thunderbird 1.x running on Vista. In XP, installing programs is sometimes painful because the installation generally runs under an elevated account's profile. Icons are created in the wrong place, etc. With UAC, clicking on the installer immediately prompted for elevated credentials and Thunderbird installed without any quirks. And in case you were wondering, the LDAP lookup bug was fixed!
While UAC does a great job protecting local system resources from user error and malware, it does not do anything to protect network resources. For this reason it is important to log on to our desktops as a standard domain user. Unfortunately, Vista removes some of the tools available in XP that made it easier to elevate domain credentials when necessary. We can no longer run an elevated Windows Explorer window. We've also lost the ability to right-click and use "Run as..." through the GUI. This option has been replaced by "Run as administrator" in Vista. While this is great for local account elevation, it doesn't help us with domain account elevation. We can no longer right-click on Active Directory Users and Computers or Command Prompt and choose "Run as..." to perform administrative tasks.
Just when you think that it couldn't get any worse, try installing the Windows Server 2003 Service Pack 1 Administration Tools Pack. You'll find that it doesn't register icons in the Start menu, and you won't have any luck trying to run the .msc files directly from the windows\system32 folder. All is not lost, however; check out this article for a fix and some additional idiosyncrasies.
This translates into two choices for systems administrators: become a command line geek or run Windows XP on Virtual PC 2007. For the command line option, it's helpful to create a shortcut that opens your command prompt with an elevated domain account. The following is an example shortcut target:
%SystemRoot%\system32\runas.exe /env /user:DOMAIN\AdminAccount "cmd /t:4f"
The "/t:4f" will change the background color to red to distinguish it as an elevated window. Once the shortcut is created you will need to right-click it and choose "Run as administrator" to use it. From here you can spawn administrative tools such as AD Users and Computers by typing "admgmt.msc". See a complete list of tools by browsing to Windows\System32 and typing "dir *.msc".
The Windows XP virtual PC option is nice for several reasons. First, it provides a good container for running multiple administrative tools. Second, the administrative tools pack will install and run without any trouble. Third, users can drag and drop files from their regular desktops to the virtual PC. They can also use remote desktop protocol (RDP) to connect to another XP system, but will lose the ability to drag and drop files.
Now that we have Vista there is really no excuse for running our desktops as a local administrator. Though it seems like Microsoft actually made it more difficult to run as a standard domain user, virtual PC provides a good alternative to "runas" with Windows Explorer.