User Account Control

Over the years, the most common security threats have changed from viruses to worms and, most recently, to spyware and Trojan horses. To help protect users from these types of malicious software, Microsoft recommends using accounts with limited privileges (known as standard user accounts in Windows Vista or Limited user accounts in Windows XP). Standard user accounts help prevent malware from making system-wide changes, such as installing software that affects multiple users—if a user lacks permission to install a new application to a shared location, such as %SystemRoot%\Program Files, any malware the user accidentally runs is also prevented from making those changes. In other words, malware run in the context of the user account has the same security restrictions as the user.

Although standard user accounts do improve security, using standard user accounts with Windows XP and earlier versions of Windows results in two major problems:

• Users cannot install software, change the system time or time zone, install printers, change power settings, add a WEP key for wireless settings, or perform other common tasks that require elevated privileges.

• Many poorly written applications require administrative privileges and do not run correctly with limited privileges.

Although logging on to your computer as a standard user offers better protection from malware, working with this type of account has been so difficult in the past that many organizations choose to give users administrative privileges on their computers. User Account Control (UAC) is a set of features first introduced in Windows Vista that offers the benefits of standard user accounts without the unnecessary limitations. First, all users (including administrators) run with limited privileges by default. Second, Windows Vista allows standard user accounts to change the time zone (but not the time) and perform other common tasks without providing administrative credentials, which enables organizations to configure more users with Standard accounts. Third, UAC enables most applications—even those that require administrative privileges on Windows XP—to run correctly in standard user accounts.

When Windows Vista was first released, many users struggled with the application compatibility and with the frequency of UAC prompts generated by applications. Over time, application developers have modified their applications so that they run correctly with standard user privileges and thus do not require a UAC prompt. This was one of the original goals of UAC—to motivate application developers to comply with security best practices.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

No comments:

Cloud storage is for blocks too, not just files

One of the misconceptions about cloud storage is that it is only useful for storing files. This assumption comes from the popularity of file...