System account in Windows 7


In this article we will talk about User Account Control (UAC), which is based on the principle of least user privilege. Compared to Windows Vista and Server 2008, Windows 7 and Server 2008 R2 include several improvements to this functionality. We will also go into detail about access tokens and the logon process.

Most security problems in recent versions of Windows had one main cause: most users ran Windows with administrator rights. Administrators can do whatever they want with a computer running Windows: install programs, add devices, update drivers, install updates, change registry settings, run utilities, and create and modify user accounts. Although this is very convenient, having these rights leads to a huge problem: any spyware that gets into the system also runs with administrator rights, and can therefore cause enormous damage both to the computer itself and to everything connected to it.

Windows XP tried to solve this problem by creating a second level of accounts, called restricted users, which had only the most necessary permissions, but this approach had a number of disadvantages. Windows Vista addressed the problem again with User Account Control, which is based on the principle of least user privilege.

The idea is to create an account level that has no more rights than it needs. These accounts cannot make changes to the registry or perform other administrative tasks. User Account Control is used to notify the user before making changes that require administrator rights.

With the advent of UAC, the access control model changed in a way that helps mitigate the effects of malware. When a user tries to start certain system components or services, a User Account Control dialog appears, giving the user the choice of whether to continue the action with administrative privileges or not. If the user does not have administrator rights, he must enter the credentials of an administrator account in that dialog to run the program he needs.

UAC requires administrator approval for such changes, so unauthorized applications cannot be installed without the administrator's explicit consent. This article describes in detail how User Account Control works in the Windows 7 operating system.

Compared to Windows Vista and Windows Server 2008, the Windows 7 and Windows Server 2008 R2 operating systems bring the following improvements to User Account Control:

The number of tasks that a regular user can perform without requiring administrator approval has increased;

A user with administrator rights is allowed to configure the UAC level from the Control Panel;

There are additional local security policy settings that allow local administrators to change the behavior of UAC prompts for local administrators in Admin Approval Mode;

There are additional local security policy settings that allow local administrators to change the behavior of UAC messages for standard users.

Most users do not need such a high level of access to the computer and operating system. Often users are unaware that they are logged on as administrators when they check email, browse the web, or run software. Malware installed by an administrator can damage the system and affect all users. Because UAC requires administrator approval for installation, unauthorized applications are not installed automatically without the explicit consent of the system administrator.

Because UAC allows users to run applications as standard users:

IT departments can be confident in the integrity of their environment, including system files, audit logs, as well as system settings;

Administrators no longer have to spend a lot of time defining permissions for tasks on individual computers;

Administrators gain more effective control over software licensing, since they can ensure that only authorized applications are installed. They no longer have to worry about their networks being compromised by unlicensed or malicious software.

UAC Specifications

Access token. Access tokens contain the security information of a logon session that identifies the user, the user's groups, and privileges. The operating system uses the access token to control access to securable objects and to control the user's ability to perform various system-related operations on the local computer. On a system with UAC enabled there are two kinds of access token: the standard user access token, which has only the privileges needed for interactive use and is the default for any Windows user, and the full administrator access token, which has the maximum privileges allowed for an administrator account. When a user logs on, an access token is created for that user. The access token contains information about the level of access granted to the user, including security identifiers (SIDs).

Admin Approval Mode. Admin Approval Mode is a User Account Control configuration in which a split user access token is created for an administrator. When an administrator logs on to a Windows computer, two separate access tokens are assigned to him. If Admin Approval Mode is not used, the administrator receives only one access token, which gives him access to all Windows resources.

Request for consent. The consent prompt appears when a user attempts to perform a task that requires administrator rights. The user gives consent or refuses by clicking on the “Yes” or “No” button.

Request for credentials. Standard users are prompted for credentials when they attempt to perform a task that requires administrator access. The user must provide the name and password of an account that is a member of the local administrators group.

How UAC works

User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop.

With UAC, applications and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system.

The UAC Control Panel allows you to choose from four options:

Notify on every change made to the system: this is the Windows Vista behavior - the UAC dialog appears every time the user tries to make any change to the system (changing Windows settings, installing applications, etc.);

Notify only when applications try to make changes to the system: in this case no notification appears when the user changes Windows settings himself, for example through Control Panel or snap-ins;

Notify only when applications try to make changes to the system, without using the secure desktop: the same as option 2, except that the UAC dialog appears as an ordinary dialog rather than on the secure desktop. This can be useful with certain graphics drivers that make switching between desktops difficult, but in this mode the prompt offers no protection against applications that mimic the UAC dialog;

Never notify: this setting completely disables UAC.

Login process in Windows 7

The following figure shows how the login process for an administrator differs from that of a standard user.

For security, by default both standard users and administrators access system resources and run applications in the security context of a standard user. When a user logs on, an access token is created for him. The access token contains information about the access level assigned to the user, including security identifiers (SIDs).

When an administrator logs on, two separate access tokens are created: a standard user access token and a full administrator access token. The standard user access token contains the same user-specific information as the full administrator access token, but without the administrative privileges and SIDs. The standard user access token is used to run applications that do not perform administrative tasks, and it is the token used to start the desktop (explorer.exe). Explorer.exe is the parent process from which the user launches other processes, and they inherit its access token. As a result, all applications run as a standard user, except when the application specifically requires administrative access.

A user who is a member of the Administrators group can log on, browse web pages and read email while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 7 automatically prompts for approval to use administrative rights. This notification is called a credential prompt, and its behavior can be configured using the Local Security Policy snap-in (Secpol.msc) or Group Policy.

Every application that requires an administrator access token must be started with administrator consent. The exception is the relationship between parent and child processes: child processes inherit the user access token of the parent process. Both parent and child processes, however, must have the same integrity level.

Windows 7 protects processes by marking them with integrity levels. Integrity levels are measures of trust. High-integrity applications are those that perform tasks that can modify system data, while low-integrity applications are those that perform tasks that could potentially damage the operating system. Applications with a lower integrity level cannot modify data in applications with a higher integrity level.

When a standard user tries to run an application that requires an administrator access token, UAC requires the user to provide administrator credentials.
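As an added example (not from the article), this PowerShell script reports which of the two tokens described above the current process holds, and at which integrity level; it assumes Windows 7 or later with UAC enabled, PowerShell 2.0 or newer and an English-language whoami:

```powershell
# Added example (not from the article): report which token the current
# PowerShell process holds. Assumes Windows 7 or later with UAC enabled,
# PowerShell 2.0 or newer and an English-language whoami.

function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # WindowsIdentity.Groups lists it even when the token carries it as
    # "used for deny only", which is how the filtered standard user token
    # of an administrator looks.
    $adminSidPresent = [bool]($identity.Groups |
        Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # IsInRole honours the deny-only attribute: it is $true only when the
    # Administrators SID is enabled, i.e. for the full administrator token.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # The integrity level is not exposed by the managed API on Windows 7,
    # so parse the "Mandatory Label\..." row of whoami /groups instead.
    $labelRow = whoami /groups | Select-String 'Mandatory Label'
    $integrity = if ($labelRow) {
        ($labelRow.Line -split '\s{2,}')[0] -replace '^Mandatory Label\\', ''
    } else {
        'unknown'
    }

    $kind = if ($elevated) {
        'Full administrator access token (elevated process)'
    } elseif ($adminSidPresent) {
        'Standard user access token of an administrator (Admin Approval Mode, not elevated)'
    } else {
        'Standard user access token'
    }

    New-Object PSObject -Property @{
        User            = $identity.Name
        AdminSidPresent = $adminSidPresent
        Elevated        = $elevated
        IntegrityLevel  = $integrity
        TokenKind       = $kind
    }
}

# A child process inherits this token, so the result applies to any program
# started from this prompt unless it is started with "Run as administrator".
Get-TokenSummary | Format-List User, TokenKind, AdminSidPresent, Elevated, IntegrityLevel
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator" to see the same administrator account reported with the filtered token (Medium integrity) and with the full token (High integrity).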

UAC user experience

When UAC is enabled, the experience of a standard user differs from that of an administrator in Admin Approval Mode. An even more secure way of using Windows 7 is to make your primary account a standard user account. Working as a standard user maximizes security. With the built-in elevation component of UAC, standard users can easily perform administrative tasks by entering the credentials of a local administrator account.

The alternative to running applications as a standard user is to run them as an administrator with elevated rights. With the built-in elevation component of UAC, members of the local Administrators group can easily perform administrative tasks by giving their approval. By default, the built-in elevation component for an administrator account in Admin Approval Mode is the consent prompt. The behavior of the UAC elevation prompt can be configured using the Local Security Policy snap-in (Secpol.msc) or Group Policy.

With UAC enabled, Windows 7 asks for consent or for local administrator credentials before running a program or task that requires a full administrator access token. This prompt ensures that spyware cannot be installed silently.

The consent prompt appears when a user attempts to perform a task that requires an administrator access token. Below is a screenshot of the UAC consent prompt.


The credential prompt appears when a standard user attempts to run a task that requires an administrator access token. This prompt for standard users can be configured using the Local Security Policy snap-in (Secpol.msc) or Group Policy. The credential prompt can also be required for administrators by setting the policy User Account Control: Elevation prompt behavior for administrators in Admin Approval Mode to Prompt for credentials.

The following screenshot shows an example of a UAC permission request.

UAC elevation requests

UAC elevation prompts are color-coded according to the application, so that you can immediately identify potential security risks. When an application tries to run with a full administrator access token, Windows 7 first analyzes the executable file to determine its publisher. Applications fall into three categories by executable publisher: Windows 7, verified publisher (signed), and unverified publisher (unsigned). The following image shows how Windows 7 decides which elevation prompt color to display to the user.

The color coding for elevation requests is as follows:

A shield icon appears on a red background: the application is blocked by Group Policy or blocked due to an unknown publisher.

A golden shield icon on a blue background: the application is a Windows 7 administrative application, such as a Control Panel item.

A blue shield icon appears on a blue background: the application is signed and trusted on the local computer.

A yellow shield icon appears on a yellow background: the application is unsigned, or signed but not trusted on the local computer.

Elevation prompts use the same color coding as dialog boxes in Windows Internet Explorer 8.

Shield icon

Some Control Panel items, such as Date and Time, contain a mix of administrative and standard user operations. Standard users can see the time and change the time zone, but a full administrator access token is required to change the system date and time. Below is a screenshot of the Date and Time dialog in Control Panel.

The shield icon on the Change Date and Time button indicates that this process requires a full administrator access token and will prompt you for UAC elevation.

Securing the elevation prompt

The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 7. Only Windows system processes can access the secure desktop. For a higher level of security, it is recommended to keep the group policy User Account Control: Switch to the secure desktop when prompting for elevation enabled.

When an executable file requests elevation, the interactive desktop, also called the user desktop, switches to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt in which the user must decide whether to continue with the task. When the user clicks Yes or No, the desktop switches back to the user desktop.

Malicious software can imitate the secure desktop, but when the policy User Account Control: Elevation prompt behavior for administrators in Admin Approval Mode is set to Prompt for consent, the malware does not gain elevated rights even if the user clicks the "Yes" button on the imitation. If the policy is set to "Prompt for credentials", however, an imitation prompt can collect the user's credentials.
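The Control Panel levels and policies discussed above are stored as registry values under the UAC policy key. The following PowerShell script, added here and not part of the article, reads them and flags the weak settings; it assumes the documented value names EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop (not taken from the article) and Windows 7 or later:

```powershell
# Added example (not from the article): audit the registry values that back
# the UAC settings described above. Value names are the documented UAC policy
# values, not taken from the article. Assumes Windows 7 or later; reading
# HKLM does not require elevation, changing it does.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Elevation prompt behavior for administrators in Admin Approval Mode"
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
# "Elevation prompt behavior for standard users"
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    # A value that is missing from the key is reported as 0 here
    New-Object PSObject -Property @{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = [int]$p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Test-UacPolicy($policy) {
    $findings = @()
    if ($policy.EnableLUA -eq 0) {
        $findings += 'UAC is disabled ("Never notify"): administrators run every process with the full token.'
    }
    if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators are elevated without a prompt; Admin Approval Mode gives no protection.'
    }
    if (@(1, 3) -contains $policy.ConsentPromptBehaviorAdmin) {
        $findings += 'Administrators are asked for credentials; an imitation prompt could collect them (prefer "Prompt for consent").'
    }
    if ($policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'Prompts appear on the user desktop, where other applications can imitate them; enable "Switch to the secure desktop".'
    }
    $findings
}

$policy = Get-UacPolicy
"UAC enabled (EnableLUA)       : $($policy.EnableLUA -eq 1)"
"Administrator prompt behavior : $($AdminBehavior[$policy.ConsentPromptBehaviorAdmin])"
"Standard user prompt behavior : $($UserBehavior[$policy.ConsentPromptBehaviorUser])"
"Prompt on secure desktop      : $($policy.PromptOnSecureDesktop -eq 1)"

$findings = @(Test-UacPolicy $policy)
if ($findings.Count -eq 0) {
    'No weak UAC settings found.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}

# Remediation for the most common weak setting (needs an elevated prompt;
# on a domain-joined machine Group Policy will reapply its own value):
# Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
```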

Quite often several people use one computer. In this case you may need to allow some users one thing and others another. For example, you can allow some users to install programs on the computer but not others. You can also allow some users to use a program or file while denying it to others. And finally, you can make sure that each computer user has his own settings and appearance for the desktop, windows, and Windows as a whole.

To make all this possible, it is necessary to register each of the intended users in the system - create an account for them. It's like a record card in the HR department.

When the system boots, the Welcome window displays a list of registered users who are allowed to log in to the system. To continue, you will need to indicate which user you are going to work under and enter the appropriate password. After this, the system will finally boot, taking into account the user’s individual settings.

Create an account

To create a new account, open Control Panel (Start > Control Panel) and click the User Accounts icon. A dialog box of the same name appears on the screen (see Fig. 5.1), in which you can perform various operations on your own account, the one you are currently working under. We will learn how to edit accounts in the next section; for now, let's find out how to create a new account.

Fig. 5.1. User Accounts dialog box

After this, go to the other window shown in Fig. 5.2. This window is the most general one and allows you to edit not only your own account but other accounts as well. However, we are now interested in the Create an account link. Click on it. The first thing you need to indicate is the type of account being created, that is, the access rights the owner of the new account will have (Fig. 5.3). There are two possible values:

Fig. 5.2. Existing accounts in the system

Administrator – in this case, the user with this account will have administrator rights. He will have full control over system resources and will be able to change any settings and perform all possible actions.

Normal access – in this case, the rights of the user who owns this account are significantly reduced. He will not have access to basic system settings, will not be able to use some programs, and will also not be able to install most programs.

Additionally, you need to enter the name of the new account in the box located at the top. To create an account, click on the Create account button. After this, the account will be created and will appear in the User Accounts window (Fig. 5.3).

Fig. 5.3. Creating a new account: set the access rights and name

All that remains now is to configure it (by default it does not have its own password).

Setting up and editing your account

To set up an account, first click it in the User Accounts window (Fig. 5.2). After this you will see a list of possible settings and operations that can be performed on this account (Fig. 5.4):

Name change.

Create a password (or change your password).

Changing the picture.

Changing the account type.

Deleting an account.

Setting up parental controls.

Fig. 5.4. Editing your account

Setting an account password

In the future, you can perform any of the above actions, but immediately after creating a new account, the first thing you need to do is set a password for it. Therefore, click on the Create a password link and in the window that appears (Fig. 5.5) enter the password twice, and at the bottom - a hint. However, you don't have to enter a hint.

When finished, click on the Create password button.

Changing your account picture

It may be a good idea to change the picture used to identify your account. To do this, after you select an account in the User Accounts window (Fig. 5.2), click on the Change picture link.

Fig. 5.5. Creating a password

Fig. 5.6. Setting a new picture for the account

As a result of these “super complex” actions, a set of pictures that can be assigned to an account appears on the screen (Fig. 5.6). Select the one you like and click the Change picture button. If none of the standard pictures appeals to you, you can specify your own. To do this, click the Search for other pictures link and indicate which picture you want to use.

Deleting an account

To delete an account, first select it in the User Accounts window (Fig. 5.2), and then in the account properties (see Fig. 5.4) click the Delete account link. After this, you will be asked whether you want to keep the personal files belonging to the user of the account being deleted (Fig. 5.7). If you agree to delete them, the Documents, Pictures and other folders will be deleted, and with them everything that was placed in these folders while the user with this account was working on the computer.

Fig. 5.7. Deleting an account
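The same create, change-type and delete steps can be done from an elevated PowerShell prompt with the built-in net user and net localgroup commands. This is an added example, not part of the book; the account name is a constructed sample, and it assumes Windows 7 or later and a prompt started with "Run as administrator":

```powershell
# Added example (not from the book): the create / change type / delete steps
# of the walkthrough above, done with the built-in net commands from an
# elevated PowerShell prompt (a full administrator token is required).
# The account name is a constructed sample; "net user" asks for the
# password interactively, like the dialog in Fig. 5.5.

$AccountName = 'bookuser'   # constructed sample name, at most 20 characters

function New-StandardAccount($name) {
    # "*" makes net user ask for the password twice instead of taking it
    # from the command line (and therefore from the shell history).
    net user $name * /add
    if ($LASTEXITCODE -ne 0) { throw "Could not create account $name" }
}

function Set-AccountType($name, $type) {
    # "Administrator" in Fig. 5.3 simply means membership of the local
    # Administrators group; "Normal access" means no such membership.
    switch ($type) {
        'Administrator' { net localgroup Administrators $name /add    | Out-Null }
        'Normal access' { net localgroup Administrators $name /delete | Out-Null }
        default         { throw "Unknown account type: $type" }
    }
}

function Get-AccountType($name) {
    # "net user <name>" prints a row such as
    # "Local Group Memberships      *Administrators       *Users"
    $info = net user $name 2>$null
    if ($LASTEXITCODE -ne 0) { return 'No such account' }
    $row = $info | Where-Object { $_ -match '^Local Group Memberships' }
    if ($row -match '\*Administrators') { 'Administrator' } else { 'Normal access' }
}

function Remove-Account($name) {
    # Unlike the dialog in Fig. 5.7 this does not offer to delete the
    # user's files: the profile folder under C:\Users is left in place.
    net user $name /delete | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not delete account $name" }
}

New-StandardAccount $AccountName
"Type after creation : $(Get-AccountType $AccountName)"
Set-AccountType $AccountName 'Administrator'
"Type after change   : $(Get-AccountType $AccountName)"
Set-AccountType $AccountName 'Normal access'
Remove-Account $AccountName
"Type after deletion : $(Get-AccountType $AccountName)"
```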

What is a user account? What types of accounts are there and how are they set up? In this article we will tell you about this and about the advantages of connecting a Microsoft account in Windows 7.

Accounts in Windows are a standard feature designed to let several users of one computer work with it comfortably.

A personal account is a kind of personal space in which a person can organize his work with system settings, files and programs, within the limits of the account type, without interfering with another user's work on the same computer.

So, within a separate account, each user can choose a theme, arrange the icons on the desktop, set the position of tiles on the Start screen (in the case of Windows 8.1), and configure the browser, media players or social networking applications. If the computer's users have secrets from each other, they can protect their accounts with a password.

What types of accounts are there?

Administrator – this type of account is intended for users who have the right to make changes to the operation of the operating system (by their own actions or through software). Administrators have access to all files on the computer, all system services and installed programs, and all accounts on the system.

This is the first account that appears after installing Windows. In organizations the administrator account is used, as a rule, only by IT specialists to maintain the computer and to take security measures protecting trade secrets, while the employee to whom the computer is entrusted does his work under a standard user account. Often, on management's orders, IT specialists use the administrator account to block games or social networks on employees' computers so that working time is not spent on entertainment.

Standard – a personalized user account that provides full use of the computer, except for the ability to make changes to the operating system, change some of its settings or delete important files. The user can give such an account his own name, set his photo as the avatar, and protect the account with a password.

Users of home computers and laptops often use a single administrator account, not even realizing that different accounts can be created for individual family members. Only a few users create separate accounts for children on their home computer with some restrictions - for example, using a shutdown timer if the time allowed by parents to use the computer has expired, or with restrictions on access to sites harmful to children. It is also better to create a separate standard account if you trust your computer device to an adult but inexperienced user. This minimizes the risk of unwanted changes being made to the system.

Guest – this is not a personalized account. It is the most limited in functionality and is meant for temporary use of the computer. You can hand the computer over to the guest account if strangers ask to use it - guests who came to celebrate a holiday, or nice colleagues from a neighboring department. They will be able to surf the Internet, work with some installed program, watch a video or listen to music. And no more: guests cannot install or remove anything without your knowledge.

Where are the system account settings located?

In Windows 7, you can change the settings of an existing account, create a new one or delete an unused one through the Start menu: open Control Panel and go to the “User Accounts and Family Safety” section.

If you have Windows 8/8.1 installed, you can take advantage of the new interface: you need to call up the pop-up panel on the right, select “Settings”, then “Change computer settings - Accounts”.


Benefits of a Windows 8.1 Account

In previous versions of Windows, up to 7 inclusive, the binding to a Microsoft account was not so strict. When installing the system you are asked to register on the software giant's web site, but you can skip this step and continue installing under a local computer account. Not having a Microsoft account makes little difference to working fully with Windows XP, Vista or 7.

In Windows 8 and its evolutionary continuation - version 8.1 - you, in principle, can also skip the step of registering or logging into an existing Microsoft account. But in the future, using only a local computer account, you will not be able to actively use the functionality of the Metro interface. You will need a Microsoft account to work with some standard Metro applications (Mail, Calendar, People, Messages) and the Windows 8/8.1 store.

If the Microsoft account connection step is skipped during Windows 8/8.1 installation, you can return to it at any time. To do this, go to the Metro settings path mentioned above: “Settings – Change computer settings – Accounts”.

What are the advantages of connecting a Microsoft account in Windows 8/8.1?

Single sign-on to Microsoft online services

A Microsoft account is a single key to the software giant's online services, including the Outlook.com email service, the OneDrive cloud storage, the services of the Windows Phone mobile OS, the Xbox LIVE gaming and multimedia service and, of course, the Metro application store for Windows 8/8.1 mentioned above. To register a Microsoft account you need an email address, which will then be your login.

Synchronization of data and Windows 8/8.1 settings

When reinstalling or using this system on another device, connecting a Microsoft account and synchronizing data gives you a previously configured system - with update settings, with network settings, with the selected design theme, with language settings and so on.

Batch installation of applications from the Windows Store

In addition to synchronizing some standard applications, the Windows Store will display a list of applications that you previously installed in a separate “Account” section. From this list you can select all or some of them and activate their batch installation on your computer. Considering that applications install quickly, you can restore the desired state very quickly.


