Configuring User Account Control

Most users sign in to their computers with a user account that has more privileges to run their applications and access their data files than required. Using an administrative user account for day-to-day user tasks poses significant security risks.

Windows 10 provides UAC to simplify and help secure the process of elevating your account rights. However, unless you know how UAC works and how it can affect your users, you might have problems when you attempt to carry out typical end user support tasks. This section introduces how UAC works and how you can configure UAC notifications.

Understanding User Account Control

The User Account Control security feature provides a way for users to raise their privilege status from a regular user account to an Administrator account, without allowing them to sign into or switch user profiles. UAC is a collection of features, not just a prompt. Such features, which include File and Registry Redirect, Installer Detection, UAC prompt, ActiveX Installer Service, and others, allow Windows users to work with user accounts that are not part of the Administrators Group.

Such accounts, typically called standard users, are commonly described as having the least privileges to work with. The most important fact is that the experience is usually much more secure and reliable when users sign in with regular user accounts.

With Windows 10, as opposed to older operating systems, the number of applications and activities requiring the elevation of administrator rights is lower. This helps normal users do more while receiving fewer prompts for elevation, and increases compatibility with UAC while maintaining high safety standards.

When you need administrator-level permissions to make changes to your computer, UAC will notify you, as follows:

• If you're an administrator, then click Yes to proceed.
• If you're not an administrator, then the person on the machine with an Administrator account must enter their password so that you can begin or resume executing the task at hand.

The following screenshot shows the User Account Control prompt/pop-up window:

Figure 7.1 - The User Account Control elevation prompt

If you are a standard user, providing administrative credentials gives you administrator rights to complete the task. When you complete the task, permissions revert to those that a standard user has.

This means that no one can make changes to your device without your permission, even if you use an Administrator account. This helps prevent malicious users from installing spyware and malware on your computer or making changes to it.

We will now see how UAC works.

Knowing how UAC works

Windows 10 offers two types of user accounts: standard users and administrative users. UAC simplifies users' abilities to operate as standard users and perform all necessary daily tasks. Administrative users also benefit from UAC, because administrative permissions are only available after UAC requests permission from the user for that instance.

Once you allow UAC, Local Administrators group members run the same access token as regular users. A process can only use the full access token of an administrator once authorized by a member of the current Administrators group.

This method forms the basis of the Admin Approval Mode principle. Users are only elevated to perform tasks requiring access via an administrator token. UAC asks the user to enter appropriate credentials for an Administrator account when a regular user tries to perform an administrative function. An example of a UAC prompt for end users is shown in Figure 7.2. This dialog box is the user prompt for the default standard behavior.

The prompt for elevation shows contextual information regarding the current executable task, which requests elevation. The meaning varies according to whether Authenticode Technology signs the application. There are two variations of the elevation prompt: the consent prompt and the credential prompt.

Elevation entry points do not remember that elevation has occurred, such as when you return from a shielded location or task. As a result, the user must re-elevate to enter the task again.

The Windows 10 Operating System (OS) reduces the number of UAC elevation prompts for a standard user who performs everyday tasks. There are times, however, when it is appropriate to return an elevation prompt. For example, you don't need elevation to view Firewall settings. Changing the settings does, however, require elevation as the changes have a system-wide impact.

Most of the time, you should sign into your computer with a standard user account. Without an Administrator account, you can browse the internet, send emails, and use a word processor. You do not need to move/log into an Administrator account if you want to perform an administrative function, such as installing a new program or modifying a setting that will affect other users.

Before performing the task, you will be asked by the Windows OS for permission or an administrator password. The best practice is to create standard user accounts for all of the people that use your computer. Now, let's learn about standard user accounts.

Understanding standard users

In previous versions of the Windows OS, many users were configured to use administrative permissions rather than standard user permissions. This was because previous Windows versions required users to have administrator permissions to perform basic system tasks, such as adding a printer or configuring a time zone. In Windows 10, many of these tasks no longer require administrative permissions.

When users have administrative permissions on their computers, they can install additional software. Despite organizational policies against installing unauthorized software, many users still do it, which can make their systems less stable.

When you enable UAC and a user needs to perform a task that requires administrative permissions, UAC prompts the user for administrative credentials. In an enterprise environment, the help desk can give a user temporary credentials that have local administrative permissions to complete a task. The default UAC setting allows a regular user to complete the following tasks without receiving a request from UAC:

• Installing Windows Update updates
• Installing Windows Update drivers, or drivers included with the OS
• Viewing Windows Settings, though a standard user is asked for elevated permissions
• Pairing Bluetooth equipment with the computer
• Resetting the network adapter and conducting other testing and maintenance functions on the network

Earlier, we mentioned that there are two different elevation prompts. A standard user account gets the credential prompt. The credential prompt pops up when the standard user account needs to perform an administrative task:

Figure 7.2 - The UAC credential prompt

As shown in the previous screenshot, the standard user account needs to enter an administrative user's password. In this example, this is to run the Command Prompt in Administrator mode.

Understanding Administrative users

Besides the standard user account, there are also administrative user accounts. Administrative user accounts already have the following permissions:

• Read/write/enact permissions for all resources
• All Windows permissions

Although it may seem obvious that not all users can read, modify, and delete any Windows resource, many enterprise IT departments that run older versions of Windows operating systems have no other option but to assign all of their users to the Local Administrators Group.

One of the benefits of UAC is that it allows users with administrative permissions to operate as standard users most of the time. When users with administrative permissions perform a task that requires administrative permissions, UAC prompts the user for permission to complete the task. When the user grants permission, the task is achieved by using full administrative rights, and then the account reverts to a lower level of permission.

The following screenshot shows us the administrator consent prompt for the Windows Command Prompt:

Figure 7.3 - The UAC consent prompt

When an administrative user account wants to perform an administrative task, then the consent prompt pops up. This administrative user does not need to enter a password because this user is already logged in with an Administrator account.

We will now move on and learn about the different types of elevation prompt.

Understanding the types of elevation prompt

As well as there being two different variations of elevation, there are also different types of elevation prompt. When permission or a password is necessary to complete a task, UAC notifies you with one of three different types of dialog boxes.

The different types of dialog boxes that users see and provide guidance on how to respond to them are described as follows:

• A setting or function that is part of Windows requires your permission to start executing
• Software that is not part of Windows needs your permission to run
• A program with an unknown publisher requires your consent to start

We will now move on and learn how to configure UAC notifications.

Configuring UAC notifications

In Windows 10, you can set UAC so that it notifies you when changes are made to your computer. You have four settings of the elevation prompt experience that you can customize. These are as follows:

• Never notify me: You never want to be notified when programs attempt to update apps or make adjustments to your computer, and when you make changes to Windows settings, you never want to be informed.
• Notify me only when apps try to make changes to my computer (do not dim my desktop): You only want to be notified when programs want to make changes to your computer, without dimming the desktop, and when you make adjustments to Windows settings, you don't want to be notified.
• Notify me only when apps try to make changes to my computer (default): You only want to be notified when programs want to make changes to your computer and when you make adjustments to the Windows settings, you don't want to be informed.
• Always notify me: You always need to be alerted when programs attempt to install software or make changes to your computer, as well as when adjustments are made to Windows settings.

If you wish to change how your UAC notifications work, follow these steps:

1. Click on Start.
2. Type UAC.
3. Click on Change User Account Control settings.
4. Use the slider to determine how Windows will prompt you.
5. Click on OK and in the UAC dialog box, click Yes:

Figure 7.4 - The User Account Control Settings window

As shown in the previous screenshot, you can move the slider up and down. The default setting is Notify me only when apps try to make changes to my computer. Did you notice the little shield next to the OK button? This means that if you press OK, a UAC prompt will pop up to acknowledge your user rights to perform this change.

In this section, you learned what User Account Control is, how it works, and how you can configure the notification settings of UAC. In the next section, you will look at how to set threat protection and learn about different advanced protection methods.