Microsoft Windows Vista UAC Is Not A Copy Of Unix Access Control Functionality

When Microsoft introduced user Account Control in Windows Vista, the obvious similarities with the access control functionality in Unix were brought into the spotlight. However, the parallelism between Vista UAC and Unix access control stops when it comes down to the "setuid root" capabilities of the latter. Vista, unlike Unix or Mac OS X for […]

When Microsoft introduced user Account Control in Windows Vista, the obvious similarities with the access control functionality in Unix were brought into the spotlight. However, the parallelism between Vista UAC and Unix access control stops when it comes down to the "setuid root" capabilities of the latter. Vista, unlike Unix or Mac OS X for example does not incorporate "functionality shortcuts" such as setuid/suid or sudo. This was an express decision of the designers working on Microsoft's latest operating system and not an accident. There is no way for third-party developers to bypass UAC prompts with their software on Vista. Essentially, the UAC is not set in place to provide a security boundary, which it doesn't by the way, but to train both end users and developers to run, and build programs  that run, with standard user privileges as opposite to administrative rights. This is one aspect that critically separates Windows Vista from its predecessor, Windows XP.

"It is with the release of Windows Vista that the first major move in that direction is achieved. Indeed, the primary purpose of the technologies that comprise UAC is to enable "standard user" to be the default for Windows, encouraging software developers to create applications that do not require admin. The move to standard user is a new paradigm and creates the need for software developers to write applications that do not require admin privileges. Creating a shift in the ecosystem will take a long time due to the large deployed base of legacy applications, and UAC is a good first step," revealed Aaron Margosis, Senior Consultant, Microsoft Consulting Services.

Vista does not allow code to be pre-approved for elevation of privileges. An elevation prompt via the UAC is always necessary to grant administrative privileges. Additionally, there is no way to allow either the user, the developer or any other third-party to set up criteria for code to silently elevate. Margosis explained that Microsoft learned from the mistakes made on Unix. "The complexity and risk compounds when you consider how many apps have extensibility points that load code that you or your IT admin may not be aware of, or that can load code or consume data from user-writable areas with minimal if any validation. Privilege escalation due to setuid and sudo has plagued Unix-like systems for many years, and continues to do so," Margosis added.

The conclusion is simple. Windows Vista will help shift the entire ecosystem built around the Windows platform from administrative to standard user privileges. Of course that where there's a will there's a way. And Microsoft did enable users to turn off UAC. In the same manner, there also is a workaround for the UAC prompt. "There is a Local Security Policy option to change the behavior of the elevation prompt for Administrators to "elevate without prompting". With this option selected, anything that requests elevation gets elevated without prompting the user. (The default setting is "prompt for consent"; the third option is "prompt for credentials". Note that "elevate without prompting" is available only for members of the Administrators group. The options for standard users are "prompt for credentials" and "automatically deny elevation requests")," Margosis said.

Microsoft, Windows Vista, UAC, Vista UAC, Unix, Unix Access Control

Source:→ softpedia