Does this site look plain?

This site uses advanced css techniques

Vista too, mostly

This Tech Tip was written exclusively for the Windows 7 experience, but most of it applies to Vista as well.

In addition, this paper describes workgroup or standalone machine setups only; it does not address the more complex enterprise environments for domain-joined machines.

Windows 7 is now in Release Candidate status (build 7100, May 2009), and many are trying this new operating system. Those who skipped past Vista from XP are finding a new experience and an entirely new security paradigm: User Account Control.

Table of Contents

UAC was introduced with Vista and was widely maligned due to its in-your-faceness, and though it's calmed down some as Vista has been updated, it seems to have really hit its stride in Windows 7. I like UAC a lot.

But even in its imperfect form, it was a good idea, attempting to brighten the terribly blurry line between administrative tasks and user tasks that has plagued Windows since the early days.

Much of this is due to the early consumer operating systems Win95, Win98, and WinME, which maintained no technical distinction between these roles: everybody was always an administrator, and software developers had no way of even thinking about a separation of roles.

But even with the more modern NT-based systems Windows 2000 and Windows XP, it was so painful to really get your work done as a non-administrative user that most people simply gave up and ran with an admin account. This was almost entirely due to poor habits by software developers: they themselves ran as admins, and simply wrote sloppy code that assumed everybody was one too.

Microsoft has been trying very hard to counter this everybody-is-an-admin mentality, and UAC was their attempt at compromise: if you're going to run as admin, at least we can make you aware of the role differences. This is what UAC is attempting to do.

User Account Control explained

User Account Control works by guarding access to administrative rights, and this involves elevations of privilege: when attempting to perform admin tasks, the operating system either auto-elevates to admin rights, or requests some kind of consent or credentials to do so.

Windows 7 recognizes three broad classes of users:

The built-in "Administrator" account
This account is special for a number of reasons, and is disabled by default in Vista and Windows 7. Because this account explicitly turns off some important security features — such as IE Protected Mode, as well as UAC — it's a really bad idea to use Administrator for anything.
I strongly urge leaving the Administrator account disabled!
Keeping this account disabled (which means you won't be tempted to actually use it) will help keep you safer!
An account with administrative rights
Though the user has the ability to elevate to admin rights due to its membership in the local Administrators group, UAC interposes itself at key times with prompts that confirm your intentions:
User Account Control prompt
This is Prompt-for-Consent Mode, and upon clicking [Yes], it will elevate the task and run it as an administrator.
For performing administrative tasks, always use this kind of custom admin account instead of the built-in Administrator.
Windows 7 introduces a slider to the UAC settings that allows for changing the level of UAC prompts, including a setting to disable it entirely (admin-approval mode).
A standard/limited user
"Don't run as root"

UNIX/Linux systems have never had the confusion between what's an administrative task and what's a user task - it was simply always apparent which was which. what.

What's more, the culture of this role distinction is best illustrated by behavior in the newsgroups back in the eighties. If a user posted messages from his root account (the machine's administrator), he would be chastised: "Don't run as root".

These accounts simply do not have the power to perform administrative tasks directly, nor do they have the ability to elevate with a mere confirmation: they instead require credentials such as a password or a smartcard. This is requested via a prompt to the user:
Prompting for SteveAdmin's password
This is informally known as Over-the-Shoulder Mode (where somebody can lean over the user's shoulder to type a password and elevate an approved task).

I strongly believe in limited user accounts!

I've been doing so since XP Service Pack 2, including my laptop and main software-development workstation. It's been painful at times, but it's dramatically lowered the attack surface of my system and has contributed to my Windows machines never suffering a compromise.

Stepping into Windows 7, I of course wanted to run as a limited user, but because I didn't know how it worked (in Win7 or in Vista), I essentially locked myself out of my own machine (see below).

So after figuring it out (and reinstalling a couple of times), I created this Tech Tip to assist a security-minded user to do the safe thing.

This paper presents two procedures: one for a first-time install of the operating system, and one for retrofitting an already-installed system where the main user is a custom admin.

Method 1: New OS installation

A new install is the easiest to get right because there's no prior setup to work around, and the illustration uses two Windows accounts:

The built-in Administrator will not be used in any way, and will remain disabled.

Take these steps to set up Windows 7:

Create SteveAdmin user Install Windows 7, creating a initial user "SteveAdmin"
This should be the usual install-from-DVD process, and the initial parts take some time (and at least one reboot) before asking any questions related to setting up of users.
When prompted, name the first user SteveAdmin; it's automatically created as an administrative account.
If you choose to give the account a password, be sure to remember it: it will be required for all administrative duties on your machine.
Complete the Windows 7 installation
This includes configuring Automatic Updates, addition of required drivers, configuring the network, and the like.
This is all done as the administrative user SteveAdmin.
Create limited user Steve Create a new account "Steve" as a standard user
While logged in as SteveAdmin, navigate to the Control Panel:
  • Click the Start icon
  • Click Control Panel
  • Click Add or remove user accounts under "User Accounts and Family Safety"
  • Click Create a new account underneath the list of current accounts
  • Populate the dialog box with the new user name — Steve — and click the Standard User radio button.
  • Click the [Create Account] button to make it so

Make changes to Steve's account Assign a password to the new user "Steve" (if desired)
Once the account has been created, a list of current users appears with the caption: "Choose the account you would like to change". Click the icon for newly created Steve account, which should be listed as a Standard User.
Click Create a password, and enter a password (twice!), along with a password hint if you like. Note that since you're changing the password for a different user than yourself (Steve versus SteveAdmin), it will present an ominous message:
Ominous message that can be disregarded:

If you do this, Steve will lose all EFS-encrypted files, personal certificates and stored password for Web sites or network resources.

Since this user was just freshly created, there is no private data to lose, so we can ignore this message and proceed.
Dismiss the Control Panel dialogs, log out, and log in as Steve
At this point, Steve is a standard user.

Now that we're a standard user, attempts to perform admin tasks are greeted with a UAC prompt for SteveAdmin's password.

Method 2: Convert an already-installed admin user

This method is used if Windows 7 has been already set up, where the installer user (here: Steve) was automatically created with administrative rights. Though one could technically rename the account to SteveAdmin and make a new Steve as a limited user, this would play havoc with the user profiles, the desktop, and other personal configurations. It's possible to copy profiles around, but it's easier to just create a new admin account and demote this one.

These are the steps:

Create new SteveAdmin user Create a new SteveAdmin user
Login as Steve, who is still an administrative user, and navigate to the Control Panel to create a new user.
  • Click Start icon, nav to Control Panel
  • Click Add or remove user accounts under "User Accounts and Family Safety"
  • Click Create a new account underneath the list of current accounts
  • Populate the dialog box with the new user name — SteveAdmin — and click the Administrator radio button.
  • Click the [Create Account] button to make it so
Now we have a new SteveAdmin account — without a password yet! — and this system now has two admin users.
Setting SteveAdmin's password Assign a password to the new user SteveAdmin (if desired)
Once the account has been created, a list of current users appears with the caption: "Choose the account you would like to change". Click the icon for the new SteveAdmin user, which should be listed as an Administrator.
Click Create a password, and enter a password (twice!), along with a password hint if desired. Note that since you're changing the password for a different user than yourself (SteveAdmin versus your logged-in Steve account), it will present an ominous message:
Ominous message that can be disregarded:

If you do this, SteveAdmin will lose all EFS-encrypted files, personal certificates and stored password for Web sites or network resources.

Since this user was just freshly created, there is no private data to lose, so we can ignore this message and proceed.
This completes creation of the SteveAdmin account, leaving leaving two accounts on the machine with admin rights.
Do not dismiss the dialog yet! We'll be getting right into the next step from here.
Set standard user dialog Demote the user "Steve"
With the SteveAdmin account in good shape, it's time to demote the original installation user Steve from an administrator to a standard user. Since we're still in the Control Panel, we can easily pick up where we left off:
  • Click Manage another account
  • Click the icon on the Steve account
  • Click Change the account type
  • Click the Standard User radio button
  • Click the Change Account Type button
  • Dismiss the control-panel dialogs
The next time user Steve logs in, he'll have strictly standard user powers.
Log out as "Steve", then right back in
Logging out destroys the session token that still has admin rights, so the next login gets the new set of limited rights.

Once logged in as a limited user, attempts to perform admin tasks are greeted with a UAC prompt asking for credentials for the SteveAdmin user.

Disabling the Administrator account

At this point, one of the two procedures has set up a limited user Steve and a proper administrative account SteveAdmin, but some users might have previously enabled the built-in Administrator account as well.

I believe this is a bad idea, and recommend that the account be disabled. This won't be required if you've just installed Windows 7 freshly, or if Administrator does not appear on the login page as an icon for a user who can login.

If you're not sure, the steps to check and disable are almost the same:

Disabling the Administrator account Open the "Manage Users" applet
Enabling and disabling accounts is not done in the same place where you created a new user, so it requires navigating to a new place.
  • Click the Start Icon
  • Right-click on Computer and select Manage
  • Navigate as shown to Users
  • Double-click on the Administrator icon.
  • Insure that Account is disabled is checked (if it was already checked, you're done)
  • Dismiss the dialog boxes

At this point, the Administrator account is disabled and cannot be used to login or to approve UAC elevations. It's not necessary to change the account's password, as disabling the account overrides any password (even a blank one).

Picking a password

password prompt icon Curiously enough, it's not always necessary to have a password on an account. Since an account with a blank password cannot be accessed over the network, you can substantially reduce the attack surface of a machine this way.

But this requires that you have good control of physical security over the machine: if there are users on the machine (or in the environment) who are not allowed to perform administrative duties, it would be a poor idea to have a blank password because it would allow anybody to walk up to the computer and go to town.

In addition, a laptop that leaves the house is probably not a good candidate for a blank password because physical security is seriously problematic.

For most home users, it probably doesn't really matter that much how you choose your password schemes, but if you have any questions about this, please present your scenario to a trusted security adviser for guidance.

Be Careful! Securing yourself out of your own machine

As noted before, I'd not set up Vista before, so were unaware that the Administrator account was disabled by default. This lead to an uncomfortable surprise after demoting the installation account Steve.

After configuring our machine, I'd gone into the Control Panel to downgrade the Steve account to a Standard User. I had unknowingly removed the only remaining admin account, so after logging out and back in (to allow the account change to take effect in our session), the next UAC operation provided this prompt:

Prompt for password with no place to enter it

The careful reader will note there is no place to enter a password!, and to say that was maddening would be an understatement. Depending on your computer's configuration, there may be an invitation to use a Smart Card, but that won't likely do much good on a computer that's not had smartcards configured.

It seems like a poor user experience even though technically it was my own fault.

Special thanks to fellow MVP Susan Bradley and Microsoft smart guy Crispin Cowan, PhD for their invaluable assistance with this paper.

First published: 2009/05/27 (blogged)