Understanding UAC (User Account Control)

UAC is a security feature of Windows 7 that informs you when the action that you want to undertake requires an elevation of privileges. It is common practice, though a bad one, to log in with a user account that has administrator privileges. For instance, a user account that is a member of the local administrators group is used as a normal user account for day-to-day operations such as Internet browsing. Administrative user accounts are intended for administration tasks, and running your computer in this mode all the time presents a security risk, because any program run by the user in this mode runs with the rights and privileges of an administrator.

UAC resolves this problem by allowing a user who is a member of the local administrators group to run as a standard user most of the time and to briefly elevate their privileges, so that they run as an administrator only when they attempt to perform specific elevated tasks. To understand UAC you need to grasp the following concepts:

Privilege elevation: Normal users on Windows 7 run with the rights of a standard user. When a standard user attempts a task that requires administrative privileges, such as creating a new user account, his or her rights need to be raised from those of a standard user to those of an administrative user. This increase in rights is termed privilege elevation. UAC allows users who are members of the local administrators group to have administrative rights, but ensures that the person is aware of each elevation of privileges. Elevation occurs only for specific tasks, and each task generates its own UAC prompt, even when several are executed at the same time.

Admin Approval mode: Admin Approval mode is when an administrator must give explicit approval for elevation to occur by responding to the UAC prompt. The UAC prompt might require either clicking Yes, referred to as prompting for consent, or entering a user name and password, referred to as prompting for credentials.

Secure Desktop: Secure Desktop ensures that malware is unable to alter the display of the UAC prompt as a method of tricking you into allowing administrative access. When you configure UAC to use the secure desktop, the desktop is unavailable when a UAC prompt is triggered. You must respond to the UAC prompt before you can interact with the computer. If you do not respond to a UAC prompt on a Secure Desktop within 150 seconds, Windows automatically denies the request for privilege elevation and the computer returns to the standard desktop.
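
To see how Admin Approval mode, the prompt type and Secure Desktop are configured on a machine, the following PowerShell reads the UAC policy values from the registry and flags weak settings. It is an added example, not part of the original article; the function name Get-UacFinding and the sample hashtable are constructed for illustration, and the registry value names are the standard UAC policy values.

```powershell
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacFinding {
    param([hashtable]$Policy)  # value name -> DWORD; an absent name means "not set"

    # Meanings of ConsentPromptBehaviorAdmin (the prompt shown to administrators)
    $adminPrompt = @{
        0 = 'elevate without prompting'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries'
    }
    $behavior = $Policy['ConsentPromptBehaviorAdmin']

    if ($Policy['EnableLUA'] -ne 1) {
        'FINDING: EnableLUA is not 1, so Admin Approval Mode is off'
    }
    if ($null -eq $behavior) {
        'INFO: ConsentPromptBehaviorAdmin is not set'
    } elseif ($adminPrompt.ContainsKey($behavior)) {
        "INFO: administrators get: $($adminPrompt[$behavior])"
        if ($behavior -eq 0) {
            'FINDING: elevation happens silently, with no consent or credential prompt'
        }
    } else {
        "INFO: unrecognized ConsentPromptBehaviorAdmin value $behavior"
    }
    # The secure desktop is used when the switch is on, or when the prompt
    # behavior itself (1 or 2) asks for it.
    $secure = ($Policy['PromptOnSecureDesktop'] -eq 1) -or (@(1, 2) -contains $behavior)
    if (-not $secure) {
        'FINDING: prompts appear on the normal desktop, not the Secure Desktop'
    }
}

# Constructed sample: UAC on, but silent elevation and no secure desktop
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
Get-UacFinding -Policy $sample

# Live check of the local machine
$props = Get-ItemProperty -Path $path
$live = @{}
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
    if ($null -ne $props.$name) { $live[$name] = [int]$props.$name }
}
Get-UacFinding -Policy $live
```

The constructed sample produces two findings (silent elevation and no Secure Desktop); a machine with prompting and the secure desktop enabled produces only the INFO line.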