mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 02:43:43 +00:00
updates
@ -4,19 +4,24 @@ description: User Account Control (UAC) is a fundamental component of Microsoft'
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
ms.topic: article
|
||||
ms.date: 09/23/2021
|
||||
ms.topic: conceptual
|
||||
ms.date: 05/24/2023
|
||||
---
|
||||
|
||||
# How User Account Control works
|
||||
|
||||
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
|
||||
|
||||
## UAC process and interactions
|
||||
|
||||
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
|
||||
Each application that requires the *administrator access token* must prompt for consent. The only exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same *integrity level*.
|
||||
|
||||
To better understand how this process happens, let's look at the Windows logon process.
|
||||
Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust:
|
||||
|
||||
- A *high integrity application* is one that performs tasks that modify system data, such as a disk partitioning application
|
||||
- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web brows
|
||||
|
||||
Applications with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
|
||||
|
||||
To better understand how this process works, let's take a closer look at the Windows logon process.
|
||||
|
||||
### Logon process
|
||||
|
||||
|
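Review bot: the new low-integrity bullet ends in "like as a Web brows", which is ungrammatical and cut off mid-word. It should read "such as a web browser", matching the wording of the paragraph it replaces and the "such as" used in the high-integrity bullet above it. With the integrity-level text now split into a list, it would also help to say explicitly that the same-integrity-level requirement in the preceding paragraph is what limits token inheritance between parent and child, since the sentence that used to follow it directly is now two paragraphs away.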
@ -5,23 +5,24 @@ ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
ms.topic: conceptual
|
||||
ms.date: 05/23/2023
|
||||
ms.date: 05/24/2023
|
||||
---
|
||||
|
||||
# User Account Control overview
|
||||
|
||||
User Account Control (UAC) is a Windows security feature designed to protect the system from unauthorized changes, reducing the impact of malicious software executions. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve the change. UAC improves the security of your device by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.
|
||||
User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.
|
||||
|
||||
Unless you disable UAC, malicious software is prevented from disabling or interfering with UAC settings. UAC is enabled by default and can only be disabled by a user with administrator privileges.
|
||||
Unless you disable UAC, malicious software is prevented from disabling or interfering with UAC settings. UAC is enabled by default, and can be configured or disabled by a user with administrative privileges.
|
||||
|
||||
## Benefits of UAC
|
||||
|
||||
UAC allows all users to log on to their computers using a **standard user account**. Processes launched using a *standard user token* may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including those that are included with the operating system, are designed to work properly in this way.
|
||||
UAC allows all users to sign in their devices using a **standard user account**. Processes launched using a *standard user token* may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Any applications that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including the ones included with the operating system, are designed to work properly this way.\
|
||||
Other applications, especially those that weren't designed with security settings in mind, may require more permissions to run successfully. These applications are referred to as *legacy apps*.
|
||||
|
||||
Other applications, especially those that were not specifically designed with security settings in mind, may require additional permissions to run successfully. These types of applications are referred to as *legacy apps*. When a user attempts to perform an action that requires administrative privileges, such as installing software, changing system settings, or modifying critical files, UAC triggers a **consent prompt**. The prompt notifies the user that a change is about to occur, asking for their permission to proceed:
|
||||
When a user attempts to perform an action that requires administrative privileges, such as installing software, changing system settings, or modifying critical files, UAC triggers a **consent prompt**. The prompt notifies the user that a change is about to occur, asking for their permission to proceed:
|
||||
|
||||
- If the user approves the change, the action is performed with the highest available privilege
|
||||
- If the user does not approve the change, the action is not performed and the application that requested the change is prevented from running
|
||||
- If the user doesn't approve the change, the action isn't performed and the application that requested the change is prevented from running
|
||||
|
||||
:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC prompt in Windows 11.":::
|
||||
|
||||
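Review bot: in the rewritten "Benefits of UAC" paragraph, "sign in their devices" is missing a preposition and should be "sign in to their devices". The same line ends with a trailing backslash used as a hard line break before "Other applications, ..."; since the following text is a separate thought about legacy apps, a normal paragraph break would read better. Separately, the revised sentence now says UAC "can be configured or disabled by a user with administrative privileges" while the sentence before it still claims malicious software is prevented from interfering with UAC settings; consider qualifying the first sentence so the two do not read as contradictory for code that is already running with administrative privileges.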
@ -33,6 +34,6 @@ When an app requires to run with more than standard user rights, UAC allows user
|
||||
|
||||
Learn more about UAC in the following articles:
|
||||
|
||||
- [How UAC works](how-user-account-control-works.md)
|
||||
- [How User Account Control works](how-user-account-control-works.md)
|
||||
- [User Account Control policy settings](user-account-control-security-policy-settings.md): you can configure UAC using group policy or MDM
|
||||
- [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md): list of UAC group policy, CSP, and registry key settings that your organization can use to manage UAC
|
||||
|
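Review bot: the renamed link "How User Account Control works" now matches the target article's title, but it is the only entry in this list without a description after the link. The other two entries each carry a short summary after a colon, so adding one here (for example, that the article covers the logon process and integrity levels) would keep the list consistent.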