Windows 7 User Access Control From Internet Sources Page 1 of 9
Inside Windows 7 User Account Control Mark Russinovich
Standard user accounts provide for better security and lower total cost of ownership in both
home and corporate environments. When users run with standard user rights instead of
administrative rights, the security configuration of the system, including antivirus and firewall, is
protected. This provides users a secure area that can protect their account and the rest of the
system. For enterprise deployments, the policies set by desktop IT managers cannot be
overridden, and on a shared family computer, different user accounts are protected from changes
made by other accounts.
However, Windows has had a long history of users running with administrative rights. As a
result, software has often been developed to run in administrative accounts and take
dependencies, often unintentionally, on administrative rights. To both enable more software to
run with standard user rights and to help developers write applications that run correctly with
standard user rights, Windows Vista introduced User Account Control (UAC). UAC is a
collection of technologies that include file system and registry virtualization, the Protected
Administrator (PA) account, UAC elevation prompts, and Windows Integrity levels that support
these goals. I've talked about these in detail in my conference presentations
and TechNet
MagazineUAC internals
article.
Windows 7 carries forward UAC's goals with the underlying technologies relatively unchanged.
However, it does introduce two new modes that UAC's PA account can operate with and an auto-
elevation mechanism for some built-in Windows components. In this post, I'll cover the
motivations behind UAC's technologies, revisit the relationship between UAC and security
,
describe the two new modes, and explain how exactly auto-elevation works. Note that the
information in this post reflects the behavior of the Windows 7 release candidate, which is
different in several ways from the beta.
UAC Technologies
The most basic element and direct benefit of UAC's technology is simply making Windows more
standard-user friendly. The showcase example is the difference between the privilege
requirements of setting the time zone on Windows XP and Windows Vista. On Windows XP,
changing the time zone—actually, even looking at the time zone with the time/date control panel
applet—requires administrative rights.
That's because Windows XP doesn't differentiate between changing the time, which is a security-
sensitive system operation, from changing the time zone, which merely affects the way that time
is displayed. In Windows Vista (and Windows 7), changing the time zone isn't an administrative
operation and the time/date control panel applet separates administrative operations from the
standard user operations. This change alone enables many enterprises to configure traveling
users with standard user accounts, because users can adjust the time zone to reflect their current
location. Windows 7 goes further, making things like refreshing the system's IP address, using
Windows Update to install optional updates and drivers, changing the display DPI, and viewing
the current firewall settings accessible to standard users.
File system and registry virtualization work behind the scenes to help many applications that
inadvertently use administrative rights to run correctly without them. The most common
unnecessary uses of administrative rights are the storage of application settings or user data in
下载后可阅读完整内容,剩余8页未读,立即下载
jtls
- 粉丝: 8
- 资源: 9
我的内容管理
展开
最新资源
- 李兴华Java基础教程:从入门到精通
- U盘与硬盘启动安装教程:从菜鸟到专家
- C++面试宝典:动态内存管理与继承解析
- C++ STL源码深度解析:专家级剖析与关键技术
- C/C++调用DOS命令实战指南
- 神经网络补偿的多传感器航迹融合技术
- GIS中的大地坐标系与椭球体解析
- 海思Hi3515 H.264编解码处理器用户手册
- Oracle基础练习题与解答
- 谷歌地球3D建筑筛选新流程详解
- CFO与CIO携手:数据管理与企业增值的战略
- Eclipse IDE基础教程:从入门到精通
- Shell脚本专家宝典:全面学习与资源指南
- Tomcat安装指南:附带JDK配置步骤
- NA3003A电子水准仪数据格式解析与转换研究
- 自动化专业英语词汇精华:必备术语集锦
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
