…with contributions from Aaron Gierak, Voltaire Toledo, and Jeremy Pavlov.
The User Account Control (UAC) Challenge
It is commonly known that in XP you have to give end users Administrator privileges in order to do even the most simple routine tasks; like changing the system clock, plugging in a USB drive, running a defrag, updating software, or even running security products. Of course you can use the RunAs command, but that still requires having an Administrator password – which defeats the security purpose of a limited user account. And just when we thought moving to Windows 7 would eliminate this security privilege nightmare, enter UAC…
User Account Control (UAC) is a technology aimed to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have Administrator privileges assigned to it, but the applications that the user runs do not inherit those privileges unless they are approved beforehand, or the user explicitly authorizes it.
It is possible to turn off UAC while installing software, and re-enable it at a later time. However, this is not recommended since File & Registry Virtualization is only active when UAC is turned on – and if UAC is switched off, user settings and configuration files may be installed to an unintended location (i.e. a system directory rather than a user-specific directory). Also Internet Explorer 7’s “Protected Mode” – whereby the browser runs in a sandbox with lower privileges than the standard user – relies on UAC; and will not function if UAC is disabled.
The Application Virtualization Question
So is application virtualization the solution? If a virtualized package runs at the kernel level, does it eliminate having to give an XP user Administrator rights? When you repackage an application that you have been running in XP – in order to port to Win7 – does the app skate by UAC in a way that allows you to keep UAC turned on?
By default, UAC virtualizes requests for protected resources to provide compatibility with applications not developed for UAC. This is important because many applications written for Windows XP and earlier operating systems assume that the user has administrative privileges and attempt to write to protected resources such as the Program Files or System folders. The first time an application makes a change to a virtualized resource, Windows copies the folder or registry key to the location within the user’s profile. Then, the change is made to the user’s copy of that resource. UAC virtualization is designed to allow already-installed applications to run successfully with standard user privileges, even if they store temporary files or logs in a protected folder.
Installs, Upgrades, and Updates
Many of the problems with UAC come from application installs or upgrades/updates where a new driver or an action that requires UAC acceptance is needed. With application virtualization – especially a tool like Symantec’s Workspace Streaming where you package from the kernel level – you can bundle the drivers *inside* the virtual app. As a result, nothing would ever be required of the end-user since nothing is ever “installed”.
However, another issue that bumps against UAC is what we commonly call the “Secondary Execution Event”, where a loaded executable decides to make a call on its own (outside of the one that the app designer intended). For instance, if a permitted/intended executable launched, and then it calls out to the manufacturer for an updated version, or the latest driver, that is not pre-bundled in the package. Examples of this are the Juniper VPN agent or the MS Security Center executable.
Panacea or Pariah?
The good news is that application virtualization absolutely does address UAC and elevation features by isolating areas that normally prevent non-elevated users from writing to them by creating a virtual HKLM registry hive, Windows and Program Files. Virtualizing applications also mitigates potential conflicts in a shared session environment like Remote Desktop Servers or XenApp.
However, is application virtualization the silver bullet to fix all elevation and UAC issues? The answer is “it depends”. If the application explicitly requires elevated privileges within its manifest, then it will always present a UAC prompt. In addition, if the application attempts to make a system change like a driver installation or some kind of self-updating feature, it will force Windows 7 to prompt you for elevation. These challenges can be further addressed with tools such as AppSense Application Manager, or Viewfinity Privilege Management (which elevate a user’s privilege on a per-executable basis), or SystemGuard (which can elevate privileges to write to the registry).
The bottom line is that application virtualization brings many advantages. In addition to extending the life of legacy applications, reducing deployment costs, and reducing user downtime caused by install/uninstall issues and application conflicts, many UAC issues can be mitigated with application virtualization, especially when coupled with effective use of user virtualization tools.
Next installment – Application Streaming…