Limiting Yourself In Windows
Published: 09/13/2009
Everywhere you go, everywhere you turn, someone is always talking about how their computer is infected with a virus / trojan / worm / malicious-code-of-the-week. You hardly ever hear about this from OS X, Linux, and BSD users. Is Windows such a sensitive, fragile operating system platform that it's that prone to easy infection?
No matter how fast the hardware or how current your software stack is, configuration plays a major role in the general functioning and stability of your machine. The modern computer is an amazingly complex system of moving parts, all working simultaneously with many degrees of interdependence: service applications running in the background (essentially regular programs hooked into Windows' Service Manager so they can start without a user launching them), OS subsystems such as the disk and security management components, networking protocols, drivers, anti-virus and software update checkers, user-initiated applications such as browsers, chat clients, office and document readers, the hardware itself, dependent library files used by applications, and on and on...
Needless to say, any modern operating system is a highly intertwined maze of operations all (hopefully) working in harmony while sharing the same physical resources such as memory and disk.
If you want to dramatically reduce your chances of being infected and your machine being used as a mindless zombie bot to attack other machines without your consent, read on...
The basics of least-privilege
When an application (whether a user program or an OS background service) is running, a copy of it lives in memory as a defined process, a temporary container of memory space. Every process lets the application perform its work through one or more threads that execute its code. Most importantly, every process works in the context of some kind of account.
In other words, everything happening within the system is managed and tracked by some kind of account definition. When a user logs into the machine, she does this by presenting account information that's assigned to her. When the operating system itself needs to do its job scrubbing the floors of the digital environment, it has to do this using one of three built-in machine accounts. These ingrained, permanent machine accounts are:
- Local System
- Local Service
- Network Service
And just like any organization, every employee in the business has different levels of access or privilege. The three accounts above cannot be invoked by a human user, which is why Windows comes with some pre-defined accounts such as Administrator and Guest. Furthermore, Windows has several pre-defined groups (such as Administrators, Power Users, Backup Operators, Users, Guests), each with a different set of privileges. If you create an account and make it a member of, say, Power Users, then that new account inherits all the privileges of that group.
Privilege level is extremely important in computer security since it affects exactly how much damage can be caused or prevented through the use of an account. If a user logs into the computer with an account that's a member of the Administrators group, then every application the user launches runs as that account. For example, if the user launches Internet Explorer, then Windows only sees that as, "the account xyz launched this application and it's now running as a process with administrator-level privileges." The OS doesn't see the human user - it only sees and cares about the account in question and its privilege level. This is why it's a bad idea to share an account between two or more people. If multiple people use the same account, there's no way to track the individual human and what she did. As far as the computer's concerned, it's user account xyz.
Really old Windows versions such as 95, 95 OSR2, 98, 98 SE, and ME didn't have this type of account distinction, as each was essentially a "consumer, home user platform" with everything running in memory as one global generic user and no careful tracking or auditing of actions. In the business world of the 1990s, Windows NT had the so-called "New Technology" architecture, which featured this account separation, kernel mode vs. user mode, etc. This eventually evolved to Windows 2000, then XP, then Server 2003, then Vista, and now Windows 7. Most users of Windows 9x and ME eventually migrated onto an NT-based platform: XP. All minor versions of each OS version (such as "Home" vs. "Professional") share the same architecture design.
In virtually all cases these days when a user buys or sets up a computer with Windows, the first account she logs in with is a member of the Administrators group. This group essentially has complete access to the operating system and can shine a light into almost every dark corner in the depths of the virtual environment. While this full level of access feels convenient, it also proves dangerous when the user performs operations without understanding the complex underlying set of automated tasks involved and the risks they entail. A simple mistake can be costly - for example, accidentally formatting a drive.
In the computer security industry, there exists a fundamental concept known as "least privilege." This means that you are granted only the ability to perform the work you need to do and nothing more. Military folks can relate to this since the chain of command has a natural structure to allow low-level individuals only a small level of clearance while senior staff can access large-scale information. On the other hand, there may also exist mechanisms to ensure senior staff can't accidentally leak highly-classified information. This level of containment is important in the security field.
Back in the computing world, this same concept of security boundaries exists to define limits on what users can and can't do. Running as an administrator all the time has potentially dangerous consequences, many of which aren't noticeable up-front since, for example, web browsers automate a lot of tasks when rendering a web page, obey the wishes of the websites, etc., without giving the user a chance to make decisions for each individual step along the way. If the user were prompted to decide on each individual action, it would take a long time to get through rendering a single web page because of all the human decision-making required.
This is why creating and using restricted accounts is an important first step when establishing a more secure environment within Windows. Since the environment is so complex and virtually no user has enough information to weigh the risks of different aspects of computer usage when pressing a button involves light-speed transactions, it's better to ensure least-privilege rather than running with a fully-privileged account and eventually shooting yourself in the foot. Although the term "limited account" implies the obvious, the terminology within the Microsoft world may be a bit inconsistent. In Windows XP, the term "restricted account" was used, while Windows Vista and 7 use "standard user." They're the same thing.
The LSA, user accounts, security tokens, and you
So we know that applications and services run as processes, which are mapped to accounts, which are themselves mapped to a set of can-and-can't-do privileges. This all works based on an invisible concept called a security token. When a user boots the computer, logs into the machine, and sees the desktop environment, a number of things happen in the background during that whole process.
1. The computer boots, loads the operating system environment including the various subsystems into memory, and then presents an authentication dialog of some sort. In Windows NT 4.0, 2000, and XP, this was referred to as the GINA (Graphical Identification and Authentication) dialog. Vista and 7 use an extensible architecture referred to as Credential Providers. Home users might not see this if they have one account defined on the machine with no password and the desktop environment is loaded automatically, which is effectively analogous to leaving the front door wide open to the house.
2. The user enters in credentials. Windows has a subsystem called the Local Security Authority (LSA) which checks the username / password combination to see if they "match" against the internal accounts database known as the Security Accounts Manager (SAM). I say "match" (with quotes) because the actual password string isn't stored in its original form, but instead a hash. Assuming the password is correct, the OS then checks that the account is allowed to log on interactively to the desktop. In the home computing world, this is almost always the case.
3. As the user is logging into the desktop environment but before the Windows Explorer shell loads with the Start menu, task tray, etc., the LSA generates a security token for the user account. This is like an all-day pass to your favorite theme park. It checks the group the account is a member of (Administrators, Power Users, etc.) and lists the privileges assigned to that account. It then writes this information into the security token that will be used for this logon session. Basically, the LSA is attaching the all-day pass to your t-shirt to show the park employees what rides you're allowed to go on.
4. The desktop environment loads. More specifically, the Winlogon component of the LSA launches the userinit.exe process under the user account's security context, which in turn launches the other processes that create your desktop environment: explorer.exe, applications designed to run when you log into your desktop account such as chat clients, etc. Therefore, from the operating system's perspective, these applications are running in the privilege / security context of your account.
5. Whenever you attempt to perform an operation such as changing the time or creating another user account, the LSA first intercedes like a checkpoint guard and says, "Papers, please." If it sees that you have the privilege of changing the time, it will let you. If not, it stamps "Access denied" in your face lovingly.
6. The same thing occurs with modifying objects on the file system. If you try to access a file on an NTFS filesystem (common in Windows), the LSA will intercede to check your group membership listed on your security token, compare it against the access-list on the file or folder you're trying to read or write, and determine whether you have the permission to do so.
Windows Vista and 7 - the upgrades no one talks about
Let's be frank - everyone talks about User Account Control with passionate hate. However, based on what I've read, most of these folks usually don't understand UAC or why it's necessary with an architecture such as Windows.
While most home users may view Windows as a simple utility, the design of any NT-based platform is geared more toward large business environments where centralized policy enforcement is a big necessity. It no longer makes sense for Microsoft to create a completely separate codebase for the home consumer market vs. the large enterprise, therefore the products (while marketed differently with slightly different editions such as Home Basic, Home Premium, Business, Enterprise, and Ultimate) are essentially the same. Most editions are considered "retail" while Enterprise edition can only be obtained through business-related software assurance licensing agreements.
UAC was designed to introduce the whole idea of least-privilege to the masses who were already accustomed to having full control of everything at their fingertips. Some learning curve was inevitable, while Mac OS X and other Unix users have been doing this for a long time. Traditionally, such high levels of access for Windows users translated to all kinds of havoc caused by the user. Technically (and software bugs aside), many security problems are the user's fault: trace an installed virus back and you find a website download, performed by a browser, launched by a user who handed it complete system-wide access privileges. While no user sees this actually happening, this is what happens under the hood all the time through what's called "token impersonation."
UAC has a setting called Admin Approval mode (which doesn't apply to the disabled local Administrator account by default). This means any account that is a member of the Administrators group runs under this mode and when a user logs in with such an account, the LSA assigns a split-token for the logon session. This is essentially a two-sided access badge. One side has a limited privilege set which says, "I'm just the janitor, I need to get into the bathroom" while the other side says, "I'm really an FBI agent, let me into the server room."
You can see the differences in privilege by opening a command prompt and typing in:
whoami /all
USER INFORMATION
----------------

User Name       SID
=============== ============================================
mypc01\jsmith   S-1-5-21-129390034-790986113-1427260136-1376


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                          Attributes
====================================== ================ ============================================ ===============================================================
Everyone                               Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                 Group used for deny only
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-512  Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-520  Group used for deny only
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-2383 Group used for deny only
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-518  Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-519  Group used for deny only
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-1299 Group used for deny only
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-1301 Mandatory group, Enabled by default, Enabled group, Local Group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-572  Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                  Mandatory group, Enabled by default, Enabled group, Local Group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
Note the listed privileges, and that BUILTIN\Administrators is marked "Group used for deny only." Now open an elevated command prompt and run the same command to see the difference. Since the command prompt is now elevated, the whoami output reflects the elevated side of the access badge.
USER INFORMATION
----------------

User Name       SID
=============== ============================================
mypc01\jsmith   S-1-5-21-129390034-790986113-1427260136-1376


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                          Attributes
====================================== ================ ============================================ ===============================================================
Everyone                               Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-512  Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-520  Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-2383 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-518  Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-519  Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-1299 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-1301 Mandatory group, Enabled by default, Enabled group, Local Group
                                       Unknown SID type S-1-5-21-129390034-790986113-1427260136-572  Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level   Label            S-1-16-12288                                 Mandatory group, Enabled by default, Enabled group, Local Group


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
The whoami.exe command is native to Vista and 7, but for earlier versions of Windows a resource kit download is required.
By default, everything the admin-level account does uses the first side of the badge. Surfing the web, eating virtual pizza, whatever. However, sometimes the user tries to perform a particular operation which the OS feels a bit sensitive about. The LSA then steps in and says, "I need to verify that you have clearance to this area." That's when the elevation prompt flashes over the Secure Desktop (which is a layer underneath the prompt which prevents trojans from pressing Continue without your knowledge; it looks like a darkened desktop in Vista). If the user approves and presses Continue, then the OS allows the process to continue but invokes the account's other side of the badge and elevates the process.
This is the same case when writing to protected areas of the system, such as performing delete operations within the C:\Program Files directory. When the admin user tries to delete something with the default lower-privilege side of the badge, the NTFS permission check doesn't allow the operation. The OS, however, sees that a second side of the token exists and prompts to see if the user really invoked the operation. If the user confirms this, then the real administrative side of the token is invoked and the operation continues.
A complementary part of UAC which is not very widely known is a mandatory access control mechanism referred to as "integrity levels." Before Vista, Windows as an operating system relied on a discretionary access control mechanism, meaning that the owners of particular objects (such as files and folders) had the power to grant access to different accounts with different permission levels. For example, the user david could create a file and grant Modify permissions to the account kelly. While the Modify permissions might let the kelly account rename and delete the file, that account cannot take ownership of the file because Full Control permissions were not granted by david.
Integrity levels are a global, system-wide policy which overrides any conflicting result of the discretionary access set up by object owners. For example, even if the kelly account had been granted Modify permissions to that file, if the integrity level assignment was more restrictive than those Modify permissions, then the result would be lesser or no access for the kelly account.
There are six integrity levels:
- Installer
- System
- High
- Medium
- Low
- Untrusted
I've personally never dealt with Installer or Untrusted, and in most cases users would deal with Low, Medium, or High. In short, file system objects and processes are assigned integrity level labels such as Medium.
In operation, processes of various integrity levels can read file system objects of all integrity levels, but only write or modify ones that have an equivalent integrity level or lower. This is what's known as the "no write-up" policy.
One noticeable area where integrity levels affect users on a day-to-day basis is Internet Explorer. By default, IE runs at a Low integrity level in Vista and 7, also referred to as "Protected Mode." This essentially sandboxes the browser so that any downloaded objects which attempt to load themselves into memory and wreak havoc across the system are contained, since almost everything else is given a Medium integrity level or higher.
Although users won't encounter integrity level issues on a day-to-day basis, this feature is something to be aware of. Microsoft has finally caught up with other operating systems which have had these kinds of mechanisms in place for some time. For further observation regarding integrity levels, download Process Explorer and change the column settings to display it. You'll need to elevate the application to see information for processes running at an integrity level higher than Medium.
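The same per-process labels can be read without Process Explorer. This is an added PowerShell example, not from the article and not Sysinternals' code; it queries each process token's integrity label through the Win32 token API. The LP.Native wrapper and the Get-ProcessIntegrityLevel function are my own names, and it assumes Vista/7 or later with PowerShell 2.0+.

```powershell
# Added example, not from the article: list the integrity level of every process
# this shell can query, the same data Process Explorer's "Integrity" column shows.
# Run it un-elevated and again elevated: from a Medium process the tokens of
# High and System processes cannot be opened and are reported as n/a.

if (-not ('LP.Native' -as [type])) {
    Add-Type -Namespace LP -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int needed);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
}

$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # Vista+: granted across integrity levels
$TOKEN_QUERY                       = 0x0008
$TokenIntegrityLevel               = 25       # TOKEN_INFORMATION_CLASS member

function Get-ProcessIntegrityLevel([int]$ProcessId) {
    # Returns the label RID (4096 Low, 8192 Medium, 12288 High, 16384 System),
    # or $null when the process or its token cannot be opened from this context.
    $hProc = [LP.Native]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { $hProc = [LP.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId) }
    if ($hProc -eq [IntPtr]::Zero) { return $null }
    try {
        $hToken = [IntPtr]::Zero
        if (-not [LP.Native]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hToken)) { return $null }
        try {
            # First call only reports the buffer size; the second fills a
            # TOKEN_MANDATORY_LABEL whose first field is a pointer to the label SID.
            $needed = 0
            [void][LP.Native]::GetTokenInformation($hToken, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$needed)
            if ($needed -eq 0) { return $null }
            $buf = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
            try {
                if (-not [LP.Native]::GetTokenInformation($hToken, $TokenIntegrityLevel, $buf, $needed, [ref]$needed)) { return $null }
                $sidPtr = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidPtr)
                # The label SID is S-1-16-<level>; the last sub-authority is the level.
                return [int]($sid.Value -split '-')[-1]
            } finally { [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
        } finally { [void][LP.Native]::CloseHandle($hToken) }
    } finally { [void][LP.Native]::CloseHandle($hProc) }
}

# Names as whoami and Process Explorer print them.
$levelNames = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }

Get-Process | Sort-Object Id | ForEach-Object {
    $rid = Get-ProcessIntegrityLevel $_.Id
    if ($rid -eq $null) { $level = 'n/a (access denied)' }
    elseif ($levelNames.ContainsKey($rid)) { $level = $levelNames[$rid] }
    else { $level = "RID $rid" }
    New-Object PSObject -Property @{ PID = $_.Id; Name = $_.ProcessName; Integrity = $level }
} | Format-Table PID, Name, Integrity -AutoSize
```

A Protected Mode Internet Explorer tab shows up as Low while an elevated shell shows High, which is the difference the "no write-up" policy enforces between them.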
Create your first restricted account
The first step to achieve least-privilege in Windows is to create a user account that is only a member of the group Users. The Users group has very few privileges assigned to it, but it allows the common day-to-day tasks for member accounts that are constrained to each account's own environment. Using most applications, shutting the machine down, etc. is permitted. On the other hand, operations that affect the global configuration of the operating system, such as installing applications, writing into sensitive areas of the OS, etc., are blocked, unless the application install only writes to the user's home directory and user-specific registry keys.
The direct way to do this via a GUI is to use the Local Users and Groups interface (lusrmgr.msc). An easier way to do this is via command line using one command:
net user jamessmith mybadpassword /add
and this creates an account called "jamessmith" with the password "mybadpassword" in the Users group. Vista and 7 users will have to use an elevated command prompt to execute this.
While using the Control Panel's User Accounts applet is common, the command line or the Local Users and Groups MMC snap-in allows much more granular control over how accounts are created (with the exception of updating the account's picture).
Testing your limits
There are some simple ways to see whether your new so-called limited account really is limited. When you log into the desktop, everything looks the same as before, but here are some dead giveaways:
- Can you view the Security event log (eventvwr.exe)?
- Can you create a folder within C:\Windows?
- Can you open the Local Security Policy MMC (secpol.msc)?
- Can you create new user accounts?
If you're a Windows Vista or 7 user, by default a real standard user would have to now provide credentials of an admin-level account when elevating a process rather than simply hitting a button for confirmation.
If the Local Security Policy is set to deny elevation (secpol.msc » Local Policies » Security Options » User Account Control: Behavior of the elevation prompt for standard users), then elevation for limited user accounts is not even possible. This might be appropriate for accounts provided to children.
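The two-sided badge described in the UAC section and the dead giveaways listed here can be checked from one script. This is an added PowerShell example, not from the article; the report wording and the probe folder name are my own, and it assumes Vista/7 or later with PowerShell 2.0+ (whoami, Get-WinEvent and the UAC policy registry key it reads are standard Windows).

```powershell
# Added example, not from the article: report which side of the UAC badge this
# shell is using, its integrity level and privileges, then probe two of the
# "dead giveaways". Needs no elevation; the probe folder is removed if created.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# On a split token the Administrators group is present only "for deny", so
# IsInRole() returns $false until the process is elevated (the other badge side).
$usingAdminSide = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# The integrity label rides in the token's group list as an S-1-16-* SID; its
# last sub-authority is the level: 4096 Low, 8192 Medium, 12288 High, 16384 System.
$levelNames = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
$labelSid = $identity.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
$levelName = 'not reported'
if ($labelSid) {
    $rid = [int]($labelSid.Value -split '-')[-1]
    if ($levelNames.ContainsKey($rid)) { $levelName = $levelNames[$rid] } else { $levelName = "RID $rid" }
}

# Privileges are not exposed through .NET, so parse whoami's CSV output instead.
$privs = @(whoami /priv /fo csv /nh | Where-Object { $_ -match '^"' } |
          ConvertFrom-Csv -Header 'Privilege','Description','State')
$enabled = @($privs | Where-Object { $_.State -eq 'Enabled' }).Count

"User:             $($identity.Name)  ($($identity.User.Value))"
"Integrity level:  $levelName"
"Admin badge side: $usingAdminSide"
"Privileges:       $($privs.Count) listed, $enabled enabled"

# Dead giveaway 1: the Security event log is readable only with admin-level access.
try {
    Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop | Out-Null
    'Security log:     readable (admin-level access)'
} catch {
    'Security log:     access denied (limited account, as expected)'
}

# Dead giveaway 2: creating a folder inside C:\Windows.
$probe = Join-Path $env:windir "lp-probe-$PID"    # folder name is my own choice
try {
    New-Item -ItemType Directory -Path $probe -ErrorAction Stop | Out-Null
    Remove-Item $probe -Force
    'C:\Windows:       writable (admin-level access)'
} catch {
    'C:\Windows:       access denied (limited account, as expected)'
}

# The secpol.msc setting "Behavior of the elevation prompt for standard users"
# is stored here: 0 = automatically deny, 1 = prompt for credentials on the
# secure desktop, 3 = prompt for credentials (the default).
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"Standard-user elevation policy (ConsentPromptBehaviorUser): $($uac.ConsentPromptBehaviorUser)"
```

Run it from the new restricted account and again from an elevated prompt: the first shows Medium, $false and two denials, the second High, $true and the full privilege list from the elevated whoami output.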
In any case, you've taken the major first step in preventing automated attacks from hijacking your machine through social engineering, drive-by attacks through the browser, silent trojan installations, etc. Keep in mind that while malicious code may not be able to embed itself as easily into sensitive OS directories, it could still potentially write into your home directories if it's designed to attempt that.
Until Windows Vista was released, Microsoft never emphasized the importance of least-privilege. Users defaulted to accounts with administrative privileges out of the box, software companies assumed that users would run in that security context, and as a result some applications have become unusable on Windows without high privileges.
Least-privilege isn't just about limiting yourself. It's about working smarter.