Windows Vista Application Development: Development Requirements for UAC (User Account Control) (Part 1)

The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC)
Contents

Introduction
Why User Account Control?
How UAC Works
Will UAC Affect Your Application?
Designing Applications for Windows Vista
Deploying and Patching Applications for Standard Users
Troubleshooting Common Issues
References
Conclusion


Introduction


This article is intended to assist application developers with designing Windows Vista capable applications that are User Account Control (UAC) compliant. Detailed steps about the design process are included, along with code samples, requirements, and best practices. This article also details technical updates and changes to the user experience in Windows Vista.



Why User Account Control?


Application developers have consistently created Microsoft Windows applications that require excessive user rights and Windows privileges, often requiring that the executing user be an administrator. As a result, few Windows users run with the least user rights and Windows privileges required. Many enterprises, seeking to balance ease of deployment and ease of use with security, have often resorted to deploying their desktops as administrator due to standard user application compatibility problems.



The following list details additional reasons it is difficult to run as a standard user on computers running operating systems earlier than Microsoft Windows Vista.



1. Many Windows applications require that the logged on user be an administrator, but these applications do not actually require administrator-level access. These applications perform a variety of administrator access checks before being permitted to run, including:

   a. Administrator access token checks.

   b. "All access" access requests in system protected locations.

   c. Data writing to protected locations, such as %ProgramFiles%, %Windir%, and HKEY_LOCAL_MACHINE/Software.

2. Many Windows applications are not designed with the concept of least-privilege and do not separate user and administrator functionality into two separate processes.

3. Windows 2000 and Windows XP create every new user account as administrator by default; therefore, key Windows components, such as the Date and Time and the Power Management control panels do not work well for a standard user.

4. Windows 2000 and Windows XP administrators must create two separate user accounts—one for administrative tasks and a standard user account to perform day-to-day tasks. Therefore, users must log off their standard user accounts and log in again as an administrator, or use Run As to perform any administrative tasks.


With User Account Control (UAC), Microsoft provides a technology to simplify deploying standard user desktops in the enterprise and at home.



Building on the Windows security architecture, as originally designed in the Microsoft Windows NT 3.1 operating system, the UAC team sought to implement a standard user model that was both flexible and more secure. In previous versions of Windows, one access token was created for an administrator during the logon process. The administrator's access token includes most Windows privileges and most administrative security identifiers (SIDs). This access token ensures that an administrator can install applications, configure the operating system, and access any resource on the computer.



The UAC team took a drastically different approach to designing the access token creation process in Windows Vista. When an administrator user logs on to a Windows Vista computer, two access tokens are created: a filtered standard user access token and a full administrator access token. Instead of launching the desktop (the Explorer.exe process) with the administrator's full access token, the filtered standard user access token is used. All child processes inherit from this initial launch of the desktop, which helps limit the attack surface of Windows Vista. By default, all users, including administrators, log on to Windows Vista as standard users.



Note   There is one exception to the preceding statement: Guests log on to the computer with fewer user rights and privileges than standard users.

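The split-token design described above can be observed directly from a running process. The PowerShell script below is an added example, not code from the original article or from Microsoft: it queries the current process token for its TOKEN_ELEVATION_TYPE and TOKEN_ELEVATION values through a small P/Invoke wrapper (the class name TokenProbe and the helper names are mine; the constants 18 and 20 are the winnt.h values for TokenElevationType and TokenElevation), and it also shows the managed WindowsPrincipal check. Run it once in a normal PowerShell window and once in an elevated one on a Windows Vista or later computer with UAC on: the first reports the filtered (Limited) token, where the Administrators SID is present but deny-only, so IsInRole returns False even for an administrator; the second reports the Full token.

```powershell
# Added example (not part of the original article): inspect which of the two
# Vista access tokens this process is running with. Assumes Windows Vista or
# later with UAC enabled; the TokenProbe class below is my own wrapper.

$source = @'
using System;
using System.Runtime.InteropServices;

public static class TokenProbe
{
    // TOKEN_INFORMATION_CLASS values from winnt.h
    const int TokenElevationType = 18;
    const int TokenElevation     = 20;
    const uint TOKEN_QUERY       = 0x0008;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           out int info, int length, out int returned);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Both information classes return a single 4-byte value, so one helper serves both.
    static int Query(int infoClass)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            int value, returned;
            if (!GetTokenInformation(token, infoClass, out value, sizeof(int), out returned))
                throw new System.ComponentModel.Win32Exception();
            return value;
        }
        finally { CloseHandle(token); }
    }

    // TOKEN_ELEVATION_TYPE: 1 = Default (no split token: a real standard user, or UAC off),
    // 2 = Full (the administrator token used after approval),
    // 3 = Limited (the filtered token the desktop and its child processes run with).
    public static int ElevationType() { return Query(TokenElevationType); }

    // TOKEN_ELEVATION.TokenIsElevated: nonzero when the process holds the full token.
    public static bool IsElevated() { return Query(TokenElevation) != 0; }
}
'@
Add-Type -TypeDefinition $source

$typeNames = @{ 1 = 'Default'; 2 = 'Full'; 3 = 'Limited' }
$elevationType = [TokenProbe]::ElevationType()

# Managed view of the same token: in the Limited token the Administrators SID is
# marked deny-only, so the role check fails even though the user is an administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$inAdmins  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"User                 : $($identity.Name)"
"Token elevation type : $($typeNames[$elevationType])"
"Process is elevated  : $([TokenProbe]::IsElevated())"
"Administrators role  : $inAdmins"
```

An application that needs to know whether it is already running with the full token should test TOKEN_ELEVATION (or the Limited/Full elevation type) rather than just group membership, because a membership check alone cannot distinguish a true standard user from an administrator whose token has been filtered.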


When an administrator user attempts to perform an administrative task, such as installing an application, UAC prompts the user to approve the action. When the administrator user approves the action, the task is launched with the administrator's full administrator access token. This is the default administrator prompt behavior, and it is configurable in the local Security Policy Manager snap-in (secpol.msc) and with Group Policy (gpedit.msc).



Note   An administrator account on a Windows Vista computer with UAC enabled is also called an administrator account in Admin Approval Mode. Admin Approval Mode identifies the default user experience for administrators in Windows Vista.



Each administrative elevation is also process specific, which prevents other processes from using the access token without prompting the user for approval. As a result, administrator users have more granular control on what applications install while greatly impacting malicious software that expects the logged on user to be running with a full administrator access token.



Standard users also have the opportunity to elevate within a task flow to perform administrative tasks by using the UAC infrastructure. When a standard user attempts to perform an administrative task, UAC prompts the user to enter valid credentials for an administrator account. This is the default standard user prompt behavior, and it is configurable in the local Security Policy Manager snap-in (secpol.msc) and with Group Policy (gpedit.msc).

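The administrator and standard user prompt behaviours described in the two paragraphs above are what secpol.msc and gpedit.msc configure, and both snap-ins store the result as registry values under the Policies\System key. The script below is an added example, not from the original article: it reads those values (EnableLUA, ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser are real value names; the meaning table is taken from the Windows security policy documentation rather than from this article, and the values 3 to 5 were added after Vista) and flags the settings that weaken the approval model the article describes.

```powershell
# Added example (not part of the original article): audit the UAC prompt policy.
# Assumes Windows Vista or later; value meanings are from the security policy
# documentation and are not stated in the article itself.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$adminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials (Vista default)'
    3 = 'Prompt for credentials on the secure desktop'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
    }
}

function Describe($table, $value) {
    if ($null -eq $value) { return 'not set' }
    $text = $table[[int]$value]
    if ($null -eq $text) { $text = 'unknown value' }
    "$value - $text"
}

# Each finding names a setting that removes the per-task approval step, so an
# administrator's full token (or a standard user's path to one) is left unguarded.
function Test-UacPolicy($policy) {
    $findings = @()
    if ($policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is off, so administrators run with the full token at all times.'
    }
    if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin = 0: elevation is silent, which defeats Admin Approval Mode.'
    }
    if ($policy.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'ConsentPromptBehaviorUser = 0: standard users cannot elevate in place and will be pushed toward running as administrator.'
    }
    $findings
}

$policy = Get-UacPolicy
"EnableLUA                  : $(Describe @{ 0 = 'UAC off'; 1 = 'UAC on' } $policy.EnableLUA)"
"ConsentPromptBehaviorAdmin : $(Describe $adminBehavior $policy.ConsentPromptBehaviorAdmin)"
"ConsentPromptBehaviorUser  : $(Describe $userBehavior $policy.ConsentPromptBehaviorUser)"
Test-UacPolicy $policy
```

Reading the key needs no elevation, so the script runs with the filtered token; changing the values does, and should be done through the snap-ins the article names so that Group Policy and the local policy stay consistent.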


For detailed information about "Why User Account Control?" see the Windows Help file. To find this article in the Help file, expand Fundamentals, expand Secure Applications, expand Developing Secure Applications, and then click User Account Control (UAC).



To be continued...
