
Windows Server 2012 : Software and User Account Control Administration (part 5) - Maintaining application integrity - Configuring run levels

1/28/2015 8:34:43 PM

Configuring run levels

By default, only applications running with a user’s administrator access token run in elevated mode. Sometimes, you’ll want an application running with a user’s standard access token to be in elevated mode. For example, you might want to start the Command Prompt window in elevated mode so that you can perform administrator tasks.

In addition to application manifests discussed previously, Windows Server provides three different ways to set the run level for applications. You can choose to perform one of the following:

  • Running an application once as an administrator: You can run an application once as an administrator by pressing and holding or right-clicking the application’s shortcut or menu item and then selecting Run As Administrator, as shown in Figure 5. If you are using a standard account and prompting is enabled, you are prompted for consent before the application is started. If you are using a standard account and prompting is disabled, the application will fail to run. If you are using an administrator account and prompting for consent is enabled, you are prompted for consent before the application is started.

    Figure 5. Run an application as an administrator from the shortcut menu.
  • Always running an application as an administrator: Windows Server also enables you to mark an application so that it always runs with administrator privileges. This is useful for resolving compatibility issues with legacy applications that require administrator privileges. It is also useful for compliant applications that normally run in standard mode but that you use to perform administrative tasks. You cannot mark system applications or processes to always run as an administrator. Only nonsystem applications and processes can be marked to always run as an administrator. You can mark an application to always run as an administrator by pressing and holding or right-clicking the application’s shortcut and then selecting Properties. In the Properties dialog box, tap or click the Compatibility tab. Under Privilege Level, select the Run This Program As An Administrator check box, as shown in Figure 6, and then tap or click OK.

Note

If the Run This Program As An Administrator option is unavailable, it means that the application is blocked from always running as elevated, the application does not require administrative credentials to run, or you are not logged on as an administrator.

Figure 6. The option to always run a program as an administrator.
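
To inventory which programs have been marked this way, the following added example (not part of the original text) reads the registry keys where the Compatibility tab stores the flag, per user and for all users. The function name Get-AlwaysElevatedApp is hypothetical.

```powershell
# Added example: list programs flagged to always run as administrator.
# The Compatibility tab stores the flag as a RUNASADMIN token in the
# AppCompatFlags\Layers key (per user in HKCU, for all users in HKLM).
function Get-AlwaysElevatedApp {
    $subKey = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = Join-Path $hive $subKey
        if (-not (Test-Path $path)) { continue }    # key is absent until a flag is set

        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            if (-not $name) { continue }            # skip the unnamed default value
            $layers = [string]$key.GetValue($name)
            if ($layers -match '\bRUNASADMIN\b') {
                [pscustomobject]@{
                    Scope      = $hive.TrimEnd(':')
                    Program    = $name              # value name is the executable path
                    Layers     = $layers
                    FileExists = Test-Path -LiteralPath $name
                }
            }
        }
    }
}

Get-AlwaysElevatedApp | Sort-Object Scope, Program | Format-Table -AutoSize
```

Entries whose FileExists column is False point at a binary that is no longer present and are candidates for cleanup.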

Controlling application installation and run behavior

In Group Policy under Local Policies\Security Options, five security settings determine how application installation and run behavior works. Table 2 summarizes these security settings.

Table 2. Security settings related to application installation and run behavior

| Security Setting | Description |
|---|---|
| User Account Control: Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop | Determines whether User Interface Accessibility (UIAccess) applications can bypass the secure desktop to increase usability in certain instances. By default, this setting is disabled. When enabled, UIAccess programs are allowed to respond to elevation prompts on the user’s behalf (which increases the risk that the prompt could be manipulated by a malicious program). This setting primarily applies to Remote Assistance scenarios because this is the key UIAccess program in use. To avoid problems, be sure to have users select Allow IT Expert To Respond To User Account Control Prompts when making a remote assistance request. |
| User Account Control: Detect Application Installations And Prompt For Elevation | Determines whether Windows Server automatically detects application installation and prompts for elevation or consent. Because this setting is enabled by default, Windows Server automatically detects application installations and prompts users for elevation or consent to continue the installation. If you disable this setting, users are not prompted, in which case they will not be able to elevate permissions by supplying administrator credentials. |
| User Account Control: Only Elevate Executables That Are Signed And Validated | Determines whether Windows Server allows the running of only executables that are signed and validated. By default, this setting is disabled. When enabled, Windows enforces the public key certificate chain validation of an executable before permitting it to run. |
| User Account Control: Only Elevate UIAccess Applications That Are Installed In Secure Locations | Determines whether Windows Server validates that UIAccess applications are secure before allowing them to run. By default, this setting is disabled. When enabled, only UIAccess applications in secure locations on the file system are allowed to run. Secure locations are limited to subdirectories of Program Files, including Program Files directories specifically for x86 or x64. |
| User Account Control: Switch To The Secure Desktop When Prompting For Elevation | Determines whether the elevation request prompt is displayed on the secure desktop to isolate the prompt from all other processes, which enhances security by preventing the password from being read by any other (and possibly malicious) program. By default, this setting is enabled. This means the prompt is displayed on the secure desktop (and requires a response before a user can do anything else). If you disable this setting, the prompt is displayed without switching to the secure desktop (and a user’s desktop isn’t locked while waiting for a response). |
| User Account Control: Virtualize File And Registry Write Failures To Per-User Locations | Determines how Windows Server notifies users about application write errors. Because this setting is enabled by default, error notifications and error logging related to virtualized files and registry values show the virtualized location rather than the actual location to which the application was trying to write. If you disable this setting, error notifications and error logging related to virtualized files and registry values show the actual location to which the application was trying to write. |

For workgroup configurations or for a special case, you can configure these security settings on a per-computer basis using local security policy. To access local security policy and configure UAC settings, follow these steps:

  1. Select Local Security Policy on the Tools menu in Server Manager. This starts the Local Security Policy console.

  2. In the console tree, under Security Settings, expand Local Policies and then select Security Options.

  3. Double-tap or double-click the setting you want to work with to display its properties dialog box.

  4. All settings related to application installation and run behavior can be defined and then configured. Make any necessary changes, and then tap or click OK. Repeat this procedure to modify the related security settings as necessary.

In a domain environment, you can use Microsoft Active Directory–based Group Policy to apply the desired security configuration to a particular set of computers. Simply apply the desired settings to a Group Policy Object (GPO) that applies to those computers.
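
To check what is actually in effect on a server, whether it was set through local security policy or a GPO, the following added example (not part of the original text) reads the registry values that back the Table 2 settings. The registry value names are not given in the text above; they are the names Windows stores these policies under, and the function name Get-UacRunBehaviorSetting is hypothetical.

```powershell
# Added example: report the registry values behind the Table 2 settings.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> policy name as listed in Table 2.
# ReviewWhen marks the state the table itself describes as raising risk.
$settings = @(
    @{ Value = 'EnableUIADesktopToggle';      Policy = 'Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop'; ReviewWhen = 1 }
    @{ Value = 'EnableInstallerDetection';    Policy = 'Detect Application Installations And Prompt For Elevation' }
    @{ Value = 'ValidateAdminCodeSignatures'; Policy = 'Only Elevate Executables That Are Signed And Validated' }
    @{ Value = 'EnableSecureUIAPaths';        Policy = 'Only Elevate UIAccess Applications That Are Installed In Secure Locations' }
    @{ Value = 'PromptOnSecureDesktop';       Policy = 'Switch To The Secure Desktop When Prompting For Elevation'; ReviewWhen = 0 }
    @{ Value = 'EnableVirtualization';        Policy = 'Virtualize File And Registry Write Failures To Per-User Locations' }
)

function Get-UacRunBehaviorSetting {
    $props = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    foreach ($s in $settings) {
        $raw = $props.($s.Value)        # $null when the value is not present

        $state = 'Not set (OS default applies)'
        if ($null -ne $raw) {
            $state = if ($raw -eq 1) { 'Enabled' } else { 'Disabled' }
        }

        [pscustomobject]@{
            Policy        = $s.Policy
            RegistryValue = $s.Value
            State         = $state
            # True only for the two states the table describes as weakening
            # the elevation prompt's isolation.
            Review        = ($null -ne $s.ReviewWhen -and $raw -eq $s.ReviewWhen)
        }
    }
}

Get-UacRunBehaviorSetting | Format-List
```

A row with Review set to True means elevation prompts can be answered or displayed outside the secure desktop on that computer.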