Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Windows Vista

Configuring Windows Vista Security : Understanding User Account Control (part 2)

- Windows 10 Product Activation Keys Free 2019 (All Versions)
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
4/14/2011 3:12:47 PM

Enabling and Disabling UAC

To ensure security of new Windows Vista installations, the UAC feature is enabled by default. When users log on to the computer, they start launching processes under the context of a standard user.

There are several different ways to control the behavior of the UAC feature. In some cases, customers might ask you for information about how to disable the feature altogether. You can access the Use User Account Control (UAC) To Help Protect Your Computer check box from within Control Panel . This check box is available by clicking User Accounts And Family Safety and then clicking User Accounts. You can also access this check box by searching for UAC in Control Panel. As shown in Figure 6, the dialog box provides a single check box that determines whether UAC is enabled.

Figure 6. Viewing details related to the status of the UAC feature

Note: Questioning the decision to disable UAC

When a customer asks how he or she can completely disable UAC, it’s a good idea to get some more information about why he or she is making this request. Is the customer frustrated with the frequency of elevation and consent prompts? Is he or she having difficulty running certain applications? Often, users don’t understand the value of the UAC feature and therefore see it as only an annoyance. As a Consumer Support Technician, explain the purpose and function of UAC, including how it can help prevent security issues and increase system reliability. It’s quite likely that customers might decide that disabling the feature completely is too much of a risk and that changing various settings might be a much better overall solution. Remember, your goal should be to strike a balance between security and usability.

After selecting to enable or disable UAC, you are prompted to reboot your computer, which is necessary to make the changes effective. When you disable UAC, users receive a notification of this whenever they log on to the computer or access security-related settings in Control Panel. This is done to remind users that they are at risk of potential security issues. You’ll look at ways in which you can fine-tune the behavior of UAC later in this lesson.

Managing UAC Settings with Local Security Policy

In addition to the default behavior of UAC, there are several different options that you can use to control the specific way in which this feature works. You define these settings by using policy settings on the computer. To access them, open the Local Security Policy console from the Start menu. The utility is available in the Administrative Tools program group (if the Start menu options are set to display it) or by searching for Local Security Policy. The default interface shows several different groups of settings, each of which has dozens of available options.

To access the properties of the UAC functionality, expand Local Policies, and then select the Security Options folder. The right side of the console shows all of the available policy options along with their current settings. UAC-related policies are prefixed by the text User Account Control (see Figure 7).

Figure 7. Viewing Local Security Policy settings

Each of the settings pertains to some aspect of system behavior or permissions. For example, you can use the Accounts: Guest Account Status option to specify whether the built-in Guest account is enabled. To make changes to a policy setting, double-click the item in the list. For most options, the first tab that is shown, Local Security Setting, provides the options for the setting (see Figure 8).

Figure 8. Viewing options for a policy setting

It’s often difficult to understand the exact purpose of every available option. Fortunately, the Local Security Policy console also includes details about specific options on the Explain tab. The text that is displayed here (see Figure 9) provides background information about the policy, along with details about the effects of these settings. Most explanations also include details about the default setting for the option. This can be very helpful in troubleshooting configuration issues. In some cases, links to more information are provided. Overall, this can help you determine the purpose and function of each setting.

Figure 9. Viewing explanatory text for a policy setting

Note: Resisting the urge to tweak

With all of the options available in the Local Security Policy console, it might be tempting to try to change configuration settings just to see what happens. Although this can be a good method for learning, it’s important to make these changes on noncritical systems (such as a test computer). Keep in mind that it is possible to “break” certain functionality with improper settings.

In relation to controlling the behavior of UAC, there are nine different settings that you can configure manually. These are as follows:

  • User Account Control: Run All Administrators In Admin Approval Mode This setting can be considered a “master switch” that determines whether UAC is enabled on the local computer. The default setting is Enabled. The status of this setting corresponds to the Turn User Account Control (UAC) On Or Off setting in Control Panel. When the status is set to Disabled, Admin Approval Mode, file system and registry virtualization, and all related settings are effectively disabled. It is important to keep in mind that the other settings might appear to be properly configured, but they do not have any effect when this setting is disabled.

    Exam Tip

    Instead of memorizing the names of each of the UAC-related Group Policy settings, concentrate on the meanings and effects of each. On the exam, you’ll be expected to understand how the settings are used, but you won’t be tested on the exact wording of each setting.

  • User Account Control: Admin Approval Mode For The Built-In Administrator Account This setting specifies the UAC options for the built-in Administrator account. By default, this setting is set to Disabled, which means that users who log on with the Administrator account have full permissions on the system. In general, it is recommended that the default Administrator account not be used. If you do have a need to enable the Administrator account, you can add security by enabling this policy setting.

  • User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode This setting specifies the type of elevation prompt that will be presented to administrative users when a program or process requests additional privileges. The settings include:

    • Prompt For Consent (the default).

    • Elevate Without Prompting.

    • Prompt For Credentials.

    The default setting provides a balance between security and usability. To improve security, you can require that administrators provide a user name and password to elevate permissions. Alternatively, you can choose to eliminate the prompt altogether.

  • User Account Control: Behavior Of The Elevation Prompt For Standard Users This setting determines how elevation prompts will be shown to standard users. The default setting, Prompt For Credentials, requires the user to provide logon information for an Administrator user every time an application or process requests elevated permissions. In some cases, you might want to prevent elevation from occurring at all. That’s the purpose of the Automatically Deny Elevation Requests option.

  • User Account Control: Detect Application Installations And Prompt For Elevation When users attempt to install an application, Windows Vista automatically attempts to elevate privileges. This is a useful feature, because most setup and installation programs require access to the file system and other protected areas of the computer. The default setting for consumer-focused editions of Windows Vista is for this option to be enabled. This means that users automatically see an elevation prompt whenever they launch an installer. The Disabled option is primarily used in company network environments in which IT staff can control the installation of software, using centralized methods.

  • User Account Control: Only Elevate Executables That Are Signed And Validated One important potential security risk related to working with applications and software is in trusting the publisher of the application. Malware could easily create a new executable or shortcut that appears to be a familiar application (such as Microsoft Word), but that actually launches malicious code that could damage the system. One way to validate a program is to use a method based on Public Key Infrastructure (PKI) technology. This method allows trusted third parties to validate whether the publisher of the software is who it claims to be.

    This option is set to Disabled, by default, because PKI technology has dependencies on other services such as a Certificate Server. Home and small-business users are unlikely to have the necessary infrastructure to do this.

  • User Account Control: Only Elevate UIAccess Applications That Are Installed In Secure Locations Some applications might need to run with elevated privileges on Windows Vista. Developers of these applications can create a setting that instructs the operating system to prompt for elevated privileges automatically whenever the program is launched. One potential problem is for malware (such as programs downloaded from the Internet) to request full permissions and then make undesired changes to the system. This setting specifies that only applications that are located within known secure file system locations (such as the Program Files folder and subfolders of the Windows folder) are able to request elevation. This helps ensure that only properly installed programs are able to run with elevated permissions. The setting can be disabled, although this will reduce overall security.

  • User Account Control: Switch To The Secure Desktop When Prompting For Elevation One method that malware authors have at their disposal is the possibility of tricking a user into providing sensitive information to a program. For example, a program could be designed to look very similar to the standard UAC elevation prompt. A user might provide a user name and password for privilege escalation, but the application itself is recording or sending this information elsewhere. To help prevent this type of intrusion, the default setting in Windows Vista is to use a secure desktop when an elevation prompt is presented. When this occurs, the entire desktop background is dimmed, and only the prompt is shown. Other applications will be unable to overwrite the prompt or create new windows that take the focus. When you disable this option, the UAC prompt appears like any other window. However, it is then possible for other applications to create a false UAC prompt.

  • User Account Control: Virtualize File And Registry Write Failures To Per-User Locations This setting is designed to provide compatibility with legacy applications that request direct access to the file system or to the registry. When a program attempts to perform one of these actions, Windows Vista automatically redirects the request to a safe, virtual location. The benefit is that the program can still run successfully, but all write operations occur safely. When you disable this setting, earlier applications are prevented from directly writing to file system and registry locations. In most cases, this means that the applications fail to run correctly.

Note: Educating customers

When supporting customers who are attempting to understand the purpose of various security settings, you might be tempted just to make various changes on their behalf. It’s important, however, that you keep the customer informed of the effects of your modifications. After all, if a security issue or malware infection were to occur on customers’ systems due to a change you made, you want to ensure that the user agreed with it. Generally, the more educated customers are with relation to security, the more likely they are to exercise good judgment.

Other -----------------
- Configuring Windows Vista Security : Managing User Accounts
- Using Windows Security Center (part 3) - Configuring Malware Protection
- Using Windows Security Center (part 2) - Configuring Automatic Updating
- Using Windows Security Center (part 1) - Overview of Windows Security Center & Configuring Windows Firewall
- Configuring Parental Controls (part 4) - Managing Application Restrictions & Reviewing Activity Reports
- Configuring Parental Controls (part 3) - Defining Computer Time Limits & Configuring Game Settings
- Configuring Parental Controls (part 2) - Defining Web Restrictions
- Configuring Parental Controls (part 1) - Understanding Parental Controls
- Working with Mobile Devices (part 2) - Using Windows Sync Center
- Working with Mobile Devices (part 1) - Using Windows Mobility Center
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
Celebrity Style, Fashion Trends, Beauty and Makeup Tips.
Windows Vista
Windows 7
Windows Azure
Windows Server