2. User Account Control
User
Account Control (UAC) is one of the most important security-related
technologies in Windows Vista and Windows Server 2008. UAC provides
control over the level of privilege that a user or administrator has
when routinely using the computer. UAC forces the privilege level to be
a standard user until elevated privileges (typically administrative)
are required.
Two different scenarios are
important to understand when using UAC. First, when a user is logged on
with administrative privileges, the level of privilege is a standard
user until a task needs to be run that requires elevation. When
elevated privileges are required, a dialog box asks the user whether he
or she wants to continue to run the application or task with elevated
privileges, as shown in Figure 1.
This
is an excellent security measure, because any application requiring
elevated privileges will be denied processing until approved. This is
important, because many viruses and malware require elevated privileges
to run.
The second scenario is when a
standard user is logged on and attempts to run an application that
requires elevated privileges. In this case, the user is prompted, but
not with the same prompt given to the user logged on with
administrative privileges. Instead, the user is prompted with the
dialog box shown in Figure 2.
UAC
also has many control settings that allow you to alter how applications
and tasks that require administrative privileges are handled. Table 2 summarizes the settings available for controlling UAC in a GPO.
Table 2. UAC Settings
| Full Policy Name | Computer or User |
|---|
| Enumerate administrator accounts on elevation | Computer |
| Require trusted path for credential entry | Computer |
| Detect application failures caused by deprecated Windows DLLs or COM objects | Computer |
| Detect application install failures | Computer |
| Detect application installers that need to be run as administrator | Computer |
| Detect applications unable to launch installers under UAC | Computer |
| Notify blocked drivers | Computer |
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Computer |
| User Account Control: Allow UI Access applications to prompt for elevation without using the secure desktop. | Computer |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Computer |
| User Account Control: Behavior of the elevation prompt for standard users | Computer |
More Info
Table 2
summarizes the majority of the UAC settings that can be configured in a
GPO. The policy name is listed in the table. If you are having trouble
finding the policy within the GPME, you can download and refer to
spreadsheet, WindowsServerGroupPolicy Settings.xls, from the Microsoft
Download Center at http://www.microsoft.com/Downloads/. |
