Windows 7 : Configuring User Account Control

9/28/2011 5:52:44 PM
Most administrators have had to wrestle with the balance between security and enabling applications to run correctly. In the past, some applications simply would not run correctly under Windows unless the user running the application was a local administrator.

Unfortunately, granting local administrator permissions to a user also allows the user to install software and hardware, change configuration settings, modify local user accounts, and delete critical files. Even more troubling is the fact that malware that infects a computer while an administrator is logged in is also able to perform those same functions.

Limited user accounts in Windows XP were supposed to allow applications to run correctly and allow users to perform necessary tasks. In practice, however, they did not work as advertised. Many applications require that users have permissions to write to protected folders and to the Registry, and limited user accounts did not allow users to do so.

Windows 7's answer to the problem is User Account Control (UAC). UAC enables non-administrator users to perform standard tasks, such as installing a printer, configuring a VPN or wireless connection, and installing updates, while preventing them from performing tasks that require administrative privileges, such as installing applications.

1. Managing Privilege Elevation

UAC protects computers by requiring privilege elevation for all users, even users who are members of the local Administrators group. As you have no doubt seen by now, UAC will prompt you for permission when performing a task that requires privilege elevation. This prevents malware from silently launching processes without your knowledge.

Privilege elevation is required for any feature that contains the four-color security shield. For example, the small shield shown on the Change Date And Time button in the Date And Time dialog box in Figure 6.17 indicates an action that requires privilege elevation.

Figure 6.17. Date And Time dialog box

Now let's take a look at how to elevate privileges for users.

1.1. Elevated Privileges for Users

By default, local administrators are logged on as standard users. When administrators attempt to perform a task that requires privilege escalation, they are prompted for confirmation by default. You can require administrators to authenticate when performing a task that requires privilege escalation by changing the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy setting to Prompt For Credentials. On the other hand, if you don't want UAC to prompt administrators for confirmation when elevating privileges, you can change the policy setting to Elevate Without Prompting.

Non-administrator accounts are called standard users. When standard users attempt to perform a task that requires privilege elevation, they are prompted for a password of a user account that has administrative privileges. You cannot configure UAC to automatically allow standard users to perform administrative tasks, nor can you configure UAC to prompt a standard user for confirmation before performing administrative tasks. If you do not want standard users to be prompted for credentials when attempting to perform administrative tasks, you can automatically deny elevation requests by changing the User Account Control: Behavior Of The Elevation Prompt For Standard Users policy setting to Automatically Deny Elevation Requests.

The built-in Administrator account, though disabled by default, is not affected by UAC. UAC will not prompt the Administrator account for elevation of privileges. Thus, it is important to use a normal user account whenever possible and use the built-in Administrator account only when absolutely necessary.
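To check which of these elevation settings a machine is actually using, the following added example (not part of the original article) reads the registry values that back the UAC policy settings and translates them into the setting names used above. The value names `ConsentPromptBehaviorAdmin`, `ConsentPromptBehaviorUser`, `EnableLUA` and `FilterAdministratorToken` are not mentioned in the article; the function names are hypothetical.

```powershell
# Added example: map the UAC registry values to the policy settings named above.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminPrompt = @{
    0 = 'Elevate Without Prompting'
    1 = 'Prompt For Credentials On The Secure Desktop'
    2 = 'Prompt For Consent On The Secure Desktop'
    3 = 'Prompt For Credentials'
    4 = 'Prompt For Consent'
    5 = 'Prompt For Consent For Non-Windows Binaries'
}
$UserPrompt = @{
    0 = 'Automatically Deny Elevation Requests'
    1 = 'Prompt For Credentials On The Secure Desktop'
    3 = 'Prompt For Credentials'
}

function Resolve-UacSetting($Value, $Map) {
    # A missing value must not be read as 0, which would mean the weakest setting.
    if ($null -eq $Value) { return 'Not set (Windows default applies)' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unrecognized value $Value"
}

function Get-UacPolicyReport {
    param([string]$Path = $PolicyKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $findings = @()
    if ($p.EnableLUA -eq 0) { $findings += 'UAC is turned off (EnableLUA = 0)' }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Administrators elevate without a prompt' }
    # Unless this value is 1, the built-in Administrator runs without UAC prompts.
    if ($p.FilterAdministratorToken -ne 1) { $findings += 'Built-in Administrator is not prompted by UAC' }

    New-Object PSObject -Property @{
        AdministratorsPrompt = Resolve-UacSetting $p.ConsentPromptBehaviorAdmin $AdminPrompt
        StandardUsersPrompt  = Resolve-UacSetting $p.ConsentPromptBehaviorUser $UserPrompt
        Findings             = $findings -join '; '
    }
}

Get-UacPolicyReport | Format-List AdministratorsPrompt, StandardUsersPrompt, Findings
```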

Complete the following exercise to see how UAC affects administrator and non-administrator accounts differently.

Exercise 1: Seeing How UAC Affects Accounts

  1. Log on to Windows 7 as a non-administrator account.

  2. Select Start => Control Panel => Large Icons View => Windows Firewall.

  3. Click the Turn Windows Firewall On Or Off link on the left side. The UAC box should prompt you for permission to continue. Click Yes. You should not be allowed access to the Windows Firewall Settings dialog box.

  4. Log off and log on as the Administrator account.

  5. Select Start => Control Panel => Large Icons View => Windows Firewall.

  6. Click the Turn Windows Firewall On Or Off link.

  7. You should automatically go to the Windows Firewall screen. Close the Windows Firewall screen.

Let's now take a look at elevating privileges for executable applications.

1.2. Elevated Privileges for Executables

You can also enable an executable file to run with elevated privileges. To do so on a one-time basis, right-click a shortcut or executable and select Run As Administrator.

But what if you need to configure an application to always run with elevated privileges for a user? To do so, log in as an administrator, right-click a shortcut or executable, and select Properties. On the Compatibility tab, check the Run This Program As An Administrator check box. If the Run This Program As An Administrator check box is unavailable, the program is blocked from permanently running as an administrator, the program doesn't need administrative privileges, or you are not logged on as an administrator.
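Because a program marked to always run as an administrator requests elevation on every launch, it is worth reviewing which programs carry that mark. The added example below (not from the original article) lists them; it relies on a detail the article does not state, namely that Windows records the check box as a `RUNASADMIN` compatibility layer under the `AppCompatFlags\Layers` key, per user in HKCU and for all users in HKLM. The function name is hypothetical.

```powershell
# Added example: list programs flagged "Run This Program As An Administrator".
function Get-RunAsAdminProgram {
    $layers = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\$layers"
        if (-not (Test-Path -Path $key)) { continue }   # no compatibility layers set in this hive

        $item = Get-Item -Path $key
        foreach ($program in $item.GetValueNames()) {
            # Each value name is the full path of an executable; the data is a
            # space-separated list of compatibility layers applied to it.
            $flags = [string]$item.GetValue($program)
            if ($flags -match '\bRUNASADMIN\b') {
                New-Object PSObject -Property @{
                    Scope   = $hive.TrimEnd(':')
                    Program = $program
                    Exists  = Test-Path -LiteralPath $program
                    Layers  = $flags
                }
            }
        }
    }
}

Get-RunAsAdminProgram | Format-Table Scope, Exists, Program, Layers -AutoSize
```

An entry whose `Exists` column is False points at a program that has been removed or moved, which makes it a candidate for cleanup.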

Many applications that are installed on a Windows 7 machine need to have access to the Registry. Windows 7 protects the Registry from non-administrator accounts. Let's take a look at how this works.

2. Registry and File Virtualization

Windows 7 uses a feature called Registry and File Virtualization to enable non-administrator users to run applications that previously required administrative privileges to run correctly. As discussed earlier, some applications write to the Registry and to protected folders, such as C:\Windows and C:\Program Files. For non-administrator users, Windows 7 redirects any attempts to write to protected locations to a per-user location. By doing so, Windows 7 enables users to use the application successfully while it protects critical areas of the system.
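To see which applications on a machine depend on this redirection, you can list what has been written to the per-user location. This added example is not part of the original article and assumes the per-user locations, which the article does not name, are `%LOCALAPPDATA%\VirtualStore` for files and `HKCU\Software\Classes\VirtualStore` for the Registry; the function names are hypothetical.

```powershell
# Added example: show writes that Windows redirected away from protected locations.
function Get-VirtualizedFile {
    param([string]$VirtualStore = (Join-Path $env:LOCALAPPDATA 'VirtualStore'))

    if (-not (Test-Path -LiteralPath $VirtualStore)) { return }   # nothing redirected for this user
    $root = (Get-Item -LiteralPath $VirtualStore).FullName.TrimEnd('\')

    Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # The folder layout under VirtualStore mirrors the system drive, so the
            # relative path is where the application believed it was writing.
            $relative = $_.FullName.Substring($root.Length + 1)
            New-Object PSObject -Property @{
                IntendedPath = Join-Path ($env:SystemDrive + '\') $relative
                RedirectedTo = $_.FullName
                LastWrite    = $_.LastWriteTime
            }
        }
}

function Get-VirtualizedRegistryKey {
    # Redirected HKLM\SOFTWARE writes for the current user land under this key.
    $store = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path -Path $store)) { return }
    Get-ChildItem -Path $store -Recurse | ForEach-Object { $_.Name }
}

Get-VirtualizedFile | Sort-Object LastWrite -Descending |
    Format-Table LastWrite, IntendedPath -AutoSize
Get-VirtualizedRegistryKey
```

Run it in the session of the user whose applications you are reviewing, because both locations are per-user.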

Next we will look at other areas of security.
