UAC can be configured with nine different group policy settings (ten if you add the one we discussed previously). This section covers each setting and our recommendation for how to use it.
User Account Control: AdminApproval Mode for the Built-in Administrator Account
This setting controls whether or not to build a filtered token for the built-in Administrator account. By default the setting is disabled, which means that the built-in Administrator account always logs on with a full administrative token. Note that this setting has no bearing on whether the built-in Administrator account can be used or not. If the built-in Administrator account is disabled, its logon ability is controlled as we mentioned previously. This setting only controls how the token is created if the account is allowed to log on.
We recommend that you ensure that the built-in Administrator account is disabled and not used. If you do, this setting will not matter.
User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
By default, all administrators, except for the built-in Administrator account, are in admin-approval mode. Also by default, they get a consent prompt when they try to execute an administrative task. This setting changes whether they get a consent prompt or not. If this setting is set to "Elevate without prompting," the elevation is automatic. This means that the user is never prompted for elevation. This setting may be used in environments that wish to turn off UAC. The reason is that it gets rid of the prompt, but retains the other benefits of UAC, including the low-rights Internet Explorer. If UAC is disabled, entirely low-rights IE no longer works either. As a result, the relatively weak process isolation that existed between administrative and non-administrative processes is completely removed.
The third option in this setting is to prompt for credentials. This makes the elevation prompt behave the same for administrators and non-administrators.
We recommend that you leave the default setting.
User Account Control: Behavior of the Elevation Prompt for Standard Users
This setting is used to bar elevation for standard users. The options are "Prompt for credentials" and "Automatically deny elevation requests." The latter option is used in environments where you wish to provide no avenue for elevation at all for standard users. Note that if you configure this to deny elevation requests, you will break many Remote Assistance scenarios, as outlined previously.
We recommend that you leave this setting at its default. Your site security policy and risk management philosophy should govern whether you provide users with administrative credentials or not. We will point out, however, that you may want to consider the cost of a helpdesk call in this decision. If you leave the setting at its default and your users are standard users, they will effectively be told to call the helpdesk each time a web page asks to install an ActiveX control. If you configure this setting to "Automatically deny elevation requests," they will be told, essentially, that the policy is stopping them from doing something. This latter option may result in fewer helpdesk calls.
User Account Control: Detect Application Installations and Prompt for Elevation
This setting enables heuristic detection of installers. UAC has been programmed to detect the most common application installers and automatically prompt for elevation when one of them is launched. It is set to be enabled by default. Organizations that wish to, may set it to disable, which will have the effect of disabling most installers as they more or less universally require admin privileges.
This setting has a minimal impact on security. If a user does not have administrative privileges, this setting has no impact anyway.
Note that the explanation for this setting indicates that it is set to Disabled in the enterprise. This is not correct.
User Account Control: Only Elevate Executables that Are Signed and Validated
This setting can be used to disable elevation of unsigned executables. Doing so may be worthwhile, but will break a substantial number of existing applications. Therefore, it is turned off by default.
We recommend that you evaluate your risks and the applications you run. If you can get away with breaking unsigned applications you should, but doing so will cause significant pain for users. If you have the ability to do so, you can sign everything that you want elevated, turn this setting on, and then configure silent elevation. That will effectively get rid of all UAC prompts, but at the cost of a lot of work signing applications.
User Account Control: Only Elevate UIAccess Applications that Are Installed in Secure Locations
Applications may be configured to allow User Interface access (UIAccess) from applications with lower privileges. This permits an application running with a standard user or filtered admin token to programmatically drive UI for an app running with a full administrative token on the same desktop or to send window messages to applications on the secure desktop. Permitting this opens a substantial security hole. Therefore, this setting allows you to control, to some extent, which applications can do this. By leaving this setting at enabled, which is the default, only applications in %ProgramFiles% and %SystemRoot% may launch with UIAccess turned on. This, presumably, limits it to applications that are trusted and installed in trusted locations.
We recommend that you leave this setting at its default: enabled.
User Account Control: Run All Administrators in Admin Approval Mode
This setting disables UAC entirely. Its name is a bit misleading, indicating that UAC is still there, but if this setting is set to disabled, all UAC behavior functions the same way it did in Windows XP. This means, for example, that if an administrator launches IE, it will launch with a full administrative token.
We recommend you leave this setting at its default: enabled.
User Account Control: Switch to the Secure Desktop when Prompting for Elevation
This setting was discussed previously. Setting it to disabled causes UAC prompts to show up on the user's desktop instead of the secure desktop. This permits applications to more easily spoof the prompts and even drive input to and from them.
We recommend that you leave this setting at its default: enabled.
User Account Control: Virtualize File and Registry Write Failures to Per-User Locations
We discussed virtualization earlier. This setting can be used to disable virtualization system wide. Doing so will cause applications that request write access to protected locations to fail just like they did in Windows XP.
We recommend that you leave this setting at its default: enabled.
