SMB Access
Windows Vista can, like all previous versions of Windows, act as a Server Message Block (SMB) file server. Connecting to a Vista computer that is acting as a server while authenticating with a domain account works exactly as in Windows XP: if the domain account is a local administrator, the impersonation token the server uses to perform access checks is a full administrative token. If you authenticate with a local account that is a member of the Administrators group, however, you get a filtered token, just as if you had logged on interactively with that account. The difference, of course, is that in the SMB case you cannot elevate; the filtered token is all the connection will ever get, so anything that requires administrative rights on the server, such as access to the administrative shares (C$, ADMIN$), fails with access denied.
The reason tokens for local accounts are filtered over the network in stand-alone environments is to stop a worm from propagating over network connections. Malware that infects one computer and becomes an administrator there could spread to a different computer if that computer has an administrative local account with the same user name and password. If administrators only get a filtered token when they connect, however, that attack will likely fail. Domain accounts do not get a filtered token over the network, because that would break too many remote management tools.
This behavior can be changed using a registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Value: LocalAccountTokenFilterPolicy
Type: REG_DWORD
Data: 0 (default) - Build filtered token
1 - Build elevated token
You can add this setting to the Group Policy Security Options interface by using the technique documented in Microsoft Knowledge Base Article 214752. On the Web site for the book you will find an updated sceregvl.inf file that contains the new setting.
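As an added illustration (not code from the book), the following PowerShell script audits and changes LocalAccountTokenFilterPolicy on a Vista machine, and includes the check a practitioner would use to see the effect: from another computer, map the administrative share C$ as a local administrator of the target. With the default (filtered token) the mapping is denied; with the value set to 1 it succeeds. The script assumes it runs in an elevated PowerShell on the target, that File and Printer Sharing is allowed through the firewall, and that `$Computer`, `$User` and `$Password` are placeholders you supply; the function names are this example's own.

```powershell
# Added example, not the book's code: audit/set LocalAccountTokenFilterPolicy on the
# local machine and verify the effect from another host via the C$ administrative share.
# Assumptions: elevated PowerShell on the target; function and parameter names are ours.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-LocalAccountTokenFilterPolicy {
    # An absent value means the default, 0: local administrators get a filtered token over the network.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-LocalAccountTokenFilterPolicy {
    param([ValidateSet(0, 1)][int]$Data)   # 0 = filtered token, 1 = full administrative token
    # Create the key if nothing has populated it yet, then write the REG_DWORD.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Data -Type DWord
}

function Test-AdminShareAccess {
    # Run this from a DIFFERENT machine, authenticating as a local administrator of $Computer.
    # With a filtered token the mapping of C$ fails ("Access is denied"); with
    # LocalAccountTokenFilterPolicy = 1 the full token is built and the mapping succeeds.
    param([string]$Computer, [string]$User, [string]$Password)
    net use "\\$Computer\C$" $Password "/user:$Computer\$User" 2>&1 | Out-Null
    $ok = ($LASTEXITCODE -eq 0)
    if ($ok) { net use "\\$Computer\C$" /delete 2>&1 | Out-Null }   # clean up the mapping
    return $ok
}

$before = Get-LocalAccountTokenFilterPolicy
if ($before -eq 1) { $mode = 'elevated' } else { $mode = 'filtered' }
Write-Host "LocalAccountTokenFilterPolicy = $before (remote local admins get a $mode token)"

# Example of the change the book describes; revert with -Data 0 when the test is done.
# Set-LocalAccountTokenFilterPolicy -Data 1
# From another machine: Test-AdminShareAccess -Computer 'vista-pc' -User 'localadmin' -Password '...'
```

Treat setting the value to 1 as a deliberate, documented exception: it re-enables exactly the propagation path the filtering was designed to block, so it belongs only on machines where remote management with local accounts is genuinely required.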
Remote Desktop and Remote Assistance
Remote Desktop, also known as Windows Terminal Services, works just like an interactive session for the purposes of UAC elevation. Remote Assistance (RA), however, poses certain new challenges.
RA is a feature first included in Windows XP. It allows an "expert" to assist a user in troubleshooting by opening a remote connection to a user's logon session and interacting with that session. This permits the user to very easily show the expert what is happening.
UAC has an interesting side effect on RA. The elevation prompt appears on the secure desktop, but the secure desktop is not transmitted over an RA session, so the expert never sees it. The end user being helped can answer the prompts, unless that user is not an administrator and does not have the credentials of one. In that case, the only option is to turn off the setting that puts the UAC prompt on the secure desktop, by setting this registry value:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Value: PromptOnSecureDesktop
Type: REG_DWORD
Data: 0 - Elevation prompt goes on the interactive user desktop
1 (default) - Elevation prompt goes on the secure desktop
You would need to make this change before establishing the Remote Assistance session. This can be done with the following command line:
reg add \\<remote computer name>\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f
You would need to replace <remote computer name> with the name of the remote computer you are connecting to. Writing to the registry remotely this way requires the Remote Registry service to be running on that computer and an account that is an administrator there; if that account is a local account, its network token is itself filtered, as described in the SMB section above, unless LocalAccountTokenFilterPolicy is set to 1. After you are done with your RA session you can revert the system to its original state using this command:
reg add \\<remote computer name>\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f
This setting is also available in Group Policy, under Security Options, as "User Account Control: Switch to the secure desktop when prompting for elevation".
If the policy for standard users is set to automatically deny elevation requests, the elevation is denied silently and no prompt is ever shown. In that case, that policy needs to be turned off before the RA session is started. Alternatively, the expert can open a command prompt as an administrator with the runas.exe command. That command prompt runs with a filtered token, but elevation from it is now governed by the elevation policy for administrators rather than for standard users, so the prompts are shown, subject to the setting that controls where they appear. Keep in mind, if you use this approach, that if the user requesting help pulls the network cable from the computer at this point, the user is left with a command prompt running under the expert's administrative account, and with it everything that account can do on the machine.
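The two policy changes this section describes (moving the prompt off the secure desktop, and not denying elevation for standard users) are easy to forget to undo once the session is over. The following PowerShell script, an added example rather than the book's own code, wraps the RA session in a try/finally so that the remote computer's original values are restored even if the session is aborted. It writes the remote registry through the .NET RegistryKey API (the same Remote Registry service that reg.exe uses) and assumes the account running it is an administrator on the remote computer whose network token is not filtered. PromptOnSecureDesktop is the value named above; ConsentPromptBehaviorUser is the value behind the "deny elevation requests for standard users" policy and is taken from the UAC documentation, not from this excerpt; msra.exe is Vista's Remote Assistance program; the function names and the computer name are this example's own.

```powershell
# Added example, not the book's code: prepare a remote Vista computer for a Remote
# Assistance session and guarantee that its UAC settings are put back afterwards.
# Assumptions: Remote Registry service running on $Computer; the caller is an
# administrator there with an unfiltered network token (domain account, or a local
# account on a machine with LocalAccountTokenFilterPolicy = 1). Names are ours.

$PolicyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValues {
    param([string]$Computer)
    # Read the two values that decide whether the expert can see an elevation prompt at all.
    # $null means the value is absent, i.e. the built-in default applies.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($PolicyPath, $false)
        return @{
            # 1 (default) = prompt on the secure desktop, which RA cannot show; 0 = interactive desktop
            PromptOnSecureDesktop     = $key.GetValue('PromptOnSecureDesktop')
            # 0 = elevation requests from standard users are denied silently; nonzero = prompt
            ConsentPromptBehaviorUser = $key.GetValue('ConsentPromptBehaviorUser')
        }
    } finally { $hklm.Close() }
}

function Set-UacValue {
    param([string]$Computer, [string]$Name, $Data)
    # $Data = $null removes the value again, so "absent" is restored as absent, not as 1.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($PolicyPath, $true)
        if ($null -eq $Data) { $key.DeleteValue($Name, $false) }
        else { $key.SetValue($Name, [int]$Data, [Microsoft.Win32.RegistryValueKind]::DWord) }
    } finally { $hklm.Close() }
}

function Invoke-WithRaFriendlyUac {
    param([string]$Computer, [scriptblock]$Session)
    $original = Get-UacValues -Computer $Computer
    try {
        # Only touch what actually blocks the prompt from reaching the RA session.
        if ($original.PromptOnSecureDesktop -ne 0) {
            Set-UacValue -Computer $Computer -Name 'PromptOnSecureDesktop' -Data 0
        }
        if ($original.ConsentPromptBehaviorUser -eq 0) {
            Set-UacValue -Computer $Computer -Name 'ConsentPromptBehaviorUser' -Data 1
        }
        & $Session
    } finally {
        # Runs even if the session is aborted, so the machine is not left
        # prompting on the interactive desktop after the expert has gone.
        Set-UacValue -Computer $Computer -Name 'PromptOnSecureDesktop' -Data $original.PromptOnSecureDesktop
        Set-UacValue -Computer $Computer -Name 'ConsentPromptBehaviorUser' -Data $original.ConsentPromptBehaviorUser
    }
}

# Usage: the script block is where the expert conducts the RA session (msra.exe on Vista).
Invoke-WithRaFriendlyUac -Computer 'vista-pc' -Session {
    Read-Host 'Run the Remote Assistance session now, then press Enter to restore the UAC settings'
}
```

The restore step deliberately re-creates the "absent" state rather than writing the default value, so a machine that was never configured explicitly stays that way and continues to follow whatever Group Policy later delivers. If the remote write fails in the try block, the finally block still runs and, because nothing was changed, simply rewrites the original state.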