SECURITY

UAC and Remote Access

7/28/2010 9:30:50 AM
UAC also impacts certain types of remote access to a computer running Windows Vista. Exactly how differs between access methods and account types.

SMB Access

Windows Vista can, like all previous versions of Windows, act as a server for Server Message Block (SMB) sharing. Connecting to a computer running Windows Vista that is acting as a server while using domain accounts for authentication will work exactly as in Windows XP. If the domain account is a local administrator, the impersonation token used on the server to perform access checks is a full administrative token. However, if you authenticate with a local account that is a member of the Administrators group, you will get a filtered token, just as if you were logging on locally with that account. The difference, of course, is that in the SMB case, you cannot elevate.

The reason tokens are filtered in stand-alone environments is to stop a worm from propagating over network connections. Malware that infects one computer and becomes an administrator there could spread to a different computer if that computer has an administrative account using the same user name and password. However, if administrators get a filtered token when they connect, the exploit will likely fail. Computers in a domain environment do not get a filtered token because it would break too many remote management tools.

This behavior can be changed using a registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Value: LocalAccountTokenFilterPolicy
Type: REG_DWORD
Data: 0 (default) - Build filtered token
      1 - Build elevated token

You can add this setting to the Group Policy Security Options interface by using the technique documented in Microsoft Knowledge Base Article 214752. On the Web site for the book you will find an updated sceregvl.inf file that contains the new setting.
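Because setting this value to 1 removes the protection described above, it is worth auditing. The following is an added example, not code from the book: a PowerShell function that reads the value over remote registry and reports which hosts build an elevated token for remote local-administrator logons. The function name and the computer names are constructed for illustration, and the script assumes the Remote Registry service is reachable on each host.

```powershell
# Added example: report how each host builds tokens for remote local-admin logons.
# Function name and computer names are constructed placeholders.
function Get-LocalAccountTokenFilterPolicy {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($computer in $ComputerName) {
        $base = $null; $key = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $base.OpenSubKey($subKey)   # read-only handle
            # An absent value behaves like the default (0): filtered token.
            $data = if ($key) { $key.GetValue('LocalAccountTokenFilterPolicy', 0) } else { 0 }
            [pscustomobject]@{
                ComputerName = $computer
                Data         = $data
                TokenBuilt   = if ($data -eq 1) { 'Elevated' } else { 'Filtered' }
                Finding      = if ($data -eq 1) { 'Non-default: token filtering is off' } else { 'Default' }
            }
        }
        catch {
            # Unreachable host or access denied: report it instead of guessing.
            [pscustomobject]@{
                ComputerName = $computer
                Data         = $null
                TokenBuilt   = 'Unknown'
                Finding      = "Could not read: $($_.Exception.Message)"
            }
        }
        finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
    }
}

Get-LocalAccountTokenFilterPolicy -ComputerName 'WS-EXAMPLE-01', 'WS-EXAMPLE-02' |
    Format-Table -AutoSize
```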

Remote Desktop and Remote Assistance

Remote Desktop, also known as Windows Terminal Services, works just like an interactive session for the purposes of UAC elevation. Remote Assistance (RA), however, poses certain new challenges.

RA is a feature first included in Windows XP. It allows an "expert" to assist a user in troubleshooting by opening a remote connection to a user's logon session and interacting with that session. This permits the user to very easily show the expert what is happening.

UAC has an interesting side effect on RA. The prompt shows up on the secure desktop, but the secure desktop is not available over RA. The end user that is being helped can answer the prompts, but not if the end user is not an administrator and does not have credentials for an administrator. In this case, the only option is to disable the setting to show the UAC prompt on the secure desktop. To do so, you may set this registry key:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Value: PromptOnSecureDesktop
Type: REG_DWORD
Data: 0 - Elevation prompt goes on the
      1 (default) - Elevation prompt goes on the secure desktop

You would need to make this change before establishing the Remote Assistance session. This can be done using the following command:

reg add \\<remote computer name>\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f

You would need to replace <remote computer name> with the name of the remote computer you are connecting to. After you are done with your RA session, you can revert the system to its original state using this command:

reg add \\<remote computer name>\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f

This setting is also available in Group Policy.
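The risk with the two-command procedure above is that the revert step is forgotten or skipped when the session ends abnormally. The following is an added example, not code from the book: a PowerShell wrapper that records the value it found, sets PromptOnSecureDesktop to 0 for the duration of a script block, and restores the recorded state in a finally block. It goes slightly beyond the text by restoring whatever was there before rather than always writing 1. The function name, parameter names and computer name are constructed for illustration.

```powershell
# Added example: relax the secure-desktop prompt for one RA session, then restore.
# Function, parameter and computer names are constructed placeholders.
function Invoke-WithPromptOnUserDesktop {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # computer being assisted
        [Parameter(Mandatory)][scriptblock]$During    # runs while the setting is 0
    )
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name   = 'PromptOnSecureDesktop'
    $dword  = [Microsoft.Win32.RegistryValueKind]::DWord

    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    $key = $base.OpenSubKey($subKey, $true)           # $true = writable
    if (-not $key) { $base.Close(); throw "Policy key not found on $ComputerName" }

    # Remember the state we found so the revert restores it exactly.
    $original = $key.GetValue($name, $null)
    try {
        $key.SetValue($name, 0, $dword)
        & $During
    }
    finally {
        # Runs even if the script block throws or the operator presses Ctrl+C.
        if ($null -eq $original) { $key.DeleteValue($name, $false) }
        else { $key.SetValue($name, $original, $dword) }
        $key.Close(); $base.Close()
    }
}

Invoke-WithPromptOnUserDesktop -ComputerName 'WS-EXAMPLE-01' -During {
    Read-Host 'Secure desktop prompt is off. Press Enter when the RA session has ended'
}
```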

If the policy is set to deny elevation requests for non-administrators, the elevation will be denied automatically and no prompt is ever shown. In that case, that policy needs to be turned off before launching the RA session. Alternatively, the expert can launch an administrative command prompt using the runas.exe command as an administrator. This command prompt will be running with a filtered token, but now the elevation is subject to the elevation policy for administrators, not users, so the prompts will be shown, subject to the policy on where to put them. Keep in mind, if you use this approach, that if the user requesting help pulls the network cable from the computer at this point, the user is left with an administrative command prompt running as someone else.

