UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
the built-in Administrator account using the Accounts: Administrator Account Status policy,
which is also located in the Security Options node. The default setting of this policy is Disabled.
If you enable the built-in Administrator account, privilege elevation occurs automatically
without a UAC prompt. If you enable the policy and the built-in Administrator account, the
built-in account receives UAC prompts when attempting tasks that require privilege elevation.
UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
The UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
policy functions in a similar way to the User Account Control Settings dialog box that was
covered earlier in this lesson. It allows you to configure how intrusive UAC is for users
that log on to a client running Windows 7 with administrative privileges. Unlike the UAC
Settings dialog box, which has four settings, the UAC: Behavior Of The Elevation Prompt For
Administrators In Admin Approval Mode policy, shown in Figure 9-4, has six settings.
Figure 9-4 Elevation prompt for administrators
These settings work as follows:
• Elevate Without Prompting: This is the least secure setting and is the equivalent of disabling UAC. Requests for elevation are approved automatically.
• Prompt For Credentials On The Secure Desktop: UAC always prompts the administrator for a password, as shown in Figure 9-5, on the Secure Desktop.
Figure 9-5 Prompt for credentials
• Prompt For Consent On The Secure Desktop: UAC always prompts the administrator for consent on the Secure Desktop, as shown in Figure 9-6. This setting does not require the user to enter a password.
Figure 9-6 Consent prompt
• Prompt For Credentials: The user must enter a password. The Secure Desktop is used only if the UAC: Switch To The Secure Desktop When Prompting For Elevation policy is enabled (that policy’s default setting).
• Prompt For Consent: This policy prompts for consent. The Secure Desktop is used only if the UAC: Switch To The Secure Desktop When Prompting For Elevation policy is enabled (that policy’s default setting).
• Prompt For Consent For Non-Windows Binaries: This is the policy’s default setting. UAC prompts only when an application that is not a part of the Windows operating system requests elevation. Applications that are a part of the Windows operating system and that request elevation do not trigger a UAC prompt.
UAC: Behavior Of The Elevation Prompt For Standard Users
The UAC: Behavior Of The Elevation Prompt For Standard Users policy, shown in Figure 9-7,
determines whether and how Windows prompts a user who does not have administrative
privileges for privilege elevation. The default option automatically denies elevation requests.
Windows does not provide the user with any direct indication that this denial has occurred,
though they can infer it by the fact that they are unable to do whatever they were trying to
do that prompted the attempt at elevation in the first place. The other options are to prompt
for credentials on the Secure Desktop or to prompt for credentials. Credentials are required
because another user account, one that has administrative privileges, is necessary to approve
any elevation request.
Figure 9-7 Elevation requests for standard users
UAC: Detect Application Installations And Prompt For Elevation
The UAC: Detect Application Installations And Prompt For Elevation policy determines
whether an application installer is able to request an elevation of privilege. The default setting
is enabled, allowing the installation of software once consent or appropriate credentials have
been provided. This policy is often disabled in enterprise environments where software is
distributed through Group Policy and the direct use of application installers is not necessary.
UAC: Only Elevate Executables That Are Signed And Validated
When you enable the UAC: Only Elevate Executables That Are Signed And Validated policy,
UAC provides an elevation prompt only for executable files that have digital signatures from
a trusted certificate authority (CA). If an application has no digital signature, or has a signature
from a CA that is not trusted, UAC does not allow elevation. This policy is disabled by default and should be used only in environments where all applications that require elevation are digitally signed.
UAC: Run All Administrators In Admin Approval Mode
The UAC: Run All Administrators In Admin Approval Mode policy dictates whether Windows provides UAC for users with administrative privileges when they perform a task that requires elevation. The default setting of the policy is Enabled. When this policy is disabled, users with administrative privileges are elevated automatically when they perform a task that requires elevation. Disabling this policy disables UAC for all users with administrative rights.
UAC: Switch To The Secure Desktop When Prompting For Elevation
The UAC: Switch To The Secure Desktop When Prompting For Elevation policy determines whether the UAC prompt is displayed on the Secure Desktop when a user is prompted for elevation. Secure Desktop dims the screen and requires that a user respond to the UAC prompt before being able to continue using the computer. This functions as a security measure, ensuring that malware is unable to disguise the appearance of a UAC prompt as
a way of tricking an administrator into providing consent. This policy is enabled by default.
If this policy is disabled and the UAC: Behavior Of The Elevation Prompt For Administrators
In Admin Approval Mode policy is set to either the Prompt For Consent or Prompt For Credentials setting on the Secure Desktop, Secure Desktop is still used.
UAC: Virtualize File And Registry Write Failures To Per-User Locations
Many older applications attempt to write data to the Program Files, Windows, or Windows\System32 folder, or the HKLM\Software\ registry area. Windows 7 does not allow applications
to write data to these secure locations. To support these applications, Windows 7 allows applications to believe that they have successfully written data to these locations, when in reality, Windows 7 has redirected this data to virtualized per-user locations. When the UAC: Virtualize File And Registry Write Failures To Per-User Locations policy is disabled, Windows blocks applications from writing data to protected locations. This policy is enabled by default.
UAC: Allow UIAccess Applications To Prompt For Elevation Without Using Secure Desktop
User Interface Accessibility (UIAccess) programs are a special type of program that can interact with Windows and applications on behalf of a user. Examples include on-screen keyboard and Windows Remote Assistance. The UAC: Allow UIAccess Applications To Prompt For Elevation Without Using Secure Desktop policy determines whether UIAccess applications, which are identified as such by the properties of the application, are able to issue a UAC prompt without using Secure Desktop. The default setting for this policy is Disabled.
You should enable this policy when it is necessary for remote assistance helpers to respond
to UAC prompts that occur during a remote assistance session. During normal operation,
if a UAC prompt is triggered during a remote assistance session, the remote computer
displays the UAC prompt on the Secure Desktop. Unfortunately for the helper, the Secure
Desktop is not available to them when they are connected over a remote assistance session.
The only way that a helper can respond to these UAC prompts is if Secure Desktop is not
invoked when using UIAccess applications. This policy is only necessary if UAC prompts
are configured for standard users. If this policy is not enabled, elevation is not possible for
standard users so the helper will not get an opportunity to provide credentials.
UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations
The UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations policy
applies only to applications that request execution with the UIAccess integrity level.
The default setting for this policy is Enabled, which means that only applications that are
installed in the Windows\System32 folder and the Program Files\ folder and its subdirectories
are able to request execution with this special integrity level. Disabling this policy allows
programs that are installed in any location to request execution with the UIAccess integrity
level. Programs requesting execution with UIAccess integrity level must have a digital
signature issued by a trusted CA independent of this policy setting.
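The policies described above are stored as DWORD values under a single registry key, so their combined effect on a client can be checked with a script. The following PowerShell is an added example, not part of the original text: the registry value names do not appear in this lesson and are taken from Microsoft's UAC policy documentation, the function names are hypothetical, and the sample values are constructed.

```powershell
# Added example (not from the original text). Value names are the documented registry
# entries behind the UAC policies. Live use on Windows:
#   Get-UacPolicyReport -Values (Get-ItemProperty -Path $UacKey)
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminPrompt = @{   # ConsentPromptBehaviorAdmin
    0 = 'Elevate Without Prompting'
    1 = 'Prompt For Credentials On The Secure Desktop'
    2 = 'Prompt For Consent On The Secure Desktop'
    3 = 'Prompt For Credentials'
    4 = 'Prompt For Consent'
    5 = 'Prompt For Consent For Non-Windows Binaries'
}
$UserPrompt = @{    # ConsentPromptBehaviorUser
    0 = 'Automatically Deny Elevation Requests'
    1 = 'Prompt For Credentials On The Secure Desktop'
    3 = 'Prompt For Credentials'
}

function Resolve-UacSetting([hashtable]$Map, $Value) {
    if ($null -eq $Value) { return 'Not set' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unknown ($Value)"
}

function Get-UacPolicyReport {
    param([Parameter(Mandatory)]$Values)   # hashtable or Get-ItemProperty output

    $admin = $Values.ConsentPromptBehaviorAdmin
    # The two "On The Secure Desktop" settings use the Secure Desktop even when the
    # Switch To The Secure Desktop When Prompting For Elevation policy is disabled.
    $secureDesktop = ($Values.PromptOnSecureDesktop -eq 1) -or ($admin -in 1, 2)

    $findings = @()
    if ($Values.EnableLUA -eq 0) { $findings += 'Admin Approval Mode is off: administrators elevate automatically' }
    if ($admin -eq 0) { $findings += 'Administrators elevate without prompting' }
    if ($null -ne $admin -and $admin -ne 0 -and -not $secureDesktop) {
        $findings += 'Administrator prompts are not shown on the Secure Desktop'
    }
    if ($Values.EnableUIADesktopToggle -eq 1) { $findings += 'UIAccess applications can prompt without the Secure Desktop' }
    if ($Values.EnableSecureUIAPaths -eq 0) { $findings += 'UIAccess applications can be elevated from any location' }

    [pscustomobject]@{
        AdminPrompt        = Resolve-UacSetting $AdminPrompt $admin
        StandardUserPrompt = Resolve-UacSetting $UserPrompt $Values.ConsentPromptBehaviorUser
        AdminSecureDesktop = $secureDesktop
        Findings           = $findings
    }
}

# Constructed sample values (not read from a real machine)
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; ConsentPromptBehaviorUser = 0
             PromptOnSecureDesktop = 0; EnableUIADesktopToggle = 0; EnableSecureUIAPaths = 1 }
Get-UacPolicyReport -Values $sample | Format-List
```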
Secpol and Local Security Policy
The Local Security Policy console (also known as Secpol.msc), shown in Figure 9-8, is available
in the Administrative Tools section of the Control Panel. The console displays a subset of
the policies available in the Local Group Policy editor. You can use the Local Security Policy
console to edit what appears in the Computer Configuration\Windows Settings\Security
Settings node of the Local Group Policy editor. The advantage of the Local Security Policy
console over the Local Group Policy Console is that the Local Security Policy console is
focused specifically on security settings. Every task that you can accomplish with the Local
Security Policy console, you can also complete using the Local Group Policy Editor.
Figure 9-8 Local Security Policy
You can use both the Local Group Policy Editor and the Local Security Policy console to import and export security-related Group Policy settings. You can use this import and export functionality to apply the same security settings to stand-alone computers that are not part
of a domain environment. Exported security files are written in Security Template .inf format.
As well as using Local Group Policy Editor and the Local Security Policy console to import policies that are stored in .inf format, you can apply them using the Secedit.exe command-line utility. You use the Local Group Policy Editor in the practice which follows.
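An exported security template stores registry-backed policies, including the UAC policies, as entries in a [Registry Values] section, so a stand-alone client's export can be checked against the reference computer's export before or after the template is applied. The following PowerShell is an added example, not part of the original text: the function names are hypothetical, the registry value names come from Microsoft's UAC policy documentation, and both templates are constructed samples.

```powershell
# Added example (not from the original text): report UAC registry values that differ
# between two security templates. Real use on Windows:
#   Get-TemplateRegistryValues -Lines (Get-Content C:\Export\Base_policy.inf)
$UacValueNames = 'FilterAdministratorToken', 'EnableLUA', 'ConsentPromptBehaviorAdmin',
    'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop', 'EnableInstallerDetection',
    'ValidateAdminCodeSignatures', 'EnableVirtualization', 'EnableUIADesktopToggle',
    'EnableSecureUIAPaths'

function Get-TemplateRegistryValues {
    param([string[]]$Lines)
    $values = @{}              # hashtable keys compare case-insensitively
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
        if (-not $inSection -or $text.StartsWith(';') -or $text -notmatch '=') { continue }
        # Entry form: <key path>\<value name>=<type>,<data>   (type 4 is REG_DWORD)
        $name, $rest = $text -split '=', 2
        $type, $data = $rest -split ',', 2
        $values[$name.Trim()] = [pscustomobject]@{ Type = $type.Trim(); Data = "$data".Trim() }
    }
    $values
}

function Compare-UacTemplate {
    param([hashtable]$Reference, [hashtable]$Target)
    $prefix = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\'
    foreach ($n in $UacValueNames) {
        $ref = $Reference[$prefix + $n]
        $tgt = $Target[$prefix + $n]
        if ("$($ref.Type),$($ref.Data)" -ne "$($tgt.Type),$($tgt.Data)") {
            [pscustomobject]@{
                Value     = $n
                Reference = if ($ref) { $ref.Data } else { '(absent)' }
                Target    = if ($tgt) { $tgt.Data } else { '(absent)' }
            }
        }
    }
}

# Constructed samples standing in for the reference export and one client's export
$referenceInf = @'
[Version]
signature="$CHICAGO$"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
'@ -split "`r?`n"
$clientInf = $referenceInf -replace 'ConsentPromptBehaviorAdmin=4,1', 'ConsentPromptBehaviorAdmin=4,5'

Compare-UacTemplate (Get-TemplateRegistryValues $referenceInf) (Get-TemplateRegistryValues $clientInf) | Format-Table
```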
EXAM TIP
Understand the difference between prompt for consent and prompt for credentials.
UAC can be configured to better meet the needs of the administrators and users in your environment. In this practice, you configure different UAC options and evaluate them to get
a better idea of what configuration options are available.
Exercise 1 Configuring UAC Settings
In this exercise, you configure UAC settings and take note of how different settings influence the function of UAC.
1. Log on to computer Canberra using the Kim_Akers user account.
2. Click Start. In the Search Programs And Files text box, type User accounts. Click the User Accounts item on the Start menu.
3. Click the Manage Another Account item. Note that you are not prompted by UAC to start the Manage Accounts control panel. Click Go To The Main User Accounts Page.
4. Click the Change User Account Control settings item. Note that you are not prompted by UAC when clicking this item.
5. On the Choose When To Be Notified About Changes To Your Computer page, move the slider to Always Notify. Click OK.
6. At the User Account Control prompt, click Yes.
7. Click the Manage Another Account item. Note that this time, you are prompted by UAC and that the screen is dimmed, indicating that the Secure Desktop feature is active. Click No to cancel the UAC prompt.
8. Click the Change User Account Control settings item. Note that you are now prompted by UAC with the Secure Desktop when you click this item. Click Yes.
9. On the Choose When To Be Notified About Changes To Your Computer page, return the slider to the Default – Notify Me Only When Programs Try To Make Changes To My Computer setting. Click OK. Click Yes when prompted by the UAC prompt.
10. Close the User Accounts control panel.
Exercise 2 Configuring and Exporting UAC Policies
In this exercise, you configure User Account Control policies using the Local Security Policy
editor.
1. If you have not done so already, log on to computer Canberra using the Kim_Akers user account.
2. Using Windows Explorer, create the C:\Export folder.
3. In the Search Programs And Files text box, type edit group policy. Click the Edit Group Policy item.
4. Ensure that the Computer Configuration\Windows Settings\Security Settings node is selected. Open the Action menu and then choose Export Policy.
5. Save the exported policy as C:\Export\Base_policy.inf.
6. Within Security Settings, select the Local Policies\Security Options node. Double-click the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy.
7. Select the Prompt For Credentials On The Secure Desktop setting, as shown in Figure 9-9, and then click OK.
Figure 9-9 Prompt For Credentials On The Secure Desktop
8. Click Start. In the Search Programs And Files text box, type gpupdate /force and press Enter.
9. Click Start. In the Search Programs And Files text box, type User accounts. Click the User Accounts item on the Start menu.
10. Click the Change User Account Control Settings item. Note that you are required to enter your user name and password on the Secure Desktop, as shown in Figure 9-10. Enter your password and then click Yes.
Figure 9-10 Entering credentials
11. Notice that the User Account Control Settings slider has been set to the most secure option rather than the default setting that you set it to in the previous exercise. Click Cancel to dismiss the dialog box.
12. Ensure that the Computer Configuration\Windows Settings\Security Settings node is selected. Open the Action menu and then click Import Policy. Import the C:\Export\Base_policy.inf policy. If you receive an error, click OK.
13. In the Search Programs And Files text box, type gpupdate /force.
14. In the User Accounts control panel, click the Change User Account Control Settings item. Note that the User Account Control Settings opens and that you do not have to enter credentials. You should also note that the slider has been returned to the default position.
15. Close all open windows and log off.
Lesson Summary
• You can use the Local Security Policy console or the Local Group Policy Editor to edit security-related group policies.
• When UAC is configured to use Secure Desktop, an administrator must respond directly to the prompt before being able to continue using the computer.
• UAC can be configured to prompt for consent or prompt for credentials. Prompting for consent requires that the administrator simply assents to the elevation. Prompting for credentials requires the administrator to enter his password to allow elevation.
• By default, Windows 7 does not prompt standard users. You can configure UAC to prompt standard users for credentials. They must then provide the credentials of a user that is a member of the local administrators group.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Managing User Account Control.” The questions are also available on the companion CD if
you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect
are located in the “Answers” section at the end of the book.
1. Which policy setting should you configure to ensure that the Windows 7 built-in Administrator account must respond to a UAC prompt before elevating privileges?
A. UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Elevate Without Prompting
B. UAC: Admin Approval Mode For The Built-In Administrator Account: Enabled
C. UAC: Admin Approval Mode For The Built-In Administrator Account: Disabled
D. UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Consent For Non-Windows Binaries
2. Which of the following policy settings should you configure to ensure that users that are not members of the local Administrators group on a client running Windows 7 are prompted for credentials when they perform an action that requires the elevation of privileges?
A. User Account Control: Behavior Of The Elevation Prompt For Standard Users: Automatically Deny Elevation Requests
B. User Account Control: Behavior Of The Elevation Prompt For Standard Users: Prompt For Credentials
C. User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Credentials
D. User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Consent
3. You are responsible for managing a student lab that has 30 stand-alone clients running Windows 7. These clients are not members of a domain, though are members of the same HomeGroup. You have configured a set of UAC policies on a reference computer. You want to apply these policies to each of the 30 client computers in the lab. Which of the following tools could you use to do this? (Choose all that apply.)
A. Local Group Policy Editor console
B. Computer Management console
C. User Account Control settings
D. Local Security Policy
4. You are in the process of phasing out older applications at your organization. You want to ensure that older applications that attempt to write data to protected locations such as the \Windows\System32 folder fail and are not redirected by Windows into writing data elsewhere. Which of the following policies should you configure to accomplish this goal?
A. UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations
B. UAC: Only Elevate Executables That Are Signed And Validated
C. UAC: Behavior Of The Elevation Prompt For Standard Users
D. UAC: Virtualize File And Registry Write Failures To Per-User Locations
5. You want users that are members of the local Administrators group to be prompted for credentials when performing a task that requires elevation, but you do not want them to have to respond to this prompt on the Secure Desktop. You have configured the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy to Prompt For Credentials. Users that are members of the local administrators group are being forced onto the Secure Desktop during the UAC process. Which of the following policy settings should you configure to resolve this problem?
A. UAC: Admin Approval Mode For The Built-in Administrator Account
B. UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
C. UAC: Switch To The Secure Desktop When Prompting For Elevation
D. UAC: Behavior Of The Elevation Prompt For Standard Users