CHAPTER 9 Authentication and Account Control
Lesson 1: Managing User Account Control

the built-in Administrator account using the Accounts: Administrator Account Status policy, which is also located in the Security Options node. The default setting of this policy is Disabled. If you enable the built-in Administrator account, privilege elevation occurs automatically without a UAC prompt. If you enable the policy and the built-in Administrator account, the built-in account receives UAC prompts when attempting tasks that require privilege elevation.

UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode

The UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy functions in a similar way to the User Account Control Settings dialog box that was covered earlier in this lesson. It allows you to configure how intrusive UAC is for users that log on to a client running Windows 7 with administrative privileges. Unlike the UAC Settings dialog box, which has four settings, the UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy, shown in Figure 9-4, has six settings.

FIGURE 9-4 Elevation prompt for administrators

These settings work as follows:

- Elevate Without Prompting: This is the least secure setting and is the equivalent of disabling UAC. Requests for elevation are approved automatically.
- Prompt For Credentials On The Secure Desktop: UAC always prompts the administrator for a password, as shown in Figure 9-5, on the Secure Desktop.

FIGURE 9-5 Prompt for credentials

- Prompt For Consent On The Secure Desktop: UAC always prompts the administrator for consent on the Secure Desktop, as shown in Figure 9-6. This setting does not require the user to enter a password.

FIGURE 9-6 Consent prompt

- Prompt For Credentials: The user must enter a password.
The Secure Desktop is used only if the UAC: Switch To The Secure Desktop When Prompting For Elevation policy is enabled (that policy’s default setting).
- Prompt For Consent: This policy prompts for consent. The Secure Desktop is used only if the UAC: Switch To The Secure Desktop When Prompting For Elevation policy is enabled (that policy’s default setting).
- Prompt For Consent For Non-Windows Binaries: This is the policy’s default setting. UAC prompts only when an application that is not a part of the Windows operating system requests elevation. Applications that are a part of the Windows operating system and that request elevation do not trigger a UAC prompt.

UAC: Behavior Of The Elevation Prompt For Standard Users

The UAC: Behavior Of The Elevation Prompt For Standard Users policy, shown in Figure 9-7, determines whether and how Windows prompts a user who does not have administrative privileges for privilege elevation. The default option automatically denies elevation requests. Windows does not provide the user with any direct indication that this denial has occurred, though they can infer it by the fact that they are unable to do whatever they were trying to do that prompted the attempt at elevation in the first place. The other options are to prompt for credentials on the Secure Desktop or to prompt for credentials. Credentials are required because another user account, one that has administrative privileges, is necessary to approve any elevation request.

FIGURE 9-7 Elevation requests for standard users

UAC: Detect Application Installations And Prompt For Elevation

The UAC: Detect Application Installations And Prompt For Elevation policy determines whether an application installer is able to request an elevation of privilege. The default setting is enabled, allowing the installation of software once consent or appropriate credentials have been provided.
This policy is often disabled in enterprise environments where software is distributed through Group Policy and the direct use of application installers is not necessary.

UAC: Only Elevate Executables That Are Signed And Validated

When you enable the UAC: Only Elevate Executables That Are Signed And Validated policy, UAC provides an elevation prompt only for executable files that have digital signatures from a trusted certificate authority (CA). If an application has no digital signature, or has a signature from a CA that is not trusted, UAC does not allow elevation. This policy is disabled by default and should be used only in environments where all applications that require elevation are digitally signed.

UAC: Run All Administrators In Admin Approval Mode

The UAC: Run All Administrators In Admin Approval Mode policy dictates whether Windows provides UAC for users with administrative privileges when they perform a task that requires elevation. The default setting of the policy is Enabled. When this policy is disabled, users with administrative privileges are elevated automatically when they perform a task that requires elevation. Disabling this policy disables UAC for all users with administrative rights.

UAC: Switch To The Secure Desktop When Prompting For Elevation

The UAC: Switch To The Secure Desktop When Prompting For Elevation policy determines whether the UAC prompt is displayed on the Secure Desktop when a user is prompted for elevation. Secure Desktop dims the screen and requires that a user respond to the UAC prompt before being able to continue using the computer. This functions as a security measure, ensuring that malware is unable to disguise the appearance of a UAC prompt as a way of tricking an administrator into providing consent. This policy is enabled by default.
If this policy is disabled and the UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy is set to either the Prompt For Consent or Prompt For Credentials setting on the Secure Desktop, Secure Desktop is still used.

UAC: Virtualize File And Registry Write Failures To Per-User Locations

Many older applications attempt to write data to the Program Files, Windows, or Windows\System32 folder, or the HKLM\Software\ registry area. Windows 7 does not allow applications to write data to these secure locations. To support these applications, Windows 7 allows applications to believe that they have successfully written data to these locations, when in reality, Windows 7 has redirected this data to virtualized per-user locations. When the UAC: Virtualize File And Registry Write Failures To Per-User Locations policy is disabled, Windows blocks applications from writing data to protected locations. This policy is enabled by default.

UAC: Allow UIAccess Applications To Prompt For Elevation Without Using Secure Desktop

User Interface Accessibility (UIAccess) programs are a special type of program that can interact with Windows and applications on behalf of a user. Examples include on-screen keyboard and Windows Remote Assistance. The UAC: Allow UIAccess Applications To Prompt For Elevation Without Using Secure Desktop policy determines whether UIAccess applications, which are identified as such by the properties of the application, are able to issue a UAC prompt without using Secure Desktop. The default setting for this policy is Disabled. You should enable this policy when it is necessary for remote assistance helpers to respond to UAC prompts that occur during a remote assistance session. During normal operation, if a UAC prompt is triggered during a remote assistance session, the remote computer displays the UAC prompt on the Secure Desktop.
Unfortunately for the helper, the Secure Desktop is not available to them when they are connected over a remote assistance session. The only way that a helper can respond to these UAC prompts is if Secure Desktop is not invoked when using UIAccess applications. This policy is only necessary if UAC prompts are configured for standard users. If this policy is not enabled, elevation is not possible for standard users so the helper will not get an opportunity to provide credentials.

UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations

The UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations policy applies only to applications that request execution with the UIAccess integrity level. The default setting for this policy is Enabled, which means that only applications that are installed in the Windows\System32 folder and the Program Files\ folder and its subdirectories are able to request execution with this special integrity level. Disabling this policy allows programs that are installed in any location to request execution with the UIAccess integrity level. Programs requesting execution with UIAccess integrity level must have a digital signature issued by a trusted CA independent of this policy setting.

Secpol and Local Security Policy

The Local Security Policy console (also known as Secpol.msc), shown in Figure 9-8, is available in the Administrative Tools section of the Control Panel. The console displays a subset of the policies available in the Local Group Policy editor. You can use the Local Security Policy console to edit what appears in the Computer Configuration\Windows Settings\Security Settings node of the Local Group Policy editor. The advantage of the Local Security Policy console over the Local Group Policy Console is that the Local Security Policy console is focused specifically on security settings.
Every task that you can accomplish with the Local Security Policy console, you can also complete using the Local Group Policy Editor.

FIGURE 9-8 Local Security Policy

You can use both the Local Group Policy Editor and the Local Security Policy console to import and export security-related Group Policy settings. You can use this import and export functionality to apply the same security settings to stand-alone computers that are not part of a domain environment. Exported security files are written in Security Template .inf format. As well as using Local Group Policy Editor and the Local Security Policy console to import policies that are stored in .inf format, you can apply them using the Secedit.exe command-line utility. You use the Local Group Policy Editor in the practice which follows.

EXAM TIP
Understand the difference between prompt for consent and prompt for credentials.

PRACTICE Configuring User Account Control

UAC can be configured to better meet the needs of the administrators and users in your environment. In this practice, you configure different UAC options and evaluate them to get a better idea of what configuration options are available.

EXERCISE 1 Configuring UAC Settings

In this exercise, you configure UAC settings and take note of how different settings influence the function of UAC.

1. Log on to computer Canberra using the Kim_Akers user account.
2. Click Start. In the Search Programs And Files text box, type User Accounts. Click the User Accounts item on the Start menu.
3. Click the Manage Another Account item. Note that you are not prompted by UAC to start the Manage Accounts control panel. Click Go To The Main User Accounts Page.
4. Click the Change User Account Control settings item. Note that you are not prompted by UAC when clicking this item.
5. On the Choose When To Be Notified About Changes To Your Computer page, move the slider to Always Notify. Click OK.
6. At the User Account Control prompt, click Yes.
7. Click the Manage Another Account item. Note that this time, you are prompted by UAC and that the screen is dimmed, indicating that the Secure Desktop feature is active. Click No to cancel the UAC prompt.
8. Click the Change User Account Control settings item. Note that you are now prompted by UAC with the Secure Desktop when you click this item. Click Yes.
9. On the Choose When To Be Notified About Changes To Your Computer page, return the slider to the Default – Notify Me Only When Programs Try To Make Changes To My Computer setting. Click OK. Click Yes when prompted by the UAC prompt.
10. Close the User Accounts control panel.

EXERCISE 2 Configuring and Exporting UAC Policies

In this exercise, you configure User Account Control policies using the Local Security Policy editor.

1. If you have not done so already, log on to computer Canberra using the Kim_Akers user account.
2. Using Windows Explorer, create the C:\Export folder.
3. In the Search Programs And Files text box, type Edit Group Policy. Click the Edit Group Policy item.
4. Ensure that the Computer Configuration\Windows Settings\Security Settings node is selected. Open the Action menu and then choose Export Policy.
5. Save the exported policy as C:\Export\Base_policy.inf.
6. Within Security Settings, select the Local Policies\Security Options node. Double-click the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy.
7. Select the Prompt For Credentials On The Secure Desktop setting, as shown in Figure 9-9, and then click OK.

FIGURE 9-9 Prompt For Credentials On The Secure Desktop

8. Click Start. In the Search Programs And Files text box, type gpupdate /force and press Enter.
9. Click Start. In the Search Programs And Files text box, type User Accounts. Click the User Accounts item on the Start menu.
10. Click the Change User Account Control Settings item. Note that you are required to enter your user name and password on the Secure Desktop, as shown in Figure 9-10. Enter your password and then click Yes.

FIGURE 9-10 Entering credentials

11. Notice that the User Account Control Settings slider has been set to the most secure option rather than the default setting that you set it to in the previous exercise. Click Cancel to dismiss the dialog box.
12. Ensure that the Computer Configuration\Windows Settings\Security Settings node is selected. Open the Action menu and then click Import Policy. Import the C:\Export\Base_policy.inf policy. If you receive an error, click OK.
13. In the Search Programs And Files text box, type gpupdate /force.
14. In the User Accounts control panel, click the Change User Account Control Settings item. Note that the User Account Control Settings opens and that you do not have to enter credentials. You should also note that the slider has been returned to the default position.
15. Close all open windows and log off.

Lesson Summary

- You can use the Local Security Policy console or the Local Group Policy Editor to edit security-related group policies.
- When UAC is configured to use Secure Desktop, an administrator must respond directly to the prompt before being able to continue using the computer.
- UAC can be configured to prompt for consent or prompt for credentials. Prompting for consent requires that the administrator simply assents to the elevation. Prompting for credentials requires the administrator to enter his password to allow elevation.
- By default, Windows 7 does not prompt standard users. You can configure UAC to prompt standard users for credentials. They must then provide the credentials of a user that is a member of the local administrators group.
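
The following is an added example, not part of the book: a Python script that reads the [Registry Values] section of an exported Security Template such as Base_policy.inf, decodes the UAC settings described in this lesson, and flags Elevate Without Prompting, a disabled Admin Approval Mode, or a disabled Secure Desktop. The registry value names (ConsentPromptBehaviorAdmin, EnableLUA, PromptOnSecureDesktop) do not appear in the lesson, and the sample template is constructed for illustration.

```python
# Added example. Real exports are UTF-16: open(path, encoding="utf-16").
UAC_KEY = "machine\\software\\microsoft\\windows\\currentversion\\policies\\system\\"
ON_OFF = {0: "Disabled", 1: "Enabled"}
ADMIN_PROMPT = {
    0: "Elevate Without Prompting",
    1: "Prompt For Credentials On The Secure Desktop",
    2: "Prompt For Consent On The Secure Desktop",
    3: "Prompt For Credentials",
    4: "Prompt For Consent",
    5: "Prompt For Consent For Non-Windows Binaries",
}
# registry value name -> (policy name from the lesson, value to flag, labels)
UAC_POLICIES = {
    "ConsentPromptBehaviorAdmin": ("Behavior Of The Elevation Prompt For "
        "Administrators In Admin Approval Mode", 0, ADMIN_PROMPT),
    "EnableLUA": ("Run All Administrators In Admin Approval Mode", 0, ON_OFF),
    "PromptOnSecureDesktop": ("Switch To The Secure Desktop When Prompting "
        "For Elevation", 0, ON_OFF),
}
# Constructed sample, not a real export: the admin prompt is set to 0.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
"""

def parse_registry_values(inf_text):
    """Return {lowercased path: (type, value)} from the [Registry Values] section."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "registry values" and "=" in line and not line.startswith(";"):
            path, _, data = line.partition("=")
            reg_type, _, value = data.partition(",")
            if reg_type.strip().isdigit():
                values[path.strip().lower()] = (int(reg_type), value.strip())
    return values

def audit_uac(inf_text):
    """Return (decoded settings, findings) for the UAC policies above."""
    reg = parse_registry_values(inf_text)
    settings, findings = {}, []
    for name, (policy, weak, labels) in UAC_POLICIES.items():
        reg_type, value = reg.get(UAC_KEY + name.lower(), (None, ""))
        if reg_type != 4 or not value.isdigit():   # 4 = REG_DWORD
            settings[policy] = "not defined (as REG_DWORD) in template"
            continue
        settings[policy] = labels.get(int(value), "unknown value " + value)
        if int(value) == weak:
            findings.append(policy + ": " + settings[policy])
    return settings, findings

if __name__ == "__main__":
    print(audit_uac(SAMPLE_INF))
```
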
Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Managing User Account Control.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.

1. Which policy setting should you configure to ensure that the Windows 7 built-in Administrator account must respond to a UAC prompt before elevating privileges?
   A. UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Elevate Without Prompting
   B. UAC: Admin Approval Mode For The Built-In Administrator Account: Enabled
   C. UAC: Admin Approval Mode For The Built-In Administrator Account: Disabled
   D. UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Consent For Non-Windows Binaries

2. Which of the following policy settings should you configure to ensure that users that are not members of the local Administrators group on a client running Windows 7 are prompted for credentials when they perform an action that requires the elevation of privileges?
   A. User Account Control: Behavior Of The Elevation Prompt For Standard Users: Automatically Deny Elevation Requests
   B. User Account Control: Behavior Of The Elevation Prompt For Standard Users: Prompt For Credentials
   C. User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Credentials
   D. User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Consent

3. You are responsible for managing a student lab that has 30 stand-alone clients running Windows 7. These clients are not members of a domain, though are members of the same HomeGroup. You have configured a set of UAC policies on a reference computer.
You want to apply these policies to each of the 30 client computers in the lab. Which of the following tools could you use to do this? (Choose all that apply.)
   A. Local Group Policy Editor console
   B. Computer Management console
   C. User Account Control settings
   D. Local Security Policy

4. You are in the process of phasing out older applications at your organization. You want to ensure that older applications that attempt to write data to protected locations such as the \Windows\System32 folder fail and are not redirected by Windows into writing data elsewhere. Which of the following policies should you configure to accomplish this goal?
   A. UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations
   B. UAC: Only Elevate Executables That Are Signed And Validated
   C. UAC: Behavior Of The Elevation Prompt For Standard Users
   D. UAC: Virtualize File And Registry Write Failures To Per-User Locations

5. You want users that are members of the local Administrators group to be prompted for credentials when performing a task that requires elevation, but you do not want them to have to respond to this prompt on the Secure Desktop. You have configured the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode to Prompt For Credentials. Users that are members of the local administrators group are being forced onto the Secure Desktop during the UAC process. Which of the following policy settings should you configure to resolve this problem?
   A. UAC: Admin Approval Mode For The Built-In Administrator Account
   B. UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
   C. UAC: Switch To The Secure Desktop When Prompting For Elevation
   D. UAC: Behavior Of The Elevation Prompt For Standard Users