For Geeks @nd the not so Geeky

User Account Control (UAC) Settings

Windows 7 User Account Control

User Account Control, first introduced in Windows Vista, is aimed at protecting your computer against viruses, Trojans, rootkits and other malware. It protects your PC against malicious programs that try to gain system privileges and thereby compromise your computer’s safety.

In Vista, the User Account Control prompts came so often that most users turned the feature off, simply because it was too annoying to have to enter administrator credentials to perform even the simplest of tasks, like renaming a file. This of course completely defeated the purpose of UAC protection in Vista.

Windows 7 User Account Control Settings

UAC (User Account Control) has greatly improved in this respect in Windows 7 and is also easier to configure.

UAC basically uses two tokens to identify user rights, in combination with two integrity levels for programs.

  • Standard user token – used for all actions not requiring admin privileges
  • Administrator token – when full admin privileges are required
  • Low Integrity – Tasks that are less likely to compromise the OS
  • High Integrity – Tasks that could compromise the OS like installing drivers or programs

Low integrity apps cannot modify data from high integrity applications.

The shield icon is displayed when running a task requiring administrative privileges. Unlike in Windows Vista, an administrator can perform most critical tasks without receiving a UAC prompt. When a prompt appears, Windows dims the desktop, which means it is running in secure desktop mode, similar to pressing Ctrl+Alt+Del when logging on.

Users that are not part of the administrator group will have to provide admin credentials every time they want to run a program that requires elevated privileges.

Windows User Account Control – Different Application Activation Prompts

  • High-Risk Blocked Programs – red shield and title bar indicating that the program comes from a blocked publisher and cannot be run
  • Programs Signed by Windows – yellow shield and blue title bar, provide admin credentials if required
  • Unsigned Programs from Verified Publisher – simple prompt
  • Unsigned Programs from Non-Verified Publisher – Depends on the presence of a digital signature including name and publisher of the program

You can configure a program’s shortcut to always require administrative privileges by checking the Run as administrator checkbox in the Advanced Properties dialog box. Remember that the default administrator account created when installing Windows 7 never gets any UAC prompts. It is therefore best practice to keep this account disabled, as it is by default.

User Account Control can be configured through Control Panel under System and Security. Settings can be fine-tuned through group policy at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Never disable the “Run all administrators in Admin Approval Mode” setting, as this will completely disable UAC.

If you configure UAC to use Secure Desktop, an administrator has to respond to the prompts in order to keep on using the computer. It can be configured to prompt for credentials or just prompt for consent.

By default, Windows 7 does not prompt standard users, so you must configure a policy for prompting if you want to allow these users to run programs that require administrative privileges.
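The Security Options policies described above are stored as DWORD values under a single registry key, so the effective configuration can be read back and checked. The following read-only report is an added example, not part of the original article; it uses the registry value names these policies write and runs on PowerShell 2.0, the version shipped with Windows 7.

```powershell
# Added example: read-only report of the UAC policy values behind the
# Security Options settings. Nothing is modified.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> meaning of each DWORD value
$settings = @{
    'EnableLUA' = @{                    # Run all administrators in Admin Approval Mode
        0 = 'Disabled: UAC is off'
        1 = 'Enabled'
    }
    'ConsentPromptBehaviorAdmin' = @{   # Elevation prompt for administrators
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    'ConsentPromptBehaviorUser' = @{    # Elevation prompt for standard users
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    'PromptOnSecureDesktop' = @{        # Switch to the secure desktop when prompting
        0 = 'Prompts shown on the interactive desktop'
        1 = 'Prompts shown on the secure desktop'
    }
    'FilterAdministratorToken' = @{     # Admin Approval Mode for the built-in Administrator
        0 = 'Built-in Administrator is not prompted'
        1 = 'Built-in Administrator uses Admin Approval Mode'
    }
}

$props = Get-ItemProperty -Path $key
$report = foreach ($name in ($settings.Keys | Sort-Object)) {
    $raw = $props.$name
    if ($null -eq $raw) { $meaning = 'Not set (operating system default applies)' }
    elseif ($settings[$name].ContainsKey([int]$raw)) { $meaning = $settings[$name][[int]$raw] }
    else { $meaning = 'Unrecognized value' }
    New-Object PSObject -Property @{ Setting = $name; Value = $raw; Meaning = $meaning }
}
$report | Select-Object Setting, Value, Meaning | Format-Table -AutoSize

# The one setting the article says never to disable
if ($props.EnableLUA -eq 0) {
    Write-Warning 'Admin Approval Mode is disabled: UAC is completely off on this machine.'
}
```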

User Account Control in Windows 7 –  Logging on Authentication and Authorization

The majority of users provide a username and password before they can log on to Windows. In an AD DS environment you will have to press Ctrl+Alt+Del to get access to the secure desktop. Windows 7 also supports smart card logon by including drivers that support Personal Identity Verification (PIV).

Credential Manager

Windows 7 uses the Credential Manager utility in group policy for user logon to resources that require authentication, such as file servers, terminal services and web site credentials. These credentials are stored in the Windows vault and can be backed up and restored on other computers by choosing the Backup Vault and Restore Vault items in Credential Manager.

Keep in mind that EFS certificates are not stored in the Windows vault and require another method to be transferred or backed up. You can add credentials prior to accessing resources and at the same time all credentials get transferred to the Windows vault whenever you choose the “Remember my credentials” option.

Run As command

You can use the Run as command to run programs as another user with different credentials, as long as the target user account is not configured to prompt for consent or prompt for credentials. Run as can be executed by right-clicking a program shortcut and choosing Run as from the drop-down menu, or from the command line:
runas /user:Domain\username "application.exe"

If you need to access EFS encrypted files you can use the /profile switch, which will load the target user’s profile, enabling you to have access to the EFS certificates stored in the user’s profile. The /savecred switch allows you to store the credentials in the Windows Vault for future use.

  • Windows Credentials – standard Windows authentication using Kerberos or NTLM
  • Certificate-Based Credentials
  • Generic Credentials – customized credentials

User Account Control Settings – Certificate Console/Manager (certmgr.msc)

  • Allows you to view, manage and configure different types of certificates
  • You can use the Local Security Policy console or the Local Group Policy Editor to edit security-related group policies
  • You can use Certmgr.msc, Cipher.exe, or the Manage File Encryption Certificates tool to back up EFS certificates.