Advanced Control of UAC

Here in this lesson, we’ll learn some useful techniques for controlling the UAC (User Access Control).

What is User Access Control?

User Access Control (UAC) is a feature of Windows that can help prevent unauthorized changes to your computer. UAC does this by asking you for permission or an administrator password before performing actions that could potentially affect your computer’s operation or that change settings that affect other users.

By default, Administrator users do not have administrative privileges. Every Windows process has two security tokens associated with it, one with normal user privileges and one with admin privileges. With applications that require administrative privileges, the user can elevate the application to run with Administrator rights. And that process is called Elevation.

User can elevate an application either by clicking “Run as Administrator” from the context menu of the application icon, or by editing the Compatibility tab in the properties of the application file.
Also, while an application is running, it can ask the user to provide administrative permission to complete a specific operation (a good example is switching to the All Users mode in Task Manager.)

Disabling or Enabling UAC

You can disable or enable the UAC simply from the Control Panel from the User Accounts configuration.

By clicking the “Turn UAC on or off” option, you can disable or enable the UAC.

Advanced Control of UAC

You can control every aspect of UAC using the Local Security Policy MMC snap-in. You can open this snap in from Administrative Tools in the Control Panel.

After opening Local Security Policy utility, step down to the Local Policies, then to the Security Options node.

From the right, you can find a list of security policies that you can take control of.

We are interested in the nine policies that are applied to the UAC, and these policies are:

Admin Approval Mode for the Built-in Administrator account

This policy specifies whether to enable Admin Approval Mode for the built-in Administrator account or not.
Admin Approval Mode means requiring the user via the UAC messages to approve administrative operations. In other words, it means enabling the elevation process.
This policy is disabled by default.

Behavior of the Elevation Prompt for Administrators in Admin Approval Mode

This policy defines the behavior for the administrators while in Admin Approval Mode (while the previous policy is enabled.)
You can set this policy to one of three options:

• Prompt for consent (default):

  Ask the user to provide the permission by clicking either Allow button (sometimes Continue) or Cancel button.

• Prompt for credentials:

  Ask the user to enter his password.

• Elevate without prompting:

  Grant the permission without asking the user.

Behavior of the Elevation Prompt for Standard Users

This policy defines the behavior for standard users (non-Administrator users) while elevation.
This policy can have one of two options:

• Prompt for credentials (the default for home editions):
  Asking the user to provide administrator username and password.
• Automatically deny elevation requests (the default for enterprise editions):
  Do not ask the user and automatically deny the elevation request.

Detect Application Installations and Prompt for Elevation

This policy defines whether to prompt for elevation for application installations or to allow them without asking.
By default, this policy is enabled for home editions, and disabled for enterprise editions.

Only Elevate Executables that are Signed and Validated

This policy defines whether to elevate only the applications from known vendors (like Microsoft of course), or prompting for elevation for all applications.
This policy is disabled by default.

Only Elevate UIAccess Applications that are Installed in Secure Locations

If the application requests execution with the UIAccess integrity level, this policy defines whether to allow the application if it resides in secure locations (like Program Files), or not.
This policy is enabled by default.

Run All Administrators in Admin Approval Mode

This policy defines the behavior of all UAC policies for the entire system.
If this policy is enabled, all administrators will run in Admin Approval Mode and you will be asked for elevation. Conversely, if this policy is disabled, then all administrators will be granted the permission by default.
This policy is enabled by default.

Switch to the Secure Desktop when Prompting for Elevation

This policy defines whether all elevation requests will go to the Secure Desktop or the Interactive Desktop.

Secure Desktop is the default option, and that means that you will not have the ability to interact with other applications until you allow or deny the elevation request. Interactive Desktop means that you have the ability to interact with other applications while you are asked for the elevation.

Virtualizes File and Registry Write Failures to Per-user Locations

This policy defines whether to use File and Registry Virtualization or not. File and Registry Virtualization means that applications that are not running in administrator mode will be redirected to a specific location if they try to write or read from/to a specific locations like the Program Files and Windows directories for the File Virtualization, and HKLM for the Registry Virtualization.

This policy is enabled by default.

Read about File and Registry Virtualization and see them in action.

Last Word

For security reasons, it is recommended that you leave the UAC enabled and leave its default options. But, you must be very wise if you are going to change UAC options -or other security policies of course.-

Posted in Windows Vista
Tagged: CodeProject, Security, UAC, Windows, Windows Vista