User Account Control
Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2 have a new security feature User Account Control (UAC). UAC was created to prevent unauthorized changes to the operating system configuration or file system.
In Windows XP and earlier versions of Windows, malicious software programs can exploit that most user accounts are configured as members of the local computers administrators group.
If a user attempts to start an administrator task or service, the User Account Control dialog box asks the user to click either Yes or No before full administrator access can be used. If the user is not an administrator, the user must provide an administrators credentials to run the program.
So UAC helps standard users and administrators protect their computers by preventing programs that may be malicious from running,and UAC helps enterprise administrators protect their network by preventing users from running malicious software.
Windows 7 and Windows Server 2008 R2, UAC improvements
Increases the number of tasks that the standard user can perform that do not prompt for administrator approval. Allow a user with administrator privileges to configure the UAC experience in the Control Panel. Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval Mode. Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users. The built-in Administrator account in Windows Server 2008 R2, which is the first account created on a server, does not run in Admin Approval Mode. The built-in Administrator account is disabled by default in Windows 7 and cannot log on to the computer in Safe Mode.
Computers that are not domain controllers
If you have at least one configured local administrator account, the disabled built in Administrator account cannot log on in Safe Mode. Instead,use any local administrator to log on. If the last local administrator account is demoted, disabled, or deleted, Safe Mode allows the disabled built in Administrator account to log on for disaster recovery. If the built-in Administrator account is the only administrator account on Windows Vista, when upgrading to Windows 7, Safe Mode allows the disabled built in Administrator account to log on to create at least one administrator account.
Computers that are domain controllers
The disabled built-in Administrator account in all cases cannot log on in Safe Mode. A user account that is a member of the Domain Admins group can log on to the computer to create a local administrator if none exists. If the domain administrator account has never logged on to the client computer, you must start the computer in Safe Mode with Networking to cache the credentials on the client computer. Windows Vista has two levels of UAC protection on or off. Windows 7 and Windows Server 2008 R2 introduce additional prompt levels that are similar to the Internet Explorer security zone model. If you are logged on as a local administrator, you can enable or disable UAC prompts, or choose when to be notified about changes to the computer. There are four levels of notification to choose from:
Never notify me.
Only notify me when programs try to make changes to my computer.
Always notify me.
Always notify me and wait for my response.
If you are logged on as a local administrator, you can change the behavior of UAC prompts in the local security policies for local administrators in Admin Approval Mode.
Elevate without prompting.
Prompt for credentials on the secure desktop.
Prompt for consent on the secure desktop.
If you are logged on as a local administrator, you can change the behavior of UAC prompts in the local security policies for standard users.
Automatically deny elevation requests. Prompt for credentials on the secure desktop. Because of the changes to UAC, when upgrading from Windows Vista to Windows 7, UAC settings are not transferred.
Group Policy is the best way to confgure UAC in AD DS environments.In workgroup environments, administrators can confgure UAC on a single computer using the Control Panel.
You can configure UAC using local or Active Directory Domain Services (AD DS) Group Policy
settings located in the following node:
Computer Confguration\Policies\Windows Settings\Security Settings\Local Policies \Security Options. You can confgure the following settings:
User Account Control: Change this setting to Prompt For Credentials to cause Admin Approval Mode UAC prompts to behave like prompts for standard users, requiring the user to type an administrative password instead of simply clicking Continue. Change this setting to Elevate Without Prompting to provide administrative privileges automatically, effectively disabling UAC for administrative accounts. This reduces the security protection provided by Windows 7 and might allow malicious software to install or make changes to the system without the administrators knowledge.
User Account Control: Admin Approval Mode For The Built in Administrator Account. Applies only to the built-in Administrator account and not to other accounts that are members of the local administrators group. If you enable this policy setting, the built-in Administrator account has UAC Admin Approval Mode enabled, just like other administrative accounts. If you disable the setting, the built-in Administrator account behaves just like it does in Windows XP.
User Account Control: Detect Application Installations And Prompt For Elevation. This setting is enabled in workgroup environments and disabled in domain environments. When enabled, UAC will prompt for administrator credentials when the user attempts to install an application that makes changes to protected aspects of the system. When disabled, the prompt will not appear.
User Account Control: Only Elevate Executables That Are Signed And Validated.
If your environment requires all applications to be signed and validated with a trusted certifcate, you can enable this policy. When enabled, Windows Vista will refuse to run any executable that is not signed with a trusted certifcate. All software with the Certifed For Windows Vista logo must be signed with an Authenticode certifcate, This setting is disabled by default,which allows users to run any executable, including potentially malicious software.
User Account Control: Allow UIAccess Applications to Prompt For Elevation Without Using The Secure Desktop. This setting controls whether User Interface Accessibility (UIAccess) programs can automatically disable the secure desktop By default, this setting is disabled When enabled, UIAccess applications (such as Remote Assistance) automatically disable the secure desktop for elevation prompts Disabling the secure desktop causes elevation prompts to appear in the standard desktop.
User Account Control: Only Elevate UIAccess Applications That Are Installed In Secure locations. This setting, causes Windows Vista to grant user interface access to only those applications started from Program Files, from \Windows\System32\, or from a subdirectory.This setting effectively prevents non-administrators from downloading and running an application because non-administrators will not have the privileges necessary to copy an executable file to one of those folders.
User Account Control: Run All Administrators In Admin Approval Mode:
This setting, causes all accounts with administrator privileges except for the local Administrator account to use Admin Approval Mode If you disable this setting, Admin Approval Mode is disabled for administrative accounts, and the Security Center will display a warning message.
User Account Control: Switch To The Secure Desktop When Prompting For Elevation: This setting, causes the screen to darken when a UAC prompt appears. If the appearance of the entire desktop changes,it is very diffcult for malware that has not been previously installed to impersonate a UAC prompt.
User Account Control: Virtualize File And Registry Write Failures To Per-User locations. This setting, improves compatibility with applications not developed for UAC by redirecting requests for protected resources.
Enumerate Administrator Accounts On Elevation:
By default, this setting is disabled, which causes the UAC prompt to list all Administrator accounts displayed when
a user attempts to elevate a running application If you enable this setting, users are
required to type both a user name and password to elevate their privileges.
Changes made while logged on as an administrator affect all administrators, and changes made while
logged on as a user affect all users. To change the default setting, follow these steps:
1.In Control Panel, click System And Security
2. Under Action Center, click Change User Account Control Settings
3. Select one of the four notifcation levels:
Always Notify Me: Users are notifed when they make changes to Windows settings and when programs attempt to make changes to the computer.
Notify Me Only When Programs Try To Make Changes To My Computer: Users are not notifed when they make changes to Windows settings, but they do receive notifcation when a program attempts to make changes to the computer.
Notify Me Only When Programs Try To Make Changes To My Computer (Do Not Dim The Desktop): Similar to the previous setting, but the secure desktop is not used.Only available to administrators.
Never Notify Me: Users are not notifed of any changes made to Windows settings or when software is installed: This causes all elevation-requests to be automatically accepted Available only to administrators.
4. Click OK Restart the computer
Configure auditing for privilege elevation
You can enable auditing for privilege elevation so that every time a user provides administrator credentials or an administrator clicks continue at a UAC prompt, an event is added to the Security Event Log. To enable privilege elevation auditing, enable success auditing for both the Audit Process Tracking and Audit Privilege Use settings in the Local Policies\Audit Policy node of Group Policy. Enable auditing only when testing applications or troubleshooting problems, auditing can generate an excessive number of events that affect computer performance. To enable auditing on a single computer, use the Local Security Policy console. To enable auditing on multiple computers within a domain, use Group Policy settings In Group Policy, auditing settings are located within Computer Confguration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy node. If you change auditing settings, you must restart the computer for the change to take effect. After enabling Audit Privilege Use, you can monitor Event IDs 4648 and 4624 in the Security Event Log to determine when users elevate privileges using the UAC consent dialog box.
After enabling Audit Process Tracking, you can monitor Event ID 4688 to determine when
administrators make use of Admin Approval Mode to provide full administrator privileges to processes.
Many events with Event ID 4688 will not be applications started by the user.
Most of these events are generated by background processes and services.
Besides security auditing, UAC provides two additional logs
within Event Viewer:
Applications and Services logs\Microsoft\Windows\UAC\Operational Logs UAC
errors, such as processes that fail to handle elevation requirements correct.
Applications and Services logs\Microsoft\Windows\UAC-FileVirtualization \Operational Logs UAC virtualization details, such as virtualized files that are created or deleted. Msconfg exe is a troubleshooting tool that can be useful for temporarily disabling UAC to determine whether UAC is causing an application compatibility problem.
UAC in Windows 8 and Windows Server 2012
Windows 7 made it easier to manage UAC than in Vista,this continues in Windows 8. Windows 8 allows only a single user account in the administrators group,all other accounts are members of standard users group.So now you only have one single administrators account and this always needs a password. If you run as a standard user and attempt a task that requires admin privileges Windows 8 uses an extra level of protection, instead of just prompt for consent it asks for the password for the main administrative account.
Configure UAC in Windows 8
1. Press Windows logo+W type UAC and click Change User Account Settings
2.Choose one of the settings
- Always notify
- No secure desktop
- Never notify
3.Click OK and enter UAC credentials to put settings in effect. Note:Windows Store apps cannot start when User Account Control is turned off. In Windows Server 2012 UAC functionality is improved to: Allow a user with administrator privileges to configure the UAC experience in the Control Panel.
Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval Mode.
Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users.
Changes in Windows Server 2012 UAC from previous Windows versions. The new setting will:
Keep the UAC service running.
Cause all elevation request initiated by administrators to be auto approved without showing a UAC prompt.
Automatically deny all elevation requests for standard users. The new slider will never turn UAC completely off.In order to fully disable UAC you must disable the policy User Account Control: Run all administrators in Admin Approval Mode.