Last week I finished my ramblings about Power Management and Group Policy. I decided to change this week’s discussion…sort of. My earlier blogs were about new registry-based policy settings. However, this week I want to focus on security policy settings, specifically security policy settings regarding User Account Control.
User Account Control in Windows Vista requires all users run in a standard user mode, Its purpose; to limit the user’s ability from changing critical operating system files or expose their computer and network to viruses and malware. Windows Vista displays an authorization dialog box when a task requires administrative privileges, such as opening the Microsoft Management Console (MMC). You, the administrator, provide administrative credentials to “elevate” your privileges for the specific process (You can read more about User Account Control, on the Microsoft Windows Vista TechNet site http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx).
Windows Vista provides you with nine security policy settings to control how User Account Control behaves. You can locate these security policy settings under Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options. These security policy settings are Windows Vista policy settings and apply only to computers running Windows Vista., these policy settings can co-exist in GPOs applicable to clients earlier than Windows Vista. Operating systems other than Windows Vista will ignore the settings
Before I begin, I want to tell you about another Windows Vista feature with security policy settings. This valuable feature is a little hard to find. Each security policy setting has explain text similar to registry-based policy settings (Windows Vista RC1). Simply double-click on the security policy setting and then click on the Explain tab to view detailed information about the security policy setting; enabled and disabled behavior; and default values. I digress a little however; I believe this is absolutely worth mentioning. Now, on to the User Account Control policy settings.
Windows Vista provides nine security policy settings to control the behavior of User Account Control. You can enable these security policy settings in Local Computer and Domain-based Group Policy objects. Each security policy setting starts with “User Account Control” and then the actual name of the policy settings. The Group Policy Object Editor lists security policy settings in alphabetical order, so just scroll to the end.
The first of these policies controls the Admin Approval Mode for the built-in administrators account. When enabled, the Admin Approval mode is on for the built-in administrator account causes Windows prompts the administrators for any operations requiring an elevation in privilege. The prompt gives the administrator the choice to Permit or Deny the request for elevation. When disabled, Admin Approval mode is off. The built-in administrator account runs all applications using full administrative privileges and does not prompt for elevation.
The next two security policy settings control the type of prompt for User Account Control uses. These security policy settings are Behavior of the elevation prompt for administrators in Admin Approval Mode and Behavior of the elevation prompt for standard users. Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting provides three choices
- Prompt for Consent –provides a dialog box asking you to either Permit or Deny the request for elevation.
- Prompt for Credentials –provides an authentication dialog box asking you to provide administrative credentials to permit the request for elevation.
- Elevate without Prompting –automatically permits the request for elevation without prompting the administrator.
The Behavior of the elevation prompt for standard users security policy setting provides two choices. Prompt for Credentials and Automatically deny elevation requests where Windows denies all requests for elevation and displays an Access Denied error message.
When enabled, the Detect application installation and prompt for elevation security policy setting causes Windows to detect heuristically for installation packages that require an elevation of privilege and triggers a User Account Control prompt for elevation. Disabling this security policy setting disables detection process.
Enabling the security policy setting Only elevate executables that are signed and validated enforces Windows Vista to validate the Public Key Infrastructure (PKI) certificate chain before permitting it to run. Disabling this security policy setting does not enforce validation of the PKI certificate chain.
The next security policy setting listed is, Only elevate UIAccess applications that are installed in secure locations. UIAccess applications are applications designed specifically to assist with user accessibility. These applications typically send information to other applications. The on-screen keyboard is an example of a UIAccess application. When enabled, Windows enforces UIAccess application to run from a secure location. These secure locations include:
- …Program Files... including all sub folders.
- …Program Files (x86)... including all sub folders (64-bit versions).
Your desktop appearance changes when Windows Vista prompts you for elevation. Windows displays a gradient shade of gray over your existing desktop and then you see the prompt for elevation, in color. Actually, Windows switches your desktop to a secure desktop before prompting you for elevation. This describes the enabled behavior of the security policy setting Switch to the secure desktop when prompting for elevation. When disabled, Windows prompts for elevation on your existing desktop.
Some applications read or write registry information or files to locations that Windows protects from normal users. This usually requires the user to run the application as an administrator until an application upgrade becomes available. Windows Vista helps by providing virtualized file and registry writes to areas previously protected from normal users. This feature redirects writes destined for protected locations to locations where users have write access. The security policy setting Virtualize file and registry write failures to per-user locations provides this behavior, when enabled. When you disable this security policy setting, applications attempting to write in protected locations fail as with earlier versions of Windows.
The last security policy setting controlling User Account Control behavior is probably the most important one. Run all users, including administrators, as standard users is a security policy setting the affects all other User Account Control security policy settings. Enabling this policy turns on Admin Approval Mode and enables all other User Account Control polices to their default values. Disabling this policy turns off Admin Approval Mode and disables all related User Account Control security policy settings. Lastly, changing this security policy setting requires a reboot.
So, when you are evaluating your security policy during your Windows Vista deployment, look at the explain text for each security policy setting. Make sure you fully understand its impact before changing a security policy setting. Then, do not forget to include User Account Control policy settings in your security policy. These security policy settings can help you keep your computer, network, and data safe and secure.
NEXT WEEK: User Profile policy settings
Mike Stephens, Technical Writer, Group Policy