Configure User Account Protection

25 September 2005 by Snakefoot
Many users give themselves Administrator rights even for daily tasks, so any malicious software that attacks them also gets Administrator rights.
User Account Protection (UAP) is an attempt to solve this problem by introducing two modes:
  • Admin Approval Mode: when logged in as a local administrator, one has to give consent to allow an application to perform administrative tasks.
  • Standard User Mode: when logged in as a standard user, one has to provide credentials for an administrator account to allow an application to perform administrative tasks.
When UAP is enabled, the desktop (Explorer.exe) is launched with Standard User privileges (a.k.a. secure desktop), and all applications launched from the desktop inherit the same privileges. Only through the Application Information Service (AIS) can an application be given an administrator token, either by consent or by credentials.

Virtualization is part of UAC and ensures that applications are redirected into the VirtualStore folder of the user profile when they try to modify files or registry keys at the system level. Even if an application is allowed to modify the registry, the change will only affect the local user. This should keep an application from messing up the entire system, limiting the effect to a single user account. Applications are only virtualized when UAC is enabled, so disabling UAC also disables the protection of virtualization.

When requesting consent or credentials, UAP switches to secure desktop mode (black dimmed background), where only processes with SYSTEM privileges can interact. This prevents applications from tampering with the consent dialog (e.g. pressing the Continue button for the user).

To configure whether UAP should be enabled or not:
  1. Press Start and execute the following command:

    control userpasswords

  2. Click "Turn User Account Control on or off" and uncheck "Use User Account Control (UAC) to help protect your computer"

    This should be reflected in this registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    EnableLUA = 1 (Default = 1; Disabled = 0)

    Note that when UAC is disabled, Security Center will display a balloon message at every boot, warning that User Account Control is turned off.

To configure UAP to request credentials instead of just a consent dialog:
  1. Start the Local Security Policies snap-in
  2. In the tree-view go to "Local Policies" -> "Security Options"
  3. Modify the option "User Account Protection: Behavior of the elevation prompt for administrators"
    • No Prompt (0)
    • Prompt for credentials (2)
    • Prompt for consent (1)
    This should be reflected in this registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    ConsentPromptBehaviorAdmin = 2 (Default = 1; Disabled = 0)

To configure whether UAP should switch to secure desktop when asking for consent or credentials:
  1. Start the Local Security Policies snap-in
  2. In the tree-view go to "Local Policies" -> "Security Options"
  3. Modify the option "User Account Control: Switch to the secure desktop when prompting for elevation"

    This should be reflected in this registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    PromptOnSecureDesktop = 1 (Default = 1; Disabled = 0)
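
The three values above can be read back in one pass to confirm what the control panel and policy editor actually wrote. The PowerShell script below is an added example, not part of the original post; it assumes PowerShell 3.0 or later, the name Get-UacAudit is hypothetical, and it flags only the 0 settings the page describes as disabled or no prompt.

```powershell
# Added example: read-only audit of the three UAC values covered on this page.
# Assumes PowerShell 3.0+ ([ordered], [pscustomobject]); Get-UacAudit is a made-up name.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> what a value of 0 means, as described in the text above.
$UacChecks = [ordered]@{
    EnableLUA                  = 'UAC is turned off, so virtualization is off as well'
    ConsentPromptBehaviorAdmin = 'administrators are elevated with no prompt'
    PromptOnSecureDesktop      = 'the prompt is not shown on the secure desktop'
}

function Get-UacAudit {
    param([string]$KeyPath = $UacKey)

    # SilentlyContinue: a missing key is reported per value instead of throwing.
    $key = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $UacChecks.Keys) {
        $prop = if ($key) { $key.PSObject.Properties[$name] } else { $null }

        if ($null -eq $prop) {
            # Absent values are reported as such rather than assumed to be the default.
            $value = $null; $status = 'NOT SET'; $detail = 'value is absent from the key'
        }
        elseif ([int]$prop.Value -eq 0) {
            $value = 0; $status = 'WEAK'; $detail = $UacChecks[$name]
        }
        else {
            $value = [int]$prop.Value; $status = 'OK'; $detail = 'non-zero, setting is active'
        }

        [pscustomobject]@{ Name = $name; Value = $value; Status = $status; Detail = $detail }
    }
}

# One row per value; filter on Status -eq 'WEAK' to alert on a weakened machine.
Get-UacAudit | Format-Table -AutoSize
```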

Note that by default, applications launched from the desktop will not be given Administrator rights. There are different ways to launch an application with Administrator privileges:
  • Right-click the shortcut to the application and choose the "Run as Administrator" option.
  • Press the Start Orb and type e.g. "cmd", but instead of pressing ENTER, press CTRL+SHIFT+ENTER and it will be launched as an Elevated Command Prompt with Administrative rights.
  • Use RunAs to launch as Administrator (you will have to supply the password); consider the option /noprofile for faster load:

    C:\Windows\System32\runas.exe /user:administrator "cmd %L"

  • Extend the context menu for the file type (file extension) with the option to open the file with administrator rights (e.g. start an MSI installer with administrator rights):

    REGEDIT4

    [HKEY_CLASSES_ROOT\Msi.Package\shell\runas]
    @="Install &as..."

    [HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
    @="msiexec /i \"%1\""

Related: Script Elevation PowerToys for Windows Vista

Credits: TweakVista.com

Updated: 15 June 2008
