ACCESS via Elevated Usage User Account Contrl

http://technet.microsoft.com/en-us/library/cc722159(v=ws.10).aspx
User Account Control Step-by-Step Guide

302 out of 507 rated this helpful - Rate this topicUpdated: April 20, 2011Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Storage Server 2008 R2, Windows VistaUser Account Control (UAC) is a security component that allows an administrator to enter credentials during a non-administrator's user session to perform occasional administrative tasks. This step-by-step guide provides the instructions that are necessary for using UAC in a test environment. You can use this guide to test how your line-of-business (LOB) applications run in Windows 7 and Windows Vista.

In this guide

What is User Account Control? Requirements for User Account Control Key scenarios for User Account Control Scenario 1: Request an application to run elevated one time Scenario 2: Configure an application to always run elevated Scenario 3: Configure User Account Control Troubleshooting and support Additional resources This guide is intended for the following audiences:IT planners and analysts who are evaluating the productSecurity architects who are responsible for implementing trustworthy computingAdministrators who need to control the behavior of UACThis document is not intended to provide a comprehensive, detailed description of UAC. Additional resources include the following:Users of this step-by-step guide will also be interested in Getting Started with User Account Control on Windows Vista and User Account Control in Windows 7.For additional information for IT professionals, see User Account Control in the Windows Server Technical Library.For information for developers and independent software vendors about how to develop applications for Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, see The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC).

What is User Account Control?

User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users in Windows Vista), and as administrators without having to switch users, log off, or use Run As. User accounts that are members of the local Administrators group run most applications as a standard user. By separating user and administrator functions, UAC helps users move toward using standard user rights by default.When an administrator logs on to a computer that is running Windows 7 or Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access. The access control model in earlier Windows operating systems did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as a "silent" installation.)Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files, and in some instances, become nearly impossible to remove.ImportantFor more information about the UAC changes in Windows 7, see What's New in User Account Control.The primary difference between a standard user and an administrator is the level of access that the user has over core, protected areas of the computer. Administrators can change the system state, turn off the firewall, configure security policies, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks, and they can only install per-user software.Unlike earlier versions of Windows, when an administrator logs on to a computer running Windows 7 or Windows Vista, the user's full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user.After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task. When a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.ImportantBecause the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment will affect the prompts and dialog boxes that are seen by standard users, administrators, or both.

Requirements for User Account Control

We recommend that you first use the steps provided in this guide in a test environment. Step-by-step guides are not necessarily meant to be used to deploy features in the operating system without accompanying documentation (as listed in the Additional resources section), and this guide should be used with discretion as a stand-alone document.

Setting up the test lab

The lab configuration needed for testing UAC includes a domain controller running Windows Server 2008 R2 or Windows Server 2008; a member server running Windows Server 2008 R2 or Windows Server 2008; and a client computer running Windows 7 or Windows Vista. The domain controller, member server, and the client computer should be on an isolated network, and they should be connected through a common hub or Layer 2 switch. Private addresses should be used throughout the test configuration.

Key scenarios for User Account Control

This guide covers the following scenarios for UAC:Scenario 1: Request an application to run elevated one time Scenario 2: Configure an application to always run elevated Scenario 3: Configure User Account Control NoteThe three scenarios that are included in this guide are intended to help administrators become familiar with the UAC feature. They include the basic information and procedures that administrators need to start using UAC. Information and procedures for advanced or customized UAC configurations are not included in this guide.

Scenario 1: Request an application to run elevated one time

In Windows Vista, UAC and its Admin Approval Mode are enabled by default. When UAC is enabled, local administrator accounts run as standard user accounts. This means that when a member of the local Administrators group logs on, they run with their administrative privileges disabled. This is the case until they attempt to run an application or task that has an administrative token. When members of the local Administrators group attempt to start such an application or task, they are prompted to consent to running the application as elevated. Scenario 1 details the procedure to run an application or task as elevated one time.NoteTo perform the following procedure, you must be logged on to a client computer as a member of the local administrators group. You cannot be logged on with the computer (or built-in) administrator account because Admin Approval Mode does not apply to this account (the built-in administrator account is disabled on new installations of Windows Vista).

To request an application to run elevated one time

Start an application that is likely to have been assigned an administrative token, such as Microsoft Windows Disk Cleanup. A User Account Control prompt is displayed.Verify that the details presented match the request you initiated.In the User Account Control dialog box, click Continue to start the application.
.
Scenario 2: Configure an application to always run elevated

Scenario 2 is similar to the previous scenario in that you want to run an application or process as elevated with the administrator access token. However, in this scenario you want to run an application that has not been marked by the developer or identified by the operating system as an administrative application. Some applications, such as internal line-of-business applications, or non-Microsoft products might require administrative rights, but they have not been identified as such. In this scenario, you mark an application to prompt the user for consent, and if granted, to run as an administrative application. The following procedure steps you through this process.NoteTo perform the following procedure, you must be logged on to a client computer as a member of the local administrators group. You cannot be logged on with the computer (or built-in) administrator account because Admin Approval Mode does not apply to this account.ImportantThis procedure cannot be used to prevent UAC from prompting for consent to run an administrative application.

To configure an application to always run elevated

Right-click an application that is not likely to have been assigned an administrative token, such as a word processing application.Click Properties, and then select the Compatibilitytab.Under Privilege Level, select Run this program as an administrator, and then click OK.NoteIf the Run this program as an administratoroption is unavailable, it means that the application is blocked from always running elevated, the application does not require administrative credentials to run, the application is part of the current version of the operating system, or you are not logged on to the computer as an administrator.


Scenario 3: Configure User Account Control

Scenario 3 outlines some common tasks that local administrators perform during the set up and configuration of client computers running Windows 7 or Windows Vista. The following procedures step you through the tasks of turning off UAC, disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.ImportantAdvanced configuration options for UAC are not available in Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium.

Turning off UAC

Use the following procedure to disable UAC.To perform the following procedure, you must be able to log on with or provide the credentials of a member of the local Administrators group.ImportantTurning off UAC reduces the security of your computer and may expose you to increased risk from malicious software. We do not recommend leaving UAC disabled.

To turn off UAC

Click Start, and then click Control Panel.In Control Panel, click User Accounts.In the User Accounts window, click User Accounts.In the User Accounts tasks window, click Turn User Account Control on or off.If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK.Click Restart Now to apply the change right away, or click Restart Later, and then close the User Accounts tasks window.

Disabling Admin Approval Mode

Use the following procedure to disable Admin Approval Mode.NoteTo perform the following procedure, you must be logged on to a client computer as a local administrator.ImportantYou cannot disable Admin Approval Mode on Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium because secpol.msc is not included.

To disable Admin Approval Mode

Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue..From the Local Security Settings console tree, double-click Local Policies, and then double-clickSecurity Options.Scroll down and double-click User Account Control: Run all administrators in Admin Approval Mode.Select the Disabled option, and then click OK.Close the Local Security Settings window.

Disabling User Account Control from prompting for credentials to install applications

Use the following procedure to disable UAC from prompting for credentials to install applications.NoteTo perform the following procedure, you must be logged on to a client computer as a local administrator.ImportantThis procedure is not supported on Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium.

To disable UAC from prompting for credentials to install applications

Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.From the Local Security Settings console tree, click Local Policies, and then click Security Options.Scroll down and double-click User Account Control: Detect application installations and prompt for elevation.Select the Disabled option, and then click OK.Close the Local Security Settings window.



.


.