Group Policy Settings
You can configure UAC using local or Active Directory Domain Services (AD DS) Group Policy settings located in the following node:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies \Security Options
You can configure the following settings:
- User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode By default, this setting is set to Prompt For Consent For Non-Windows Binaries, which causes the UAC prompt to appear any time an application needs more than standard user privileges. Change this setting to Prompt For Credentials to cause Admin Approval Mode UAC prompts to behave like prompts for standard users, requiring the user to type an administrative password instead of simply clicking Continue. Change this setting to Elevate Without Prompting to provide administrative privileges automatically, effectively disabling UAC for administrative accounts. Choosing Elevate Without Prompting significantly reduces the security protection provided by Windows 7 and might allow malicious software to install itself or make changes to the system without the administrator's knowledge.
- User Account Control: Behavior Of The Elevation Prompt For Standard Users By default, this setting is Prompt For Credentials in workgroup environments and Automatically Deny Elevation Requests in domain environments. Prompt For Credentials causes UAC to prompt the user to enter an administrative user name and password. You can change this to Automatically Deny Elevation Requests to disable the UAC prompt. Disabling the prompt can improve security; however, the user might experience application failures because of denied privileges. If users do not have access to administrator credentials, you should disable the elevation prompt, because the user would not be able to provide credentials anyway. If you do not disable the prompt, users are likely to call the Support Center to ask for administrator credentials.
- User Account Control: Admin Approval Mode For The Built-in Administrator Account This policy applies only to the built-in Administrator account and not to other accounts that are members of the local Administrators group. When you enable this policy setting, the built-in Administrator account has UAC Admin Approval Mode enabled, just like other administrative accounts. When you disable the setting, the built-in Administrator account behaves just like it does in Windows XP, and all processes run using administrative privileges. This setting is disabled by default. n User Account Control: Detect Application Installations And Prompt For Elevation By default, this setting is enabled in workgroup environments and disabled in domain environments. When enabled, UAC will prompt for administrator credentials when the user attempts to install an application that makes changes to protected aspects of the system. When disabled, the prompt won't appear. Domain environments that use delegated installation technologies such as Group Policy Software Installation (GPSI) or Microsoft Systems Management Server (SMS) can disable this feature safely because installation processes can escalate privileges automatically without user intervention.
- User Account Control: Only Elevate Executables That Are Signed And Validated If your environment requires all applications to be signed and validated with a trusted certificate, including internally developed applications, you can enable this policy to greatly increase security in your organization. When this policy is enabled, Windows Vista will refuse to run any executable that isn't signed with a trusted certificate, such as a certificate generated by an internal Public Key Infrastructure (PKI). All software with the Certified For Windows Vista logo must be signed with an Authenticode certificate, although you might have to configure your domain PKI to trust the certificate. This setting is disabled by default, which allows users to run any executable, including potentially malicious software.
- User Account Control: Allow UIAccess Applications to Prompt For Elevation Without Using The Secure Desktop This setting controls whether User Interface Accessibility (UIAccess) programs can automatically disable the secure desktop. By default, this setting is disabled. When enabled, UIAccess applications (such as Remote Assistance) automatically disable the secure desktop for elevation prompts. Disabling the secure desktop causes elevation prompts to appear in the standard desktop.
- User Account Control: Only Elevate UIAccess Applications That Are Installed In Secure Locations This setting, which is enabled by default, causes Windows Vista to grant user interface access (required for opening windows and doing almost anything useful) to only those applications started from Program Files, from \Windows\System32\, or from a subdirectory. Enabling this setting effectively prevents non-administrators from downloading and running an application because non-administrators won't have the privileges necessary to copy an executable file to one of those folders.
- User Account Control: Run All Administrators In Admin Approval Mode This setting, enabled by default, causes all accounts with administrator privileges except for the local Administrator account to use Admin Approval Mode. If you disable this setting, Admin Approval Mode is disabled for administrative accounts, and the Security Center will display a warning message.
- User Account Control: Switch To The Secure Desktop When Prompting For Elevation This setting, enabled by default, causes the screen to darken when a UAC prompt appears. If the appearance of the entire desktop changes, it is very difficult for malware that hasn't been previously installed to impersonate a UAC prompt. Some users might find the secure desktop annoying, and you can disable this setting to minimize that annoyance. However, disabling this setting decreases security by making it possible for other applications to impersonate a UAC prompt.
- User Account Control: Virtualize File And Registry Write Failures To Per-User Locations This setting, enabled by default, improves compatibility with applications not developed for UAC by redirecting requests for protected resources. For more information, read the section titled "UAC Virtualization" earlier in this tutorial.
To disable UAC, set the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode setting to Elevate Without Prompting. Then, disable the User Account Control: Detect Application Installations And Prompt For Elevation and User Account Control: Run All Administrators In Admin Approval Mode settings. Finally, set User Account Control: Behavior Of The Elevation Prompt For Standard Users setting to Automatically Deny Elevation Requests. Then, restart the computer.
Additionally, you can configure the credential user interface using the following two Group Policy settings located at Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface:
- Require Trusted Path For Credential Entry If you enable this setting, Windows 7 requires the user to enter credentials using a trusted path, which requires the user to press Ctrl+Alt+Delete. This helps prevent a Trojan horse program or other types of malicious code from stealing the user's Windows credentials. This policy affects non-logon authentication tasks only. As a security best practice, you should enable this policy to reduce the risk of malware tricking the user into typing her password. However, users who need elevated privileges regularly will find it annoying and time consuming.
- Enumerate Administrator Accounts On Elevation By default, this setting is disabled, which causes the UAC prompt to list all Administrator accounts displayed when a user attempts to elevate a running application. If you enable this setting, users are required to type both a user name and password to elevate their privileges.
In this tutorial:
- Windows 7 Client Protection
- Understanding the Risk of Malware
- User Account Control in Windows 7
- UAC for Standard Users
- UAC for Administrators
- UAC User Interface
- Secure Desktop
- How Windows Determines Whether an Application Needs Administrative Privileges
- How to Control UAC Using Application Properties
- How UAC Examines the Application Manifest
- UAC Heuristics
- UAC Virtualization
- UAC and Startup Programs
- Compatibility Problems with UAC
- How to Configure UAC
- Group Policy Settings
- Control Panel
- Msconfig.exe
- How to Configure Auditing for Privilege Elevation
- Other UAC Event Logs
- Best Practices for Using UAC
- AppLocker
- AppLocker Rule Types
- Auditing AppLocker Rules
- DLL Rules
- Custom Error Messages
- Using AppLocker with Windows PowerShell
- Using Windows 7 Defender
- Understanding Windows Defender
- Automatic Scanning
- Real-Time Protection
- Windows Defender Alert Levels
- Understanding Microsoft SpyNet
- Configuring Windows Defender Group Policy
- Configuring Windows Defender on a Single Computer
- How to Determine Whether a Computer Is Infected with Spyware
- Best Practices for Using Windows Defender
- How to Troubleshoot Problems with Unwanted Software
- Network Access Protection
- Forefront