Group Policy Extensions in Windows Vista and Windows Server 2008, Part 3
If you would like to read the other articles in this series please go to:
Being that security was Microsoft’s paramount concern when developing Windows Server 2008 and Windows Vista, it should come as no surprise that some of the new group policy settings are specifically related to how these various new security features are implemented. I want to begin this article by talking about the group policy settings that are related to a new security feature called User Account Protection (also referred to in some Microsoft documents as User Account Control or UAC).
In case you aren’t familiar with User Account Protection it is a security feature designed to protect Windows against users with excessive permissions. In a Windows XP environment, it was usually necessary for users to have local administrative permissions in order for them to be able to do their jobs. When designing Vista, Microsoft took a long, hard look at what capabilities users really needed, and rolled those capabilities into standard user accounts so that users would not have to be granted local administrative permissions. For example, some of the tasks that Windows Vista allows a mobile user to perform without having administrative permissions include installing a printer driver, entering a WEP key, configuring a VPN connection, and installing application updates.
User Account Protection isn’t just about granting users additional permissions. The feature is also designed to protect administrators from themselves. Even if someone is logged in as an administrator, Windows treats that user as a standard user. If the user attempts to perform some action that requires administrative permissions, Windows prompts the user as to whether or not it is OK to temporary elevate their privileges in order to accomplish the task at hand.
Administrators also have the option of staying logged in as standard users. If a standard user needs to perform an action that requires administrative permissions, they do not have to use the Run As command. Instead, Vista will automatically prompt them to enter a set of credentials that can be used for that task.
Now that I have given you some background regarding what User Account Protection is, and how it works, let’s take a look at the group policy settings that are related to User Account Protection. Like most of the other group policy settings that I have discussed in this series, the group policy settings that I am about to show you are only compatible with Windows Server 2008 and Windows Vista. Therefore, until Windows Server 2008 is released and you have a Windows Server 2008 based domain controller on your network, these group policy settings will have to be set at the Local Computer level of the group policy hierarchy.
The group policy settings related to User Account Protection can be found in the Group Policy Object console at Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options. You can see the number of available policy settings shown in Figure A.
Figure A: These are the group policy settings related to Vista’s User Account Protection feature
As you can see in the figure, this container contains many settings that are not related to User Account Protection. Settings for User Account Protection are located at the bottom of the screen.
The first setting that’s related to User Account Control is the User Account Control: Admin Approval Mode for the Built In Administrator Account setting. This option, which is enabled by default, causes the built in Administrator account to be treated as a standard user. Any action that requires administrative privileges will cause Windows to prompt the user for permission before the action is performed. If this option is disabled, then Vista will behave more like Windows XP. The built in Administrator account will be treated as a true administrator and the user will never be prompted to give Windows permission to perform an action.
The next available option is the User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode option. As you already know, Vista is designed so that it will not perform an administrative action without an administrator’s consent. This option allows you to control what type of consent an administrator must give in order for the requested action to be completed.
The default option is a simple prompt for consent. This means that an administrator will be asked if they wish to allow or deny the attempted action. As an alternative, an administrator can be prompted for credentials. This will force an administrator to enter their password prior to performing any administrative actions. This option tends to be a pain to use, but is worth considering in high security environments.
The final option is to elevate the permissions without prompting the administrator to approve the action. I do not recommend using this option.
Just as Windows Vista limits what an administrator can do without permission, it also limits the capabilities of a standard user. You can control what happens when a standard user attempts to perform an action that requires elevated privileges by using the User Account Control: Behavior of the Elevation Prompt for Standard Users setting.
When a standard user attempts to perform an action that requires an elevation of privileges, one of two things can happen. The user can either be prompted to enter administrative credentials, or the request can be automatically denied without the user being prompted. By default, standard users are prompted for administrative credentials if they are operating in a home environment, but elevation requests are automatically denied for users operating in an enterprise environment.
Although Windows Vista is designed to require an elevation of privileges for specific types of actions, some types of actions can be configured so that they can be performed without an elevation of privileges. One example of this is software installation. The User Account Control: Detect Application Installations and Prompt for Elevation setting allows applications to be installed without requiring an elevation of privileges.
Not requiring an elevation of privileges for software installation might seem counter productive at first, but there is a legitimate use for this setting. In managed environments, applications are usually deployed through a group policy setting, or through an SMS Server, or a similar mechanism. In such situations, it would be impractical to require an administrator to approve the action on every desktop, every time an application is installed. Therefore, you can disable the prompt for an elevation of privileges in such environments. Keep in mind that this doesn’t mean that standard users will be able to install applications. It only means that those who do have the appropriate permissions will not be hindered by an elevation of privileges prompt.
In this article, I have explained that User Account Control is one of the centerpieces of Windows Vista’s security. User Account Control makes Windows Vista much more resistant to malware infections than previous versions of Windows were. Being that User Account Control is such an important security feature, it is critical that administrators know how to configure it to meet their organization’s security needs. In Part 4 of this series, I will continue the discussion by talking about more User Account Control related settings.
If you would like to read the other articles in this series please go to: