User Access Control: Modes, Options and Default Values 

Sep 11, 2007 01:47 PM

Here's a quick reference to help you navigate the User Account Control (UAC) minefield that was introduced in Microsoft's Windows Vista operating system.

If you're an application packager, you'll want to bookmark this bad boy.


  1. User Account Control: Admin Approval Mode for the Built-in Administrator account

    This security setting determines the behavior of Admin Approval mode for the Built-in Administrator account.

    The options are:

    • Enabled: The Built-in Administrator will logon in Admin Approval Mode. By default any operation that requires elevation of privilege will prompt the Consent Admin to choose either Permit or Deny.
    • Disabled: The Built-in Administrator will logon in XP compatible mode and run all applications by default with full administrative privilege.

    Default: Disabled

  2. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    This security setting determines the behavior of the elevation prompt for administrators.

    The options are:

    • Prompt for consent: An operation that requires elevation of privilege will prompt the Consent Admin to select either Permit or Deny. If the Consent Admin selects Permit the operation will continue with their highest available privilege. This option allows users to enter their name and password to perform a privileged task.
    • Prompt for credentials: An operation that requires elevation of privilege will prompt the Consent Admin to enter their user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.
    • Elevate without prompting: This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials. Note: this scenario should only be used in the most constrained environments.

    Default: Prompt for consent

  3. User Account Control: Behavior of the elevation prompt for standard users

    This security setting determines the behavior of the elevation prompt for standard users.

    The options are:

    • Prompt for credentials: An operation that requires elevation of privilege will prompt the user to enter an administrative user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.
    • Automatically deny elevation requests: This option results in an access denied error message being returned to the standard user when they try to perform an operation that requires elevation of privilege. Most enterprises running desktops as standard user will configure this policy to reduce help desk calls.

    Default: Prompt for credentials (home) / Automatically deny elevation requests (enterprise)

  4. User Account Control: Detect application installations and prompt for elevation

    This security setting determines the behavior of application installation detection for the entire system.

    The options are:

    • Enabled: Application installation packages that require an elevation of privilege to install will be heuristically detected and trigger the configured elevation prompt UX.
    • Disabled: Enterprises running standard-user desktops that use delegated installation technologies like Group Policy Software Install (GPSI) or SMS will disable this feature, since installer detection is then unnecessary.

    Default: Enabled (home) / Disabled (enterprise)

  5. User Account Control: Only elevate executables that are signed and validated

    This security setting will enforce PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control the allowed list of admin applications through the population of certificates in the local computer's Trusted Publisher Store.

    The options are:

    • Enabled: Enforces the PKI certificate chain validation of a given executable before it is permitted to run.
    • Disabled: Does not enforce PKI certificate chain validation before a given executable is permitted to run.

    Default: Disabled

  6. User Account Control: Only elevate UIAccess applications that are installed in secure locations

    This security setting will enforce the requirement that applications that request execution with a UIAccess integrity level (via a marking of UIAccess=true in their application manifest), must reside in a secure location on the file system. Secure locations are limited to the following directories:

    • ...\Program Files\, including subdirectories
    • ...\Windows\system32\
    • ...\Program Files (x86)\, including subdirectories, on 64-bit versions of Windows

    Note: Windows enforces a PKI signature check on any interactive application that requests execution with UIAccess integrity level regardless of the state of this security setting.

    The options are:

    • Enabled: An application will only launch with UIAccess integrity if it resides in a secure location in the file system.
    • Disabled: An application will launch with UIAccess integrity even if it does not reside in a secure location in the file system.

    Default: Enabled

  7. User Account Control: Run all users, including administrators, as standard users

    This security setting determines the behavior of all UAC policies for the entire system.

    The options are:

    • Enabled: Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires a system reboot.
    • Disabled: Admin Approval Mode user type and all related UAC policies will be disabled. Note: the Security Center will notify that the overall security of the operating system has been reduced.

    Default: Enabled

  8. User Account Control: Switch to the secure desktop when prompting for elevation

    This security setting determines whether the elevation request will prompt on the interactive user's desktop or on the Secure Desktop.

    The options are:

    • Enabled: All elevation requests by default will go to the Secure Desktop.
    • Disabled: All elevation requests will go to the interactive user's desktop.

    Default: Enabled

  9. User Account Control: Virtualizes file and registry write failures to per-user locations

    This security setting enables the redirection of legacy application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data back to %ProgramFiles%, %Windir%, %Windir%\system32 or HKLM\Software\....

    Virtualization facilitates the running of pre-Vista (legacy) applications that historically failed to run as Standard User. An administrator running only Windows Vista compliant applications may choose to disable this feature as it is unnecessary.

    The options are:

    • Enabled: Facilitates the runtime redirection of application write failures to defined user locations for both the file system and registry.
    • Disabled: Applications that write data to protected locations will simply fail as they did in previous versions of Windows.

    Default: Enabled
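As an added example (not part of the original article), the PowerShell script below reads the nine settings above straight from their registry backing values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and reports each one against the default the article lists, so a packager can see at a glance how far a machine deviates from the home or enterprise baseline. The option labels and defaults are taken from the article; the registry value names (FilterAdministratorToken, ConsentPromptBehaviorAdmin, and so on) are the documented UAC backing values and are not given on the page. The companion function for item 9 lists what the per-user VirtualStore has captured, which is the quickest way to find the protected-location writes a legacy application silently had redirected; the VirtualStore paths are likewise assumed from the operating system's documented behavior, not from the article.

```powershell
# Added example, not code from the original article. Reads the nine UAC policies
# the article lists from their registry backing values and compares each against
# the article's default. Value names under Policies\System are the documented
# UAC backing values (assumed here; the article does not name them).

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One entry per numbered item in the article. Map = raw DWORD -> option text.
# Values 3-5 of ConsentPromptBehaviorAdmin and 3 of ConsentPromptBehaviorUser
# were added in Windows 7 and are included so the report stays readable there.
$UacPolicies = @(
    @{ Item = 1; Name = 'FilterAdministratorToken'
       Policy = 'Admin Approval Mode for the Built-in Administrator account'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = 'Disabled'; EnterpriseDefault = 'Disabled' }
    @{ Item = 2; Name = 'ConsentPromptBehaviorAdmin'
       Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Map = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent'
                3 = 'Prompt for credentials (Windows 7+)'; 4 = 'Prompt for consent (Windows 7+)'
                5 = 'Prompt for consent for non-Windows binaries (Windows 7+)' }
       Default = 'Prompt for consent'; EnterpriseDefault = 'Prompt for consent' }
    @{ Item = 3; Name = 'ConsentPromptBehaviorUser'
       Policy = 'Behavior of the elevation prompt for standard users'
       Map = @{ 0 = 'Automatically deny elevation requests'; 1 = 'Prompt for credentials'
                3 = 'Prompt for credentials (Windows 7+)' }
       Default = 'Prompt for credentials'; EnterpriseDefault = 'Automatically deny elevation requests' }
    @{ Item = 4; Name = 'EnableInstallerDetection'
       Policy = 'Detect application installations and prompt for elevation'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = 'Enabled'; EnterpriseDefault = 'Disabled' }
    @{ Item = 5; Name = 'ValidateAdminCodeSignatures'
       Policy = 'Only elevate executables that are signed and validated'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = 'Disabled'; EnterpriseDefault = 'Disabled' }
    @{ Item = 6; Name = 'EnableSecureUIAPaths'
       Policy = 'Only elevate UIAccess applications that are installed in secure locations'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = 'Enabled'; EnterpriseDefault = 'Enabled' }
    @{ Item = 7; Name = 'EnableLUA'
       Policy = 'Run all users, including administrators, as standard users'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = 'Enabled'; EnterpriseDefault = 'Enabled' }
    @{ Item = 8; Name = 'PromptOnSecureDesktop'
       Policy = 'Switch to the secure desktop when prompting for elevation'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = 'Enabled'; EnterpriseDefault = 'Enabled' }
    @{ Item = 9; Name = 'EnableVirtualization'
       Policy = 'Virtualizes file and registry write failures to per-user locations'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = 'Enabled'; EnterpriseDefault = 'Enabled' }
)

function Get-UacPolicyReport {
    param([switch]$Enterprise)   # compare against the article's enterprise defaults instead of home
    $values = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    foreach ($p in $UacPolicies) {
        $raw = $null
        if ($values -and $null -ne $values.($p.Name)) { $raw = [int]$values.($p.Name) }
        # A missing value means the OS default applies; report that rather than guessing.
        $effective = if ($null -eq $raw) { '(not set: OS default applies)' }
                     elseif ($p.Map.ContainsKey($raw)) { $p.Map[$raw] }
                     else { "Unknown value $raw" }
        $expected = if ($Enterprise) { $p.EnterpriseDefault } else { $p.Default }
        [pscustomobject]@{
            Item           = $p.Item
            Policy         = $p.Policy
            RegistryValue  = $p.Name
            Raw            = $raw
            Effective      = $effective
            ArticleDefault = $expected
            MatchesDefault = ($effective -eq $expected) -or ($effective -like "$expected (*")
        }
    }
}

# Companion for item 9: list what the VirtualStore has captured for the current
# user, i.e. the protected-location writes that were silently redirected.
# Paths are the OS's documented VirtualStore locations (assumed, not from the article).
function Get-VirtualStoreWrites {
    $fsStore  = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore = 'HKCU:\Software\Classes\VirtualStore'
    if (Test-Path $fsStore) {
        Get-ChildItem -Path $fsStore -Recurse -File | Select-Object FullName, Length, LastWriteTime
    }
    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse | Select-Object -ExpandProperty Name
    }
}

Get-UacPolicyReport -Enterprise |
    Format-Table Item, RegistryValue, Raw, Effective, ArticleDefault, MatchesDefault -AutoSize
Get-VirtualStoreWrites
```

Run it from an unelevated PowerShell session on the machine being packaged for; reading the Policies\System key does not require elevation. A row whose Raw column is empty means the value has never been written, so the OS default applies rather than a policy. Entries under VirtualStore are the files and keys a legacy application would have failed to write if item 9 were disabled, which is exactly the list a packager needs to fix before shipping it to standard-user desktops.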

Comments

Oct 17, 2007 10:12 PM

Hi Harsh,
Check this article:
http://juice.altiris.com/node/2684
Hope it solves your needs.
Cheers,
Vijay

Sep 18, 2007 07:17 AM

A good article I came across for User Access Control, thanks.
Do you have any updates for LUA patching for Vista applications? Or will it be the same as Windows XP?

Sep 12, 2007 10:36 AM

That's quite a nice abstract of my article. Thanks for that. :)
But, why was I called a "Bad Boy"???? he he e..!! :)
