Monday, October 12, 2009

UAC configurability

I guess I should have inspected the Group Policy Editor in Windows 7 a little more thoroughly before. I've now found that it's possible to require the user to enter an administrator password in the UAC prompt. Why this isn't on by default, we'll never know.

The source of this information is a Microsoft TechNet article written for Vista, but the options are exactly the same in Windows 7. It's mostly tl;dr, so the key information isn't intentionally hidden, but outside of descriptions of settings it's mostly stuff that will probably make you enter "skim over huge amount of text" mode. If you're curious, the options we're changing in the Group Policy Editor are covered in Table 2.1 and Table 2.2.

So here's how to get UAC set up to actually be secure. These directions are written for Windows 7, since that's what I'm using to test them. I don't have a copy of Vista to run virtualized, so... yeah. These instructions should work on Vista though.

There are two distinct tasks here, making UAC prompt as often as possible, and then configuring it to require password entry. These instructions assume you have administrative access to the computer. As always, it's important that you follow the instructions exactly and don't randomly change things that aren't mentioned. The Group Policy Editor is a very powerful configuration tool that can change a lot of aspects of your system, so just like with the registry, you should be careful.

Making UAC prompt as often as possible:
  1. Open the Start menu.
  2. Go to the Control Panel.
  3. Open the Action Center.
  4. In the pane on the left, click User Account Control settings.
  5. Move the slider all the way up to Always Notify.
  6. Click OK.
  7. If UAC prompts you, allow the change.
Requiring password entry:
  1. Open the Start menu.
  2. Type gpedit.msc into the search box and press Enter.
  3. You may have to answer a UAC prompt here, especially if you already set it to Always Notify. You want to get in here, so you should allow Microsoft Management Console to make changes.
  4. In the pane on the left, under Computer Configuration:
    1. Expand Windows Settings.
    2. Expand Security Settings.
    3. Expand Local Policies.
    4. Select Security Options.
  5. Now, in the right pane, scroll down until you find the options whose names begin with User Account Control.
  6. Double click Behavior of the elevation prompt for administrators in Admin Approval Mode.
  7. In the dropdown, select Prompt for credentials on the secure desktop.
  8. Click OK.
  9. Repeat this process for Behavior of the elevation prompt for standard users.
  10. Go back to the pane on the left. Under Computer Configuration:
    1. Collapse Windows Settings.
    2. Expand Administrative Templates.
    3. Expand Windows Components.
    4. Select Credential User Interface.
  11. Now, in the right pane, double click Enumerate administrator accounts on elevation.
  12. Set it to Enabled and click OK.
  13. If you want you can enable Require trusted path for credential entry as well, this will make it so you have to press Ctrl+Alt+Del before entering a password. This will prevent trojans, keyloggers, and the like from getting your password.
  14. Close the Group Policy Editor.
  15. Go on with life.
Now you will be prompted for an administrator password whenever you do something that should rightfully generate a UAC prompt. Ideally your everyday user account shouldn't be an administrator, but that's another rant...

No comments:

Post a Comment

I moderate comments because when Blogger originally implemented a spam filter it wouldn't work without comment moderation enabled. So if your comment doesn't show up right away, that would be why.