Walker News

Vista UAC Setup Guide In Local Security Policy

Windows Registry is almost a central repository of various Windows settings, including the new Vista User Account Control (UAC) security feature!

However, not everyone is comfortable with Registry keys and the respective values that are mostly in acronym, hexadecimal, binary, lengthy alpha-numeric class GUID, etc.

To configure or tweak or configure Vista UAC (User Account Control), you can refer to Local Security Settings, which is more user friendly and human readable!
Click on the Vista Orb (the new design of Vista Start button), type secpol.msc in the Start Search text box (Vista notable Instant Search feature) and press ENTER key to open up Local Security Settings editor.

Next, on the left panel, click to expand the Local Policies folder follow by Security Options folder.

Then, on the right panel, scroll down to the bottom and locate the Local Security Policies related to User Account Control.

Guide of Vista UAC (User Account Control) setting in Local Security policies and the respective values:
  1. User Account Control: Admin Approval Mode for the Built-in Administrator account
     
    Enable
    The built-in Administrator will log on in Admin Approval Mode, where the consent prompt (Consent UI) will pop up to prompt user for an elevation of privilege approval whenever a process require it.
     
    Disable (default)
    The built-in Administrator will log on in XP-compatible mode and run all applications by default with full administrative privilege – disable the UAC or without Consent UI pop-up. That’s to say, if you really miss to be a Windows XP administrator, you can enable the Vista Administrator account (disabled by default), disable this policy (default) and log on as Administrator (rather than a user account of Administrators group).
     
  2. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
     
    Prompt For Consent (Consent UI) (Default)
    For every processes that require elevation of privilege, Windows Vista UAC will prompt a user account of administrator group in Admin Approval Mode to click either Continue or Cancel. If the user clicks Continue, the operation will continue with the administrator’s highest available privilege.
     
    Prompt For Credentials (Credential UI)
    The user account of administrators group will also have to enter user name and password in Admin Approval Mode whenever a process need to execute with elevated privilege.
     
    Elevate Without Prompting
    This value will suppress the Prompt For Consent (Consent UI) pop-up to allow the user account of administrators group in Admin Approval Mode to perform an operation that requires elevation of privilege.
     
  3. User Account Control: Behavior of the elevation prompt for standard users
     
    Prompt For Credentials (default in Vista Home edition)
    Credential UI will pop-up and prompt a standard user account to enter an administrative user name and password for every operation that requires elevation of privilege.
     
    Automatically Deny Elevation Requests (default in Vista Enterprise edition)
    A standard user account will receive an access-denied error message when an operation or process that requires elevation of privilege is triggered.
     
  4. User Account Control: Detect application installations and prompt for elevation
     
    Enable (default in Vista Home edition)
    An elevated privilege prompt will pop up to prompt user approval whenever an application installation package require an administrative privilege to proceed.
     
    Disable (default in Vista Enterprise edition)
    Enterprise running standard user workstations that use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) will automatically disable this setting. In this case, installer detection is unnecessary and thus not required.
     
  5. User Account Control: Only elevate executable that are signed and validated
     
    Enable
    This UAC value enforces the Public Key Infrastructure (PKI) certificate chain validation of a given executable before it’s permitted to run.
     
    Disable (Default)
    This UAC value bypass or ignore PKI certificate chain validation before a given executable is permitted to run.
     
  6. User Account Control: Only elevate UIAccess applications that are installed in secure locations
     
    Enable (Default)
    An application will start with UIAccess integrity level only if it resides in a secure location in the file system.

    Secure locations are limited to the following directories:

    …\Program Files\ (and sub-folders)

    …\Windows\System32\r-

    …\Program Files (x86)\ (and sub-folders, in 64-bit Vista editions only)

     
    Disable
    An application will start with UIAccess integrity check even if it does not reside in a secure location in the file system.
     
  7. User Account Control: Run all administrators in Admin Approval Mode
     
    Enable (Default)
    Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Having say that, disable this UAC setting will void the rest of UAC setup in Vista. Changing this setting requires that the computer be restarted.
     
    Disable
    The Admin Approval Mode as well as all related UAC policies will be disabled. When the Vista UAC is disabled, the Security Center will pop up notification in System Tray area that the overall of Windows Vista security has been reduced.
     
  8. User Account Control: Switch to the secure desktop when prompting for elevation
     
    Enable (Default)
    All privilege elevation prompts will appear on the secure desktop.
     
    Disable
    All privilege elevation prompts will appear on the interactive user’s desktop.
     
  9. User Account Control: Virtualize file and registry write failures to per-user locations
     
    Enable (Default)
    Facilitates the runtime redirection of application write failures to defined user locations for both the file system and registry.
     
    Disable
    Applications that write data to protected locations will not work correctly. It’s only safe to disable this UAC setting on an administrator running only Windows Vista–compliant applications!

Custom Search

  1. Should You Enable The Windows Vista Hidden Administrator Account? – Walker News 24-12-08@00:41

    [...] which do not inherit complete privileges of the built-in Administrator account. Thus, when User Account Control (UAC) is turned on, a user-defined account of Administrators group has to acknowledge Consent UI [...]

2014  •  Privacy Policy