I was working recently in IT Support, and a problem appeared: Error 0x80070522; I couldn't create, save or load any document on the computer. It happened between 5 ~ 6 hours ago. I searched and looked everywhere about the error and found in the Local Security Policy that this (User Account Control: Run all administrators in Admin Approval Mode) was enabled. Could it, in some way, turn on by itself or by some software?
Normally, it is enabled by default when you install Windows. And if you disabled it, indeed some software or tweaking batch files may re-enable it, but you should be aware of it.
Oh, I got it. But, if some sort of software or batch file can re-enable some assets and functions of Windows, is there any program that I can use to control this?
NoVirusThanks SystemHardener has options for it. But I suggest you read its thread here beforehand.
I want to make sure I understood what is being asked. Are we looking to disable Admin Approval Mode? If so the outcome will be this: Taken from here: https://docs.microsoft.com/en-us/wi...l-mode-for-the-built-in-administrator-account If this is the intention then fine. Just understand this will make the device considerably less secure.
Will also add this article dates to 2017. Microsoft has removed the hidden full admin account in later Win 10 versions; at least on the Home versions as I recollect.
Sorry for the misunderstanding. English isn't my native language. I already solved the Admin Approval Mode issue. The question is: "If it can be turned on by any sort of batch file or software, how can I manage this and other Windows configs so they don't change that easily? And is there an easy way to know if it has changed?"
Nothing for you to be sorry for, I just want to make sure you are getting the correct answer. Are you asking if these settings are easily exploited and, if so, whether you can monitor for such changes? Anything that does run at admin level can change any setting. An easy way to know if it has changed? Not an easy way that I am aware of. You would probably just have to check it regularly if it is of concern. If someone has an easy way, feel free to post it.
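As an added example (not from any participant in this thread), here is one way to do the "check it regularly" part: a PowerShell script that compares the UAC policy values the thread discusses against a baseline you choose and records drift in the Application event log. The baseline values, the event source name `UacPolicyCheck` and event ID 9001 are placeholders chosen for this example; the registry key path and value names are the standard ones Windows uses for these policies.

```powershell
# Added example: detect drift in the UAC policy values behind
# "Run all administrators in Admin Approval Mode" (EnableLUA) and
# "Admin Approval Mode for the Built-in Administrator account" (FilterAdministratorToken).
function Test-UacPolicyDrift {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        # Baseline chosen for this example; adjust to your own hardened standard.
        [hashtable]$Expected = @{ EnableLUA = 1; FilterAdministratorToken = 1 }
    )
    $current = Get-ItemProperty -Path $Key
    foreach ($name in $Expected.Keys) {
        $actual = $current.$name
        # A missing value means the policy is "not configured" rather than set; treat as drift.
        if ($null -eq $actual) { $actual = '(absent)' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Drifted  = ($actual -ne $Expected[$name])
        }
    }
}

$drift = Test-UacPolicyDrift | Where-Object Drifted
if ($drift) {
    # Write-EventLog needs a registered source; New-EventLog registers it once (requires admin).
    if (-not [System.Diagnostics.EventLog]::SourceExists('UacPolicyCheck')) {
        New-EventLog -LogName Application -Source 'UacPolicyCheck'
    }
    $msg = ($drift | ForEach-Object { "$($_.Setting): expected $($_.Expected), found $($_.Actual)" }) -join '; '
    Write-EventLog -LogName Application -Source 'UacPolicyCheck' -EntryType Warning -EventId 9001 -Message "UAC policy drift: $msg"
    Write-Warning $msg
} else {
    Write-Host 'UAC policy matches baseline.'
}
```

Run it from a scheduled task (or a GPO startup script) and forward the Application log so the warning surfaces centrally; as the thread notes, anything already running as admin can also rewrite these values, so this detects change after the fact rather than preventing it.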
You never mentioned what Win OS you are using. For the following comments, I assume you are using Win 7. You originally asked: Assuming an attacker was able to gain local admin privileges, he could just run the following commands in a batch script: Next you asked: Yes. Remove the hidden admin account in Win 7 as follows: My standard disclaimer. Do the above at your own risk.
I use Win 10 Pro. Like xxJackxx said, I can check regularly; it's a simple response to this, but our IT team at my workplace is too small, and we have many other important things to do. For example, I run an installer of an antivirus/antimalware. To do what it does, it (necessarily) needs admin commands to control the data collected daily and do what it is made for. One thing I saw recently was the urgent update from Microsoft for the security breach for worm-type malware, which can infect CPUs in the LAN. And, if a simple batch can undo the Admin Approval Mode, it can do worse things, am I right?
It's not meant for control but you can try using this option to track and audit changes made through GPO: https://www.lepide.com/how-to/audit-chnages-made-to-group-policy-objects.html
But doesn't the GPO/GPMC make me more vulnerable to these changes? However, I'll have the monitoring of the policies, and have the power to control them, the same as the malware that invaded my domain, no?
Appears Microsoft only removed hidden admin account on the Home versions. The commands to enable it or delete it are the same ones for Win 7.
I've never tried auditing those changes, so I can't answer you from my experience. I don't think that setting those audits will make you more vulnerable, but it can give you some information about when changes happened and who made them. It won't protect you, though, from malware that got your domain or computer credentials.
But won't this affect a user on the domain? We use a domain "xxxxxxx.local" which has 2 admins (on each CPU), the personal one ('cause we need to have control of all the CPUs) and a super-admin (which connects to the TS and FS). (maybe I am talking poop, but I'm really curious)
It's a good choice, I can't deny. Having a monitoring tool to know where, who, and when someone does something is very useful, but my fear is the vulnerability it can cause.
Well monitoring GPO changes is just one aspect of your overall security. Malware can do a lot of bad things without ever touching your GP settings. IDK how useful it could be to you.
(un)fortunately I know. But searching for a program which can control and detect this would be very helpful. Like an ERP or something like that which can manage these settings and have GP control; it would be great! If you think a little, every spot for malware can be a crucial point.
You will have to check the devices and see if a full admin account exists. If needed, then obviously they shouldn't be removed. You most definitely should be employing GPO password logon restrictions on those devices such as 3 logon attempts w/lockout thereafter. Again, anyone running with full administrator privileges can do anything unimpeded.
Read my post above, I gave you the only tool I'm aware of that lets you select Admin Approval options.