Setting up UAC in VISTA

Discussion in 'other security issues & news' started by Kees1958, Sep 11, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear all,

    You have probably all heard/read the fuss about UAC and Vista. Microsoft deliberately did not build an escape into UAC to permanently mark an application as trusted. I initially called UAC an Anti Executable with the intelligence of a 98-year-old suffering from Parkinson's. After some testing and fiddling with UAC settings I have determined a workable set, which still leaves the idea of UAC intact, only reducing the prompts for the admin.

    Now run REGEDIT and look what your settings are:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System and look at

    "EnableLUA"
    User Account Control: Run All Administrators in Admin Approval Mode 1 = ON (default), 0 = OFF
    >> advice: Keep it ON to keep the protection of UAC.

    "ConsentPromptBehaviorAdmin"
    User Account Control: Behavior of the Elevation Prompt For Administrators in Admin Approval Mode
    0 = run in quiet mode (keep UAC on, but automatically elevate to Admin)
    1 = run UAC, when an elevation request occurs, you are asked to enter the admin password
    2 = run UAC, prompts for confirmation to continue a task which requires admin rights (default)
    >> advice: set to 0 (quiet mode)
    >> effect: when launching autostarts it will not allow you to change registry entries, when launching as administrator it is allowed to change these settings without prompt.

    "EnableInstallerDetection"
    User Account Control: Detect Application Installations and Prompt For Elevation 1 = ON (default), 0 = OFF
    >> advice: set to OFF
    >> effect: when running a 32 bit installer program Vista will NOT detect it is an installer and will NOT silently elevate to admin. This means that you are not able to install Firefox for instance, because the file protection and registry protection are still ON. You have to explicitly run a program as administrator. This prevents 'shoot in the foot' errors to some degree.

    "EnableVirtualization"
    User Account Control: Virtualizes file and registry write failures to per-user locations 1 = ON (default), 0 = OFF
    >> advice: keep this ON

    "EnableSecureUIAPaths"
    User Account Control: Only elevate UIAccess applications that are installed in secure locations 1 = ON (default), 0 = OFF
    >> advice: keep this ON
    >> effect: only elevates programs from C:\Windows, and the C:\Program Files or C:\Program Files (x86) location (the locations by default marked as secure)

    "PromptOnSecureDesktop"
    User Account Control: Switch to the secure desktop when prompting for elevation 1 = ON (default), 0 = OFF
    >> advice: keep this ON
    >> effect: screen darkens when asking for admin approval

    "ValidateAdminCodeSignatures"
    User Account Control: Only elevate executables that are signed and validated 1 = ON, 0 = OFF (default)
    >> advice: keep this OFF.
    >> effect: allows unsigned programs to run without admin approval; over a year or so you should set this to ON (there are simply too few programs signed now).

    "ConsentPromptBehaviorUser"
    User Account Control: Behavior of the Elevation Prompt For Standard Users
    0 = no pop-up, disallow/block when UAC is on and running as a limited user account
    1 = allows you to take over the credentials of the admin by entering account and password
    Advice: what you want (either disable or allow admin credential takeover)

    "FilterAdministratorToken"
    User Account Control: Admin Approval Mode for the Built-in Administrator Account 1 = ON, 0 = OFF (default)
    See http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx
    I have vista64 home premium with no shared domain, so I have kept it off (when a hacker would be able to define a shared domain, from one of the other computers behind the router, he/she cannot log on using the built-in admin in safe mode, I guess; not tested though)

    Regards Kees
     
    Last edited: Sep 11, 2007
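
An added example, not part of the original post: a small audit of the values listed above, run over the saved text output of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"`. The defaults are the ones stated in the post; the sample output and the function name are constructed for illustration.

```python
import re

# Defaults exactly as stated in the post above. It gives no default for
# ConsentPromptBehaviorUser, so that value is reported but never flagged.
POST_DEFAULTS = {
    "EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2,
    "EnableInstallerDetection": 1, "EnableVirtualization": 1,
    "EnableSecureUIAPaths": 1, "PromptOnSecureDesktop": 1,
    "ValidateAdminCodeSignatures": 0, "FilterAdministratorToken": 0,
    "ConsentPromptBehaviorUser": None,
}
# One indented value line of `reg query` output: name, REG_DWORD, hex data.
DWORD_LINE = re.compile(
    r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)[ \t\r]*$", re.M)

def audit_uac(text):
    """Return (name, current, default, status) for every UAC value."""
    # Registry value names are case-insensitive, so compare lowercased.
    current = {m.group(1).lower(): int(m.group(2), 16)
               for m in DWORD_LINE.finditer(text)}
    report = []
    for name, default in POST_DEFAULTS.items():
        value = current.get(name.lower())
        if value is None:
            status = "missing"
        elif default is None:
            status = "no default stated"
        else:
            status = "default" if value == default else "changed"
        report.append((name, value, default, status))
    return report

# Constructed sample output (not from the thread): the post's advised
# changes applied, FilterAdministratorToken absent, one unrelated value.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    ConsentPromptBehaviorUser    REG_DWORD    0x1
    EnableInstallerDetection    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x1
    EnableSecureUIAPaths    REG_DWORD    0x1
    EnableVirtualization    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
    ValidateAdminCodeSignatures    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for row in audit_uac(SAMPLE):
        print(row)
```

A "changed" row marks a value that differs from the default given in the post, which makes a quiet-mode or installer-detection change easy to spot when reviewing a machine.
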
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Thanks Kees, so looks like it is in fact possible to control UAC alerts, I was afraid that it wasn't possible. I do want to leave UAC turned on, but it must not prompt about certain things. ;)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    There is a little free application called TweakUAC. It will allow you to set the ConsentPromptBehaviorAdmin value from UAC OFF, UAC ON in quiet mode and UAC fully.

    It is handy when you want to run in quiet mode mostly, but turn to full UAC when you start surfing.

    Regards
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    You can access all of these settings directly from the Vista UI:
    run "secpol.msc" and go to Local Policies -> Security Options.

    All 9 possible settings for UAC are there, under "User Account Control".
    However having the corresponding registry entries is interesting too.

    Regards,
    gkweb.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    In Ultimate you can, not in Home

    Regards Kees
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Thanks for the information, I didn't know :)

    Regards,
    gkweb.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Gkweb,

    When going vista64, I think it is easier to buy Ultimate, so you made a better choice.

    Rg
     
  8. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    It's like gpedit.msc in XP. You can access it in Pro but not in Home. Secpol.msc can be accessed by Business, Ultimate and Enterprise editions.

    I hardly run into UAC anymore since my computer is set up (the same happened in Linux where I hardly had to "root"). The only thing I changed was turning off the "blackening" effect which annoyed me.
     