UAC | Microsoft Study Bible

How to manage UAC through Domain security policy?

Unify the management of the UAC control hierarchy through Domain security policy.

In an enterprise, there is a lot of clients .

Generally speaking; a system administrator should manage at least tens of clients, even amount to hundreds of ones. Obviously, it would be a real chore without challenging, if the UAC of the clients required adjusting one by one .According to my test, the UAC can be used in conjunction with GPO (group policy object) or domain security policy, that is to say, the control level can be set in domain controller or group levels. When the clients join in the domain or the Group, this level will be inherited. So, there is no need to set the UAC control level in each of clients. To be honest, Microsoft works pretty well in this respect. Although the structure and management of Microsoft domain is complex, the function is comparatively strong. And the domain context is always necessary to make some applications of advanced features more flexible. At least, this domain context can provide a platform to manage the clients intensively.

Turn off UAC or Give up Windows 7?

Filed under: Windows — Tags: malicious programs, OS, UAC, Win7, Windows 7, Windows Vista, Windows XP — Jackson @ 8:57 pm

My Reviews about UAC in Windows 7 (Part 2)
三 Turn off the UAC
But some users of Win7 would like to use the window control strategy, rather than the new and advanced security technology of Windows 7 called User Account Control. What should they do with the UAC, either give up Win7 or choose some other OS? My answer is there is no need to choose other operating systems; just one simple operation could make it. The system admin just turned the level to the fourth, that is to say, turned off the UAC, which make the OS Win7 the same like the previous edition ones that didn’t have UAC.
Like Windows XP, Win7 that had turned off UAC would never notify the system administrator if there is any change in system configuration. For example, when the user as an administrator access to the Operating System, any changes in OS by the application won’t automatically notify the administrator, and will become directly applicable.
123

1231
Overall, the UAC experience is much improved in Windows 7 than in Windows Vista. The number of clicks (by default) is drastically reduced in Windows 7 when compared to Windows Vista. The ultimate goal of the UAC is to provide user the control over what changes can happen to the system and not to annoy users with more number of prompts.
However，if some malicious programs inserted into and system, would secretly change system settings or configurations such as webpage, the registry etc. When the users with a general or common account accessed to the OS, any changes that the users have no relevant authority to do have would meet with a refusal, such as the installation and upgrade of the application, the changes in the system configuration, and so on. Unless the user sent an oral notice to the admin to adjust the authority, the users could not do those changes.
It should be noted that only when the system administrator must restart the computer, the adjustment that the admin changed the high level to the fourth would come into force.
When UAC was turned off, kinds of applications would cause damage to the OS. Because the application could access to and modify the protected areas, the private data and so on, that is to say, the application had the same privilege as the admin. Besides, some malicious programs could also secretly do communication and data transmission with other computers on networks, even the hosts on the Internet, which would attack and damage the OS.

My Review about Windows 7 with UAC?(part 1)

Filed under: Windows — Tags: human Oriented Design, IE, UAC, User Account Control, Win7 OS, Windows 7 — Jackson @ 4:14 am

The Windows 7 OS provide a new security management mechanism that is User Account Control (UAC). So, what is UAC or what can it do? To be brief ,that is if the other users ,not the administrator want to do some changes to the operating system, they must receive the permission from the administrator. When they want to change, the OS will automatically send the notice to the administrator, who determines whether to allow these changes. In the previous OS editions there is the limit like that, but greatly improvement in Windows 7.UAC not only makes the level of the users more granular, also automatically inform the administrator.

1.The administrator can choose the different levels to control the users according the requirements.
In Windows 7, UAC has four grades. The highest level is “Windows 7’s UAC setting is set to “Notify me when any changes in my computer”. That is to say, when the users install the application software or get the applications upgrade, or the applications want to do some changes to the OS such as modify ,change the Windows setting of modification ,change and so on ,which the user do not know , the system will prompt UAC to make the users informed.
The second level is “by default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer”. Differently from the first level ,the key change is not to notify system administrator when the Windows setting changed. Even though there are malware or autorun programs inserting into the system, it won’t have much impact on the OS. Because the programs couldn’t change the system setting such as this registry setting, Defaults page of IE browser, and the Service start-up list and so on. For most of the users ,especially for the enterprise users, this security level is enough .Higher the level ,more inflexible the system. Too high level will make the system administrator very busy.
The third and the fourth levels gradually reduce the security, finally down to no security .This level is similar to the control-lever of the previous IE .Both of them is a control-level named by Microsoft itself. The administrators need to know about the details of each of the control-levels to set the security level fit for the enterprise. Generally speaking ,the higher the level is ,more safe the system is . Unfavorably, the administrator would spend more time in the complaint from the users, as the users made any changes to the system ,which would notify the administrator .But , you cannot burn the candle at both ends. The administrator must give a choice between the security and the flexibility.
uac1

2. How to notify the administrators when the authority was not enough?
When you read this, had you used workflow products from Microsoft or other companies? In fact, the Microsoft was effective in borrowing from the way the workflow software cope with that problem. When the users without enough authority tried to change one setting or some security application, the system will send a request to the administrator. When the system administrator login next time, he would see the dialog box, which would show these changes the users tried to. After checking over whether these message to damage the stability of the system, the admin will tell the system to allow or refuse the changes by the dialog box. (more…)

Microsoft Study Bible

September 15, 2009

September 7, 2009

Turn off UAC or Give up Windows 7?

September 1, 2009

My Review about Windows 7 with UAC?(part 1)