Tactics in Using UAC for Eliminating Administrator Rights

by Greg Shields

For many of us, UAC’s excessive prompting led our environments to shut the service off immediately. Deciding which processes were legitimate wasn’t a task we wanted to hand to our users. For the environments that shut it off, the time cost of UAC’s interruptive prompting was deemed greater than the protection it brought.

And yet Microsoft’s recommendation today remains that environments should not turn UAC off. So what are the best practices for getting the most out of UAC? And how can you leverage UAC to help you eliminate administrator privileges? For those answers, keep reading.

The important thing to remember about UAC is that its prompting is intended primarily for those with Administrator access. Users who have not been given Administrator access on the local computer will generally operate without being prompted for elevation. This behavior in and of itself helps drive IT organizations toward eliminating administrator privileges. In short, get rid of administrator access and you get rid of UAC’s prompt at the same time.

For administrators, however, elevation prompts are a daily occurrence, appearing any time they attempt to use their administrative credentials. Although these prompts can be annoying during daily activities, they can also be handy in helping you locate the common activities that require elevation.

Consider the example where you are attempting to trace which user activities require administrative privileges. In most cases, the place to start is to look for the shield icon next to the action. If that shield icon is present, you can be assured that the activity will require administrative privileges.

The problem with UAC, however, is that not all actions within Windows are necessarily accompanied by the shield icon. For example, many software installation files do not include the shield as part of their icon.

Double-clicking these files or running these actions attempts the action on the assumption that you have the correct privileges. The OS doesn’t necessarily “know” that you won’t be able to accomplish the action until you attempt it and fail. Only then will UAC take over and request your permission to elevate in order to accomplish the action.
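
As an added example (not from the original article or from Microsoft): some executables declare their elevation requirement up front in an embedded application manifest, in the requestedExecutionLevel element, so a folder of installers can be triaged without running them. This Python script searches a file's bytes for that element; the file names and contents in SAMPLES are constructed, and the byte search is a heuristic rather than a full PE resource parser.

```python
import re

# Values Windows defines for requestedExecutionLevel in an application manifest.
LEVELS = {
    "asInvoker": "runs with the caller's token, no elevation requested",
    "highestAvailable": "uses the highest privileges the current user can obtain",
    "requireAdministrator": "will not start without an administrator token",
}

# The manifest is stored as XML text inside the executable, so a byte search
# finds it without a full PE resource parser (a heuristic, assumed good enough
# for triage; packed or unusually encoded files can evade it).
_LEVEL_RE = re.compile(
    rb'<(?:\w+:)?requestedExecutionLevel\b[^>]*?\blevel\s*=\s*["\']([A-Za-z]+)["\']'
)

def requested_level(image: bytes):
    """Return the execution level a PE file declares, or None if it declares none."""
    if image[:2] != b"MZ":  # not a PE image, e.g. an .msi package
        return None
    match = _LEVEL_RE.search(image)
    return match.group(1).decode("ascii") if match else None

def classify(image: bytes) -> str:
    level = requested_level(image)
    if level is None:
        return "undeclared: run it as a standard user to see whether it asks to elevate"
    return f"{level}: {LEVELS.get(level, 'unrecognized value')}"

def _fake_pe(manifest: str) -> bytes:
    """Constructed stand-in for an executable: MZ header stub plus manifest text."""
    return b"MZ" + b"\x00" * 62 + manifest.encode("utf-8")

_MANIFEST = ('<assembly xmlns="urn:schemas-microsoft-com:asm.v1"><trustInfo '
             'xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
             '<requestedExecutionLevel level="{}" uiAccess="false"/>'
             '</requestedPrivileges></security></trustInfo></assembly>')

# Constructed sample files (hypothetical names), not taken from the article.
SAMPLES = {
    "setup_tool.exe": _fake_pe(_MANIFEST.format("requireAdministrator")),
    "viewer.exe": _fake_pe(_MANIFEST.format("asInvoker")),
    "legacy_app.exe": _fake_pe(""),
    "package.msi": bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 56,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {classify(data)}")
```

Files reported as undeclared are the ones the paragraph above describes: their need for elevation only shows up when the action is attempted.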

File and Registry Virtualization

Once you’ve located the applications that require administrator privileges, your next task is to determine whether they can be reconfigured to eliminate the requirement. Microsoft’s solution for this problem is the Microsoft Application Compatibility Toolkit (ACT). This toolkit enables your organization to create a database of applications and their compatibility, not only with different OSs but also with respect to their administrative credential requirements.

The ACT’s Standard User Analyzer wizard provides a guided step-by-step process for launching an application, identifying the credential requirements of that application based on the resources it requires, and ultimately providing a set of mitigations that eliminate its need for administrative privileges. These mitigations typically arrive in the form of slightly loosened ACLs for the files, folders, registry entries, and other on-system elements that the application requires. The goal of ACT’s Standard User Analyzer is to locate enough of these areas where security can be loosened just enough that the user can continue working without the need for administrative credentials. You can download ACT, currently in version 5.5, from Microsoft’s Web site.

 

About the Author

Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of Microsoft’s “Most Valuable Professional” award.


  • © 2012 Realtime Publishers