Configuring Windows 7 (Training Kit) - Part 52


Lesson 1: Managing User Account Control CHAPTER 9 483
the built-in Administrator account using the Accounts: Administrator Account Status policy,
which is also located in the Security Options node. The default setting of this policy is Disabled.
If you enable the built-in Administrator account while this policy remains Disabled, the account
elevates automatically, without a UAC prompt. If you enable both this policy and the built-in
Administrator account, the built-in account receives UAC prompts when attempting tasks that
require privilege elevation, like any other administrator in Admin Approval Mode.
UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
The UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
policy functions in a similar way to the User Account Control Settings dialog box that was
covered earlier in this lesson. It allows you to configure how intrusive UAC is for users
that log on to a client running Windows 7 with administrative privileges. Unlike the UAC
Settings dialog box, which has four settings, this policy, shown in Figure 9-4, has six settings.
FIGURE 9-4 Elevation prompt for administrators
These settings work as follows:
• Elevate Without Prompting This is the least secure setting. Elevation requests from
administrators are approved automatically, which for members of the Administrators group
is effectively the same as disabling UAC (standard users and file and registry virtualization
are unaffected).
• Prompt For Credentials On The Secure Desktop UAC always prompts the administrator
for a password, as shown in Figure 9-5, on the Secure Desktop.
484 CHAPTER 9 Authentication and Account Control
FIGURE 9-5 Prompt for credentials
• Prompt For Consent On The Secure Desktop UAC always prompts the administrator
for consent on the Secure Desktop, as shown in Figure 9-6. This setting does not require
the user to enter a password.
FIGURE 9-6 Consent prompt
• Prompt For Credentials The user must enter a password. The Secure Desktop is used
only if the UAC: Switch To The Secure Desktop When Prompting For Elevation policy is
enabled (that policy's default setting).
• Prompt For Consent This policy prompts for consent. The Secure Desktop is used
only if the UAC: Switch To The Secure Desktop When Prompting For Elevation policy is
enabled (that policy's default setting).
• Prompt For Consent For Non-Windows Binaries This is the policy's default setting.
UAC prompts only when an application that is not a part of the Windows operating
system requests elevation. Applications that are part of Windows, meaning they are
signed by the Windows publisher and installed in a secure location such as Windows\
System32, elevate without a UAC prompt.
UAC: Behavior Of The Elevation Prompt For Standard Users
The UAC: Behavior Of The Elevation Prompt For Standard Users policy, shown in Figure 9-7,
determines whether and how Windows prompts a user who does not have administrative
privileges for privilege elevation. The default option automatically denies elevation requests.
Windows gives the user no direct indication that the request was denied; the user can infer it
only from the fact that the operation that triggered the elevation attempt fails. The other
options are to prompt for credentials on the Secure Desktop or to prompt for credentials.
Credentials, rather than consent, are required because the standard user's own account cannot
approve the request; an account that is a member of the local Administrators group must do so.
FIGURE 9-7 Elevation requests for standard users
UAC: Detect Application Installations And Prompt For Elevation
The UAC: Detect Application Installations And Prompt For Elevation policy determines
whether Windows uses installer-detection heuristics (for example, file names or version
information containing words such as setup, install, or update) to recognize application
installers that carry no manifest, and prompts for elevation when they run. The default setting
is Enabled, allowing the installation of software once consent or appropriate credentials have
been provided. This policy is often disabled in enterprise environments where software is
distributed through Group Policy or a management tool and the direct use of application
installers is not necessary. With the policy disabled, a legacy installer runs with the user's
standard token and typically fails when it tries to write to protected locations.
UAC: Only Elevate Executables That Are Signed And Validated
When you enable the UAC: Only Elevate Executables That Are Signed And Validated policy,
UAC provides an elevation prompt only for executable files whose digital signatures chain to
a certificate authority (CA) trusted by the computer. If an application has no digital signature,
or has a signature from a CA that is not trusted, UAC does not allow elevation and the program
does not run elevated. This policy is disabled by default and should be used only in environments
where all applications that require elevation are digitally signed. Note that the check validates
the certificate chain, not the publisher: any executable signed under a trusted CA passes.
UAC: Run All Administrators In Admin Approval Mode
The UAC: Run All Administrators In Admin Approval Mode policy dictates whether Windows
provides UAC for users with administrative privileges when they perform a task that requires
elevation. The default setting of the policy is Enabled. When this policy is disabled, users with
administrative privileges are elevated automatically when they perform a task that requires
elevation. Disabling this policy turns off UAC as a whole, not only for administrators: all
related UAC policies stop applying, Windows notifies you through Action Center that security
has been reduced, and the change takes effect only after a restart.
UAC: Switch To The Secure Desktop When Prompting For Elevation
The UAC: Switch To The Secure Desktop When Prompting For Elevation policy determines
whether the UAC prompt is displayed on the Secure Desktop when a user is prompted for
elevation. Secure Desktop dims the screen and requires that a user respond to the UAC
prompt before being able to continue using the computer. Because the Secure Desktop is a
separate desktop that processes on the user's interactive desktop cannot draw on or send
input to, malware cannot spoof the appearance of a UAC prompt or click Yes on the user's
behalf. This policy is enabled by default. If this policy is disabled but the UAC: Behavior Of
The Elevation Prompt For Administrators In Admin Approval Mode policy is set to either
Prompt For Consent On The Secure Desktop or Prompt For Credentials On The Secure
Desktop, the Secure Desktop is still used for those prompts.
UAC: Virtualize File And Registry Write Failures To Per-User Locations
Many older applications attempt to write data to the Program Files, Windows, or Windows\
System32 folder, or to the HKLM\Software registry key. Windows 7 does not allow applications
running without elevation to write to these protected locations. To support these applications,
Windows 7 lets them believe that they have successfully written data to these locations, when
in reality it has redirected the writes to virtualized per-user locations (%LOCALAPPDATA%\
VirtualStore for files and HKCU\Software\Classes\VirtualStore for registry data), where later
reads by the same user find them. Virtualization applies only to 32-bit processes that run
without elevation and carry no application manifest. When the UAC: Virtualize File And
Registry Write Failures To Per-User Locations policy is disabled, Windows blocks these writes
and the application receives an access denied error. This policy is enabled by default.
UAC: Allow UIAccess Applications To Prompt For Elevation Without Using Secure Desktop
User Interface Accessibility (UIAccess) programs are a special type of program that can
interact with Windows and applications on behalf of a user. Examples include on-screen
keyboard and Windows Remote Assistance. The UAC: Allow UIAccess Applications To Prompt
For Elevation Without Using Secure Desktop policy determines whether UIAccess applications,
which are identified as such by the properties of the application, are able to issue a UAC
prompt without using Secure Desktop. The default setting for this policy is Disabled.
You should enable this policy when it is necessary for remote assistance helpers to respond
to UAC prompts that occur during a remote assistance session. During normal operation,
if a UAC prompt is triggered during a remote assistance session, the remote computer
displays the UAC prompt on the Secure Desktop. Unfortunately for the helper, the Secure
Desktop is not visible to them when they are connected over a remote assistance session.
The only way that a helper can respond to these UAC prompts is if the Secure Desktop is not
invoked when the prompt is raised through a UIAccess application. Enabling the policy gives
up the anti-spoofing protection of the Secure Desktop for those prompts, so enable it only
where remote assistance is actually used. This policy is only relevant if UAC prompts are
configured for standard users: if the UAC: Behavior Of The Elevation Prompt For Standard
Users policy is set to Automatically Deny Elevation Requests, elevation is denied outright and
the helper never gets an opportunity to provide credentials.
UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations
The UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations policy
applies only to applications that request execution with the UIAccess integrity level.
The default setting for this policy is Enabled, which means that only applications installed
in the Windows\System32 folder or in the Program Files folder (and Program Files (x86) on
64-bit Windows) and their subdirectories are able to request execution with this special
integrity level. Disabling this policy allows programs installed in any location, including
locations a standard user can write to, to request the UIAccess integrity level; because
UIAccess programs may drive the user interface of higher-integrity processes, this weakens
the isolation that UAC depends on. Programs requesting execution with the UIAccess integrity
level must have a digital signature issued by a trusted CA independent of this policy setting.
Secpol and Local Security Policy
The Local Security Policy console (also known as Secpol.msc), shown in Figure 9-8, is available
in the Administrative Tools section of the Control Panel. The console displays a subset of
the policies available in the Local Group Policy Editor: it edits what appears in the Computer
Configuration\Windows Settings\Security Settings node of the Local Group Policy Editor. The
advantage of the Local Security Policy console over the Local Group Policy Editor is that it is
focused specifically on security settings. Every task that you can accomplish with the Local
Security Policy console, you can also complete using the Local Group Policy Editor.
FIGURE 9-8 Local Security Policy
You can use both the Local Group Policy Editor and the Local Security Policy console to
import and export security-related Group Policy settings. You can use this import and export
functionality to apply the same security settings to stand-alone computers that are not part
of a domain environment. Exported security files are written in Security Template (.inf) format:
plain text, with each registry-based setting recorded in a [Registry Values] section as a registry
path followed by the value type and data. As well as using the Local Group Policy Editor and
the Local Security Policy console to import policies that are stored in .inf format, you can apply
them using the Secedit.exe command-line utility (secedit /configure, which takes the template
with /cfg and a settings database with /db), which is convenient for scripting the same baseline
onto many stand-alone computers. You use the Local Group Policy Editor in the practice which
follows.
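The UAC policies described in this lesson are all stored as REG_DWORD values under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, and a Security Template export records each one as a path=4,value line in its [Registry Values] section. The following Python script is an added example and is not code from the Training Kit: it parses such an export (the template text embedded in it is constructed, not taken from a real computer), decodes each value into the setting names used in this lesson, and applies the Secure Desktop rule from the Switch To The Secure Desktop section, where the secure desktop is still used when that switch is disabled but the administrator prompt is itself one of the "On The Secure Desktop" settings. The value names and numeric encodings are the documented Windows 7 ones; the audit rules in audit() are this example's own choices.

```python
"""Decode and audit UAC settings from a Security Template (.inf) export.
Added example for this lesson, not Training Kit code. SAMPLE_INF is constructed
to resemble a secedit export and is not taken from a real machine."""

UAC_KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# ConsentPromptBehaviorAdmin: prompt for administrators in Admin Approval Mode.
ADMIN_PROMPT = {
    0: "Elevate without prompting",
    1: "Prompt for credentials on the secure desktop",
    2: "Prompt for consent on the secure desktop",
    3: "Prompt for credentials",
    4: "Prompt for consent",
    5: "Prompt for consent for non-Windows binaries",
}
# ConsentPromptBehaviorUser: prompt for standard users.
USER_PROMPT = {
    0: "Automatically deny elevation requests",
    1: "Prompt for credentials on the secure desktop",
    3: "Prompt for credentials",
}
# Enabled/Disabled policies and the REG_DWORD value name behind each one.
BOOLEAN_POLICIES = {
    "EnableLUA": "Run all administrators in Admin Approval Mode",
    "PromptOnSecureDesktop": "Switch to the secure desktop when prompting for elevation",
    "EnableInstallerDetection": "Detect application installations and prompt for elevation",
    "ValidateAdminCodeSignatures": "Only elevate executables that are signed and validated",
    "EnableVirtualization": "Virtualize file and registry write failures to per-user locations",
    "FilterAdministratorToken": "Admin Approval Mode for the Built-in Administrator account",
    "EnableUIADesktopToggle": "Allow UIAccess applications to prompt without the secure desktop",
    "EnableSecureUIAPaths": "Only elevate UIAccess applications installed in secure locations",
}
# Constructed sample: admin prompt set as in Exercise 2, but with the secure-desktop switch off.
SAMPLE_INF = r"""
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""

def parse_registry_values(inf_text):
    """Return {value_name: int} for UAC entries in [Registry Values]."""
    # Entries are <path>=<type>,<data>; type 4 is REG_DWORD. Other keys are skipped.
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Registry Values":
            continue
        path, _, data = line.partition("=")
        key, _, name = path.rpartition("\\")
        reg_type, _, payload = data.partition(",")
        if key.lower() == UAC_KEY.lower() and reg_type.strip() == "4":
            values[name] = int(payload.strip())
    return values

def uses_secure_desktop(values):
    """Effective secure-desktop use for administrator prompts (absent values = Windows 7 defaults)."""
    if values.get("EnableLUA", 1) == 0:
        return False  # UAC off entirely: no prompt of any kind
    if values.get("PromptOnSecureDesktop", 1) == 1:
        return True   # the switch forces the secure desktop for every prompt
    # Switch disabled: still secure if the admin prompt is itself a secure-desktop setting.
    return values.get("ConsentPromptBehaviorAdmin", 5) in (1, 2)

def describe(values):
    """Map each UAC value present in the export to its friendly setting."""
    out = {}
    if "ConsentPromptBehaviorAdmin" in values:
        out["Administrator prompt"] = ADMIN_PROMPT.get(values["ConsentPromptBehaviorAdmin"], "Unknown")
    if "ConsentPromptBehaviorUser" in values:
        out["Standard user prompt"] = USER_PROMPT.get(values["ConsentPromptBehaviorUser"], "Unknown")
    for name, policy in BOOLEAN_POLICIES.items():
        if name in values:
            out[policy] = "Enabled" if values[name] else "Disabled"
    return out

def audit(values):
    """Flag the combinations this lesson calls out as weak (this example's own rules)."""
    findings = []
    if values.get("EnableLUA", 1) == 0:
        findings.append("EnableLUA=0: UAC is disabled for every user")
    elif values.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    elif not uses_secure_desktop(values):
        findings.append("Prompts appear on the interactive desktop, not the secure desktop")
    if values.get("EnableSecureUIAPaths", 1) == 0:
        findings.append("EnableSecureUIAPaths=0: UIAccess programs may run from any location")
    return findings

if __name__ == "__main__":
    parsed = parse_registry_values(SAMPLE_INF)
    print(describe(parsed), uses_secure_desktop(parsed), audit(parsed) or "none")
```

Run against a real export (secedit /export /cfg file.inf, then read the file), the same functions let you compare a lab computer's effective UAC posture with the baseline you exported before changing anything, which is what Exercise 2 does by hand through the Import Policy menu.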
EXAM TIP
Understand the difference between prompt for consent and prompt for credentials.
Practice Configuring User Account Control
UAC can be configured to better meet the needs of the administrators and users in your
environment. In this practice, you configure different UAC options and evaluate them to get
a better idea of what configuration options are available.
exercise 1 Configuring UAC Settings
In this exercise, you configure UAC settings and note how different settings influence the
behavior of UAC.
1. Log on to computer Canberra using the Kim_Akers user account.
2. Click Start. In the Search Programs And Files text box, type User Accounts. Click
the User Accounts item on the Start menu.
3. Click the Manage Another Account item. Note that you are not prompted by UAC to
start the Manage Accounts control panel. Click Go To The Main User Accounts Page.
4. Click the Change User Account Control settings item. Note that you are not prompted
by UAC when clicking this item.
5. On the Choose When To Be Notified About Changes To Your Computer page, move
the slider to Always Notify. Click OK.
6. At the User Account Control prompt, click Yes.
7. Click the Manage Another Account item. Note that this time, you are prompted by
UAC and that the screen is dimmed, indicating that the Secure Desktop feature is
active. Click No to cancel the UAC prompt.
8. Click the Change User Account Control settings item. Note that you are now prompted
by UAC with the Secure Desktop when you click this item. Click Yes.
9. On the Choose When To Be Notified About Changes To Your Computer page, return
the slider to the Default – Notify Me Only When Programs Try To Make Changes To My
Computer setting. Click OK. Click Yes when prompted by the UAC prompt.
10. Close the User Accounts control panel.
exercise 2 Configuring and Exporting UAC Policies
In this exercise, you configure User Account Control policies using the Local Security Policy
editor.
1. If you have not done so already, log on to computer Canberra using the Kim_Akers
user account.
2. Using Windows Explorer, create the C:\Export folder.
3. Click Start. In the Search Programs And Files text box, type Edit Group Policy. Click the
Edit Group Policy item.
4. Ensure that the Computer Configuration\Windows Settings\Security Settings node is
selected. Open the Action menu and then choose Export Policy.
5. Save the exported policy as C:\Export\Base_policy.inf.
6. Within Security Settings, select the Local Policies\Security Options node. Double-click
the User Account Control: Behavior Of The Elevation Prompt For Administrators In
Admin Approval Mode policy.
7. Select the Prompt For Credentials On The Secure Desktop setting, as shown in
Figure 9-9, and then click OK.
FIGURE 9-9 Prompt For Credentials On The Secure Desktop
8. Click Start. In the Search Programs And Files text box, type gpupdate /force
and press Enter.
9. Click Start. In the Search Programs And Files text box, type User Accounts. Click
the User Accounts item on the Start menu.
10. Click the Change User Account Control Settings item. Note that you are required to
enter your user name and password on the Secure Desktop, as shown in Figure 9-10.
Enter your password and then click Yes.
FIGURE 9-10 Entering credentials
11. Notice that the User Account Control Settings slider has been set to the most secure
option rather than the default setting that you set it to in the previous exercise. Click
Cancel to dismiss the dialog box.
12. Ensure that the Computer Configuration\Windows Settings\Security Settings node is
selected. Open the Action menu and then click Import Policy. Import the C:\Export\
Base_policy.inf policy. If you receive an error, click OK.
13. Click Start. In the Search Programs And Files text box, type gpupdate /force and press Enter.
14. In the User Accounts control panel, click the Change User Account Control Settings
item. Note that the User Account Control Settings opens and that you do not have to
enter credentials. You should also note that the slider has been returned to the default
position.
15. Close all open windows and log off.
Lesson Summary
• You can use the Local Security Policy console or the Local Group Policy Editor to edit
security-related group policies.
• When UAC is configured to use Secure Desktop, an administrator must respond
directly to the prompt before being able to continue using the computer.
• UAC can be configured to prompt for consent or prompt for credentials. Prompting for
consent requires that the administrator simply assents to the elevation. Prompting for
credentials requires the administrator to enter his or her password to allow elevation.
• By default, Windows 7 does not prompt standard users. You can configure UAC to
prompt standard users for credentials. They must then provide the credentials of a user
that is a member of the local Administrators group.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Managing User Account Control.” The questions are also available on the companion CD if
you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect
are located in the “Answers” section at the end of the book.
1. Which policy setting should you configure to ensure that the Windows 7 built-in
Administrator account must respond to a UAC prompt before elevating privileges?
A. UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval
Mode: Elevate Without Prompting
B. UAC: Admin Approval Mode For The Built-In Administrator Account: Enabled
C. UAC: Admin Approval Mode For The Built-In Administrator Account: Disabled
D. UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval
Mode: Prompt For Consent For Non-Windows Binaries
2. Which of the following policy settings should you configure to ensure that users that
are not members of the local Administrators group on a client running Windows 7 are
prompted for credentials when they perform an action that requires the elevation of
privileges?
A. User Account Control: Behavior Of The Elevation Prompt For Standard Users:
Automatically Deny Elevation Requests
B. User Account Control: Behavior Of The Elevation Prompt For Standard Users:
Prompt For Credentials
C. User Account Control: Behavior Of The Elevation Prompt For Administrators In
Admin Approval Mode: Prompt For Credentials
D. User Account Control: Behavior Of The Elevation Prompt For Administrators In
Admin Approval Mode: Prompt For Consent
3. You are responsible for managing a student lab that has 30 stand-alone clients running
Windows 7. These clients are not members of a domain, though they are members of the
same HomeGroup. You have configured a set of UAC policies on a reference computer.
You want to apply these policies to each of the 30 client computers in the lab. Which of
the following tools could you use to do this? (Choose all that apply.)
A. Local Group Policy Editor console
B. Computer Management console
C. User Account Control settings
D. Local Security Policy
4. You are in the process of phasing out older applications at your organization. You want
to ensure that older applications that attempt to write data to protected locations such
as the \Windows\System32 folder fail and are not redirected by Windows into writing
data elsewhere. Which of the following policies should you configure to accomplish
this goal?
A. UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations
B. UAC: Only Elevate Executables That Are Signed And Validated
C. UAC: Behavior Of The Elevation Prompt For Standard Users
D. UAC: Virtualize File And Registry Write Failures To Per-User Locations
5. You want users that are members of the local Administrators group to be prompted
for credentials when performing a task that requires elevation, but you do not want
them to have to respond to this prompt on the Secure Desktop. You have configured
the User Account Control: Behavior Of The Elevation Prompt For Administrators In
Admin Approval Mode policy to Prompt For Credentials. Users that are members of the
local Administrators group are being forced onto the Secure Desktop during the UAC
process. Which of the following policy settings should you configure to resolve this
problem?
A. UAC: Admin Approval Mode For The Built-in Administrator Account
B. UAC: Behavior Of The Elevation Prompt For Administrators In Admin
Approval Mode
C. UAC: Switch To The Secure Desktop When Prompting For Elevation
D. UAC: Behavior Of The Elevation Prompt For Standard Users
