UAC - practical implementation?

Alan van der Vyver

Hi!

I think I am missing something very basic and expected to be able to
find the information I am looking for easily, but in fact, have not been
able to.

I want our staff to have standard user accounts, because I want them to
be aware of potentially malicious activities they did not initiate and I
want them to pause and consider the consequences when they do initiate
actions that are considered potentially destabilizing. This can be
achieved by supplying an administrator user name and password. However,
I do not want to prevent people from performing these actions and having
an administrator do it for them is totally impractical.

It would seem the obvious solution is to provide an additional
administrative account on the machine that can be used to authorize
these activities, but as soon as people are aware of that account they
will just log on with it. Then the UAC dialogs lose any "security" value
and just become an annoyance, because most people will always just click
"OK" without even reading them.

What I am looking for is an account that can be used for privilege
escalation, but cannot be used to log on locally. I tried removing the
"Log on locally" permission from an administrative account, but then it
can not be used for privilege escalation either.

How is one supposed to accomplish this scenario? Is it actually possible
to create an account that can be used for privilege escalation, but not
for local log on?

regards,
Alan.
 
The short answer is you can't do this. The account has to have the right to
logon locally to be used for UAC.

You really need to give people some education about the risks surrounding
high privilege. You should also have the ability to trace what they are
doing. Using event logs (yes I know they are difficult to use for many
things) you can capture when they are elevating, and if you find that they
are elevating everything you can stop them.

The administrative accounts should not be mail enabled if you use Exchange.
That makes them very difficult to use to read e-mail.

Another thing I have experimented with is to use ISA Server's ability to
authenticate connections to make life more difficult on users who use admin
accounts to surf the web. I put all the admin accounts in a group and blocked
that group from connecting to the Internet. It works pretty well if you are
in a domain environment, but once you have stand-alone machines it becomes
unwieldy.

The key thing is to educate people though. You can't get around the need for
that.

Keep in mind too the three ways you can use UAC:
1. Good - make your users admins in admin approval mode
2. Better - make your users standard users and teach them to elevate to an
admin account that is specific to each user
3. Best - block elevation for standard users, make all your users standard
users, and teach them to use fast user switching to log on using an admin
account that is specific to each user for admin tasks.
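Jesper's point about using the event log to see who is elevating, and how often, as an added PowerShell example that is not part of the thread: it reads Security event 4688 (Process Creation) and counts launches that ran with an elevated token per account. The `$Threshold` value is an assumption to tune locally; the script needs "Audit Process Creation" enabled and an elevated shell to read the Security log.

```powershell
# Added example (not from the thread): summarise elevated process launches per
# account from Security event 4688. The TokenElevationType field is %%1937
# (TokenElevationTypeFull) when UAC is enabled and the process received the
# full administrator token, i.e. it was started through a UAC elevation.
param(
    [int]$Days = 7,
    [int]$Threshold = 50   # assumption: accounts above this many elevations get flagged
)

$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-$Days)
}

$elevated = Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a lookup table
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TokenElevationType'] -eq '%%1937') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            # Subject is the account recorded as creating the new process
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process = $data['NewProcessName']
        }
    }
}

# One row per account, busiest first; REVIEW marks accounts that elevate
# so often that they are probably running everything elevated.
$elevated | Group-Object User | Sort-Object Count -Descending | ForEach-Object {
    $flag = if ($_.Count -gt $Threshold) { 'REVIEW' } else { '' }
    '{0,6}  {1,-35} {2}' -f $_.Count, $_.Name, $flag
}
```

Piping `$elevated` to `Group-Object Process` instead shows which programs are being elevated, which is usually the quicker way to spot "elevate everything" habits.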
 
Jesper said:
The short answer is you can't do this. The account has to have the right to
logon locally to be used for UAC.

Jesper,

Thanks for the answer. That is pretty much what I expected. It is not
that big a problem for machines connected to the domain, because I can
make the domain account a normal user and create a local admin user as
well. The local admin account's inability to access network resources
will prevent it from being used as a default log-in account.

The problem arises with laptop users who are almost never in the office.
There, it would be really useful to have an escalation account that does
not permit local log-in.

It has been my experience that education only works if it does not get
in people's way. I was amazed to discover that most dialogs have a
lifetime of less than a second if they do not require that information
be entered. The fact that there might be important or useful information
on them seems irrelevant.

regards,
Alan.
 
Sadly, I know exactly what you mean about education. Most people are way too
quick to click. And, then they complain when you won't give them admin privs,
so they can install iTunes, on their work computer. Silly me. I thought the
ability to listen to your music anywhere you wanted was the reason you bought
an iPod in the first place.

The Zune does not require admin privs...
 
Well, yeah ... but they don't have a free high-speed Internet connection at
home, do they? We all know the main reason I provide a network to my users
at work is so folks can use our gigabit connectivity to upload pictures to
their Web site, download movies and music ... right? ;-)

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
I've heard, but never actually seen it, of people requesting that BitTorrent
be added to the default workstation image...

Richard G. Harper said:
Well, yeah ... but they don't have a free high-speed Internet connection at
home, do they? We all know the main reason I provide a network to my users
at work is so folks can use our gigabit connectivity to upload pictures to
their Web site, download movies and music ... right? ;-)

 
I actually got paged in one night to install Real so one of the night shift
supervisors could watch his college alma mater play in the regional hockey
playoffs. You can guess what the answer to that one was. ;-)

Can't say I've had a request for any of the BT clients but I have had a
request for iTunes to be rolled out via AD for select users. :(

Jesper said:
I've heard, but never actually seen it, of people requesting that BitTorrent
be added to the default workstation image...

 
Don't roll out iTunes via AD. To do so apparently violates Apple's licensing
policy. They do not permit "redistribution" of their software. Which, of
course, means that they do not permit enterprise management of it, nor any
way for the enterprise to ensure that their computers remain up to date;
which given Apple's propensity for extremely serious bugs in iTunes, is quite
worrisome. I am distinctly getting the impression that Apple has no interest
in being an enterprise player.

Richard G. Harper said:
I actually got paged in one night to install Real so one of the night shift
supervisors could watch his college alma mater play in the regional hockey
playoffs. You can guess what the answer to that one was. ;-)

Can't say I've had a request for any of the BT clients but I have had a
request for iTunes to be rolled out via AD for select users. :(

 
Hi!

I have not found a way to create an admin account that can be used for
privilege escalation, but not for local log-in, but I have found a way
to remove the incentive to log in using the administrative account all
the time.

It is possible to change the policy on the laptops to require that
credentials be supplied, even from an administrative account. The
default is to just require clicking an assent button.

If there is no difference in the behaviour of administrative and normal
accounts, there is no reason to use the administrative account instead
of the normal one.

regards,
Alan.
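The policy change Alan describes here, and the "block elevation for standard users" option from Jesper's list of three UAC modes, both come down to two values under the Policies\System registry key. The following is an added PowerShell example, not code from the thread; it reads and sets those values and must run from an elevated shell. On a domain-joined machine the equivalent Group Policy settings will overwrite whatever is set locally.

```powershell
# Added example (not from the thread): inspect and set the UAC prompt policies.
# These are the registry form of the Group Policy settings
# "User Account Control: Behavior of the elevation prompt for administrators
#  in Admin Approval Mode" and "... for standard users".
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin:
#   0 = elevate without prompting        1 = prompt for credentials (secure desktop)
#   2 = prompt for consent (secure desktop)  3 = prompt for credentials
#   4 = prompt for consent               5 = prompt for consent for non-Windows binaries
# ConsentPromptBehaviorUser:
#   0 = automatically deny elevation requests
#   1 = prompt for credentials (secure desktop)   3 = prompt for credentials

function Get-UacPromptPolicy {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Set-UacPromptPolicy {
    param(
        [ValidateRange(0, 5)][int]$Admin,
        [ValidateSet(0, 1, 3)][int]$User
    )
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value $Admin -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorUser  -Value $User  -Type DWord
    # Keep prompts on the secure desktop so other processes cannot draw over them
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1      -Type DWord
}

# Alan's laptop setting: administrators must re-enter credentials, so logging
# on with the admin account is no more convenient than using the standard one.
# Set-UacPromptPolicy -Admin 1 -User 1

# Jesper's "best" option: standard users cannot elevate in place at all and
# must switch to their personal admin account for administrative work.
# Set-UacPromptPolicy -Admin 1 -User 0

Get-UacPromptPolicy
```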
 