**#1** (permalink), Alan van der Vyver

UAC - practical implementation?

Hi!

I think I am missing something very basic and expected to be able to find the information I am looking for easily, but in fact, have not been able to.

I want our staff to have standard user accounts, because I want them to be aware of potentially malicious activities they did not initiate and I want them to pause and consider the consequences when they do initiate actions that are considered potentially destabilizing. This can be achieved by supplying an administrator user name and password. However, I do not want to prevent people from performing these actions and having an administrator do it for them is totally impractical.

It would seem the obvious solution is to provide an additional administrative account on the machine that can be used to authorize these activities, but as soon as people are aware of that account they will just log on with it. Then the UAC dialogs lose any "security" value and just become an annoyance, because most people will always just click "OK" without even reading them.

What I am looking for is an account that can be used for privilege escalation, but cannot be used to log on locally. I tried removing the "Log on locally" permission from an administrative account, but then it cannot be used for privilege escalation either.

How is one supposed to accomplish this scenario? Is it actually possible to create an account that can be used for privilege escalation, but not for local log on?

regards,
Alan.
**#2** (permalink), Jesper

RE: UAC - practical implementation?

The short answer is you can't do this. The account has to have the right to logon locally to be used for UAC.

You really need to give people some education about the risks surrounding high privilege. You should also have the ability to trace what they are doing. Using event logs (yes I know they are difficult to use for many things) you can capture when they are elevating, and if you find that they are elevating everything you can stop them.

The administrative accounts should not be mail enabled if you use Exchange. That makes them very difficult to use to read e-mail.

Another thing I have experimented with is to use ISA Server's ability to authenticate connections to make life more difficult on users who use admin accounts to surf the web. I put all the admin accounts in a group and blocked that group from connecting to the Internet. It works pretty well if you are in a domain environment, but once you have stand-alone machines it becomes unwieldy.

The key thing is to educate people though. You can't get around the need for that.

Keep in mind too the three ways you can use UAC:

1. Good - make your users admins in admin approval mode
2. Better - make your users standard users and teach them to elevate to an admin account that is specific to each user
3. Best - block elevation for standard users, make all your users standard users, and teach them to use fast user switching to log on using an admin account that is specific to each user for admin tasks.

"Alan van der Vyver" wrote:

> Hi!
>
> I think I am missing something very basic and expected to be able to find the information I am looking for easily, but in fact, have not been able to.
>
> I want our staff to have standard user accounts, because I want them to be aware of potentially malicious activities they did not initiate and I want them to pause and consider the consequences when they do initiate actions that are considered potentially destabilizing. This can be achieved by supplying an administrator user name and password. However, I do not want to prevent people from performing these actions and having an administrator do it for them is totally impractical.
>
> It would seem the obvious solution is to provide an additional administrative account on the machine that can be used to authorize these activities, but as soon as people are aware of that account they will just log on with it. Then the UAC dialogs lose any "security" value and just become an annoyance, because most people will always just click "OK" without even reading them.
>
> What I am looking for is an account that can be used for privilege escalation, but cannot be used to log on locally. I tried removing the "Log on locally" permission from an administrative account, but then it cannot be used for privilege escalation either.
>
> How is one supposed to accomplish this scenario? Is it actually possible to create an account that can be used for privilege escalation, but not for local log on?
>
> regards,
> Alan.
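One way to do the elevation tracing Jesper describes, as an added example that is not from this thread or any of its posters: a PowerShell script that reads Security event 4688 (process creation) and counts, per account, the processes that started with a full (elevated) token. It assumes Audit Process Creation is enabled, that the shell itself runs elevated (the Security log is otherwise unreadable), and that the event's Subject fields name the account whose token the elevated process received; `$Threshold` is a constructed cutoff, not a Windows setting.

```powershell
# Added example: summarise UAC elevations per user from the Security log.
# Event 4688 carries TokenElevationType; %%1937 means "Full", i.e. the new
# process received an elevated administrator token after a UAC consent or
# credential prompt. %%1938 is the filtered (standard-user) token, %%1936 the
# default token (UAC off, built-in Administrator, or services).
# Assumptions: Audit Process Creation is on, and this shell runs elevated.
param(
    [int]$Days = 7,
    [int]$Threshold = 20   # constructed cutoff: users above it get flagged
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since }

$elevated = foreach ($e in $events) {
    # The event XML is the reliable way to get named fields on Vista-era PowerShell.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TokenElevationType'] -eq '%%1937') {
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['NewProcessName']
        }
    }
}

# Per-user summary: how often they elevate and what they elevate. Someone who
# elevates everything (Jesper's case for stopping them) shows a high count and
# a long, varied process list rather than a handful of admin tools.
$elevated | Group-Object User | Sort-Object Count -Descending | ForEach-Object {
    $flag = if ($_.Count -gt $Threshold) { 'REVIEW' } else { '' }
    '{0,-30} {1,5} elevations {2}' -f $_.Name, $_.Count, $flag
    $_.Group | Group-Object Process | Sort-Object Count -Descending |
        Select-Object -First 5 | ForEach-Object { '    {0,4}  {1}' -f $_.Count, $_.Name }
}
```

On a domain, run it against each workstation or forward the Security log centrally first; 4688 is logged on the machine where the process starts.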
**#3** (permalink), Alan van der Vyver

Re: UAC - practical implementation?

Jesper wrote:

> The short answer is you can't do this. The account has to have the right to logon locally to be used for UAC.

Jesper,

Thanks for the answer. That is pretty much what I expected. It is not that big a problem for machines connected to the domain, because I can make the domain account a normal user and create a local admin user as well. The local admin account's inability to access network resources will prevent it from being used as a default log-in account.

The problem arises with laptop users who are almost never in the office. There, it would be really useful to have an escalation account that does not permit local log-in.

It has been my experience that education only works if it does not get in people's way. I was amazed to discover that most dialogs have a lifetime of less than a second if they do not require that information be entered. The fact that there might be important or useful information on them seems irrelevant.

regards,
Alan.
**#4** (permalink), Jesper

Re: UAC - practical implementation?

Sadly, I know exactly what you mean about education. Most people are way too quick to click. And, then they complain when you won't give them admin privs, so they can install iTunes, on their work computer. Silly me. I thought the ability to listen to your music anywhere you wanted was the reason you bought an iPod in the first place.

The Zune does not require admin privs...

"Alan van der Vyver" wrote:

> Jesper wrote:
>
> > The short answer is you can't do this. The account has to have the right to logon locally to be used for UAC.
>
> Jesper,
>
> Thanks for the answer. That is pretty much what I expected. It is not that big a problem for machines connected to the domain, because I can make the domain account a normal user and create a local admin user as well. The local admin account's inability to access network resources will prevent it from being used as a default log-in account.
>
> The problem arises with laptop users who are almost never in the office. There, it would be really useful to have an escalation account that does not permit local log-in.
>
> It has been my experience that education only works if it does not get in people's way. I was amazed to discover that most dialogs have a lifetime of less than a second if they do not require that information be entered. The fact that there might be important or useful information on them seems irrelevant.
>
> regards,
> Alan.
**#5** (permalink), Richard G. Harper

Re: UAC - practical implementation?

Well, yeah ... but they don't have a free high-speed Internet connection at home, do they? We all know the main reason I provide a network to my users at work is so folks can use our gigabit connectivity to upload pictures to their Web site, download movies and music ... right? ;-)

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

"Jesper" <Jesper@discussions.microsoft.com> wrote in message news:416829BA-434C-4827-A15C-8FB8DA8340BB@microsoft.com...

> Sadly, I know exactly what you mean about education. Most people are way too quick to click. And, then they complain when you won't give them admin privs, so they can install iTunes, on their work computer. Silly me. I thought the ability to listen to your music anywhere you wanted was the reason you bought an iPod in the first place.
>
> The Zune does not require admin privs...
**#6** (permalink), Jesper

Re: UAC - practical implementation?

I've heard, but never actually seen it, of people requesting that BitTorrent be added to the default workstation image...

"Richard G. Harper" wrote:

> Well, yeah ... but they don't have a free high-speed Internet connection at home, do they? We all know the main reason I provide a network to my users at work is so folks can use our gigabit connectivity to upload pictures to their Web site, download movies and music ... right? ;-)
>
> --
> Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> * PLEASE post all messages and replies in the newsgroups
> * The Website - http://rgharper.mvps.org/
> * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
>
> "Jesper" <Jesper@discussions.microsoft.com> wrote in message news:416829BA-434C-4827-A15C-8FB8DA8340BB@microsoft.com...
>
> > Sadly, I know exactly what you mean about education. Most people are way too quick to click. And, then they complain when you won't give them admin privs, so they can install iTunes, on their work computer. Silly me. I thought the ability to listen to your music anywhere you wanted was the reason you bought an iPod in the first place.
> >
> > The Zune does not require admin privs...
**#7** (permalink), Richard G. Harper

Re: UAC - practical implementation?

I actually got paged in one night to install Real so one of the night shift supervisors could watch his college alma mater play in the regional hockey playoffs. You can guess what the answer to that one was. ;-)

Can't say I've had a request for any of the BT clients but I have had a request for iTunes to be rolled out via AD for select users.

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

"Jesper" <Jesper@discussions.microsoft.com> wrote in message news:311351F1-0663-425A-BF2B-FEEF3A51105C@microsoft.com...

> I've heard, but never actually seen it, of people requesting that BitTorrent be added to the default workstation image...
>
> "Richard G. Harper" wrote:
>
> > Well, yeah ... but they don't have a free high-speed Internet connection at home, do they? We all know the main reason I provide a network to my users at work is so folks can use our gigabit connectivity to upload pictures to their Web site, download movies and music ... right? ;-)
> >
> > --
> > Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> > * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> > * PLEASE post all messages and replies in the newsgroups
> > * The Website - http://rgharper.mvps.org/
> > * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> >
> > "Jesper" <Jesper@discussions.microsoft.com> wrote in message news:416829BA-434C-4827-A15C-8FB8DA8340BB@microsoft.com...
> >
> > > Sadly, I know exactly what you mean about education. Most people are way too quick to click. And, then they complain when you won't give them admin privs, so they can install iTunes, on their work computer. Silly me. I thought the ability to listen to your music anywhere you wanted was the reason you bought an iPod in the first place.
> > >
> > > The Zune does not require admin privs...
**#8** (permalink), Jesper

Re: UAC - practical implementation?

Don't roll out iTunes via AD. To do so apparently violates Apple's licensing policy. They do not permit "redistribution" of their software. Which, of course, means that they do not permit enterprise management of it, nor any way for the enterprise to ensure that their computers remain up to date; which given Apple's propensity for extremely serious bugs in iTunes, is quite worrisome. I am distinctly getting the impression that Apple has no interest in being an enterprise player.

"Richard G. Harper" wrote:

> I actually got paged in one night to install Real so one of the night shift supervisors could watch his college alma mater play in the regional hockey playoffs. You can guess what the answer to that one was. ;-)
>
> Can't say I've had a request for any of the BT clients but I have had a request for iTunes to be rolled out via AD for select users.
>
> --
> Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> * PLEASE post all messages and replies in the newsgroups
> * The Website - http://rgharper.mvps.org/
> * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
>
> "Jesper" <Jesper@discussions.microsoft.com> wrote in message news:311351F1-0663-425A-BF2B-FEEF3A51105C@microsoft.com...
>
> > I've heard, but never actually seen it, of people requesting that BitTorrent be added to the default workstation image...
> >
> > "Richard G. Harper" wrote:
> >
> > > Well, yeah ... but they don't have a free high-speed Internet connection at home, do they? We all know the main reason I provide a network to my users at work is so folks can use our gigabit connectivity to upload pictures to their Web site, download movies and music ... right? ;-)
> > >
> > > --
> > > Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> > > * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> > > * PLEASE post all messages and replies in the newsgroups
> > > * The Website - http://rgharper.mvps.org/
> > > * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> > >
> > > "Jesper" <Jesper@discussions.microsoft.com> wrote in message news:416829BA-434C-4827-A15C-8FB8DA8340BB@microsoft.com...
> > >
> > > > Sadly, I know exactly what you mean about education. Most people are way too quick to click. And, then they complain when you won't give them admin privs, so they can install iTunes, on their work computer. Silly me. I thought the ability to listen to your music anywhere you wanted was the reason you bought an iPod in the first place.
> > > >
> > > > The Zune does not require admin privs...
**#9** (permalink), Alan van der Vyver

Re: UAC - practical implementation?

Hi!

I have not found a way to create an admin account that can be used for privilege escalation, but not for local log-in, but I have found a way to remove the incentive to log in using the administrative account all the time.

It is possible to change the policy on the laptops to require that credentials be supplied, even from an administrative account. The default is to just require clicking an assent button. If there is no difference in the behaviour of administrative and normal accounts, there is no reason to use the administrative account instead of the normal one.

regards,
Alan.
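The policy change Alan describes in #9, together with Jesper's "Best" option from #2, as an added example that is neither poster's own: PowerShell that reads and sets the registry values behind the "User Account Control: Behavior of the elevation prompt ..." local security policies. It assumes a stand-alone (non-domain) Vista machine, since a domain GPO overwrites these values, and an elevated shell; the function names are my own.

```powershell
# Added example: make the UAC prompt behave the same for administrators in
# Admin Approval Mode as for standard users, so logging on with the admin
# account buys nothing over elevating from a standard account (Alan's #9).
# Assumes a stand-alone machine and an elevated shell.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Weak (Vista default): ConsentPromptBehaviorAdmin = 2, prompt for consent,
#   i.e. an admin just clicks Continue.
# Corrected (Alan):     ConsentPromptBehaviorAdmin = 1, prompt for credentials,
#   i.e. an admin must type a password exactly like a standard user does.
# Jesper's "Best":      ConsentPromptBehaviorUser = 0, automatically deny, so a
#   standard user cannot elevate in-session at all and must use fast user
#   switching to a per-user admin account for admin work.

function Get-UacPromptPolicy {
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Set-UacPromptPolicy {
    param([ValidateSet('Credentials', 'Deny')] [string]$Mode = 'Credentials')
    # UAC itself must stay on, or none of the prompt settings apply. Changing
    # EnableLUA takes effect only after a reboot; the prompt values apply at once.
    Set-ItemProperty -Path $key -Name EnableLUA             -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1 -Type DWord
    # Admins type credentials, same as everyone else.
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    # Standard users: prompt for an admin's credentials, or deny outright.
    $userValue = if ($Mode -eq 'Deny') { 0 } else { 1 }
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorUser -Value $userValue -Type DWord
}

'Before:'; Get-UacPromptPolicy | Format-List
Set-UacPromptPolicy -Mode Credentials
'After:';  Get-UacPromptPolicy | Format-List
```

The same two settings live in the Local Security Policy snap-in under Security Options, which is the supported way to change them on a single machine; in a domain, set them in a GPO instead.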
**#10** (permalink), Richard G. Harper

Re: UAC - practical implementation?

I wouldn't even if it were proper to do so. ;-)

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

"Jesper" <Jesper@discussions.microsoft.com> wrote in message news:289F7C95-798B-4BD1-ACA7-5D083BEA4417@microsoft.com...

> Don't roll out iTunes via AD. To do so apparently violates Apple's licensing policy.