Friday 23 January 2009

SBS 2008 - Enable UAC by default in Group Policy

We ran into a strange struggle while troubleshooting a client's line of business application today.

SBS 2008 is the primary server with all client computers running Windows Vista Business Service Pack 1.

We have set up a limited domain user account that was pushed out to all of the client computers and subsequently added to the local admin group on them for software installs and system configuration changes. The password on this account has not been rotated yet as this is a relatively fresh install. It will be rotated on a regular basis once things have settled in.

Remote Assistance in SBS 2008 allows the user to check a box to transfer UAC prompts to the one providing the remote assistance. But, they first need to affirm that setting by receiving a UAC prompt.

When we were providing remote assistance for the LoB and the user enabled the setting to transfer UAC prompts to us, no UAC happened. We knew this because the RA window goes black during that initial UAC prompt.

It did not take long to see that the user had managed to disable the Windows Vista UAC prompt altogether.

Well, we do not want that to happen. So, to eliminate that happening again, we are going to enable UAC by default using Group Policy:

Enable UAC by default in Group Policy

We created and linked a GPO called Default Computers Policy to the Computers OU, disabled User settings, and set the following under Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Security Options:

  • UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for credentials
  • UAC: Behavior of the elevation prompt for standard users: Prompt for credentials
  • UAC: Detect application installations and prompt for elevation: Enabled
  • UAC: Run all administrators in Admin Approval Mode: Enabled

Note that we set a comment into the properties of the GPO itself to keep track of the GPO's creation date, the changes we made and when they were made. We do this for all GPOs, but in this particular case the Windows Settings node does not allow for comments on each setting, so it is particularly important to make note of any changes we have made.

The Administrative Templates nodes for both User Configuration and Computer Configuration allow for us to comment on the individual settings. We also comment when we have made changes to any settings in those nodes too.

Once the new settings have been updated on the client workstations, the UAC will not be able to be disabled.

UAC is, in our experience, one of the best ways that a user can use to prevent any malware or virus infections. Once a user is aware of the implications when they see a UAC prompt, and they know they need to cancel, unless they initiated a software install, it is virtually impossible for any bad software to take hold of the system.

We did the opposite of Petri's Method #3 to disable UAC in Group Policy: How can I disable the User Account Control (UAC) feature on my Windows Vista computer?

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

3 comments:

stryqx said...

Be aware that certain push installs won't work if UAC is turned on. Commonly this is AV/AS software that has a remote deploy option.

What you gain in security you may lose in manageability.

Philip Elder Cluster MVP said...

Chris,

We have already seen that behaviour in Trend and Symantec A/V products without this setting enabled.

Trend's a bit more frustrating to get the Web based install to work on the client side, but Symantec's is pretty straight forward. We just had the users click on a link in their e-mail from us to run the install routine and all was good.

Philip

Jason Poole said...

FYI: Trend will let you create a Client Install MSI file, which you can then deploy using Group Policy. We use this so we know all new PC's will get AV on them.