Wednesday 10 June 2009

Windows 7 UAC is Broken?

By default, we enable UAC to prompt for credentials on our SBS 2003 and SBS 2008 networks.

A while back we heard about the possibility of Windows 7 breaking UAC (User Account Control) due to the effects of the UAC Slider that allows for changing the how/when a user would receive the UAC prompt.

The default Windows 7 UAC Slider position is one stop below the “ON” position, “ON” being UAC turned on in Windows Vista, that allows certain types of elevation to pass by without user consent or notification that the elevation has happened.

Apparently, there may indeed be a vulnerability in the new UAC Slider:

Tied into the above Group Policy mandatory UAC elevation settings is user training.

Putting a lock on the door does not stop the person inside from opening the lock and subsequently the door to someone or something on the outside.

Training involves letting the user know the how and why a UAC will prompt. Keeping it simple is the best way:

  • If you are not installing a known software product, then Cancel.
  • If browsing the Internet and a UAC prompt happens, then Cancel and close the browser window.
  • If browsing the Internet and an AntiVirus message happens, save and close any work then Log Off. Do not go back to that site after logging back in.

By keeping the training simple and tying it into everyday analogies like the locked door above, users will get a pretty good idea of what is good and what is bad. We call that “Internet Street Smarts”.

Long’s article reaffirms to us that UAC needs to be enabled and set to “ON” by default, elevate with credentials required (we push a local admin account out to all domain enabled systems – Step 26 Part 3 – SBS 2008 Setup Checklist), and make sure that the elevation happens on the Secure Desktop.

Having a good lock on the door is a good start to tightening up SBS network security.

Philip Elder
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)

Windows Live Writer

No comments: