User Account Control

. Configure authentication and authorization

Cram Saver

1. What feature prevents a program from making unauthorized changes to your computer running Windows 7?

❍ A. UAC ❍ B. USB ❍ C. GMT ❍ D. ActiveX

2. Which UAC slider option dims the desktop causing other programs not to run when the UAC dialog box appears? (Choose all that apply.)

❍ A. Always notify ❍ B. Notify me only when programs try to make changes to my

computer ❍ C. Notify me only when programs try to make changes to my

computer (do not dim my desktop) ❍ D. Never notify

Answers

1. A is correct. User Account Control (UAC) is a feature in Windows that can help prevent unauthorized changes to your computer. If you are logged in as an administrator, UAC asks you for permission, and if you are logged in as a standard user, UAC asks you for an administrator password before performing actions that could potentially affect your computer’s operation or that change settings that affect other users. Answer B is incorrect because USB is short for Universal Serial Bus, which is used to connect devices to the computer. Answer C is incorrect because Greenwich Mean Time (GMT) is used with time zones. Answer D is incorrect because ActiveX is a framework for defining reusable components known as controls.

2. A is correct. The only option that dims the screen when a UAC prompt appears is Always notify; therefore, all other answers are incorrect.

Need-to-know is a basic security concept that says information should be lim- ited to only those individuals who require it, and they should be given only enough access to carry out their specific job functions. When planning for how you assign the rights and permissions to the network resources, follow these two main rules:

User Account Control

. Give the rights and permissions for the user to do his or her job. . Don’t give any additional rights and permissions that a user does not

need. Although you want to keep resources secure, you want to make sure that the

users can easily get what they need. For example, give users access to the nec- essary files, and give them only the permissions they need. If they need to read a document but don’t need to make changes to it, they need to have only the read permission. Giving a person or group only the required amount of access and nothing more is known as the rule or principle of least privilege.

When you ran earlier versions of Windows, including Windows XP, and you logged in with an administrative account, every task that you execute and every process that ran in the account’s session ran as an as administrator with elevated privileges. Because the elevated privileges provided access to every- thing, it opened the possibility of human error, which could cause problems in Windows functionality or data loss, and it allowed malicious software to access any part of the computer. Unfortunately, most legacy applications and even new applications were or are not designed to work without full administrator privileges.

User Account Control (UAC) is a feature in Windows that can help prevent unauthorized changes to your computer. If you are logged in as an administra- tor, UAC asks you for permission, and if you are logged in as a standard user, UAC asks you for an administrator password before performing actions that could potentially affect your computer’s operation or that change settings that affect other users. When you see a UAC message, read it carefully and then make sure the name of the action or program that’s about to start is one that you intended to start.

The Application Information Service (AIS) is a system service that facilitates UAC and launching applications that require one or more elevated privileges or user rights to run, such as Administrative Tasks, as well as applications that require higher integrity levels. If you disable AIS, when you try to run appli- cations that require administrative access, you get an Access Denied error.

To keep track of a user’s access, when a standard user logs in to Windows 7, a token is created that contains only the most basic privileges assigned. When an administrator logs in, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is

a restricted token similar to what a standard user receives. User applications, including the Windows Shell, are then started with the restricted token result- ing in a reduced privilege environment even under an Administrator account.

CHAPTER 8: User Management

When an application requests elevation or is run as administrator, UAC prompts for confirmation and, if consent is given, starts the process using the unrestricted token.

The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:

. Install updates from Windows Update . Install drivers from Windows Update or those that are included with the

operating system . View Windows settings . Pair Bluetooth devices with the computer . Reset the network adapter and perform other network diagnostic and

repair tasks Administrative users automatically have:

. Read/Write/Execute permissions to all resources . All Windows privileges

When your permission or password is needed to complete a task, UAC alerts you with one of the following messages: