Sunday, August 29, 2010


Get The Best Results Using User Account Control

Fundamentally, it's the IT department's responsibility to ensure the security of the PC assets, prevent the use of unlicensed software, and enforce compliance with government regulations and internal policies. Most companies will find that the only way to do this is to enact a new policy of restricting the number of users who have administrator privileges. Luckily, you'll find this much easier to do on Windows Vista and Windows 7.
Fewer users running with administrator privileges is a worthy goal in most IT organizations. But while IT administrators generally agree that restricting users to a standard user account is the way to go, about 80 percent deploy their desktops with admin accounts, making those machines more susceptible to malware and harder to manage. But it's not that easy to avoid the admin account. The potential obstacles you'll face if you try are numerous.

Why Provide Administrator Rights Rather Than Non-Admin Rights?
First, there's application compatibility. Because many applications were written and tested using administrator accounts, they may not even run under standard accounts. (This is most often the case because the applications attempt to write to restricted areas such as the Program Files directory or HKLM registry keys.)

Second, earlier versions of Windows were overly restrictive about which settings users were allowed to configure. Standard users could not change the time zone or power settings, connect to secure wireless networks, or install ActiveX controls without calling the helpdesk, which has associated costs.

Fortunately, Windows 7 and Vista address these concerns. And even if your users don't have admin accounts, User Account Control (UAC) and other management technologies in Windows 7 and Vista make it easier to support and manage those desktops, promote higher productivity for standard users, and do it all without the looser security that results when you modify access control lists (ACLs), the usual method of providing users greater, customized access. Let's look more closely at how Windows 7 and Vista alleviate some of your access control issues.

Virtualization Improves Compatibility
Many applications that will not run as a standard user on Windows XP will be able to run without modification on Windows 7 and Vista because of the File and Registry Virtualization capabilities. In Windows XP, many applications break when they attempt to write to protected areas of the file system and registry that the standard user is not permitted to access. Windows 7 and Vista will improve compatibility by redirecting writes (and subsequent file or registry reads) to a special location within that user's profile. 
For example, if an application attempts to write to C:\program files\contoso\settings.ini and the user doesn't have permission to write to that directory, the write will be redirected to C:\Users\username\AppData\Local\VirtualStore\Program Files\contoso\settings.ini. If an application attempts to write to HKLM\Software\Contoso\, the action is automatically redirected to HKCU\Software\Classes\VirtualStore\MACHINE\Software\Contoso.
Figure 1 outlines the redirection process. In addition, the Certified for Windows 7 / Vista Software Logo Program requires that an application run as a standard user without requiring virtualization; if it doesn't, the logo will not be awarded to the application.
Figure 1 File and Registry Virtualization Process
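
Because redirected writes land in per-user locations, those locations show which applications still depend on virtualization and therefore still expect administrator-style write access. The following PowerShell is an added example, not part of the original article: it lists the current user's redirected files and registry keys and maps each back to the protected location the application tried to write to. The function names are hypothetical, and it assumes the virtualized directories live on the system drive.

```powershell
# Added example: inventory UAC file and registry virtualization for the
# current user. Written to run on PowerShell 2.0 (the version in Windows 7).

function Get-VirtualizedFile {
    param([string]$StoreRoot = (Join-Path $env:LOCALAPPDATA 'VirtualStore'))
    if (-not (Test-Path -LiteralPath $StoreRoot)) { return }
    Get-ChildItem -LiteralPath $StoreRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # The path below VirtualStore mirrors the path below the system
            # drive (assumption: protected folders are on that drive).
            $relative = $_.FullName.Substring($StoreRoot.Length).TrimStart('\')
            New-Object PSObject -Property @{
                Kind         = 'File'
                IntendedPath = $env:SystemDrive + '\' + $relative
                Redirected   = $_.FullName
                LastWrite    = $_.LastWriteTime
            }
        }
}

function Get-VirtualizedRegistryKey {
    param([string]$StoreRoot = 'HKCU:\Software\Classes\VirtualStore\MACHINE')
    if (-not (Test-Path -LiteralPath $StoreRoot)) { return }
    Get-ChildItem -LiteralPath $StoreRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueCount -gt 0 } |      # only keys that hold data
        ForEach-Object {
            # Strip everything up to ...\VirtualStore\MACHINE\ to recover
            # the HKLM-relative key the application asked for.
            $relative = $_.Name -replace '^.*?\\VirtualStore\\MACHINE\\', ''
            New-Object PSObject -Property @{
                Kind         = 'Registry'
                IntendedPath = 'HKLM\' + $relative
                Redirected   = $_.Name
                LastWrite    = $null
            }
        }
}

# Combined report: one row per redirected file or registry key.
@(Get-VirtualizedFile) + @(Get-VirtualizedRegistryKey) |
    Sort-Object IntendedPath |
    Format-Table Kind, IntendedPath, Redirected -AutoSize
```

An empty report means nothing in this profile has been redirected; each row that does appear names an application that would fail the logo requirement described above.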

Standard Users Can Do More
In Windows 7 / Vista, standard user accounts have been given additional privileges so users can perform common tasks without helpdesk support and without having the full set of permissions provided by the administrator account. The new privileges include the ability to view the system clock and calendar, to change the time zone, to modify wireless network security settings, to change power management settings, and to download and install critical updates from Windows Update.

Additionally, disk defragmentation is an automatically scheduled process in Windows 7 / Vista. Actions that do require administrator privileges are marked with a shield icon, so users can see what configuration changes they can and can't make.

ActiveX Control Installation
ActiveX controls can be particularly tricky to manage centrally because they may update frequently and they need to be repackaged before they can be distributed through a software distribution program like Systems Management Server (SMS) or through Group Policy. Windows 7 / Vista includes an optional component called the ActiveX Installer Service that allows IT administrators to use Group Policy to specify Web sites from which standard users will be allowed to install ActiveX controls. 

To use the ActiveX Installer Service, do the following:
  1. Enable the ActiveX Installer Service on the client computers. You can enable the service through the Windows Features Control Panel applet or when you configure your desktop image.
  2. In Active Directory Group Policy, in Computer Configuration | Administrative Templates | Windows Components, select ActiveX Installer Service. Select Enable. Now after the policy is replicated to the users, they will be able to install controls from the sites you specify.
Since ActiveX controls and other executable code could perform malicious tasks, use this feature judiciously; use it only for vendors you trust and only on intranet sites that are under strict control.

The ActiveX Control Installer Service is also integrated with the Windows 7 / Vista Eventing Infrastructure, so you can be notified automatically if there are ActiveX controls your users need to install. When a standard user tries to install a control that has not been approved, the service creates an event in the Application Log. In Windows 7 / Vista, tasks can be configured to automatically send an e-mail or execute another program as soon as an event is triggered. Then you know when a user needs a control and you can add the site to Group Policy without the user experiencing significant down time. With Windows 7 / Vista you can also subscribe to events from multiple machines across your enterprise and generate a list of all the controls your users are trying to install.

Hardware Device Driver Installation
Concern that users will be unable to install the device drivers they need when traveling is another reason administrator permissions remain popular, particularly for laptop users. The new Driver Store infrastructure in Windows 7 / Vista alleviates this hurdle by allowing flexible control over devices that standard users can install. First, you can prepopulate the Driver Store with trusted drivers so users can install permitted devices as they need them. Second, you can use Group Policy to give standard users permissions to install classes of devices, such as printers, or even specific device hardware IDs, such as permitted flash drives.

Since the Windows 7 / Vista Driver Store is a trusted cache of in-the-box and third-party drivers on the hard drive of each client machine, users may install them without administrator privileges. To stage drivers in the Driver Store, you can either inject them into offline images or dynamically update drivers to online clients over the network. For offline images, use Package Manager to seamlessly stage drivers in the Driver Store.

For online images, use command-line utilities such as pnputil.exe or DevCon in conjunction with software distribution applications to add, update, or delete drivers in the Driver Store. To further streamline and add flexibility to the process of staging drivers, Windows 7 / Vista lets IT departments and third parties sign driver packages to vouch for their integrity.

By default, only users with administrator rights can add new drivers to the Driver Store. But there is a critical need for users, particularly mobile users, to install devices like printers while they're on the go. With new Group Policy settings, Windows 7 / Vista enables you to give standard users the flexibility needed to install permitted devices even if drivers aren't already staged in the Driver Store.

To delegate device driver staging privileges:
  1. Open the Group Policy interface and navigate to Computer Configuration | Administrative Templates | System | Driver Installation | Allow non-administrators to install drivers for these devices.
  2. You'll need to know the GUID for the device classes you want standard users to stage and install. You can find device classes online at MSDN or, if the device is installed on your machine, go to the Device Manager | Properties window, click on the Details tab, and select the dropdown labeled Device Class GUID.
  3. You also need to make sure the certificates used to sign the drivers are already in the client machine's Trusted Publishers store, which can be managed via Group Policy.
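
The staging step with pnputil.exe and the Trusted Publishers requirement above can be combined into one pre-flight check. The following PowerShell is an added example, not part of the original article: it stages a driver package only when its catalog carries a valid signature from a publisher already in the machine's Trusted Publishers store. The function names and the path in the usage line are hypothetical, and it assumes the package's .cat file sits in the same folder as the .inf.

```powershell
# Added example: verify who signed a driver package before staging it.
# Run from an elevated prompt. Windows checks the package files against the
# catalog itself during staging; this pre-check covers the signer only.

function Test-DriverPackagePublisher {
    param([Parameter(Mandatory = $true)][string]$InfPath)

    $folder   = Split-Path -Parent $InfPath
    $catalogs = @(Get-ChildItem -Path (Join-Path $folder '*.cat'))
    if ($catalogs.Count -eq 0) {
        Write-Warning "No catalog (.cat) next to $InfPath; package is unsigned."
        return $false
    }

    # Thumbprints of every certificate in the machine Trusted Publishers store.
    $trusted = @(Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        ForEach-Object { $_.Thumbprint })

    foreach ($cat in $catalogs) {
        $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
        if ($sig.Status -ne 'Valid') {
            Write-Warning "$($cat.Name): signature status is $($sig.Status)."
            return $false
        }
        if ($trusted -notcontains $sig.SignerCertificate.Thumbprint) {
            Write-Warning "$($cat.Name): signer '$($sig.SignerCertificate.Subject)' is not in Trusted Publishers."
            return $false
        }
    }
    return $true
}

function Add-VerifiedDriver {
    param([Parameter(Mandatory = $true)][string]$InfPath)
    if (-not (Test-DriverPackagePublisher -InfPath $InfPath)) {
        throw "Refusing to stage $InfPath."
    }
    # -a adds the package to the Driver Store (pnputil syntax on Vista / 7).
    & pnputil.exe -a $InfPath
    if ($LASTEXITCODE -ne 0) { throw "pnputil failed with exit code $LASTEXITCODE." }
}

# Usage (placeholder path):
# Add-VerifiedDriver -InfPath 'C:\Drivers\ExamplePrinter\printer.inf'
```

A package rejected here is one that a standard user could not install silently either, so the warning text tells you which certificate still has to be distributed through Group Policy.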

These advances in Windows 7 / Vista now provide standard users with the needed flexibility in device installation so you can move more users to a managed desktop environment.


About bench3 -

Haja Peer Mohamed H, Software Engineer by profession, Author, Founder and CEO of "bench3".