Leave UAC enabled on 2008?


I am looking for more reasons for keeping UAC enabled on Windows 2008. How effective has UAC been at securing systems? What about the argument "if I run as administrator I am bypassing UAC, so why do I need it enabled?" Is UAC more effective on desktops or servers? Are there specific examples of worms or viruses that have been stopped by UAC? Thanks

This is not going to be an answer. Not everyone's needs for features and security are the same, hence the ability exists to turn it off. Personally, I recommend you make use of it.

Whenever you need to configure a Windows Server 2008 setting, if logged on as administrator, you need elevated privileges. This is by design, and part of a fierce security initiative in Windows Server 2008.

When an administrator logs on to a computer running Windows 2008 or Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by Windows® to control what resources and tasks the user can access. Before Windows Vista, an administrator account received one access token, which included data to grant the user access to Windows resources. This access control model did not include failsafe checks to ensure that users wanted to perform a task that required the administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is referred to as a "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files and, in some instances, become impossible to remove.

The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has on core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks and can install per-user software.

To prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user's full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, the authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is used to start the desktop, the Explorer.exe process. Because applications inherit their access control data from the initial launch of the desktop, they run as a standard user as well.

After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task.

Contrasting with this process, when a standard user logs on, a standard user access token is created. The standard user access token is used to start the desktop.

Source: http://technet.microsoft.com/en-us/library/cc709691%28ws.10%29.aspx

A similar thread that may help:

Windows 2008 - must disable UAC

http://social.technet.microsoft.com/forums/en-us/exchangesvrdeploy/thread/e6514654-8479-46d3-aa66-8baa3d13b6a8/

"UAC - What. How. Why." (video).

"Security Features vs. Convenience". Windows Vista Team Blog
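
A check for the split token described in the answer above, as an added example that is not part of the original thread or the TechNet article: it reads the UAC policy values and reports whether the current process holds the filtered or the full administrator token. It assumes PowerShell 2.0 or later and English-language `whoami` column headers; the function and variable names are illustrative.

```powershell
# Added example: audit UAC policy and the token state of the current process.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

function Get-PolicyValue($name) {
    # Returns $null when the value is not present in the registry.
    $prop = $policy.PSObject.Properties[$name]
    if ($prop) { $prop.Value } else { $null }
}

# Group SIDs in the token of this process. Matching on SIDs avoids
# depending on localized group names.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
$label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # mandatory integrity label

# IsInRole() is false while Administrators is only a deny-only group,
# which is the case in the filtered (standard user) half of a split token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $admins) {
    $state = 'Standard user token (not a member of Administrators)'
} elseif ($elevated) {
    $state = 'Full administrator token (elevated, or UAC not applied to this account)'
} else {
    $state = 'Filtered token: Administrators is deny-only until elevation'
}

New-Object PSObject -Property @{
    User                        = $identity.Name
    TokenState                  = $state
    IntegrityLevel              = $label.'Group Name'
    # 1 = UAC (Admin Approval Mode) enabled, 0 = disabled
    EnableLUA                   = Get-PolicyValue 'EnableLUA'
    # 0 = administrators are elevated without any prompt
    ConsentPromptBehaviorAdmin  = Get-PolicyValue 'ConsentPromptBehaviorAdmin'
    # 1 = elevation prompts are shown on the secure desktop
    PromptOnSecureDesktop       = Get-PolicyValue 'PromptOnSecureDesktop'
    # 1 = the built-in Administrator account also gets a split token
    FilterAdministratorToken    = Get-PolicyValue 'FilterAdministratorToken'
} | Format-List
```

Run it once from a normal prompt and once from an elevated prompt under the same administrator account: with UAC enabled, the first reports the filtered token and the second the full token.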


