UAC and Remote Access

Previous page
Table of content
Next page

UAC also impacts certain types of remote access to a computer running Windows Vista. Exactly how differs between access methods and account types.

SMB Access

Windows Vista can, as all previous versions of Windows, act as a server for Server Message Block (SMB) sharing. Connecting to a computer running Windows Vista that is acting as a server while using domain accounts for authentication will work exactly as in Windows XP. If the domain account is a local administrator, the impersonation token used on the server to perform access checks is a full administrative token. However, if you authenticate with a local account that is a member of the Administrators group, you will get a filtered token, just as if you were logging on locally with that account. The difference, of course, is that in the SMB case, you cannot elevate.

The reason tokens are filtered in stand-alone environments is to stop a worm from propagating over network connections. Malware that infects one computer and becomes an administrator there could spread to a different computer if that computer has an administrative account using the same user name and password. However, if administrators get a filtered token when they connect, the exploit will likely fail. Computers in a domain environment do not get a filtered token because it would break too many remote management tools.

This behavior can be changed using a registry hack:

 Hive:    HKEY_LOCAL_MACHINE Key:     SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system Value:   LocalAccountTokenFilterPolicy Type:    REG_DWORD Data:    0 (default) - Build filtered token          1 - Build elevated token

You can add this setting to the Group Policy Security Options interface by using the technique documented in Microsoft Knowledge Base Article 214752. On the Web site for the book you will find an updated sceregvl.inf file that contains the new setting.

Remote Desktop and Remote Assistance

Remote Desktop, also known as Windows Terminal Services, works just like an interactive session for the purposes of UAC elevation. Remote Assistance (RA), however, poses certain new challenges.

RA is a feature first included in Windows XP. It allows an "expert" to assist a user in troubleshooting by opening a remote connection to a user's logon session and interacting with that session. This permits the user to very easily show the expert what is happening.

UAC has an interesting side effect on RA. The prompt shows up on the secure desktop, but the secure desktop is not available over RA. The end user that is being helped can answer the prompts, but not if the end user is not an administrator and does not have credentials for an administrator. In this case, the only option is to disable the setting to show the UAC prompt on the secure desktop. To do so, you may set this registry key:

 Hive:    HKEY_LOCAL_MACHINE Key:     SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system Value:   PromptOnSecureDesktop Type:    REG_DWORD Data:    0- Elevation prompt goes on the 1 (default) - Elevation prompt goes on the secure desktop

You would need to make this change before establishing the remote assistance session. This can be done using the following command line command:

 reg add \\<remote computer name>\HKLM\SOFTWARE\Microsoft\Windows\image from book CurrentVersion\Policies\system /v PromptOnSecureDesktop image from book /t REG_DWORD /d 0 /f

You would need to replace < remote computer name > with the name of the remote computer you are connecting to. After you are done with your RA session you can revert the system to its original state using this command:

 reg add \\<remote computer name>\HKLM\SOFTWARE\Microsoft\Windows image from book \CurrentVersion\Policies\system /v PromptOnSecureDesktop image from book /t REG_DWORD /d 1 /f

This setting is also available in Group Policy. See the section "UAC Policy Configuration" for information.

If the policy is set to deny elevation requests for non-administrator, the elevation will be denied automatically and no prompt is ever shown. In that case, that policy needs to be turned off before launching the RA session. Alternatively, the expert can launch an administrative command prompt using the runas.exe command as an administrator. This command prompt will be running with a filtered token, but now the elevation is subject to the elevation policy for administrators, not users, so the prompts will be shown, subject to the policy on where to put them. Keep in mind, if you use this approach, that if the user requesting help pulls the network cable from the computer at this point, the user is left with an administrative command prompt running as someone else.


Previous page
Table of content
Next page
Windows Vista Security. Securing Vista Against Malicious Attacks
Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163
BUY ON AMAZON
CISSP Exam Cram 2
Inside Network Security Assessment: Guarding Your IT Infrastructure
Lotus Notes and Domino 6 Development (2nd Edition)
Image Processing with LabVIEW and IMAQ Vision
Persuasive Technology: Using Computers to Change What We Think and Do (Interactive Technologies)
AutoCAD 2005 and AutoCAD LT 2005. No Experience Required
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy