By default, only applications running with a user’s administrator access token run
in elevated mode. Sometimes, you’ll want an application running with
a user’s standard access token to be in elevated mode. For example,
you might want to start the Command Prompt window in elevated mode
so that you can perform administrator tasks.
In addition to the application manifests discussed previously,
Windows Server provides three different ways to set the run level
for applications. You can choose to perform one of the
following:
- Running an application once as an administrator. You can run an
application once as an administrator by pressing and holding or
right-clicking the application's shortcut or menu item and then
selecting Run As Administrator, as shown in Figure 5. If you are
using a standard account and prompting is enabled, you are prompted
for consent before the application is started. If you are using a
standard account and prompting is disabled, the application will
fail to run. If you are using an administrator account and
prompting for consent is enabled, you are prompted for consent
before the application is started.
- Always running an application as an administrator. Windows Server
also enables you to mark an application so that it always runs with
administrator privileges. This is useful for resolving
compatibility issues with legacy applications that require
administrator privileges. It is also useful for compliant
applications that normally run in standard mode but that you use to
perform administrative tasks. You cannot mark system applications
or processes to always run as an administrator; only nonsystem
applications and processes can be marked this way. To mark an
application to always run as an administrator, press and hold or
right-click the application's shortcut and then select Properties.
In the Properties dialog box, tap or click the Compatibility tab.
Under Privilege Level, select the Run This Program As An
Administrator check box, as shown in Figure 6, and then tap or
click OK.
Note
If the Run This Program As An Administrator option is
unavailable, it means that the application is blocked from always
running as elevated, the application does not
require administrative credentials to run, or you are not logged
on as an administrator.
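The Run This Program As An Administrator check box described above is stored per application as an application-compatibility layer, so an administrator can audit which programs have been marked to always elevate without opening each shortcut's Properties dialog. The following PowerShell is an added example, not code from the original text or from Microsoft. It assumes the well-known AppCompatFlags\Layers registry keys (per-user and all-users), which the page itself does not name, and looks for the RUNASADMIN layer in each entry.

```powershell
# Added example (not from the original text): list applications marked
# "Run This Program As An Administrator" on the Compatibility tab.
# Assumption: Windows records that choice as an AppCompat layer containing
# RUNASADMIN under the Layers keys below, named by the executable's full path.
function Get-RunAsAdminMarkedApps {
    $layerKeys = @(
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'   # current user
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'   # all users
    )

    foreach ($key in $layerKeys) {
        if (-not (Test-Path -Path $key)) { continue }

        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties the registry provider adds
            if ($p.Name -like 'PS*') { continue }

            # Each value name is an executable path; the data is a space-separated
            # list of layers, e.g. "~ RUNASADMIN" or "~ WIN7RTM RUNASADMIN"
            if ("$($p.Value)" -match '\bRUNASADMIN\b') {
                [pscustomobject]@{
                    Scope      = if ($key -like 'HKCU:*') { 'CurrentUser' } else { 'AllUsers' }
                    Executable = $p.Name
                    StillExists = Test-Path -LiteralPath $p.Name   # flag stale entries
                    Layers     = $p.Value
                }
            }
        }
    }
}

# Review the list: every entry here will raise an elevation prompt on launch,
# and entries pointing at user-writable paths deserve a closer look.
Get-RunAsAdminMarkedApps | Format-Table -AutoSize
```

Run it in a normal (non-elevated) session to see the current user's marks; the HKLM key is readable by standard users, so the all-users entries appear as well. The StillExists column helps spot marks left behind by uninstalled software.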
Controlling application installation and run behavior
In Group Policy under Local Policies\Security Options, five
security settings determine how application installation and
run behavior works. Table 2 summarizes
these security settings.
Table 2. Security settings related to application installation and
run behavior
| Security Setting | Description |
| --- | --- |
| User Account Control: Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop | Determines whether User Interface Accessibility (UIAccess) applications can bypass the secure desktop to increase usability in certain instances. By default, this setting is disabled. When enabled, UIAccess programs are allowed to respond to elevation prompts on the user's behalf, which increases the risk that the prompt could be manipulated by a malicious program. This setting primarily applies to Remote Assistance scenarios, because Remote Assistance is the key UIAccess program in use. To avoid problems, be sure to have users select Allow IT Expert To Respond To User Account Control Prompts when making a Remote Assistance request. |
| User Account Control: Detect Application Installations And Prompt For Elevation | Determines whether Windows Server automatically detects application installation and prompts for elevation or consent. Because this setting is enabled by default, Windows Server automatically detects application installations and prompts users for elevation or consent before continuing the installation. If you disable this setting, users are not prompted, in which case they cannot elevate permissions by supplying administrator credentials. |
| User Account Control: Only Elevate Executables That Are Signed And Validated | Determines whether Windows Server allows only executables that are signed and validated to run. By default, this setting is disabled. When enabled, Windows enforces public key certificate chain validation of an executable before permitting it to run. |
| User Account Control: Only Elevate UIAccess Applications That Are Installed In Secure Locations | Determines whether Windows Server validates that UIAccess applications are in secure locations before allowing them to run. By default, this setting is disabled. When enabled, only UIAccess applications in secure locations on the file system are allowed to run. Secure locations are limited to subdirectories of Program Files, including the Program Files directories specific to x86 and x64. |
| User Account Control: Switch To The Secure Desktop When Prompting For Elevation | Determines whether the elevation request prompt is displayed on the secure desktop to isolate it from all other processes, which enhances security by preventing the password from being read by any other (and possibly malicious) program. By default, this setting is enabled, so the prompt is displayed on the secure desktop and requires a response before the user can do anything else. If you disable this setting, the prompt is displayed without switching to the secure desktop, and the user's desktop isn't locked while waiting for a response. |
| User Account Control: Virtualize File And Registry Write Failures To Per-User Locations | Determines how Windows Server notifies users about application write errors. Because this setting is enabled by default, error notifications and error logging related to virtualized files and registry values show the virtualized location rather than the actual location to which the application was trying to write. If you disable this setting, error notifications and error logging show the actual location to which the application was trying to write. |
For workgroup configurations or for a special case, you can
configure these security settings on a per-computer basis using
local security policy. To access local security policy and configure
UAC settings, follow these steps:
- Select Local Security Policy on the Tools menu in Server Manager.
This starts the Local Security Policy console.
- In the console tree, under Security Settings, expand Local
Policies and then select Security Options.
- Double-tap or double-click the setting you want to work with to
display its properties dialog box.
- The settings related to application installation and run
behavior can now be defined and configured. Make any necessary
changes, and then tap or click OK. Repeat this procedure for each
related security setting you need to modify.
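The Local Security Policy console writes the Table 2 settings as DWORD values under one registry key, so their state can also be audited (and, on a workgroup server, set) from PowerShell. The following script is an added example, not code from the original text or from Microsoft. It assumes the well-known UAC policy key and value names, which the page does not list, and the Expected values form an example baseline chosen for this illustration; they are not the Windows defaults described in the table and should be replaced with your own policy.

```powershell
# Added example (not from the original text): audit the six UAC settings from
# Table 2 against an example baseline and optionally write that baseline.
# Assumptions: the registry key and value names below are the well-known UAC
# policy locations; the Expected values are an illustrative hardened baseline.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$baseline = @(
    [pscustomobject]@{ Setting = 'Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop'; Value = 'EnableUIADesktopToggle';      Expected = 0 }
    [pscustomobject]@{ Setting = 'Detect Application Installations And Prompt For Elevation';                            Value = 'EnableInstallerDetection';    Expected = 1 }
    # Left disabled in this baseline: enabling it blocks elevation of every unsigned tool.
    [pscustomobject]@{ Setting = 'Only Elevate Executables That Are Signed And Validated';                               Value = 'ValidateAdminCodeSignatures'; Expected = 0 }
    [pscustomobject]@{ Setting = 'Only Elevate UIAccess Applications That Are Installed In Secure Locations';            Value = 'EnableSecureUIAPaths';        Expected = 1 }
    [pscustomobject]@{ Setting = 'Switch To The Secure Desktop When Prompting For Elevation';                            Value = 'PromptOnSecureDesktop';       Expected = 1 }
    [pscustomobject]@{ Setting = 'Virtualize File And Registry Write Failures To Per-User Locations';                    Value = 'EnableVirtualization';        Expected = 1 }
)

function Get-UacPolicyState {
    # Reads every value once; a value absent from the key means the setting
    # has never been configured by policy and the built-in default applies.
    $props = Get-ItemProperty -Path $uacKey -ErrorAction Stop

    foreach ($item in $baseline) {
        $actual = $props.($item.Value)    # $null when the value is not present

        if ($null -eq $actual) { $state = 'NotConfigured' }
        elseif ($actual -eq $item.Expected) { $state = 'Compliant' }
        else { $state = 'Drift' }

        [pscustomobject]@{
            Setting  = $item.Setting
            RegValue = $item.Value
            Actual   = $actual
            Expected = $item.Expected
            State    = $state
        }
    }
}

function Set-UacBaseline {
    # Writes the example baseline. Requires an elevated session. Intended for
    # workgroup machines: on domain members, GPO-applied values overwrite these
    # at the next policy refresh, so configure the GPO instead.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($item in $baseline) {
        $target = "$uacKey\$($item.Value)"
        if ($PSCmdlet.ShouldProcess($target, "Set to $($item.Expected)")) {
            Set-ItemProperty -Path $uacKey -Name $item.Value -Value $item.Expected -Type DWord
        }
    }
}

Get-UacPolicyState | Format-Table -AutoSize
# Set-UacBaseline -WhatIf    # preview the writes; drop -WhatIf to apply them
```

Reading the key works from a standard session, so the audit can run as part of a routine configuration check; only Set-UacBaseline needs elevation. Treat a Drift result as a prompt to find out who changed the value and why, since these settings decide whether an elevation prompt can be spoofed or answered by another process.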
In a domain environment, you can use Microsoft Active
Directory–based Group Policy to apply the desired security
configuration to a particular set of computers. Simply apply the
desired settings to a Group Policy Object (GPO) that applies to
those computers.