How to use UAC to improve the security of Windows 7

Q: How do I use UAC to improve security for Windows 7?

A: In the Windows7 operating system, a new computer security management mechanism is proposed, that is, UAC (user Account Control). What's the use of this feature? Simply put, other users have made changes to the operating system that require administrator privileges, and the operating system automatically notifies the administrator to decide whether to allow this change. Although in previous versions, there were limitations in this area. But there has been a lot of improvement in the WINDOWS7. Not only does it subdivide the level of control, but it also automatically notifies the administrator.

　　One, the administrator can choose different control level according to the need

In Windows7, this level of control is divided into four levels. The highest level is "Always notify Me", that is, users install the application software or upgrade the application software, the application software in the user's knowledge or ignorance of the operating system changes, modify Windows settings, and so on, will report to the system administrator.

The second level is to notify the system administrator only when the application tries to change the computer. This level is the default control level for the operating system. The main difference between him and the first level is that the system administrator is not notified when you change Windows settings. At this level, even if a malicious program is running on the operating system, it will not cause much negative impact on the operating system. Because its malicious programs cannot modify the configuration of the system without the knowledge of the system administrator, such as changing the registry, changing the default page of IE browser, changing the service startup list, and so on. This level of security is sufficient for most users, especially for enterprise users. The level is too high, it is too rigid. It may be that the system administrator is constantly running for it.

The third and fourth levels are progressively less secure, until all are not notified. In fact, this control level with the original IE browser Control level similar to the Microsoft's custom control level. As a system administrator, you need to understand the specific content of each level of control, and then set the security level according to the actual situation of the enterprise. Generally speaking, the higher the security level, the more secure the operating system is. But the system administrator may need to spare more time to respond to user complaints. Because it is possible that any user changes to the operating system need to be told to the system administrator. You can't have the fish and the bear's paw, the system administrator needs to achieve a balance between security and convenience.

　　Second, insufficient user rights how to notify system administrators

I wonder if you have ever used any of the workflow products of Microsoft or other companies? In fact, Microsoft in this problem is to deal with the process of working flow. When a user attempts to change a setting or secure an application, the system sends a request to the administrator when its permissions are insufficient. The system administrator will see a dialog box the next time they log on to the system. The dialog box displays the settings that the user needs to change or the application to install. The system administrator needs to look at this information carefully to determine if the system's stability will be compromised. You can then tell the operating system by using this dialog box to allow or deny user change actions. Finally, the system will feed the decision of the system administrator to the user. The user will be able to continue the subsequent operation. If the system administrator agrees, you can install the application or change the configuration of the operating system. Obviously, this process is very familiar to everyone. Yes, this is a workflow process. In the Windows7 operating system, this workflow can be seen in many places. This is also the embodiment of humanization of Windows7 operating system.

　Third, turn off UAC control

If the user does not like this advanced thing, but prefers window control scheme, this is also possible. The system administrator simply switches this level to level fourth, which turns off UAC control. At this point, as with the previous operating system version, any changes will not be communicated to the system administrator. If the user logs into the operating system as an administrator, any changes that the application has made to the operating system will not alert the administrator, but apply the relevant changes directly.

Visible, at this point if some malicious program in the change, it will be unknown to the situation, the system changes some of the settings, such as Web pages, registry, and so on. If the user is logged on to the operating system as a normal user, the operating system will simply reject the operation if it does, including installing or upgrading the application, changing the operating system configuration, and so on, as long as it does not have the relevant permissions. That is, the workflow will not be used in the form of notifying the administrator. If the user does have this need, only verbally notify and let the system administrator adjust the relevant permissions. When a system administrator moves this UAC control from a high level to this fourth level, the control level must be restarted before it takes effect.

When the system administrator shuts down this UAC, it is important to be careful of the damage that the various applications may cause to the operating system, because the application can access or modify the protected areas, the user's private data, and so on, as long as it is running with an administrator account. That is, its application has the same permissions as the system administrator. In addition, some malicious programs can communicate with other computers in the network and even the host on the Internet in order to achieve the destructive effect without the knowledge of the system administrator.

In fact, this UAC control level looks similar to the operating system's personal firewall in some way. When any application has the behavior of modifying the operating system configuration (changing IE home page, modifying the registry, setting a service to start automatically), you will be prompted to the user. The user is also notified when the application is sending information to the Internet. For this reason, if the system administrator is not used to this function, need to close it, it is best to use other security measures to replace. If you can use this personal firewall instead of the UAC control level. Although it is not able to achieve all of the functions of UAC, some of the core protection features of personal firewalls are already competent. Indeed, if the enterprise has now deployed a personal firewall, then when the WINDOWS7 operating system to promote the use of this UAC control, repeat. Instead, it may cause users to resent it. In a word, the system administrator chooses one of these two scenarios according to the operating system of the user. More than a burden.

　　Iv. unifying this level of management through domain security policies

There are often a number of clients in the enterprise. A system administrator to manage the client is not hundreds of units, there are dozens of units. If one by one to adjust the control level of this UAC, it is obviously a repetitive, not challenging job. According to the author's test, this UAC control level can be used in combination with Group Policy or domain security policy. That is, you can set this level at the domain controller level or at the group level. Then when the client joins the domain or the group, it inherits the administrative level. That is, you do not need to make one by one more configurations on each client. To tell you the truth, Microsoft has been doing a good job in this area. Although Microsoft's domain environment is built and managed is a bit more complex, but its function is still relatively powerful. If some of the advanced features of the Windows operating system are to be applied more conveniently, this domain environment is often unavoidable. At least this domain environment can provide a platform for unified management of each client.