Achieve the Non-Admin Dream with User Account Control

In this section we cover the following topics and become better acquainted with UAC in Windows Vista.

At A Glance:
  • Why you shouldn't run as administrator
  • Addressing problems trying to run as standard user
  • How User Account Control works

The most important reason not to use an Admin account is the security of the system against attacks by malware.

If your account holds Admin privileges at the time such programs attack, they can do the greatest damage to the system, whereas if you are an ordinary user, usually no harm is done.

When you hold Administrator privileges, hacking tools can damage the areas that matter to Windows and that it should protect, such as WINDIR, Program Files and Registry keys; for this reason you have to pay attention to this point, especially while the system is connected to the Internet.

To solve this problem, Windows Vista gives every user account Standard User privileges. Below we look at the other important aspects of UAC and Windows Vista security.

Virtualization Improves Compatibility

Some programs cannot run with Standard User rights on Windows XP because they need to make changes under Program Files or in the Registry, so these programs can cause problems. The new feature introduced in Windows Vista is Virtualization, a way of redirecting programs' writes and data from the two locations above to a new location, as you can see in the figure. When a Standard User tries to make these changes they get Access is Denied, so the system automatically redirects the data to another location belonging to that user. Figure 1 shows how this works.

For example, if an application attempts to write to C:\program files\contoso\settings.ini and the user doesn't have permission to write to that directory, the write will be redirected to C:\Users\username\AppData\Local\VirtualStore\Program Files\contoso\settings.ini. If an application attempts to write to HKLM\Software\Contoso\ the action would automatically be redirected to HKCU\Software\Classes\VirtualStore\MACHINE\Software\Contoso. Figure 1 outlines the redirection process. In addition, the Certified for Windows Vista Software Logo Program will require that an application will run as standard user without requiring virtualization; if it doesn't, the logo will not be awarded to the application.

    Figure 1:  File and Registry Virtualization Process
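The redirection rule described above can be expressed as a small helper, which is also handy when investigating where a legacy application actually stored its settings. The following PowerShell is an added example written for this page; it is not code from the article or from Microsoft. It handles only the two file roots the article names (Program Files and WINDIR on drive C:) and the HKLM\Software hive; the profile path C:\Users\username and the Contoso paths are the article's own placeholder values, and the function names are mine.

```powershell
# Added example, not code from the article or from Microsoft: predict where
# File and Registry Virtualization sends a denied write, and map files already
# found in a user's VirtualStore back to the path the application intended.
# Only the two file roots the article names (Program Files and WINDIR on C:)
# and the HKLM\Software registry hive are handled.

function Get-VirtualizedPath {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Profile of the standard user whose VirtualStore receives the write
        [string]$UserProfile = $env:USERPROFILE
    )

    # Registry: HKLM\Software\... lands in the per-user
    # HKCU\Software\Classes\VirtualStore\MACHINE\Software\... key
    if ($Path -match '^(HKLM|HKEY_LOCAL_MACHINE)\\Software\\(.+?)\\?$') {
        return "HKCU\Software\Classes\VirtualStore\MACHINE\Software\$($Matches[2])"
    }

    # File system: a write under a protected root is mirrored below
    # %LOCALAPPDATA%\VirtualStore, keeping the path relative to the drive root
    foreach ($root in @('C:\Program Files', 'C:\Windows')) {
        if ($Path -like "$root\*") {
            $relative = $Path.Substring(3)      # strip the leading "C:\"
            return Join-Path $UserProfile "AppData\Local\VirtualStore\$relative"
        }
    }

    # Anywhere else is not virtualized; the write succeeds or fails as usual
    return $null
}

function Get-VirtualStoreWrites {
    # Reverse mapping: every file a user's VirtualStore holds, with the path
    # the application believed it was writing to
    param([string]$UserProfile = $env:USERPROFILE)

    $store = Join-Path $UserProfile 'AppData\Local\VirtualStore'
    if (-not (Test-Path $store)) { return }

    Get-ChildItem -Path $store -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                IntendedPath = 'C:\' + $_.FullName.Substring($store.Length + 1)
                ActualPath   = $_.FullName
                LastWrite    = $_.LastWriteTime
            }
        }
}

# The article's two examples (placeholder profile and vendor paths)
Get-VirtualizedPath 'C:\program files\contoso\settings.ini' -UserProfile 'C:\Users\username'
Get-VirtualizedPath 'HKLM\Software\Contoso\'

# What has actually been redirected for the current user so far
Get-VirtualStoreWrites | Format-Table IntendedPath, LastWrite -AutoSize
```

The first call returns the VirtualStore path the article gives for settings.ini and the second the HKCU\Software\Classes\VirtualStore\MACHINE key. Get-VirtualStoreWrites is the check to run when a program appears to have "lost" its configuration after a move to standard user accounts: the file is usually there, just under the user's profile rather than under Program Files.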

Standard Users Can Do More

On Windows Vista a Standard User has more power than the ordinary users of earlier versions of Windows; we list some of these abilities below, none of which needs Admin power or Admin permission.

They include viewing the system clock and calendar, changing the time zone, configuring network security settings for wireless networks, and downloading hotfixes for the system from Microsoft and installing them.

ActiveX Control Installation

ActiveX controls can be particularly tricky to manage centrally because they may update frequently and they need to be repackaged before they can be distributed through a software distribution program like Systems Management Server (SMS) or through Group Policy. Windows Vista includes an optional component called the ActiveX Installer Service that allows IT administrators to use Group Policy to specify Web sites from which standard users will be allowed to install ActiveX controls. To use the ActiveX Installer Service, do the following:

  1. Enable the ActiveX Installer Service on the client computers. You can enable the service through the Windows Features Control Panel applet or when you configure your desktop image.

  2. In Active Directory Group Policy, in Computer Configuration | Administrative Templates | Windows Components, select ActiveX Installer Service. Select Enable. Now after the policy is replicated to the users, they will be able to install controls from the sites you specify.

Since ActiveX controls and other executable code could perform malicious tasks, use this feature judiciously; use it only for vendors you trust and only on intranet sites that are under strict control.

The ActiveX Control Installer Service is also integrated with the Windows Vista Eventing Infrastructure, so you can be notified automatically if there are ActiveX controls your users need to install. When a standard user tries to install a control that has not been approved, the service creates an event in the Application Log. In Windows Vista, tasks can be configured to automatically send an e-mail or execute another program as soon as an event is triggered. Then you know when a user needs a control and you can add the site to Group Policy without the user experiencing significant down time. With Windows Vista you can also subscribe to events from multiple machines across your enterprise and generate a list of all the controls your users are trying to install.

Hardware Device Driver Installation

On Windows Vista ordinary users, that is Standard Users, can from now on install drivers for the system and use them. To allow this you must enable the relevant policy, which grants users permission to install drivers. Installing all such drivers then becomes possible for an ordinary user without needing Administrator permission.

By default, only users with administrator rights can add new drivers to the Driver Store. But there is a critical need for users, particularly mobile users, to install devices like printers while they're on the go. With new Group Policy settings, Windows Vista enables you to give standard users the flexibility needed to install permitted devices even if drivers aren't already staged in the Driver Store. To delegate device driver staging privileges, open the Group Policy interface and navigate to Computer Configuration | Administrative Templates | System | Driver Installation | Allow non-administrators to install drivers for these devices. You'll need to know the GUID for the device classes you want standard users to stage and install. You can find device classes online at MSDN® or if the device is installed on your machine, go to the Device Manager | Properties window. Click on the Details tab and select the dropdown labeled Device Class GUID. You also need to make sure the certificates used to sign the drivers are already in the client machine's Trusted Publishers store, which can be managed via Group Policy.

These advances in Windows Vista now provide standard users with the needed flexibility in device installation so you can move more users to a managed desktop environment.
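The paragraph above has you collect device class GUIDs one device at a time from Device Manager and check the Trusted Publishers store by hand. The following PowerShell is an added example written for this page, not code from the article or from Microsoft: it inventories the class GUIDs of every device on the machine, reads which classes the "Allow non-administrators to install drivers for these devices" policy currently permits, and lists the trusted driver publishers. It assumes the policy is backed by the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions with a DWORD named AllowUserDeviceClasses and a subkey of the same name holding the GUIDs; the function names are mine.

```powershell
# Added example, not code from the article or from Microsoft. Gathers the
# device class GUIDs the article says you need (the same values Device Manager
# shows under Details > Device Class GUID), reads which classes the policy
# currently permits, and lists the publishers whose driver signatures the
# machine already trusts. Assumption: the policy is stored under the
# DriverInstall\Restrictions key below, as a DWORD AllowUserDeviceClasses
# plus a subkey of the same name whose values are the permitted GUIDs.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'

function Get-DeviceClassInventory {
    # One row per device class present on this machine, with the devices in it
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid } |
        Group-Object -Property ClassGuid |
        ForEach-Object {
            New-Object PSObject -Property @{
                ClassGuid = $_.Name
                Devices   = (($_.Group | ForEach-Object { $_.Name }) -join '; ')
            }
        }
}

function Get-UserInstallableDeviceClasses {
    # GUIDs standard users may stage and install; empty when the policy is off
    $listKey = Join-Path $PolicyKey 'AllowUserDeviceClasses'
    $enabled = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).AllowUserDeviceClasses
    if ($enabled -ne 1 -or -not (Test-Path $listKey)) { return @() }

    $key = Get-Item -Path $listKey
    foreach ($name in $key.GetValueNames()) { $key.GetValue($name) }
}

function Get-TrustedDriverPublishers {
    # Certificates in the machine's Trusted Publishers store; a driver signed
    # by any other publisher still needs administrator credentials
    Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        ForEach-Object { $_.Subject }
}

function Compare-DeviceClassPolicy {
    # Cross-reference: which classes present here could a standard user install?
    $allowed = @(Get-UserInstallableDeviceClasses)
    foreach ($class in Get-DeviceClassInventory) {
        New-Object PSObject -Property @{
            ClassGuid       = $class.ClassGuid
            StandardUserMay = ($allowed -contains $class.ClassGuid)
            Devices         = $class.Devices
        }
    }
}

Compare-DeviceClassPolicy | Sort-Object StandardUserMay -Descending | Format-Table -AutoSize
Write-Host 'Trusted driver publishers:'
Get-TrustedDriverPublishers
```

Run it on a reference machine before writing the policy to get the GUIDs for the device classes you intend to delegate, and again on a client after Group Policy has applied to confirm that only those classes show StandardUserMay as True and that the vendor's signing certificate appears in the publisher list.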

Levels of Desktop Lockdown

In Vista you can use Standard Users for everyday work; in some cases you cannot use these users and need to use an Administrator instead. For this purpose you can use Group Policy and Account Selection. In Policy you can use UAC, as in Figure 2; this mode is called Admin Approval Mode.

    Figure 2:  Security Policy Editor

This mode is very useful for preventing malware attacks, because it keeps accounts at Standard User privilege at all times until Administrator power is actually needed.

The second method is Account Selection, meaning that you specify which User Type you want to use. For this purpose you might, for example, remove all Administrator accounts from the system. Once you have done this, when the system prompts for the Admin password it no longer has an Administrator account in its list, as in the figure below. In effect, by default your account becomes a Standard User for dealing with the prompts that appear, but a Standard User cannot continue, because UAC requires a password belonging to an ADMIN. In this method you must enter the system's Administrator password for user ALEX in order to continue.

    Figure 3:  Requiring an Admin Password

Another method is to use Policy to stop the UAC prompt from appearing; as a result, when Standard Users run such programs they get an error at launch, as in Figure 4. The setting is:

  • User Account Control: Behavior of the elevation prompt for standard users, set to Automatically deny elevation requests

    Figure 4:  Application Blocked By Group Policy

Another way to stop EXE files from running is Software Restriction Policy (SRP), which you can use to prevent users other than Administrators from running executable programs, with reference to the two locations Windir and Program Files.
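The three lockdown levels above (Admin Approval Mode, Account Selection, and automatically denying elevation) each leave a footprint on the machine that can be checked without opening the Security Policy Editor. The following PowerShell is an added example written for this page, not code from the article or from Microsoft. It reads the registry values that the UAC policies shown in Figure 2 write under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorUser, EnableVirtualization) and lists the members of the local Administrators group; the function names are mine.

```powershell
# Added example, not code from the article or from Microsoft: a report on the
# lockdown choices the article describes, read from the machine itself.
# Admin Approval Mode and the standard-user elevation prompt come from the
# registry values behind the UAC policies in the Security Policy Editor;
# the account-selection check lists who is in the local Administrators group.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function ConvertTo-StandardUserPromptText {
    # Meaning of "Behavior of the elevation prompt for standard users"
    param($Value)
    if ($null -eq $Value) { return 'Not configured (OS default applies)' }
    switch ([int]$Value) {
        0 { 'Automatically deny elevation requests' }
        1 { 'Prompt for credentials on the secure desktop' }
        3 { 'Prompt for credentials' }
        default { "Unrecognised value $Value" }
    }
}

function Get-LocalAdministrators {
    # Members of the local Administrators group via the WinNT ADSI provider
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-UacLockdownReport {
    $p = Get-ItemProperty -Path $UacKey
    $admins = @(Get-LocalAdministrators)

    New-Object PSObject -Property @{
        # EnableLUA = 1 is "Run all administrators in Admin Approval Mode"
        AdminApprovalMode       = ($p.EnableLUA -eq 1)
        StandardUserElevation   = ConvertTo-StandardUserPromptText $p.ConsentPromptBehaviorUser
        # EnableVirtualization = 1 keeps File and Registry Virtualization on
        WriteVirtualization     = ($p.EnableVirtualization -eq 1)
        LocalAdministrators     = ($admins -join ', ')
        LocalAdministratorCount = $admins.Count
    }
}

Get-UacLockdownReport | Format-List
```

A machine configured as the article's Figure 4 describes reports AdminApprovalMode True and StandardUserElevation "Automatically deny elevation requests"; one configured by Account Selection shows a LocalAdministrators list that no longer contains the everyday user accounts. Running the report across a set of desktops is a quick way to find machines where a technician has quietly re-added a user to Administrators.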

Desktop Management Infrastructure

Using File and Registry Virtualization, the new Driver Store infrastructure, and the other features I discussed will make it much easier for you to deploy Windows Vista desktops with standard user accounts. Even with these techniques, however, you will not be able to support a standard user environment completely unless you have the management infrastructure—tools, processes, and people—to support users who cannot do some things on their own. Some of the issues you need to consider are:

Software Installation  If users can't install software on their own, you need to provide another way. One way, which doesn't require any other management software, is to use Group Policy. With Group Policy, you can add a program to the Add/Remove programs list. If a user installs a program using this method it will launch with the elevated permissions needed for the user to complete the installation. For a richer solution you could also use SMS or a similar product. Some solutions even allow you to create self-service Web portals where standard users can pick and choose the software they want to install.

Software Updating  You'll need to have a way to install updates on your PCs, other than sending out an e-mail that says, "Please install this update!" To manage and deploy most Microsoft updates you can use Windows Server Update Services, which is a free download for Windows Server. To deploy a broader range of updates, again, you may consider a desktop management product such as SMS.

Support Processes and Staffing  When a user calls the helpdesk about something that is causing a performance problem or wants to install something new, in many cases you won't be able to just talk them through the process over the phone, since they may not have permissions. Your IT department will need to make greater use of remote assistance and remote administration tools to diagnose issues and change settings. Even Windows Remote Assistance will work differently because logged-in standard users cannot approve the prompts for actions that require administrator privilege, though helpdesk staff could use Remote Desktop to make administrative changes remotely.

It will be critical to have clear, efficient processes for handling policy exceptions. Let's say someone in the marketing department needs to install a trial version of a new graphic design tool she is evaluating for her department. Who gives the approval to install that software—her manager, her director, or the CIO? How will it get installed and how long will she have to wait? We suggest creating a simple approval workflow that is integrated with the helpdesk issue tracking system. A basic workflow could be:

  1. User submits request to install a program and the link to the installation program (on their local hard drive or in their CD tray), and confirms that the software was not obtained illegally and is not being used for malicious purposes.
  2. Request is sent to manager for approval.
  3. Request is routed to application lead in IT department who can check to ensure there are no known compatibility problems, perform a virus scan, and make sure that the company has not already purchased a site license for that program or a similar program from another vendor.
  4. Request is forwarded to a support technician to remotely initiate the installation and notify the user when the software is ready for use.

To create the workflow interface you could either script dynamic Web pages or obtain a commercial helpdesk or issue-tracking package. You will also require different staffing for a managed versus an unmanaged environment. Hopefully, you will need fewer technicians to physically diagnose or reimage unstable or infected PCs. However, you may need to initially allocate additional staff to software packaging and deployment.

Over the long run, you should experience lower support costs as machines remain stable longer, but initially you may experience an increase in helpdesk calls from users asking for help with configuration. The helpdesk calls will taper off after you configure your desktop images and group policies with the settings users need and expect.

Culture


The final hurdle is not technological, but psychological. Some users may have an adverse reaction to the idea of not having administrator privileges. But I believe most users won't notice a difference. And if you deploy Windows Vista at the same time that you enforce standard user accounts, the productivity benefits of the integrated desktop search, the new Aero™ (glass) user interface, and the improvements for mobile users will outweigh any inconveniences that come from not being an administrator. However, if poor processes cause people to wait for weeks to get permission to install a piece of software, then you can expect to have some unhappy employees.

Fundamentally, it's the IT department's responsibility to ensure the security of the PC assets, prevent the use of unlicensed software, and enforce compliance with government regulations and internal policies. Most companies will find that the only way to do this is to enact a new policy of restricting the number of users who have administrator privileges. Luckily, you'll find this much easier to do on Windows Vista.

Below you can see the details of the author of this article.

Alex Heaton is a Senior Product Manager on the Windows Vista Security Team. Previously he was Lead Site Manager for Microsoft security Web sites, which include microsoft.com/protect. He is also a contributor to the User Account Control Team blog at blogs.msdn.com/uac.

 

Last Updated: December 01, 2006

Winteacher.com

© 2003-2006 Winteacher.com. All rights reserved