2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Use the UAC whitelist to exempt the specified program from UAC restrictions
1. The hidden danger of shutting down UAC
My previous blog post, on what to do when ordinary users running software under Windows 8.1/Windows 7 are asked for the administrator password, described how to run programs that request elevation as an ordinary user without the "User Account Control" dialog box popping up. The method in that article was to turn UAC off completely, which does avoid the annoying "User Account Control" prompts but also lowers the security level of the system.
UAC (User Account Control) is a new technology introduced by Microsoft in Windows Vista and Windows 7. Its main function is to trigger automatically when an operation would affect the security of the system, so that the operation can proceed only after the user confirms it. Most malware, * viruses, and advertising plug-ins perform such operations when they enter a computer, for example copying files to directories such as Windows or Program Files, installing drivers, or installing ActiveX controls. Because these actions trigger UAC, users can block these programs when the UAC prompt appears.
Actions that can trigger UAC include:
* modify Windows Update configuration
* add or delete user accounts
* change the user's account type
* change UAC settings
* install ActiveX
* install or uninstall programs
* install the device driver
* modify and set parental controls
* modify the registry
* move or copy files to the Program Files or Windows directory
* access other user directories.
The role of UAC is therefore significant. If UAC is turned off completely, the system can no longer help users stop some undefined malware and * * from running. Users may then have malicious advertising plug-ins or * * programs implanted when they visit certain websites or run certain software, which affects the stability of the system and, in serious cases, leads to disclosure of enterprise information.
2. Adding specified programs to the UAC whitelist
Enterprise production environments generally do not give administrator privileges to ordinary users, but some software is necessary and yet triggers UAC when run as an ordinary user, which is really annoying. Operation and maintenance colleagues probably dislike this just as much! The system and software environment tested in this article:
System: Windows 8.1 64-bit Enterprise Edition
Software that needs to be added to the UAC whitelist: SF Express "Express offline user special version"
The following describes how to set up the UAC whitelist:
Step 1: obtain the official Microsoft tool "Application Compatibility Toolkit"
Search for the keyword "Application Compatibility Toolkit" on the download site of Microsoft's official website, find the download link, and open the download page, as shown below:
Click "Download" to enter the download list page, as shown below:
Select "ApplicationCompatibilityToolkitSetup.exe" and click "Next" in the lower right corner to download.
Step 2: install "Application Compatibility Toolkit"
Please exit all antivirus software before installation so that the software will not be blocked by antivirus software when creating some registry keys.
Double-click the software icon you just downloaded and the following image appears:
Click the "Next" button to go to the next interface:
Check "I accept the terms in the License Agreement" and click the "Next" button to go to the next interface:
The path can be modified. I install to the default path here, and continue to click the "Next" button to go to the next interface:
Click the "Install" button to go to the next interface:
Now that the installation is complete, click the "Finish" button to complete the installation.
Step 3: configure the UAC whitelist
Open the software, as shown below:
Note: the window title shows "Compatibility Administrator (32-bit)". Whether to use the 32-bit or the 64-bit version depends on the software you need to add to the UAC whitelist. In this article the software to be added is 32-bit, so you need to open "Compatibility Administrator (32-bit)".
1) right-click "New Database (1) [Untitled_1]"-> "Rename", and change the database name to "UAC_White_List", as shown below:
Tip: it is not necessary to change the database name, but a clear and standardized name will facilitate future management.
2) right-click "UAC_White_List"-> "Create New"-> "Application Fix", and modify the program name, developer information and complete installation path according to the actual situation, as shown below:
Click the "Next" button to go to the next interface:
Check "RunAsInvoker", then click the "Next" button to proceed to the next interface:
There is no need to modify anything here, just click the "Next" button to enter the next interface:
This step does not need to be modified either. Click the "Finish" button to complete the addition to the UAC whitelist:
Tip: the database "UAC_White_List" of this step can be saved as a disk file, which can be easily copied to other computers and directly opened for use, provided that other computers need to add the same software to the UAC whitelist.
3) Select the "offline user version" entry just created, and click "File" -> "Install" in the menu bar to write the software information into the UAC whitelist of the system. Note: this step is very important. If you do not run Install, all the previous steps have no effect.
4) Test effect
Before testing, make sure that the "Computer Configuration" -> "Windows Settings" -> "Security Settings" -> "Local Policies" -> "Security Options" -> "User Account Control: Run all administrators in Admin Approval Mode" option is on, because when I tested earlier, this option was set to "off". The option is on by default, so there is nothing to do if it has never been modified.
Log in as an ordinary user and run the "instant offline user special version". If all goes well, the software opens normally and the user is not prompted for the administrator password. The UAC whitelist setting is complete.
3. Removing a specified application from the UAC whitelist
Delete the applications you want to remove from the UAC whitelist from "UAC_White_List" and run "Install" again.
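The "File" -> "Install" step and the removal step can also be performed from an elevated PowerShell session with the Windows tool sdbinst.exe, and the installed shim databases can then be listed from the registry to confirm what is in effect. This is an added example, not part of the original article; the path C:\Deploy\UAC_White_List.sdb and the function names are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# Assumption: the database saved from Compatibility Administrator was copied to this path.
$SdbPath   = 'C:\Deploy\UAC_White_List.sdb'      # hypothetical location
$SdbInst   = Join-Path $env:WINDIR 'System32\sdbinst.exe'
$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Invoke-SdbInst {
    param([Parameter(Mandatory)][string]$Path, [switch]$Uninstall)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Shim database not found: $Path" }
    $sdbArgs = @('-q')                      # -q: quiet, no dialog boxes
    if ($Uninstall) { $sdbArgs += '-u' }    # -u: remove a previously installed database
    $sdbArgs += "`"$Path`""
    $p = Start-Process -FilePath $SdbInst -ArgumentList $sdbArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "sdbinst exited with code $($p.ExitCode)" }
}

function Get-InstalledShimDatabase {
    # Each installed database is registered under InstalledSDB\{GUID}
    $key = Join-Path $AppCompat 'InstalledSDB'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $v = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $v.DatabaseDescription
            Path        = $v.DatabasePath
            FileExists  = [bool]($v.DatabasePath -and (Test-Path -LiteralPath $v.DatabasePath))
        }
    }
}

function Get-ShimmedExecutable {
    # Custom\<exe name> records which database GUIDs apply to each executable
    $key = Join-Path $AppCompat 'Custom'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        [pscustomobject]@{
            Executable = $_.PSChildName
            Databases  = ($_.GetValueNames() -join ', ')
        }
    }
}

Invoke-SdbInst -Path $SdbPath                    # same effect as File -> Install
Get-InstalledShimDatabase | Format-Table -AutoSize
Get-ShimmedExecutable     | Format-Table -AutoSize
# To remove the whitelist entry later:
# Invoke-SdbInst -Path $SdbPath -Uninstall
```

RunAsInvoker starts the program with the invoking user's own token and suppresses the elevation prompt; it does not grant administrator rights, so any operation in the program that really needs them will fail. Reviewing the output of the two listing functions periodically also shows any shim database on the machine that nobody in operations installed.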
Summary:
1. UAC can help users prevent some undefined malware and * * from running. It is recommended to keep it enabled in a real production environment.
2. Systems and software in the production environment should be deployed on the principle of minimum permissions, in order to ensure the stable operation of the business system to the maximum extent.
3. Using the UAC whitelist to make the specified program free from the restrictions of UAC is a better way to allow users to run software that requires administrator approval, without having to enter the administrator password or join the administrator group.
4. After the UAC whitelist database generated by ACT (Application Compatibility Toolkit) is saved as a disk file, it can be copied to other computers that need to add the same software to the UAC whitelist, simplifying the steps of batch deployment.
5. The method in this article is relatively simple, but it will still be troublesome for large-scale deployment (for example, when 30 or more hosts are deployed together), and it takes time to install and set up one by one.
Suggestions for improving the UAC whitelist:
Microsoft's "Application Compatibility Toolkit" can evaluate application compatibility and set up a UAC whitelist, which makes it a fairly practical tool. Still, I suggest that Microsoft integrate the UAC whitelist function directly into the system and support large-scale deployment through domains; system management would then become more efficient and convenient.
I hope this article can help all the operation and maintenance partners, and welcome netizens and technology enthusiasts to point out the mistakes in the text! Thank you!