Share via


Security Policy Settings New for Windows Vista

This section provides information about new security settings in Windows Vista including the locations of the security settings in the local Group Policy object (GPO), their default values, and a discussion of the setting.

Access Credential Manager as a trusted caller

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities.

Default value

Not configured

Change the time zone

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone.

This user right is defined in the Default Domain Controller GPO and in the local security policy of the workstations and servers.

Default value

Administrators, Users

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting determines if the user can create a symbolic link from the computer the user is logged on to.

Warning

This user right should only be assigned to trusted users. Symbolic links (symlinks) can expose security vulnerabilities in applications that aren't designed to handle symbolic links.

Note

This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the Fsutil command-line tool to control the types of symbolic links that are allowed on the computer. Type fsutil behavior set symlinkevalution /? at a command prompt to get more information about the Fsutil command-line tool and symbolic links.

Default value

Administrator

Increase a process working set

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting determines which user accounts can increase or decrease the size of the working set of a process.

The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

Warning

Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.

Default value

Users

Modify an object label

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.

Default value

Not configured

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way by using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. A new registry value introduced in Windows Vista, SCENoApplyLegacyAuditPolicy, allows audit policy to be managed by using subcategories without requiring a change to Group Policy. This registry value can be set to prevent the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.

If the category-level audit policy on a computer is not consistent with the events being generated, the cause might be that this registry key is set.

Default value

Disabled

User Account Control: Admin Approval Mode for the Built-in Administrator account

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of Admin Approval Mode for the Built-in Administrator account.

The following table describes the values available for this setting.

Value Description

Enabled

The Built-in Administrator will log on in Admin Approval Mode. By default, the consent prompt will be displayed for any operation that requires elevation of privilege.

Disabled

The Built-in Administrator will log on in XP-compatible mode and run all applications by default with full administrative privilege.

Default value

Disabled

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of the elevation prompt for administrators.

The following table describes the values available for this setting.

Value Description

Prompt for consent

An operation that requires elevation of privilege will prompt an administrator in Admin Approval Mode to click either Continue or Cancel. If the administrator clicks Continue, the operation will continue with the administrator's highest available privilege. This option allows users to enter their user name and password to perform a privileged task.

Prompt for credentials

An operation that requires elevation of privilege will prompt an administrator in Admin Approval Mode to enter a user name and password. If valid credentials are entered, the operation will continue with the applicable privilege.

Elevate without prompting

This value allows an administrator in Admin Approval Mode to perform an operation that requires elevation without providing consent or credentials. This is the least secure option.

Default value

Prompt for consent

User Account Control: Behavior of the elevation prompt for standard users

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of the elevation prompt for standard users.

The following table describes the values available for this setting.

Value Description

Prompt for credentials

An operation that requires elevation of privilege will prompt the user to enter an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

Automatically deny elevation requests

A standard user will receive an access-denied error message when an operation that requires elevation of privilege is attempted. Most enterprises running workstations as standard user will configure this policy to reduce help desk calls.

Default value

Prompt for credentials (home)

Automatically deny elevation requests (enterprise)

User Account Control: Detect application installations and prompt for elevation

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of application installation detection for the computer.

The following table describes the values available for this setting.

Value Description

Enabled

This setting detects application installation packages that require an elevation of privilege to install and displays the configured elevation prompt.

Disabled

Enterprises running standard user workstations that use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) will automatically disable this setting. In this case, installer detection is unnecessary and thus not required.

Default value

Enabled (home)

Disabled (enterprise)

User Account Control: Only elevate executables that are signed and validated

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting will enforce public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control which administrative applications are allowed through the certificates in the local computer's Trusted Publishers certificate store.

The following table describes the values available for this setting.

Value Description

Enabled

This value enforces the PKI certificate chain validation of a given executable before it is permitted to run.

Disabled

This value does not enforce PKI certificate chain validation before a given executable is permitted to run.

Default value

Disabled

User Account Control: Only elevate UIAccess applications that are installed in secure locations

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

Note

UIAccess integrity level is enabled by setting UIAccess=true in an application's manifest.

This security setting will enforce the requirement that applications requesting to be run with a UIAccess integrity level must reside in a secure location on the file system. Secure locations are limited to the following directories:

  • …\Program Files\ (and subfolders)
  • …\Windows\System32\r-
  • …\Program Files (x86)\ (and subfolders, in 64-bit versions of Windows only)

Note

Windows enforces a PKI signature check on any interactive application that requests to be run with UIAccess integrity level regardless of the state of this security setting.

The following table describes the values available for this setting.

Value Description

Enabled

An application will start with UIAccess integrity only if it resides in a secure location in the file system.

Disabled

An application will start with UIAccess integrity even if it does not reside in a secure location in the file system.

Default value

Enabled

User Account Control: Run all administrators in Admin Approval Mode

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of all UAC policies for the entire system.

The following table describes the values available for this setting.

Value Description

Enabled

Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires that the computer be restarted.

Disabled

The Admin Approval Mode user type and all related UAC policies will be disabled. If the Disabled value is selected, the Security Center will provide notification that the overall security of the operating system has been reduced.

Default value

Enabled

User Account Control: Switch to the secure desktop when prompting for elevation

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines whether the elevation prompt appears on the interactive user's desktop or the secure desktop.

The following table describes the values available for this setting.

Value Description

Enabled

All elevation prompts appear on the secure desktop.

Disabled

All elevation prompts appear on the interactive user's desktop.

Default value

Enabled

User Account Control: Virtualize file and registry write failures to per-user locations

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting enables the redirection of application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data to protected locations (%ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software\...).

Virtualization facilitates the running of applications that historically failed to run as standard user because of application write failures.

Note

Because Windows Vista–compliant applications do not write application data to protected locations, an administrator running only Windows Vista–compliant applications may choose to disable this feature.

The following table describes the values available for this setting.

Value Description

Enabled

Facilitates the runtime redirection of application write failures to defined user locations for both the file system and registry.

Disabled

Applications that write data to protected locations will not work correctly.

Default value

Enabled

Additional resources

For more information about security policy settings, see the following resources: