Security Policy Settings New for Windows Vista

This section provides information about new security settings in Windows Vista including the locations of the security settings in the local Group Policy object (GPO), their default values, and a discussion of the setting.

Access Credential Manager as a trusted caller

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities.

Default value

Not configured

Change the time zone

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone.

This user right is defined in the Default Domain Controller GPO and in the local security policy of the workstations and servers.

Default value

Administrators, Users

Create symbolic links

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting determines if the user can create a symbolic link from the computer the user is logged on to.

Warning

This user right should only be assigned to trusted users. Symbolic links (symlinks) can expose security vulnerabilities in applications that aren't designed to handle symbolic links.

Note

This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the Fsutil command-line tool to control the types of symbolic links (local-to-local, local-to-remote, remote-to-local, remote-to-remote) that are allowed on the computer. Type fsutil behavior set symlinkevaluation /? at a command prompt to get more information about the Fsutil command-line tool and symbolic links.

Default value

Administrator

Increase a process working set

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting determines which user accounts can increase or decrease the size of the working set of a process.

The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

Warning

Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.

Default value

Users

Modify an object label

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Discussion

This security setting determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.

Default value

Not configured
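As an added example (not part of the original page), the following PowerShell script exports the local user rights with secedit and reports who holds the five user rights described above, warning when anything holds the Credential Manager trusted-caller right. The privilege constant names are the standard Windows names for these user rights; the temporary file path is an assumption of this example.

```powershell
# Added example: map the user rights discussed on the page to their
# privilege constants and show the current holders. Run from an
# elevated PowerShell prompt; secedit needs administrative rights.
$map = [ordered]@{
    'SeTrustedCredManAccessPrivilege' = 'Access Credential Manager as a trusted caller'
    'SeTimeZonePrivilege'             = 'Change the time zone'
    'SeCreateSymbolicLinkPrivilege'   = 'Create symbolic links'
    'SeIncreaseWorkingSetPrivilege'   = 'Increase a process working set'
    'SeRelabelPrivilege'              = 'Modify an object label'
}

# Export only the user rights area of the local security policy to an INF file.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section: "SePrivilege = *S-1-5-32-544,*S-1-5-32-545".
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() })
    }
}

foreach ($priv in $map.Keys) {
    if ($rights.ContainsKey($priv)) { $holders = $rights[$priv] } else { $holders = @('(not configured)') }
    # Resolve "*S-1-..." SIDs to account names where the SID is known locally.
    $names = foreach ($h in $holders) {
        if ($h -like '*S-1-*') {
            $sid = $h.TrimStart('*')
            try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid }
        } else { $h }
    }
    '{0,-48} {1}' -f $map[$priv], ($names -join ', ')
    # The page states that no account should hold this right; it is reserved for Winlogon.
    if ($priv -eq 'SeTrustedCredManAccessPrivilege' -and $rights.ContainsKey($priv)) {
        Write-Warning "Accounts hold '$($map[$priv])'; users' saved credentials may be exposed."
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```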

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way by using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. A new registry value introduced in Windows Vista, SCENoApplyLegacyAuditPolicy, allows audit policy to be managed by using subcategories without requiring a change to Group Policy. This registry value can be set to prevent the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.

If the category-level audit policy on a computer is not consistent with the events being generated, the cause might be that this registry value is set.

Default value

Disabled
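As an added example (not part of the original page), this PowerShell check reads the SCENoApplyLegacyAuditPolicy value and lists the effective per-subcategory audit settings, which is the first thing to compare when category-level policy and generated events disagree. The registry location under the LSA key and the auditpol CSV column names are assumptions from standard Windows behavior, not quoted from this page.

```powershell
# Added example: explain a category/subcategory audit policy mismatch.
# Run from an elevated prompt so auditpol can read the full policy.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumed location of the value
$item = Get-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
$value = if ($null -ne $item) { $item.SCENoApplyLegacyAuditPolicy } else { $null }

if ($null -eq $value) {
    'SCENoApplyLegacyAuditPolicy is not present: category-level policy can still overwrite subcategory settings.'
} elseif ($value -eq 1) {
    'SCENoApplyLegacyAuditPolicy = 1: subcategory settings win; category-level policy from Group Policy and secpol is ignored.'
} else {
    "SCENoApplyLegacyAuditPolicy = ${value}: category-level policy is applied."
}

# auditpol shows what is actually in force per subcategory, which is what the
# Security event log reflects regardless of the category-level view.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
$effective |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```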

User Account Control: Admin Approval Mode for the Built-in Administrator account

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of Admin Approval Mode for the Built-in Administrator account.

The following table describes the values available for this setting.

Value Description

Enabled

The Built-in Administrator will log on in Admin Approval Mode. By default, the consent prompt will be displayed for any operation that requires elevation of privilege.

Disabled

The Built-in Administrator will log on in XP-compatible mode and run all applications by default with full administrative privilege.

Default value

Disabled

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of the elevation prompt for administrators.

The following table describes the values available for this setting.

Value Description

Prompt for consent

An operation that requires elevation of privilege will prompt an administrator in Admin Approval Mode to click either Continue or Cancel. If the administrator clicks Continue, the operation will continue with the administrator's highest available privilege. This option allows users to enter their user name and password to perform a privileged task.

Prompt for credentials

An operation that requires elevation of privilege will prompt an administrator in Admin Approval Mode to enter a user name and password. If valid credentials are entered, the operation will continue with the applicable privilege.

Elevate without prompting

This value allows an administrator in Admin Approval Mode to perform an operation that requires elevation without providing consent or credentials. This is the least secure option.

Default value

Prompt for consent

User Account Control: Behavior of the elevation prompt for standard users

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of the elevation prompt for standard users.

The following table describes the values available for this setting.

Value Description

Prompt for credentials

An operation that requires elevation of privilege will prompt the user to enter an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

Automatically deny elevation requests

A standard user will receive an access-denied error message when an operation that requires elevation of privilege is attempted. Most enterprises running workstations as standard user will configure this policy to reduce help desk calls.

Default value

Prompt for credentials (home)

Automatically deny elevation requests (enterprise)

User Account Control: Detect application installations and prompt for elevation

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of application installation detection for the computer.

The following table describes the values available for this setting.

Value Description

Enabled

This setting detects application installation packages that require an elevation of privilege to install and displays the configured elevation prompt.

Disabled

Enterprises running standard user workstations that use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) will automatically disable this setting. In this case, installer detection is unnecessary because installations are performed by the delegated technology rather than by the interactive user.

Default value

Enabled (home)

Disabled (enterprise)

User Account Control: Only elevate executables that are signed and validated

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting will enforce public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control which administrative applications are allowed through the certificates in the local computer's Trusted Publishers certificate store.

The following table describes the values available for this setting.

Value Description

Enabled

This value enforces the PKI certificate chain validation of a given executable before it is permitted to run.

Disabled

This value does not enforce PKI certificate chain validation before a given executable is permitted to run.

Default value

Disabled

User Account Control: Only elevate UIAccess applications that are installed in secure locations

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

Note

UIAccess integrity level is enabled by setting UIAccess=true in an application's manifest.

This security setting will enforce the requirement that applications requesting to be run with a UIAccess integrity level must reside in a secure location on the file system. Secure locations are limited to the following directories:

  • …\Program Files\ (and subfolders)
  • …\Windows\System32\
  • …\Program Files (x86)\ (and subfolders, in 64-bit versions of Windows only)

Note

Windows enforces a PKI signature check on any interactive application that requests to be run with UIAccess integrity level regardless of the state of this security setting.

The following table describes the values available for this setting.

Value Description

Enabled

An application will start with UIAccess integrity only if it resides in a secure location in the file system.

Disabled

An application will start with UIAccess integrity even if it does not reside in a secure location in the file system.

Default value

Enabled

User Account Control: Run all administrators in Admin Approval Mode

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines the behavior of all UAC policies for the entire system.

The following table describes the values available for this setting.

Value Description

Enabled

Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires that the computer be restarted.

Disabled

The Admin Approval Mode user type and all related UAC policies will be disabled. If the Disabled value is selected, the Security Center will provide notification that the overall security of the operating system has been reduced.

Default value

Enabled

User Account Control: Switch to the secure desktop when prompting for elevation

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines whether the elevation prompt appears on the interactive user's desktop or the secure desktop.

The following table describes the values available for this setting.

Value Description

Enabled

All elevation prompts appear on the secure desktop.

Disabled

All elevation prompts appear on the interactive user's desktop.

Default value

Enabled

User Account Control: Virtualize file and registry write failures to per-user locations

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting enables the redirection of application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data to protected locations (%ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software\...).

Virtualization facilitates the running of applications that historically failed to run as standard user because of application write failures.

Note

Because Windows Vista–compliant applications do not write application data to protected locations, an administrator running only Windows Vista–compliant applications may choose to disable this feature.

The following table describes the values available for this setting.

Value Description

Enabled

Facilitates the runtime redirection of application write failures to defined user locations for both the file system and registry.

Disabled

Applications that write data to protected locations will not work correctly.

Default value

Enabled
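As an added example (not part of the original page) covering all of the User Account Control settings above, this PowerShell script reads the registry values that back those policies and reports each one in the page's own terms, warning on the two states the page calls out as weakest. The value names under the Policies\System key and their numeric meanings are assumptions taken from standard Windows documentation, not from this page; the numeric meanings shown are the Windows Vista ones, and unknown values are printed raw.

```powershell
# Added example: report effective UAC policy values from the registry.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   # assumed location
$p = Get-ItemProperty -Path $key

# Numeric meanings used by Windows Vista for the prompt-behavior values (assumed).
$adminPrompt = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent' }
$userPrompt  = @{ 0 = 'Automatically deny elevation requests'; 1 = 'Prompt for credentials' }
$onOff       = @{ 0 = 'Disabled'; 1 = 'Enabled' }

function Describe($name, $table) {
    $v = $p.$name
    if ($null -eq $v) { return 'not set (default applies)' }
    if ($table.ContainsKey([int]$v)) { return $table[[int]$v] }
    return "value $v"   # newer Windows versions define additional values
}

$report = [ordered]@{
    'Admin Approval Mode for the Built-in Administrator account' = Describe 'FilterAdministratorToken' $onOff
    'Behavior of the elevation prompt for administrators'        = Describe 'ConsentPromptBehaviorAdmin' $adminPrompt
    'Behavior of the elevation prompt for standard users'        = Describe 'ConsentPromptBehaviorUser' $userPrompt
    'Detect application installations and prompt for elevation' = Describe 'EnableInstallerDetection' $onOff
    'Only elevate executables that are signed and validated'    = Describe 'ValidateAdminCodeSignatures' $onOff
    'Only elevate UIAccess applications in secure locations'    = Describe 'EnableSecureUIAPaths' $onOff
    'Run all administrators in Admin Approval Mode'             = Describe 'EnableLUA' $onOff
    'Switch to the secure desktop when prompting for elevation' = Describe 'PromptOnSecureDesktop' $onOff
    'Virtualize file and registry write failures'               = Describe 'EnableVirtualization' $onOff
}
foreach ($k in $report.Keys) { '{0,-60} {1}' -f $k, $report[$k] }

# The page singles these two out: UAC disabled entirely, and silent elevation.
if ($p.EnableLUA -eq 0) {
    Write-Warning 'EnableLUA = 0: Admin Approval Mode and all related UAC policies are disabled.'
}
if ($p.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'ConsentPromptBehaviorAdmin = 0: administrators elevate without prompting (least secure option).'
}
```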

Additional resources

For more information about security policy settings, see the following resources: