When UAC is enabled, what vulnerabilities does the EnableLinkedConnections registry edit cause
-
Wednesday, November 18, 2009 1:35 PMHello. I am in the process of adding windows 7 machines to a 2008 domain. I ran into a problem with my drives not mapping via a vbs logon script once I enabled UAC. I found a Microsoft article with a workaround here:
http://support.microsoft.com/kb/937624
The workaround they suggest works, but right above the workaround is the ominous message:
"Important This workaround may make your system unsafe. Microsoft does not support this workaround. Use this workaround at your own risk."
Even after editing the registry and making this change, I am still being prompted by UAC anytime I try to install a program, change certain network settings, etc (in the GPO setting: computer configuration > windows settings > security settings > security options > User Account Control: Only elevate UIAaccess applications that are installed in secure locations - I changed the setting to disabled, so I get prompted often, which is how I want it).
What exactly does this registry edit do? How does it make Windows 7 less secure? What potential vulnerability does it create?
Thanks,
All Replies
-
Thursday, November 19, 2009 5:16 PMSeriously Microsoft guys, please answer this question.
-
Wednesday, March 03, 2010 11:19 PM+1 I would like to know the answer to this as well.
-
Thursday, March 04, 2010 3:21 PM
Awaken22, Bungle,
If this GPO is enabled
=> Applications executed from- ..\Program Files\ (and subfolders)
- ..\Program Files (x86)\ (and subfolders, in 64-bit versions of Windows only)
- ..\Windows\System32\
can use UIAaccess function.
If this GPO is disabled.
=> applications executed anywhere can use the UIAaccess function
What is UIAaccess function?
This article covers some great information about the UIAaccess.
http://netsecurity.about.com/od/secureyourwindowspc/qt/uacuiaccess.htm
But try a GPO Preferences to map your drives this is a more easier and secure way.
http://blogs.technet.com/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx
Kind Regards
DFT
IM me - TWiTTer: @DFTER- Proposed As Answer by Mr. Bungle Sunday, March 07, 2010 5:21 AM
-
Sunday, March 07, 2010 5:21 AMThanks, that is what I wanted to know. Unfortunately, GPO Preferences is only available in server editions of Windows and/or when you are working on a domain, right? I'm on Win7 Ultimate x64 and when I type gpme.msc I just get an error. According to this link I need to download a 400Mb installer to get this feature...
-
Tuesday, March 09, 2010 12:15 AM+1 I'm interested too.
My idea of a party is a virtualization server and a room of TechNet DVDs -
Tuesday, May 15, 2012 8:51 AM
There is very little information/documentation regarding this setting (http://support.microsoft.com/kb/937624). But in this discussion (http://channel9.msdn.com/Shows/Going+Deep/UAC-What-How-Why#c633305694960000000) a Microsoft employee says this:
Technically, it opens a small loophole since non-elevated malware can now "pre-seed" a drive letter + mapping into the elevated context -- that should be low-risk unless you end up with something that's specifically tailored to your environment.
.png)
