none
UAC Control settings? RRS feed

  • Question

  • Just a quick question, what is more secure since I am the only one using my laptop as a local Admin account?

    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode 

    Prompt for Consent on the Secure Desktop

    or

    Prompt for Credentials on the Secure Desktop?

    Tuesday, August 27, 2019 6:43 PM

All replies

  • Unless you have gone through a lot of trouble there is no security on an end user machine. You would need drive encryption through something like Bitlocker, Move your SAM files so they are not easily found, disable default local admin, and create a new one. After that you might be able to get picky about something like this. Otherwise if someone like me gets your computer it will take me about 60 seconds to reactivate the default admin, blank it's password, and go to town. Bitlocker would be the frontline preventing this, followed by moving the SAM file, if I don't know where the SAM is then I can not easily blank account passwords including the one you made for yourself. 

    After all that Prompt for Creds would be more secure. 


    Thomas Faherty

    Tuesday, August 27, 2019 8:36 PM
  • That is the first thing I do after installation is enable Bitlocker. Is Prompt for Credentials on the Secure Desktop more secure than using Prompt for Consent on the Secure Desktop for UAC?
    Tuesday, August 27, 2019 9:10 PM
  • Here, 

    I will let you read up and you can decide for yourself.

    https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/The-Curious-Case-of-the-Redundant-UAC-Policies/ba-p/228643


    Thomas Faherty

    • Proposed as answer by Kiodos Tuesday, August 27, 2019 9:58 PM
    Tuesday, August 27, 2019 9:58 PM
  • >>Is Prompt for Credentials on the Secure Desktop more secure than using Prompt for Consent on the Secure Desktop for UAC?

    Yes.

    If this laptop can only be touched by you, any others can’t touch this device, two options have the same security level(in general, no one can guarantee this). Otherwise,  Prompt for Credentials on the Secure Desktop is more secure.

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 28, 2019 2:37 AM
    Moderator
  • UAC is no security feature. If you are working as admin, it does not really matter what you select of these two options, since there have been ways to bypass UAC disregarding of what you have set there.

    --

    That said, what you should do, is work as user and use UAC to enter credentials of the administrative account whenever needed. That is considered secure.

    If that seems exhausting, you can do this:

    1 make your account a restricted user

    2 create an administrative user "admin" without a password (yes, you read correctly)

    3 whenever a UAC prompt come, just select admin and press enter.

    Since blank passwords cannot be abused by runas scripts, this option is secure. Since your machine has a bitlocker protection (preboot authentication, I assume?), people cannot start the laptop and login with "admin" and no password. If you want it even more secure, just enable "admin" whenever you are logged in and disable it when logged off or when the screen is locked using scheduled tasks that use these triggers.

    Sounds complicated? Read more on it in my article: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html

    Wednesday, August 28, 2019 8:31 AM
  • Interesting. however I am still a bit confused on why setting the Admin account with a blank password. I also should of mentioned that my laptop is not on a domain.

    Yes, I use Bitlocker with a PIN. 

    One question, do I need to do the "Notes On" section from the link you provided  or just the one above you mentioned as shown below?

    1 make your account a restricted user

    2 create an administrative user "admin" without a password (yes, you read correctly)

    3 whenever a UAC prompt come, just select admin and press enter.

    For step 3, do I need to set the UAC prompt for Behavior of the elevation prompt for administrators in Admin Approval Mode  to Prompt for Credentials on the Secure Desktop or Prompt for Consent?

    From that article, it mentions below: - 5 Prevent interactive logon with that account  -  Where is this setting under Group Policy?




    • Edited by A.Slayton Thursday, August 29, 2019 7:54 PM
    Thursday, August 29, 2019 7:04 PM