Windows account security settings

1. Windows account configuration

1. Create a user account

What happens when we create a user account in Windows?

First, the system creates a profile for the user based on the entered user name, then generates a unique SID (Security Identifier) for the account and assigns the appropriate permissions and rights to that SID according to the account type. Finally, the account's access credentials (user name and password) and related information are encrypted and saved in a database.

For local accounts in stand-alone and workgroup environments, the credential information is stored in the local SAM database; for domain accounts in a domain environment, it is stored on the domain controller. When we set access permissions on an object, we are actually editing that object's ACL (Access Control List).

The above content involves several concepts, which are explained below.

1. Security Identifier

Contrary to what many people think, Windows does not distinguish accounts by their names. Instead, Windows relies on the SID. In a Windows environment almost every security principal has a SID: local accounts, local groups, domain accounts, domain groups, the local computer, domains, and domain members. Think of the account name as a person's name and the SID as their ID number: names can repeat, but an ID number is never reused.

This is mainly for ease of management. Because Windows identifies objects by SID, we can rename an account when needed without having to reassign its permissions, since the SID does not change. By the same token, if we assign permissions to an account, delete it, and then create a new account with the same user name and password, the new account has a different SID; although its name and password are identical, the permissions and rights of the original account are not applied to it automatically.

A SID is a 48-bit string. In Windows 7, to view the SID of the currently logged-in account, open a command prompt window as an administrator and run the command "whoami /user". Running this command shows output similar to the following figure:

This tool shows only the SID of the currently logged-in account. To check the SID of another account on the machine, or to check SIDs on older versions of Windows that do not include this tool, you can use PsGetSid, a free Microsoft tool that can be downloaded from http://tinyurl.com/5tt7fo. To use it, type "PsGetSid" in the command line window, followed by a space and the name of the account whose SID you want to view.
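The same lookup that "whoami /user" and PsGetSid perform can be done from Windows PowerShell with the .NET classes that ship with Windows, which is handy when neither tool is at hand. The script below is an added example, not code from the original article; it assumes Windows PowerShell 2.0 or later and uses only built-in classes. The orphaned SID in the last step is a constructed value chosen so that it maps to no account on any real machine.

```powershell
# Added example (not from the original article): resolve account names to SIDs and back,
# and show why a deleted-and-recreated account does not inherit the old one's permissions.
# Assumes Windows PowerShell 2.0+ on Windows 7 or later; no extra tools needed.

function ConvertTo-Sid {
    # Translate an account name (e.g. "BUILTIN\Administrators" or "$env:USERNAME") to its SID string.
    param([Parameter(Mandatory=$true)][string]$AccountName)
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertFrom-Sid {
    # Translate a SID string back to the account that currently owns it.
    param([Parameter(Mandatory=$true)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try {
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # A SID that maps to no account: typical for a deleted user whose ACL entries survive.
        # Recreating a user with the same name gets a new SID and does NOT reclaim these entries.
        "<unresolved: $Sid>"
    }
}

'== 1. The logged-in user (what "whoami /user" prints) =='
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"{0,-40} {1}" -f $me.Name, $me.User.Value

'== 2. Well-known SIDs, identical on every Windows installation =='
$wellKnown = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-18'     = 'Local System'
    'S-1-5-32-544' = 'Builtin Administrators'
    'S-1-5-32-545' = 'Builtin Users'
}
foreach ($sid in ($wellKnown.Keys | Sort-Object)) {
    "{0,-40} {1}  (documented as: {2})" -f (ConvertFrom-Sid $sid), $sid, $wellKnown[$sid]
}

'== 3. Machine-specific SIDs share the computer (or domain) SID as a prefix =='
# The final component, the RID, identifies the account; the prefix is unique to this computer/domain.
"Prefix of my SID: $($me.User.AccountDomainSid)"
"SID of my own account name resolved the other way: $(ConvertTo-Sid $me.Name)"

'== 4. An orphaned SID (constructed value; maps to no account) =='
ConvertFrom-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1001'
```

Step 4 is the situation described above: once an account is deleted, entries that reference its SID stay in ACLs but can no longer be resolved to a name, and a new account with the same name does not pick them up.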

Although SIDs are unique, there are some well-known SIDs that are identical across all Windows systems.

These shared SIDs exist mainly for ease of management. The following table lists some of the common well-known SIDs.

2. Permissions and rights

In the Windows environment, two terms describe access privileges: permissions and rights. A permission is the ability to access a specific object in a defined way, such as writing to or deleting files on an NTFS partition; a right is the ability to perform a certain system operation, such as changing the settings of the paging file.

3. Access Control List

Why can't we open some key system folders after logging in with a standard account? And how can we prohibit a user from opening a folder or file by restricting it through NTFS permissions? Both are the work of the access control list (ACL).

In Windows, every securable object (folder, file, printer, computer, and so on) has a corresponding ACL, and setting permissions on an object means editing its ACL. For example, to prohibit the user "User" from accessing folder A, you edit the ACL of folder A and add an entry that denies access to "User". In the ACL, users are identified by their SID rather than by name.

Likewise, when a user tries to access an object, the Windows security subsystem first obtains the user's SID from the account name and then compares that SID with the entries in the object's ACL. If an entry allows the SID to access the object, access is granted; otherwise it is denied.
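To see that an ACL really is a list of entries keyed by SID, the following added example (not from the original article) creates a throwaway folder, adds a Deny entry for the current user, reads the ACL back with the SID of every entry, and then shows the Deny entry taking effect. It assumes Windows PowerShell 2.0 or later and that the current user may create folders under %TEMP%; the folder name acl-demo is an arbitrary choice.

```powershell
# Added example (not from the original article): add a Deny ACE to a folder and read it back.
# Assumes Windows PowerShell 2.0+ and write access to $env:TEMP. Cleans up after itself.

$folder = Join-Path $env:TEMP 'acl-demo'   # constructed path for the demo
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# The principal to deny, as a SID object rather than a name: the ACE stores the SID,
# and the account name is only resolved for display.
$userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Deny only the right to create files in this folder, so the rest of the demo still works.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $userSid,
    [System.Security.AccessControl.FileSystemRights]::CreateFiles,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($deny)
Set-Acl -Path $folder -AclObject $acl

'== ACL entries with their SIDs =='
# Deny entries are evaluated before Allow entries, which is why an explicit Deny wins
# even though the inherited Allow entries grant the same user full control.
$acl = Get-Acl -Path $folder
$acl.Access | ForEach-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    New-Object PSObject -Property @{
        Type      = $_.AccessControlType
        Sid       = $sid.Value
        Account   = $_.IdentityReference.Value
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
    }
} | Format-Table Type, Sid, Account, Rights, Inherited -AutoSize

'== Effect of the Deny entry =='
try {
    New-Item -ItemType File -Path (Join-Path $folder 'test.txt') -ErrorAction Stop | Out-Null
    'Unexpected: file creation succeeded'
} catch {
    "File creation denied as expected: $($_.Exception.Message)"
}

# Clean up: remove the Deny entry again and delete the folder.
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $folder -AclObject $acl
Remove-Item -Path $folder -Recurse -Force
```

The Sid column is what the security subsystem actually compares against the SIDs in the user's token; the Account column is only the display name resolved from it, which is why renaming the account would leave the entry intact.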

2. Login process and access token

The account has been created, and its SID, profile, and permissions have been set up. How do these take part in protecting the system while Windows is in use?

At logon, if the user name and password entered by the user are verified by the SAM database or the domain controller, Windows generates a security access token for the user. The token contains information such as the user's SID and the groups the account belongs to (collectively called the security profile). An access token can be thought of as an electronic passport: it records the security information needed to access objects, run programs, and modify system settings.

Access tokens are passed on: if a user runs a program after logging in, the program receives the user's access token. In short, programs run by a user have the same privileges as the user. For an administrator, the token obtained at logon carries administrator privileges, so every program that user runs also has administrator privileges and complete control over the system. Suppose the user receives an e-mail attachment carrying a virus that maliciously modifies system settings; if the attachment is run, it also has administrator rights, and the modification succeeds. If instead the user is a standard (restricted) account with no permission to change system settings, the virus can still run after the attachment is opened, but it cannot modify the system settings because it lacks the permission, which directly prevents the damage.
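Because every program inherits the token of the user who started it, the contents of that token tell you exactly what the program may do. The script below, an added example rather than code from the original article, prints the token of the current PowerShell process: the user SID, the group SIDs (the "security profile") and the privileges (rights) it carries. It assumes Windows PowerShell 2.0 or later and whoami.exe, both included with Windows 7.

```powershell
# Added example (not from the original article): inspect the access token of the current process.
# Whatever this prints is what any program started from this session is allowed to do.
# Assumes Windows PowerShell 2.0+ and whoami.exe (both ship with Windows 7).

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

'== User =='
"{0}  ({1})" -f $identity.Name, $identity.User.Value

'== Group SIDs in the token (the security profile) =='
foreach ($group in $identity.Groups) {
    # Some SIDs (logon session, integrity label) have no account name; show them unresolved.
    try   { $name = $group.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }
    "{0,-45} {1}" -f $group.Value, $name
}

'== Privileges (rights) carried by the token =='
# whoami /priv lists each privilege and whether it is currently enabled in this token.
# A standard-user token carries only a handful (e.g. SeChangeNotifyPrivilege); an administrator
# token adds ones such as SeDebugPrivilege and SeTakeOwnershipPrivilege.
$priv = whoami /priv /fo csv | ConvertFrom-Csv
$priv | Select-Object 'Privilege Name', State | Format-Table -AutoSize

'== Summary =='
"{0} group SIDs, {1} privileges in this token" -f $identity.Groups.Count, @($priv).Count
```

Run it once from a standard-user session and once from an administrator session and compare the privilege list: the difference is precisely what the virus-attachment scenario above turns on.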

Therefore, security books and articles have long suggested creating both an administrator account and a standard account in Windows: log in with the standard account for everyday use, and switch to the administrator account only for system maintenance or other tasks that can only be performed with administrator privileges.

Windows 7 adds the User Account Control feature, which limits a user's privileges and thereby further protects the system.

3. In-depth understanding of configuration files

The hierarchical structure of the user profile folder is also called the user profile namespace. Windows 7 uses this namespace quite differently from older versions of Windows (mainly those before Windows Vista).

Understanding these differences is important for understanding the design philosophy of least user privilege, and the namespace changes are a major cause of compatibility problems with third-party applications. The following therefore takes Windows XP and Windows 7 as examples to introduce how the namespace was improved between these two systems.

1. Windows XP configuration file namespace

In Windows XP (and earlier versions of Windows), the user profile namespace has the following main characteristics:

  • Local user profiles are located in the %SystemDrive%\Documents and Settings directory.
  • Every user who has logged on to the machine at least once has a profile folder named after the account, "%SystemDrive%\Documents and Settings\username".
  • A special profile folder, %SystemDrive%\Documents and Settings\All Users, holds items shared by everyone, for example program shortcuts and desktop icons that should appear on the desktop or Start menu of every user who logs on to the machine. By customizing this profile, all users of the machine see the same program shortcuts.
  • A special hidden profile folder, %SystemDrive%\Documents and Settings\Default User, serves as a template when profiles are created for new users. When a user logs on to the machine for the first time, Windows loads the Default User profile and copies it to "%SystemDrive%\Documents and Settings\username" as the user's profile.

The subfolders in a Windows XP profile folder are mainly used to hold application settings and user data; some of them are hidden, as shown in the figure.

The important folders and their purposes are:

  • Application Data: contains data belonging to specific applications, such as their configuration parameters.
  • Cookies: contains Internet Explorer's cookie files.
  • Desktop: contains what is shown on the user's desktop, such as files or shortcuts.
  • Favorites: contains the Internet Explorer favorites.
  • Local Settings: contains application settings and data specific to this computer, or files too large to roam in a domain environment. It has several important subfolders, including Application Data, History, Temp, and Temporary Internet Files.

What does roaming mean?

In a domain environment a user can log on with a domain account on any computer that has joined the domain, so the user's profile can be stored on a file server as a "roaming profile". No matter which client computer the user logs on to, the profile folder is downloaded from the file server and cached locally, and the content stored in it (documents, application settings, and so on) can be used on any computer. When the user logs off, the client computer uploads the modified contents of the profile back to the file server.

Profile roaming is only available in a domain environment, not in stand-alone or workgroup environments. However, by redirecting profile folders so that the files are stored centrally on a network server, an effect similar to roaming in a domain can be achieved.

  • My Documents: the default location for documents created by the user. It also contains several important subfolders such as My Pictures and My Music, as well as other application-specific folders.
  • NetHood: contains the shortcuts shown in My Network Places.
  • PrintHood: contains the shortcuts shown in the Printers folder.
  • Recent: contains shortcuts to recently opened files, programs, and settings.
  • SendTo: contains shortcuts to storage locations and applications, which make up the right-click "Send To" menu.
  • Start Menu: contains the shortcuts shown in the Start menu.
  • Templates: contains shortcuts for template items.

NOTE: Windows Explorer's folder name "translation" feature.

By default these folders have English names, but when you open the profile folder in Explorer on the Chinese version of Windows, you will find that some folders show Chinese names. This is for ease of use: the name "translation" feature of Windows Explorer automatically displays the names of some frequently used folders as friendlier Chinese names. On the file system, however, these folders still use their English names.

Although the Windows XP user profile namespace is convenient, it has some shortcomings:

  • Application data and user data are both stored in the user profile, which means the two kinds of data are mixed together. For example, %SystemDrive%\Documents and Settings\user_name\Local Settings\Application Data holds computer-specific data and settings that cannot (and should not) roam, and may also hold content too large to roam, so this design is not ideal.
  • My Pictures, My Music, and My Videos are subfolders of My Documents, and they usually contain very large media files. Once folder redirection is configured, large amounts of data may have to be transferred over the network at logon and logoff, extending both, and this transfer is often unnecessary.
  • There is no uniform convention for where third-party applications store per-user settings and data in the profile. Some applications create new subfolders under the profile folder instead of using the existing namespace locations; others save computer-specific information together with each user's settings in the Application Data folder, which can make the application unusable after roaming.

2. Windows 7 profile namespace

Because of these shortcomings, the user profile namespace changed considerably in Windows Vista, and Windows 7 keeps these changes. They include:

1) The root of the user profile namespace moved from %SystemDrive%\Documents and Settings to %SystemDrive%\Users, so a user's profile folder is now "%SystemDrive%\Users\username" instead of "%SystemDrive%\Documents and Settings\username".

2) The folders that hold user data no longer carry the "My" prefix, which makes the display more concise. This is where the "translation" feature of Windows Explorer needs mentioning again: in Windows 7 the folders in the profile namespace no longer have the "My" prefix on disk, but when Explorer translates their names it still adds the prefix (to confirm this, browse the profile folder in Windows Explorer and then in a command prompt window and compare).

3) The My Music, My Pictures, and My Videos folders in Windows 7 are no longer subfolders of My Documents; they are stored directly under the root of the profile folder, at the same level as My Documents. This gives a better separation between the user's own data and application settings.

4) Several subfolders were added under the root of the profile folder to hold different kinds of user data and settings more conveniently. The five new subfolders are:

  • Contacts: the default location for the user's contact information.
  • Downloads: the default location for downloaded files.
  • Searches: the default location for saved searches (also called virtual folders).
  • Links: the default location for Windows Explorer favorites.
  • Saved Games: the default location for game save files.

5) To let applications roam better, three separate subfolders were created under the AppData folder, with the following roles:

  • Local: holds computer-specific application data and settings that cannot (and should not) roam, as well as user data or settings too large to roam effectively. AppData\Local in Windows 7 corresponds to Local Settings\Application Data in older versions of Windows.
  • Roaming: holds user-specific application data and settings that should (or must) roam. AppData\Roaming in Windows 7 corresponds to the Application Data folder in the root of the profile folder in older versions of Windows.
  • LocalLow: a folder to which low-integrity processes are granted write access. Operations performed by low-integrity processes cannot affect the operating system; for example, applications launched by Internet Explorer in protected mode can store their data and settings only in this folder. LocalLow is new in Windows Vista/7.

6) The All Users profile has been renamed Public to better reflect its purpose. Everything stored in this folder is available to all users of the machine, and some of its subfolders (such as Desktop) are merged into the user's own profile folder after the user logs on to the machine.

7) The Default User profile has been renamed Default, and it plays the same role as Default User in Windows XP. The Default profile in Windows 7 is never loaded; it is only copied when a new profile is created, so it serves as the template for the profile created when a user logs on to the machine for the first time.
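The three points above that are easiest to misread (the real on-disk names behind Explorer's translated ones, the missing "My" prefix, and what makes LocalLow special) can all be checked from a PowerShell prompt. The script below is an added example, not code from the original article; it assumes Windows Vista/7 or later, Windows PowerShell 2.0 or later and icacls.exe, which is included with Windows. It reads the LocalizedResourceName entry from each folder's desktop.ini, which is the mechanism behind the "translation" feature described in the NOTE in the Windows XP section, and it reads the integrity label on AppData\LocalLow with icacls.

```powershell
# Added example (not from the original article): walk the Windows 7 profile namespace.
# (1) real on-disk path of each known folder, (2) how Explorer "translates" folder names,
# (3) the integrity label that lets low-integrity processes write to AppData\LocalLow.
# Assumes Windows Vista/7+, Windows PowerShell 2.0+ and icacls.exe (ships with Windows).

'== 1. Known folders and where they really live =='
# Environment.SpecialFolder still uses the old "My" names; the paths show the new layout.
$known = 'MyDocuments', 'MyPictures', 'MyMusic', 'Desktop', 'ApplicationData', 'LocalApplicationData'
foreach ($k in $known) {
    "{0,-22} {1}" -f $k, [Environment]::GetFolderPath($k)
}

'== 2. Explorer name translation: LocalizedResourceName in desktop.ini =='
function Get-LocalizedName {
    # Returns the LocalizedResourceName value from a folder's desktop.ini, or $null if absent.
    param([Parameter(Mandatory=$true)][string]$Folder)
    $ini = Join-Path $Folder 'desktop.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return $null }
    $line = Get-Content -LiteralPath $ini -Force |
        Where-Object { $_ -match '^\s*LocalizedResourceName\s*=' }
    if ($line) { return (@($line)[0] -split '=', 2)[1].Trim() }
}
$dirs = Get-ChildItem -LiteralPath $env:USERPROFILE -Force | Where-Object { $_.PSIsContainer }
foreach ($dir in $dirs) {
    $loc = Get-LocalizedName $dir.FullName
    if ($loc) { "{0,-15} displayed via resource {1}" -f $dir.Name, $loc }
}
# A value of the form "@%SystemRoot%\system32\shell32.dll,-NNNN" points at a string resource,
# which is why the folder keeps its English name on disk while Explorer shows a localized one
# (and, for Documents/Music/Pictures, may add a "My" prefix the file system does not have).

'== 3. Integrity label on AppData\LocalLow =='
$lowPath = Join-Path $env:USERPROFILE 'AppData\LocalLow'
# icacls prints the label as a line like: Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
# (NW = no-write-up: a lower-integrity process may not write to higher-labelled objects).
$label = icacls $lowPath | Where-Object { $_ -match 'Mandatory Label' }
if ($label) { "LocalLow: $(@($label)[0].Trim())" } else { 'LocalLow: no explicit label found' }
foreach ($name in 'Local', 'Roaming') {
    $p = Join-Path $env:USERPROFILE "AppData\$name"
    $l = icacls $p | Where-Object { $_ -match 'Mandatory Label' }
    if ($l) { "${name}: $(@($l)[0].Trim())" } else { "${name}: no explicit label (treated as Medium)" }
}
```

The contrast in step 3 is the whole point of LocalLow: Local and Roaming carry no explicit label and therefore default to Medium integrity, so a low-integrity process such as Internet Explorer in protected mode can write only under LocalLow.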

4. Parental Control

First, we need to create an account to which parental controls will apply; it can only be a standard account.

The computer administrator account must also be password protected; otherwise all of these settings are in vain.

Parental controls in Windows 7 cover three areas: time limits, game controls, and program controls. First, log on with the computer administrator account, open "Control Panel" → "User Accounts and Family Safety" → "Parental Controls", and select the account to be controlled.

Below is the settings screen; make sure parental controls are switched on.

Time control: click a time slot in the grid to toggle it between blocked and allowed.

When the controlled account logs on during a blocked time period, a message says that it cannot log on, as shown in the figure.

Game permissions can be set by game rating, but since there is currently no game rating regulation in China, games that cannot be blocked by rating can be blocked individually by name.

If a game is set to be unavailable, a message says that it has been blocked, and the Start menu also marks it as unusable, as shown in the figure.

In the program settings you can either allow all programs or allow only specific ones; the system lists the programs it can find, and you check the ones the account may use, or use the Browse button below to add programs that were not found.

When a program is blocked, a corresponding message appears, as shown in the figure.

2. User Account Control

1. Introduction to UAC

User Account Control (UAC), originally named User Account Protection, is a technology introduced by Microsoft in Windows Vista to improve system security. It requires all users to run programs and tasks in standard account mode, which prevents unauthorized program installation and prevents, or prompts about, improper changes to system settings by standard users.

In Windows 7, Microsoft improved UAC considerably: while keeping the same security, elevation prompts appear less often, and the prompt level can be adjusted as needed, so both security and ease of use are improved.

Many security articles have long recommended logging on with a standard account for everyday work and using an administrator account only for administrative tasks. In practice, before Windows Vista it was often difficult to use a non-administrator account for routine work, mainly because:

  • Many applications would only run with administrator privileges, even a very simple little game.
  • Running an application with lower privileges usually required the Runas command, which is inconvenient.
  • Some operations of Windows itself, such as changing the time zone or adding a printer, also required administrator privileges.

The UAC feature in Windows Vista/7 makes it much easier to use an account without administrator privileges. Specifically:

  • Most applications run without administrator privileges. Applications designed for Windows 7 do not require unnecessary administrator privileges, and UAC provides backward compatibility for problematic programs through file system and registry virtualization.
  • Applications that require administrator privileges show an elevation prompt only when necessary. For example, when changing an application's configuration, an option that affects only the current user can be changed directly, while changes that affect the whole system go through the elevation prompt.
  • Common tasks no longer require administrator privileges. Windows 7 includes many improvements so that standard users can perform most common configuration tasks without providing administrator credentials. For example, in older versions of Windows only administrators could change the time zone, but in Windows 7 ordinary users can, which is very convenient for people who travel across the country. Because changing the system clock has greater impact, however, only administrators can still change the system clock in Windows 7.
  • Features that require administrator privileges are marked by the operating system with a shield icon. In older versions of Windows, users often could not tell which features required administrator privileges and only met an error message when they actually tried to make a change. In Windows 7, anything that requires administrator privileges is marked with a prominent shield icon.
  • Even when you log on with an administrator account, Windows 7 still runs applications with standard user privileges by default. Although most users are advised to log on with a standard account, some are used to logging on as an administrator. Under the protection of UAC, the programs they run still use standard user privileges, which is undoubtedly more secure.

Because the use of privileges has changed so much, Windows Vista/7 with UAC behaves differently from Windows XP in some respects; the differences are shown in the following table.

UAC is a useful feature, but because of some misunderstandings it has been widely questioned. Many people feel that it does not improve security but only makes the system harder to use, because many old programs have compatibility problems with it and many operations become more cumbersome.

Unlike older versions of Windows, when a user logs on with an administrator account in Windows 7, Windows creates two access tokens for that account: a standard token and an administrator token. Most of the time, when the user accesses a file or runs a program, the system uses the standard token automatically, and it uses the administrator token only when the standard one is insufficient (that is, when the program declares that it requires administrator privileges). If a program does not declare that it needs administrator privileges, some of its functions may not work, or it may fail to run at all; this is the main cause of application compatibility problems when UAC is enabled.
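The two tokens can be told apart from inside a process. With the standard (filtered) token, the BUILTIN\Administrators group is still present but marked "used for deny only", so membership checks treat the user as a non-administrator; with the administrator token the group is enabled. The following added example (not code from the original article) classifies the current session as a standard user, an administrator running with the filtered token, or an elevated administrator. It assumes Windows PowerShell 2.0 or later and whoami.exe.

```powershell
# Added example (not from the original article): distinguish the standard (filtered) token
# from the administrator token on a UAC-enabled system.
# Assumes Windows PowerShell 2.0+ and whoami.exe (both ship with Windows 7).

function Get-TokenState {
    # Returns 'StandardUser', 'FilteredAdministrator' or 'ElevatedAdministrator'.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole counts only groups that are enabled in the token. In the filtered token of an
    # administrator, BUILTIN\Administrators is present but "deny only", so this returns $false
    # even though the account is a member of the group.
    if ($principal.IsInRole($adminRole)) { return 'ElevatedAdministrator' }

    # whoami /groups exposes the attribute that IsInRole hides: the Attributes column of
    # S-1-5-32-544 reads "Group used for deny only" under the filtered token.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if ($adminEntry -and $adminEntry.Attributes -match 'deny only') {
        return 'FilteredAdministrator'
    }
    return 'StandardUser'
}

function Get-IntegrityLevel {
    # The mandatory label in the token: Medium for a filtered/standard token, High for an elevated one.
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }
    if ($label) { @($label)[0].'Group Name' } else { '<no label reported>' }
}

$state = Get-TokenState
switch ($state) {
    'ElevatedAdministrator' { 'Running with the administrator token (already elevated).' }
    'FilteredAdministrator' { 'Administrator account, but this process holds the standard token; using the administrator token would require an elevation prompt.' }
    'StandardUser'          { 'Standard account; elevation would require an administrator password.' }
}
"Integrity level: $(Get-IntegrityLevel)"
```

Run it from a normal PowerShell window and again from one started with "Run as administrator": the same account reports FilteredAdministrator and a Medium label in the first case and ElevatedAdministrator with a High label in the second, which is the two-token mechanism described above made visible.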

This mechanism for separating administrator privileges is called UAC (User Account Control). Put simply, UAC is a special "reduced privilege" mode of operation.

When an operation requiring administrator privileges is performed, the system first shows a "UAC" dialog asking the user to confirm (if the current user is an administrator) or to enter the password of an administrator account (if the current user is a standard user). Only when the correct credentials are supplied is the file accessed or the program run with the administrator token. This process of asking for confirmation or an administrator password is called "elevation".

Windows 7 has two different elevation dialogs, depending on the account type. If you are logged on with an administrator account, the elevation dialog appears as shown, and you simply confirm to continue.

If you are logged on with a standard account, the elevation dialog appears as shown, and you must enter the password of an administrator account to continue.

In the elevation dialog for an administrator account you can see the name of the program that is about to run with administrator privileges; clicking the "Details" button shows the program's installation path and other information. Depending on the situation, click "Continue" to run the program or "Cancel" to stop.

In the elevation dialog for a standard account, in addition to the above, all administrator accounts on the machine are listed. Select an administrator account, enter its password, and click "Continue" to run the program.

In addition, the background color of the top band of the elevation dialog changes depending on the program being run as administrator. The colors and their meanings are:

  • A red background with a red shield icon: the program's publisher is blocked, or the program is blocked by Group Policy. Be extremely careful when you see this elevation dialog.
  • An orange background with a red shield icon: the program is not trusted by the local computer (mainly because it has no trusted digital signature or its digital signature is damaged).
  • A blue-green background: the program ships with Windows Vista (it carries Microsoft's digital signature).
  • A gray background: the program is signed and trusted by the local computer (it has a trusted digital signature).

In Windows 7, a colored shield icon appears next to many options, as shown in the figure.

This icon means that the option requires higher privileges and must be elevated through UAC before it can be used.

2. Configure UAC

People who are prejudiced against UAC mainly fall into two groups.

Novices often feel that UAC makes already cumbersome operations even more cumbersome, because many operations require confirmation or an administrator password.

People who know about UAC and system security believe that although UAC puts artificial obstacles in the way of malware, it cannot solve the problem completely. For example, if a virus needs to modify system settings or damage the system and the anti-virus software fails to intercept it in time for whatever reason, UAC will ask the user to complete the elevation; but if the user does not understand what is happening and casually clicks "Continue", the virus still runs successfully.

Both views are understandable. After UAC is enabled, many operations do require elevation, but most do not. For example, right after Windows is installed we may need to adjust a number of system settings, and UAC may interrupt us frequently during this process. Once the system is configured, however, most people rarely or never need to adjust important system options again in normal use, so UAC is no longer so "disturbing".

As for applications, some programs need elevation every time they run because of their nature, for example because they read and write key system files directly or work at a low level of the system. But this is a rare case. As Windows operating systems with UAC such as Windows Vista/7 become more widespread and developers produce programs with better UAC compatibility, this will happen less and less.

As for the concern that people who do not understand the whole mechanism casually click "Continue" when the UAC elevation dialog appears: this does happen. But the weakest link in security is always the user, and the operating system cannot intervene directly in the user's actions. If the user wants to execute a certain virus file, the operating system cannot judge whether this is by accident or deliberate, for instance to study the virus. All Windows can do is use the elevation dialog to tell the user that the operation requires higher privileges and caution. Whether to accept the operating system's advice and continue the operation is still up to the user.

On the other hand, the elevation process can still improve security. Suppose we download a software installer from the Internet and the installer has been bundled with a virus without our knowledge. We know the software is developed by Company A and carries Company A's digital signature, yet when we run it Windows suddenly shows an elevation dialog saying that an unsigned program, or one signed by Company B, requires administrator privileges to install. Anyone who knows something about how UAC works will notice the problem at this point.
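What the elevation dialog is reporting in the Company A / Company B scenario is the Authenticode signature of the program, the same property that decides the dialog colors listed earlier (blocked, unsigned or broken signature, Microsoft-signed, or signed and trusted). The script below is an added example, not code from the original article; it uses the built-in Get-AuthenticodeSignature cmdlet (Windows PowerShell 2.0 or later) to map a file's signature state to the dialog appearance the article describes, and to check a signer against the publisher you expected. The path and organization name in the usage lines are placeholders to replace with the installer you are about to run.

```powershell
# Added example (not from the original article): inspect the signature that the elevation
# dialog bases its appearance on, before deciding whether to click "Continue".
# Assumes Windows PowerShell 2.0+ (Get-AuthenticodeSignature is built in).
# Caveat: Windows' own binaries are usually catalog-signed, and older PowerShell versions
# check only embedded signatures, so "NotSigned" for a file under %SystemRoot% is not
# alarming; use this on downloaded installers, which carry embedded signatures.

function Get-ElevationTrust {
    # Maps a file's signature state to the dialog colors described in the article.
    param([Parameter(Mandatory=$true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    $verdict = switch ("$($sig.Status)") {
        'Valid' {
            if ($signer -match 'O=Microsoft') { 'Windows component (Microsoft signature): blue-green dialog' }
            else { 'Signed and trusted by this computer: gray dialog' }
        }
        'NotSigned' { 'Unsigned: orange dialog with red shield' }
        default     { "Signature present but $($sig.Status) (damaged or untrusted chain): orange dialog with red shield" }
    }
    New-Object PSObject -Property @{
        File    = $Path
        Status  = "$($sig.Status)"
        Signer  = $signer
        Verdict = $verdict
    }
}

function Test-ExpectedPublisher {
    # The article's warning case: you expect Company A, but the signer is Company B or nobody.
    # Returns $true only for a valid signature whose subject names the expected organization.
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$ExpectedOrganization)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ("$($sig.Status)" -ne 'Valid') { return $false }
    return ($sig.SignerCertificate.Subject -match ('O=' + [regex]::Escape($ExpectedOrganization)))
}

# Usage (placeholders: replace with the installer you downloaded and the publisher you expect)
$installer = 'C:\Users\Public\Downloads\setup.exe'   # placeholder path
$expected  = 'Company A'                             # placeholder publisher name
if (Test-Path -LiteralPath $installer) {
    Get-ElevationTrust $installer | Format-List File, Status, Signer, Verdict
    "Signed by the publisher I expected ($expected): $(Test-ExpectedPublisher $installer $expected)"
} else {
    "Placeholder path $installer does not exist; point `$installer at a real downloaded file."
}
```

A $false from Test-ExpectedPublisher is exactly the situation the paragraph above describes: the elevation dialog will name a different publisher (or none), and that mismatch, not the prompt itself, is the signal to click "Cancel".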

In the default settings of Windows 7, many UAC behaviors have been refined to make them less annoying, and the UAC prompt level can also be changed through an option. The following describes how to make UAC quieter while still keeping the system secure.

1. Modify the default prompt level

If you find the default UAC in Windows 7 still annoying, you can adjust the prompt level as follows:

  • Log on to Windows 7 with an administrator account and open the Control Panel.
  • In Control Panel, click User Accounts and Family Safety → User Accounts → Change User Account Control Settings.
  • In the screen shown in the figure, adjust the UAC prompt level with the slider. Five levels are provided; from top to bottom security decreases, and so does the amount of "disturbance".
  • To turn off UAC prompts completely, drag the slider to the bottom. This does not disable UAC; UAC simply no longer displays any prompts.
  • Click the "Apply" button. Depending on the setting chosen, the system may need to restart for the change to take effect.

The differences between these levels and the recommended environment for each are listed in the table below.

For ordinary users it is usually advisable to lower the default (third) level by one step. This keeps the same protection as the default setting, except that the screen is no longer dimmed when the UAC elevation dialog is shown; the dimmed screen is the so-called "secure desktop".

By default, Windows 7 dims the desktop background when the UAC elevation dialog pops up. The main reason for this is not to make the dialog stand out but security: the UAC dialog runs on a secure desktop, and apart from trusted system processes no user-level process can run there. This prevents phishing-style attacks by malicious programs.

For example, suppose a piece of malware intends to forge the UAC elevation dialog in order to steal the user's account name and password. Without the secure desktop, a user who cannot tell the real elevation dialog from a fake one, or who is faced with a very realistic fake, may reveal the password. With the secure desktop, the real elevation dialog is shown on the secure desktop, where the user cannot interact with the interface of any other program, so a large class of security problems is avoided.

The secure desktop feature is well-intentioned, but in some cases it can be more annoying than the UAC elevation dialog itself. For example, when switching to the secure desktop, the entire screen first goes black, then everything else on the desktop is dimmed and becomes inoperable. During the blackout the system takes a screenshot of the entire desktop, displays it full-screen on the secure desktop as a background, and shows the elevation dialog on top of it. On computers whose hardware is not powerful enough, or whose display driver has problems, this can make the switch slow and disrupt normal work. Therefore, if you cannot stand the secure desktop feature, you can consider lowering the UAC prompt level by one level.

2. Control UAC with policy

Before proceeding you need to adjust Group Policy settings, but only the Business, Enterprise and Ultimate editions of Windows 7 include the Group Policy feature; the Home Basic and Home Premium editions of Windows 7 do not come with Group Policy.

Open the "Start" menu, enter "secpol.msc" in the "Search" box and press Enter to open the Local Security Policy console. Navigate to "Security Settings" → "Local Policies" → "Security Options" in the console tree on the left side of the window, and you will find 10 policies whose names begin with "User Account Control" in the right pane, as shown in the figure.

The 10 policies are described below.

1) Elevation prompt behavior for standard users

This policy determines whether a user logged in with a standard user account sees an elevation dialog when running a program that requires administrator privileges. By default, a user logged in with a standard account is asked to enter the login credentials (that is, the password) of an administrator account when running such a program, but by configuring this option the user will see no prompt at all. In that case the user cannot proceed by providing administrator credentials to gain elevated privileges. However, this setting does not prevent users from right-clicking a program's shortcut and selecting "Run as administrator" to elevate it.

If you want standard users to see the UAC elevation dialog when required, set this policy to "Prompt for credentials", which is the default setting. If you do not want standard users to see the UAC elevation dialog, set this policy to "Automatically deny elevation requests".

2) Elevation prompt behavior for admins in admin approval mode

This policy determines whether administrator accounts that run in Admin Approval Mode see an elevation prompt when running programs that require administrator privileges, and also how that prompt works. By default, administrators are asked for consent to run a program that requires administrator privileges and simply click the "Continue" button to complete the elevation, without entering their own password. If this option is configured, administrators must also enter their own password, just as standard users do. The option can also be configured so that the administrator sees no prompt at all; in that case the administrator cannot elevate. This does not prevent administrators from right-clicking a program shortcut and selecting "Run as administrator", though. Note that this policy does not affect the system's built-in Administrator account.

For this policy the default "Prompt for consent for non-Windows binaries" is recommended: you will only see the elevation dialog when a program that did not ship with Windows needs to be elevated, while programs that come with Windows elevate directly. If you want the administrator account to elevate directly, without any UAC elevation dialog, even when running a non-Windows program that requires administrator privileges, set the policy to "Elevate without prompting" (this is generally not recommended). If you want the administrator account to see the UAC elevation dialog for every program that requires administrator privileges but only have to click the "OK" button to continue, set the policy to "Prompt for consent" (acceptable if the computer is used only by you).

If you want the administrator account to see the UAC elevation dialog when running a program that requires administrator privileges, and to have to enter its own password or the password of another administrator account before continuing, set this policy to "Prompt for credentials" (recommended if other people occasionally need to run programs under your account).

3) Detect application installations and prompt for elevation

This policy determines whether Windows automatically detects application installations and prompts for elevation or consent. Because the policy is enabled by default, Windows detects when an installer runs and, if necessary, prompts the user for elevation or consent so that the installation can proceed. If the policy is disabled, the user is not prompted and therefore cannot elevate by providing administrator credentials.

In other words, if you want UAC to elevate automatically when it detects an installer, prompting the user to click the "Continue" or "Allow" button or to enter an administrator password, set this policy to "Enabled". If you want UAC not to elevate when it detects an installer, so that users are completely prevented from installing programs that require elevation, set this policy to "Disabled". Doing so does not prevent the normal installation of the small number of programs that do not require elevation and can be installed with standard permissions. And if you right-click the installer's icon and select "Run as administrator", the elevation prompt still appears and the installation proceeds; this policy has no effect in that case.

4) Redirect file and registry write failures to per-user locations

This policy determines whether file and registry virtualization is enabled. Because the policy is enabled by default, writes that fail because they target protected files or registry keys are redirected to a per-user virtual location instead of the actual location the program is trying to write to. If the policy is disabled, an application that tries to write to a protected folder or registry key simply fails, and no prompt is shown.

Note that disabling this policy may stop some older applications that were not written for Windows 7 from running normally, while the policy has little effect on ordinary interactive use. For security reasons it is best not to change the default setting of this policy.

5) Only elevate UIAccess apps that are installed in a safe location

This policy determines whether only UIAccess programs installed in safe locations on the file system can be elevated. If this policy is enabled, only UIAccess programs located under %SystemRoot%\Program Files, %SystemRoot%\Program Files (x86), or %SystemRoot%\Windows\System32 will be affected.

What is the UIAccess program?

UIAccess is a technology for improving software accessibility, but some design features of UAC can get in its way. For example, a blind user usually relies on screen-reading software (a UIAccess program) that turns the menus, dialog boxes and so on displayed on the screen into speech, so that the computer can be operated correctly. However, when the secure desktop is enabled, the screen reader cannot interact with the secure desktop and cannot read the elevation dialog shown there, which is inconvenient for blind users. The designers of UAC therefore took these special cases into account and allow such assistive software to be elevated so that it can keep assisting the user.

This policy affects Windows' integrity level checks and has little impact on ordinary users' interaction, so it is recommended to keep the default setting. Naturally, this policy only matters if you use the secure desktop; if you have disabled the secure desktop you can ignore it.

6) Switch to the secure desktop when prompted to elevate

This policy determines whether Windows 7 switches to the secure desktop when an elevation prompt is displayed. The secure desktop confines the prompting program and process to that desktop environment, which reduces the likelihood that malware or a user can interfere with a process that is requesting elevation.

This security option is enabled by default and can be disabled if you do not want Windows to switch to the secure desktop before prompting for elevation. However, this may make the computer more vulnerable to malware infection and attack. If your only goal is to avoid the secure desktop, the easier way is the method introduced above: turn the default UAC prompt level down by one level.

7) Run all admins in admin-approved mode

This policy determines whether Admin Approval Mode is used for users logged in with an administrator account. By default, this policy is enabled, which means that administrators also run in Admin Approval Mode, so administrator accounts encounter elevation prompts when appropriate. If this setting is disabled, users logged in with administrator accounts are not subject to Admin Approval Mode and will not see an elevation prompt.

Simply put, if this policy is enabled, UAC can be enabled for administrator accounts; if this policy is disabled, UAC for administrator accounts will also be disabled (UAC for standard users will still be enabled).

8) Admin approval mode for built-in admin accounts

This policy determines whether users and processes logged in with the system's built-in Administrator account are restricted by UAC. By default, this policy is enabled, which means that the built-in Administrator account is also restricted by UAC and by the elevation prompt behavior setting for administrator accounts. If this setting is disabled, users and processes using the built-in Administrator account are not placed in Admin Approval Mode and, therefore, are not subject to the elevation prompt behavior setting for administrator accounts.

To put it simply, if you want the built-in Administrator account to be restricted by UAC, set this policy to "Enabled"; if you do not want the built-in Administrator account to be restricted by UAC, set this policy to "Disabled".

9) Allow UIAccess applications to elevate privileges without using the secure desktop

The purpose of UIAccess programs has been introduced above, and such programs can likewise be elevated under policy. This raises a new problem, however: before a UIAccess program is elevated it cannot interact with the secure desktop, yet when it is elevated the secure desktop still appears, which is still inconvenient.

Therefore, by enabling this policy, all other programs are still elevated on the secure desktop, while the elevation of UIAccess programs is not performed through the secure desktop. Naturally, this policy only matters if you use the secure desktop; if you have disabled the secure desktop you can ignore it.

10) Only promote signed and verified executables

This policy determines how the system treats different types of executable files. If you want to prevent users from running unsigned or unverified executable files, set the policy to "Enabled"; if you do not want to prevent users from running unsigned or unverified executable files, set the policy to "Disabled", which is the Windows 7 default.
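The ten policies above are stored as registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is also how the setting can be inspected on Home editions that lack the Local Security Policy console. The following PowerShell script is an added example, not part of the original article: it reads each value, substitutes the Windows 7 default when the value is absent, and flags the settings the text advises against (elevating without prompting, turning off the secure desktop, and disabling Admin Approval Mode). The value names are the documented ones; the defaults and the "weakened" judgement are this example's own reading of the text.

```powershell
# Added example (not from the original article): audit the ten UAC policies
# by reading the registry values that back them.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy number as listed in the text, registry value name, Windows 7 default
# (assumed from the text), values the text advises against, and a short note.
$UacPolicies = @(
    @{ No = 1;  Name = 'ConsentPromptBehaviorUser';   Default = 3; Weak = @();  Note = 'standard users: 0 = auto deny, 1 = credentials on secure desktop, 3 = credentials' }
    @{ No = 2;  Name = 'ConsentPromptBehaviorAdmin';  Default = 5; Weak = @(0); Note = 'admins: 0 = elevate without prompting, 5 = consent for non-Windows binaries' }
    @{ No = 3;  Name = 'EnableInstallerDetection';    Default = 1; Weak = @();  Note = '1 = detect installers and prompt for elevation' }
    @{ No = 4;  Name = 'EnableVirtualization';        Default = 1; Weak = @();  Note = '1 = redirect file/registry write failures per user' }
    @{ No = 5;  Name = 'EnableSecureUIAPaths';        Default = 1; Weak = @(0); Note = '1 = elevate UIAccess apps only from secure locations' }
    @{ No = 6;  Name = 'PromptOnSecureDesktop';       Default = 1; Weak = @(0); Note = '1 = show elevation prompts on the secure desktop' }
    @{ No = 7;  Name = 'EnableLUA';                   Default = 1; Weak = @(0); Note = '1 = all administrators run in Admin Approval Mode (UAC on)' }
    @{ No = 8;  Name = 'FilterAdministratorToken';    Default = 0; Weak = @();  Note = '1 = built-in Administrator also uses Admin Approval Mode' }
    @{ No = 9;  Name = 'EnableUIADesktopToggle';      Default = 0; Weak = @(1); Note = '1 = UIAccess apps may prompt without the secure desktop' }
    @{ No = 10; Name = 'ValidateAdminCodeSignatures'; Default = 0; Weak = @();  Note = '1 = only signed and validated executables may elevate' }
)

function Get-UacPolicyState {
    param([string]$Key = $UacPolicyKey)
    # Reading HKLM needs no elevation; only writing these values does.
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $UacPolicies) {
        $value = $props.$($p.Name)
        # A missing value means the operating-system default applies.
        $effective = if ($null -eq $value) { $p.Default } else { [int]$value }
        [pscustomobject]@{
            Policy    = $p.No
            ValueName = $p.Name
            Effective = $effective
            Default   = $p.Default
            Weakened  = ($p.Weak -contains $effective)
            Note      = $p.Note
        }
    }
}

Get-UacPolicyState | Format-Table -AutoSize
```

Rows with Weakened set to True correspond to the configurations the text calls "generally not recommended"; a row whose Effective value differs from Default but is not flagged is simply a deliberate, stricter choice (for example policy 1 set to 0, which denies standard users elevation entirely).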

3. Advanced UAC setting skills

By adjusting the policies above, UAC should already be much easier to live with. But users whose edition of Windows 7 has no Group Policy feature, or who are still not satisfied after adjusting the policies, can try the following tips.

1) Temporarily bypass UAC

Sometimes we face the situation that a large number of system settings need to be adjusted in a short period of time (for example, during the configuration phase right after Windows is installed), and elevating through UAC every single time feels redundant. Many people's first thought is to disable UAC temporarily and enable it again after all the settings have been changed. But this has drawbacks: enabling or disabling UAC requires a restart to take effect, which is very inefficient.

In addition, if you still need to run Internet Explorer to look things up while UAC is disabled, you are browsing without UAC's protection, and malicious code embedded in a web page is then likely to endanger system security.

In fact, there is a better way: without disabling UAC or restarting the system, you can bypass UAC temporarily. The specific steps are as follows:

  1. Right-click the blank space of the Windows taskbar, select "Task Manager" to open the task manager.
  2. Switch to the "Processes" tab, right-click the "explorer.exe" process, and select "End Process". The Windows taskbar, desktop icons, and all open Explorer windows will disappear.
  3. Still under the "Processes" tab of Task Manager, click the "Show processes from all users" button and accept the UAC elevation prompt.
  4. Click the "New Task (Run)" command under the "File" menu in the Task Manager window, and enter "explorer" in the subsequent "Create New Task" dialog box that appears and press the Enter key.
  5. Next, the Windows taskbar and desktop icons will reappear. In this case, programs or options executed through the control panel or other means do not need to be elevated and have administrator privileges directly.

This is a handy trick; how does it work? Before explaining, you first need to understand two concepts: parent process and child process. As the names imply, if a program A starts another program B, the two are in a parent-child relationship: program A is the parent process of program B, and program B is a child process of program A. For a more concrete example, if you run cmd.exe to open a Command Prompt window and then execute a command-line program in that window, such as ping.exe, then cmd.exe is the parent process of ping.exe, and ping.exe is a child process of cmd.exe.

When UAC is enabled and a user logs in to Windows, Windows first starts explorer.exe with a standard token. This process is commonly known as the Windows shell and can be understood as the initial process (the parent process of all other user processes). The Windows taskbar, desktop icons and "Start" menu we see are all generated by the Windows shell. After logging in, if you need to change a system option through the "Control Panel", then because the "Control Panel" is also part of the Windows shell, and because the Windows shell was started with a standard token, the options in the "Control Panel" (a child process of the Windows shell) are also launched with the standard token, and because of insufficient privileges we get the UAC elevation dialog.

In step 3, clicking the "Show processes from all users" button elevates Task Manager to administrator privileges. The Windows shell started from Task Manager in step 4 therefore becomes a child process of the elevated Task Manager and inherits its administrator token, giving us an elevated Windows shell. Modifying other system options from this elevated shell naturally requires no further elevation.
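The token a process holds and the parent it inherited it from can both be checked directly. The following PowerShell script is an added example, not part of the original article: run it from an ordinary PowerShell window and again from a window opened by the elevated Explorer described in the steps above, and the first line changes from False to True while the ancestry listing shows which process handed down the token. Get-WmiObject is used rather than Get-CimInstance because the former is available on the PowerShell version that ships with Windows 7; the depth limit is the example's own guard against reused process IDs.

```powershell
# Added example (not from the original article): report whether the current
# process holds an elevated administrator token and list its parent chain.
function Test-ProcessElevated {
    # In Admin Approval Mode a non-elevated administrator process carries the
    # Administrators group as deny-only, so IsInRole returns False for it and
    # True only for a process running with the full (elevated) token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ProcessAncestry {
    # Walk ParentProcessId links from the given process toward the root.
    # Stop after $MaxDepth hops: a parent PID may have exited and been reused,
    # which could otherwise produce a misleading or circular chain.
    param([int]$ProcessId = $PID, [int]$MaxDepth = 16)
    $chain   = @()
    $current = $ProcessId
    for ($i = 0; $i -lt $MaxDepth -and $current -ne 0; $i++) {
        $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $current"
        if ($null -eq $proc) { break }   # parent already gone (e.g. an ended Task Manager)
        $chain += [pscustomobject]@{
            ProcessId       = $proc.ProcessId
            Name            = $proc.Name
            ParentProcessId = $proc.ParentProcessId
        }
        $current = $proc.ParentProcessId
    }
    return $chain
}

"Current process elevated: $(Test-ProcessElevated)"
Get-ProcessAncestry | Format-Table -AutoSize
```

When the chain shows powershell.exe under an explorer.exe that was itself started from taskmgr.exe, and the first line reads True, you are looking at exactly the inherited-token situation the text describes; an elevated shell that stays open longer than the configuration work requires is the thing to watch for, which is why the next set of steps returns to a standard-token shell.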

What if you need to reopen the Windows shell with standard permissions after modifying the settings? You can do the following:

  • Right-click the blank space of the taskbar, select "Task Manager" to open the task manager window (please consider what permissions this task manager process has).
  • End the elevated explorer.exe process under the Processes tab, then close the Task Manager window.
  • Press the "Ctrl+Alt+Del" key combination to open the Windows security screen, then click the "Start Task Manager" button; the Task Manager window opens automatically (what permissions does this Task Manager process have?).
  • Click the "New Task (Run)" command under the "File" menu, and enter "explorer" in the "Create New Task" dialog box that appears, and press the Enter key.

2) Let UAC and file operations coexist peacefully

As early as the testing phase of Windows Vista, some testers joked that to completely delete a file on the desktop of Windows Vista, including emptying the recycle bin, seven steps are required. This problem did exist in the early beta version, but the subsequent official version has greatly simplified this kind of operation.

However, when working with files in Windows 7, especially files on the system drive, we may often see UAC's "Elevation" dialog. This is mainly because, to ensure security, Windows places relatively strict permission restrictions on system files. Many files therefore cannot be modified or accessed directly after logging in with a standard account or even an administrator account (the exact restrictions depend on the file's purpose and its security requirements); the operation can only be completed after elevation.

If you only need to work with such files occasionally, elevating is not a problem. But if you need to work with many system files in a short period of time, elevating for every file operation is cumbersome. We could bypass UAC temporarily, but that is not ideal: the method introduced earlier bypasses UAC for every program we run, whereas here we only need to work with files. So it is enough to start Windows Explorer itself as an administrator, as follows:

  • With the "Computer" window open, press the "Alt" key to display the menu bar.
  • Click "Tools" → "Folder Options" → "View" to open the "View" tab of the "Folder Options" dialog box.
  • Check the "Open folder windows in separate process" option and click the "OK" button.
  • Then close all open Windows Explorer windows.
  • Open the "Start" menu, enter "Explorer" in the search box, right-click the "Windows Explorer" shortcut in the search results, select "Run as administrator", and accept the UAC elevation prompt.
  • The Windows Explorer window that opens now has administrator privileges. In this window we can work with most system files without worrying about permission issues. A few files still cannot be touched, because even the administrator account lacks sufficient permissions on them and only the SYSTEM account can access them; after assigning the corresponding permissions to yourself, you can access those too.

4. Solve application compatibility issues

In addition to cumbersome operation, many people's dissatisfaction with UAC also concerns application compatibility, because older programs that can run under Windows 7 may encounter various problems in use because of UAC.

New versions of applications that are fully compatible with Windows 7 rarely encounter such problems, so the main concern is older programs. If a program runs normally under older versions of Windows but cannot run under Windows 7, or runs but suffers from strange failures, consider whether UAC is the cause.

For example, if a program runs normally under Windows 7, but every time you change its settings they are not saved and the previous settings are used the next time the program starts, UAC may be in the way. If a program runs normally under Windows 7 but some functions cannot be used, it may also be affected by UAC. How can such programs be made to work normally while keeping UAC enabled to protect the system?

Note that although a Windows 7-compatible application is not hampered by the presence of UAC, this does not mean that such a program never needs to be elevated; that depends mainly on the type of program and the operations it wants to perform. For example, a multimedia player compatible with Windows 7 can play audio and video files normally without elevation, but a disk defragmentation tool compatible with Windows 7 works at a low level of the system and must operate on the file system, so even though it is compatible with Windows 7 it still requires elevation to work properly. This is a normal design characteristic.

This leads to another question. Some programs ask for elevation when they run, and once elevated they work normally under Windows 7. Other programs (mainly old ones) do not ask for elevation when they run, do not work normally (for example, settings cannot be saved), and only work properly after being elevated. Why do some programs ask for elevation automatically and others not? This is the application manifest file at work.

By default, Windows 7-compatible applications use an application manifest file (Application Manifest) that contains runlevel information, which helps the operating system understand the privileges required by the program.

The application manifest file defines the privileges required by the application in the following ways:

  • RunAsInvoker runs the application with the same privileges as the current user, so any user can run it. For standard users and for users belonging to the Administrators group alike, the program runs with a standard access token; it runs with higher privileges only if the parent process that started it has an administrator access token. For example, if we open an elevated Command Prompt window and launch a program from within that window, the program runs with an administrator access token.
  • RunAsHighest runs the application with the highest privileges of the current user, such programs can be run by administrator users and standard users. The tasks that can be performed by the program depend on the user's privileges. For standard users, the program will run with a standard access token; for users belonging to user groups with higher privileges, such as the Backup Operators group, Server Operators group, or Account Operators group , the program runs with an access token that includes only the privileges the user currently has; for users belonging to the Administrators group, the program runs with a full administrator token.
  • RunAsAdmin runs the application with administrator privileges, and only administrators can run it. For standard users and for users belonging to groups with additional privileges, the program runs with an administrator access token only if the user can elevate (by providing administrator credentials) or if the program is started from an elevated parent process (for example, from an elevated Command Prompt window). For users belonging to the Administrators group, the program runs with an administrator access token after they approve the elevation.

The manifest file is a plain text file that can be opened with any text editor (for example, the Notepad program that comes with Windows). After opening the manifest file of a program (assuming the program is named app.exe, the corresponding manifest file is app.exe.manifest), you can see content such as the following:


The comment line declares the permissions the program below requires, and the line containing level="requireAdministrator" states explicitly that the program must be run with elevated administrator permissions.

Therefore, when we try to run a program under Windows 7, the system first checks whether the program has a manifest file and, if so, acts according to the declaration in it. For example, if the manifest declares that administrator permissions are required, the system displays the UAC elevation dialog for us to act on; if there is no manifest file, or the permissions declared in the manifest are standard user permissions, the program starts without elevation.

This makes it clear that the programs which cannot run properly under Windows 7 because of UAC are mostly those without a manifest file declaring the permissions they require. So how do we solve this problem? Write the manifest file by hand? There is no need for that trouble, because there are two ways to make a program run as an administrator under Windows 7.
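To make the manifest mechanism concrete, the following PowerShell script is an added example, not part of the original article. It constructs a minimal application manifest for a hypothetical app.exe, writes it next to that name in the temporary folder, and reads back the requestedExecutionLevel that UAC consults. The level values map onto the three modes listed above: asInvoker is RunAsInvoker, highestAvailable is RunAsHighest, and requireAdministrator is RunAsAdmin; the uiAccess attribute is the flag that marks the UIAccess programs covered by policies 5 and 9. The file name and path are assumptions for the example.

```powershell
# Added example (not from the original article): a constructed manifest for a
# hypothetical app.exe, plus a function that reads its requested execution level.
$manifestXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- Privileges required by the program below.
             requireAdministrator = RunAsAdmin (UAC prompts before start)
             highestAvailable     = RunAsHighest
             asInvoker            = RunAsInvoker (inherits the parent's token) -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

function Get-ManifestExecutionLevel {
    # Return the level attribute of requestedExecutionLevel, or a note that
    # no declaration exists (such a program starts without elevation, as the
    # text explains).
    param([Parameter(Mandatory = $true)][string]$ManifestPath)
    [xml]$doc = Get-Content -Path $ManifestPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('v3', 'urn:schemas-microsoft-com:asm.v3')
    $node = $doc.SelectSingleNode('//v3:requestedExecutionLevel', $ns)
    if ($null -eq $node) { return 'not declared (starts without elevation)' }
    [pscustomobject]@{
        Level    = $node.GetAttribute('level')
        UIAccess = $node.GetAttribute('uiAccess')
    }
}

# Assumed location for the example; a real manifest sits beside (or inside) the exe.
$manifestPath = Join-Path $env:TEMP 'app.exe.manifest'
Set-Content -Path $manifestPath -Value $manifestXml -Encoding UTF8
Get-ManifestExecutionLevel -ManifestPath $manifestPath
```

Changing the level in the constructed XML to asInvoker and re-running shows the other case the text describes: the function then reports a standard-user declaration, and UAC would start such a program without any prompt, which is exactly why an old program with no declaration at all silently fails to save its settings.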

1) Run the program once as administrator

Sometimes you may only occasionally need to run as an administrator a program that normally does not need it at all and that you otherwise run as a standard user. For such programs, right-click the program's executable file or shortcut icon and select the "Run as administrator" command from the context menu, as shown in the figure.


2) Configure compatibility mode to always run as administrator

If a program needs to be run frequently, using the method just described every time would be cumbersome. In that case you can configure compatibility mode so that the program runs as an administrator every time.

Right-click the executable file or shortcut icon corresponding to the program, select "Properties", open the "Properties" dialog box, and then select the "Compatibility" tab, and then you can see the interface as shown in the figure.

In the "Compatibility" tab, select the "Run this program as an administrator" option under "Privilege Level". From then on, whenever you double-click the program's executable file or shortcut, UAC displays an elevation prompt for you to act on. Note that this setting applies only to the currently logged-in user. If other users of this computer also need to use the program, then to spare everyone from configuring compatibility mode themselves you can first click the "Change settings for all users" button, accept the elevation, and then select the "Run this program as an administrator" option there, so that the other users can use it without any setting of their own.

3. Disable UAC

Find System and Security in Control Panel.

Click Administrative Tools.

Click System Configuration.

After the System Configuration window opens, click the "Tools" tab, select "Change UAC Settings", and click "Launch" in the lower right corner.

Once the settings window opens, drag the slider to the desired level.

A quicker way is to enter the commands directly:

  1. Enter msconfig in the "Run" dialog to open the System Configuration window directly.
  2. Enter X:\Windows\System32\UserAccountControlSettings.exe (where X is the system drive letter) in the "Run" dialog to open the UAC settings window directly.

3. File and Registry Virtualization

1. Introduction to virtualization

If a program saves its configuration information in the Windows directory while it runs, is that good behavior? Undoubtedly not, for three reasons:

  • Randomly writing new files to the system folder or modifying system files may affect the security or stability of the system.
  • Writing the program's own files into the system folder at will makes the contents of the system folder confusing and hard to manage.
  • Current operating systems are multi-user, and if an application in a multi-user system is also to support multiple users (different users on the same computer keep independent configurations of the same program, so that one user's settings do not affect another's), then the program's configuration information should be saved in each user's own profile folder, not all together in the Windows directory.

However, although multi-user operating systems have existed for many years and most people already use them, some third-party software developers still have bad habits. For example, the default installation location of a program may be the root directory of the C drive (even when the system is not installed on the C drive at all) and the installer does not allow another location to be chosen; or the program saves its configuration as .ini or similar files in the Windows directory (what is the registry for? And if you really want the software to be "green", why not save its configuration in its own installation directory?); and the uninstaller of some software cannot even remove the program from the system cleanly.

Apart from where files are saved, the registry has similar issues. For example, the Windows registry has a root key named HKEY_CURRENT_USER whose main purpose is to hold configuration information related to the current user. When each user logs in, Windows automatically builds that user's HKEY_CURRENT_USER root key from the user's profile (each user's HKEY_CURRENT_USER is independent and does not interfere with the others). By design, every user, whether an administrator or a standard account, can read and write the contents of HKEY_CURRENT_USER directly without permission restrictions (a standard user who runs regedit to open the registry sees no UAC elevation dialog for exactly this reason: the standard user can change the contents of the HKCU root key freely and needs no elevation). However, some developers are unaware of this and save their programs' configuration information in HKEY_LOCAL_MACHINE or other registry keys that not every account may read and write. As a result many programs can be installed and run only by administrator accounts, while standard accounts are prevented even from running them.

To solve this problem for both files and the registry, Microsoft uses file virtualization and registry virtualization in Windows 7. Simply put, the technique is a kind of "redirection". For example, if a program needs to write a file in the Windows directory, Windows automatically redirects the write to another dedicated folder. From the program's point of view it really did write the file to the Windows directory, and when the program later tries to read that file from the Windows directory, Windows redirects the read to the same folder. In this way the program can read and write files "in the Windows directory" while the files actually read and written are stored elsewhere.

File virtualization and registry virtualization work in the same way and take effect under the same conditions, but because operations on files are easier to observe, the following uses file virtualization as the example.

2. Use virtualization

How can I be sure that virtualization technology is working? Let's try doing something like this:

  • Run a program that is compatible with Windows 7, for example the Notepad that ships with Windows 7; enter some text in Notepad and then save the file.
  • When choosing the save location, select the Windows directory of the current system and save.
  • The program immediately reports that the file cannot be written to the Windows directory and asks whether to save it elsewhere (the "Documents" folder lives in the current user's profile, and the user naturally has full permissions on their own profile folder), as shown in the figure.

In the above case virtualization did not take effect, mainly because a newer, Windows 7-compatible program can handle the Windows restrictions on folder or registry permissions by itself. So what happens with an older program that is not compatible with Windows 7?

Let's try the same operation with an old version of the program: for example, copy notepad.exe from Windows XP, run it on the Windows 7 system, and try to save a file to the Windows directory. This time there is no prompt at all, and the save succeeds. Can the old program bypass the permission settings of the Windows directory?

Open the Windows directory in Windows Explorer. The Test.txt file we just saved is not there. So where was the file saved? Look at the toolbar of the Explorer window: there is a "Compatibility Files" button on it, as shown in the figure below.

After clicking this button, the Explorer window will automatically enter another folder, as shown in the figure below.

Note the address in the address bar and the contents of the folder. It turns out that the file we meant to save in the Windows directory was redirected here, and there may be many other files and folders here as well, all of them the result of redirection.

In the redirected location, note the "VirtualStore" folder in the address bar; it is the root folder in which redirected content is saved. For every location that has ever been redirected, a corresponding subfolder exists under this folder. For example, after the previous operation the file written to the Windows directory was redirected, so a subfolder named "Windows" is created under VirtualStore, and all content redirected from the system's Windows directory is written there.

UAC's virtualization redirection function can take effect for write operations in the following locations:

  • %ProgramFiles%
  • %WinDir%
  • %WinDir%\System32
  • HKEY_LOCAL_MACHINE\Software

Suppose a program needs to save configuration information to the Windows directory and is not compatible with Windows 7. Without virtualization the write could not succeed directly and the program might report an error. With virtualization, the file is automatically redirected, so the program believes it saved its configuration file in the Windows directory and can indeed read the configuration back "from the Windows directory". Programs that would otherwise not run normally under Windows 7 therefore run normally thanks to virtualization.

Also note the folder address shown in the address bar in the figure above: the folder that virtualization redirects to is located in the current user's profile folder. This means that every user who logs on has their own independent virtualized redirection folder, so one user's configuration does not affect another's, which preserves compatibility while also preserving security.

Note: Virtualization only affects programs running with a standard-user token, not programs running with an administrator token. Moreover, this technology cannot guarantee that every incompatible old program will run normally under Windows 7.
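To make the redirection rules concrete, here is an added example (not code from the original article) that models where a virtualized write lands: files follow the VirtualStore layout described above, and registry writes to HKEY_LOCAL_MACHINE\Software land under HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE. The profile path C:\Users\alice\AppData\Local, the program name OldApp and the file names are constructed; `virtualization_applies` encodes the condition stated in the note above (standard token only) together with two well-documented ones that the article does not mention (only 32-bit processes, and only programs without a UAC manifest). An administrator can use this mapping to locate where a legacy program's "system" files and keys really ended up.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample environment: not read from a real machine.
USER_LOCALAPPDATA = r"C:\Users\alice\AppData\Local"       # %LOCALAPPDATA% of the logged-on user
VIRTUALIZED_ROOTS = (r"C:\Program Files", r"C:\Windows")   # %ProgramFiles%, %WinDir% (System32 is below it)
VIRTUALIZED_HIVE = "HKEY_LOCAL_MACHINE\\SOFTWARE"
REGISTRY_STORE = "HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE"


def virtual_file_path(requested: str,
                      local_appdata: str = USER_LOCALAPPDATA,
                      roots=VIRTUALIZED_ROOTS) -> Optional[str]:
    """Where a virtualized write to `requested` actually lands.

    Returns None when the path is not under a virtualized root, i.e. the write
    goes to the real location (and fails if the user lacks permission there).
    """
    p = PureWindowsPath(requested)
    if not any(p.is_relative_to(PureWindowsPath(r)) for r in roots):
        return None
    # VirtualStore mirrors the path below the drive root:
    #   C:\Windows\Test.txt -> %LOCALAPPDATA%\VirtualStore\Windows\Test.txt
    below_drive = p.relative_to(PureWindowsPath(p.anchor))
    return str(PureWindowsPath(local_appdata) / "VirtualStore" / below_drive)


def virtual_registry_key(requested: str) -> Optional[str]:
    """Where a virtualized write to a key under HKLM\\SOFTWARE actually lands."""
    upper = requested.upper()
    if upper == VIRTUALIZED_HIVE or upper.startswith(VIRTUALIZED_HIVE + "\\"):
        # keep the subkey's own casing, replace only the hive prefix
        return REGISTRY_STORE + requested[len(VIRTUALIZED_HIVE):]
    return None


def virtualization_applies(token_is_elevated: bool, has_uac_manifest: bool,
                           is_64bit_process: bool) -> bool:
    """UAC virtualization is applied only to a legacy process: one running with a
    standard (non-elevated) token, without a requestedExecutionLevel manifest,
    and 32-bit. Anything else writes to the real location and gets Access Denied
    wherever it lacks permission. (The manifest and 64-bit conditions are
    documented Windows behaviour, not taken from this article.)"""
    return not (token_is_elevated or has_uac_manifest or is_64bit_process)


if __name__ == "__main__":
    for path in (r"C:\Windows\Test.txt",
                 r"C:\Program Files\OldApp\settings.ini",
                 r"C:\Users\alice\Documents\Test.txt"):
        print(f"{path} -> {virtual_file_path(path)}")
    print(virtual_registry_key(r"HKEY_LOCAL_MACHINE\SOFTWARE\OldApp"))
```

Because the mapping is pure string work on PureWindowsPath, the script runs on any platform; on a real Windows 7 machine you would substitute the actual %LOCALAPPDATA% value and look in the resulting folder, which is exactly what the "Compatibility Files" button opens.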

3. The impact of virtualization on users

By design, virtualization should be an unsung hero: it improves the compatibility of old programs without users noticing. Sometimes, however, it can cause problems.

For example, file virtualization applies mainly to certain special system folders and their subfolders (such as the Windows and Program Files folders in the root of the system drive). This creates a problem: suppose we install a download program into the Program Files directory of the system drive. By default the program saves downloaded files in its installation directory, and because of virtualization we may not be able to find those downloads.

This kind of problem is easy to solve: open the program's installation directory in Windows Explorer and click the "Compatibility Files" button on the toolbar. Of course, a better solution is to configure the program to save downloads somewhere else.

4. Manage stored credentials

In Windows 7, you can use Credential Manager to save the current user's credentials that are used to automatically log on to servers, Web sites, and other programs.

These credentials are stored in an electronic vault (the Windows Vault), which gives easy access to important resources without re-entering credentials on every visit. This also provides a simple form of single sign-on: you only need to log on to your own Windows account with its password, after which you can log on directly to every network resource whose password has been saved, managing the passwords of all other resources with one Windows account password.

The Credential Manager in Windows 7 supports storage of the following three types of credentials:

  • Windows Credentials are used for standard Windows authentication (NTLM or Kerberos) and can include the resource location, logon account name, and password;
  • Certificate-based Credentials can include the resource location and authenticate using a certificate stored in the Personal store managed by Credential Manager;
  • Generic Credentials are used by basic or custom authentication techniques and can include the resource location, logon account name, and password.

1. Add Windows or generic credentials

Each user account has its own Windows Vault. Items in Windows Vault are saved in the user's profile settings and contain the information needed to log in to password-protected resources (such as access paths to file servers).

To add an item to the currently logged in user's Windows Vault, do the following:

Sign in with the user account whose Windows Vault items you want to manage. Open the "Start" menu and click the picture of the current account in the upper right corner of the menu; in the window that opens, click the "Manage your credentials" link on the left, and the Credential Manager window shown in the figure appears.

Depending on the type of credential you want to create, click the Add Windows Credentials or Add Generic Credentials link, then use the options provided to configure the credential as shown.

The fields that need to be set here include:

  • Internet address or network address: the network or Internet resource that the Windows Vault item logs on to. You can enter a server name, such as FileServer; the fully qualified domain name of an Internet resource, such as www.microsoft.com; or a wildcard address, such as *.microsoft.com;
  • Username: the user name required by the server, such as Server\User or [email protected];
  • Password: the password required by the server. The most easily overlooked point here is that if the password is changed on the server or service, the user must also change the password in their Windows Vault. If you forget to update it, repeated attempts to log on or connect to the server or service with the stale password may result in your account being disabled;

Click the OK button to save the credentials.

2. Add certificate-based credentials

The personal certificate information held in the user profile contains the certificates issued to authenticated users. Once you've added a certificate for a user, you can create credentials for resources that require a certificate to access.

To add a certificate-based item to the Windows Vault for the currently logged in user:

  • Click on the Add Certificate Based Credentials link. In the "Internet address or network address" field, enter the name of the network or Internet resource to configure the Windows Vault item. Here you can enter the server name, the fully qualified domain name of the Internet resource, or an address containing wildcards.
  • Click the Select Certificate button, click the personal certificate to use when accessing the resource in the Select Certificate dialog box, and then click the OK button.
  • Click the OK button again to save the credentials.

3. Edit Windows Vault Items

We can edit the contents of a Windows Vault item at any time, but be aware that local Windows Vault items are only visible on the computer that created the item. This means that if you want to modify an item, you must log on locally to the computer where the item was created.

To edit a user's Windows Vault item:

  • Sign in with the user account whose Windows Vault items you want to manage. Open the "Start" menu and click the picture of your current account in the upper right corner of the menu, and in the window that appears, click the "Manage your credentials" link on the left. On the Credential Manager page you can see all credentials grouped by type.
  • Click the credential item you want to edit, and click the "Edit" button.
  • Modify as needed for the username and password or the certificate associated with this credential and click the Save button.

4. Backup and restore Windows Vault

To back up a user's saved credentials, back up the user's Windows Vault directly. Once you have a backup, you can restore the credentials by restoring the Windows Vault on the same computer or by transferring it to a new one. In most cases, the Windows Vault is backed up to removable storage media.

To back up a user's Windows Vault, do the following:

  • Sign in with the user account whose Windows Vault items you want to manage. Open the "Start" menu and click the picture of your current account in the upper right corner of the menu, and in the resulting window click the "Manage your credentials" link on the left.
  • Click the Backup Vault link.
  • On the Stored Usernames and Passwords page, click the Browse button. Use the Save Backup File As dialog box to select a save location and specify a name for the credential backup file. Credential backup files are saved with a .crd file extension. Click the "Save" button.
  • Click the "Next" button and press the "Ctrl+Alt+Delete" key combination to switch to the secure desktop. When prompted, enter and confirm a password for the credential backup file.
  • Click the "Next" button, and then click the "Finish" button.

To restore a user's Windows Vault to the same computer or to a different computer:

  • Log in with the user account whose Windows Vault items you want to manage, and open Credential Manager as described earlier.
  • Click the Restore Vault button in the Credential Manager page.
  • On the Stored Usernames and Passwords page, click the Browse button. Use the Open Backup File dialog to select the location and file name where the credential backup file was saved, and click the Open button.
  • Click the "Next" button and press the "Ctrl+Alt+Delete" key combination to switch to the secure desktop. When prompted, enter the password for the credential backup file.
  • Click the "Next" button, and then click the "Finish" button.

5. Delete Windows Vault Items

If a Windows Vault item is no longer needed, we can delete it. To delete a user's Windows Vault item, do the following:

  • Log in with the user account whose Windows Vault items you want to manage, and open Credential Manager.
  • Click on the credential item you want to delete.
  • Click the "Remove from Vault" button and click the "Yes" button when asked for confirmation.
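The same vault can be listed and maintained without the GUI through the built-in cmdkey tool (cmdkey /list, /add, /generic and /delete). Here is an added example, not code from the original article, that parses the record layout of `cmdkey /list` output and summarises what a user has stored, so an administrator can review the entries the sections above create: stale passwords (the caveat about a password changed on the server) and wildcard addresses, which are offered to every host matching the pattern. The sample output, the targets FileServer, www.example.com and *.example.com, and the user names are constructed; on a real machine the text would come from running `cmdkey /list`. `cmdkey_add_command` builds the scripted equivalent of the Add Windows/Generic Credentials dialog and deliberately leaves `/pass` without a value so that cmdkey prompts for the password rather than recording it in the command line.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of `cmdkey /list` output (not captured from a real machine);
# records are separated by blank lines and carry Target/Type/User lines plus an
# optional persistence note.
SAMPLE_CMDKEY_OUTPUT = """\
Currently stored credentials:

    Target: Domain:target=FileServer
    Type: Domain Password
    User: FileServer\\User

    Target: LegacyGeneric:target=www.example.com
    Type: Generic
    User: user@example.com
    Local machine persistence

    Target: Domain:target=*.example.com
    Type: Domain Password
    User: EXAMPLE\\svc-backup
"""

FIELD_RE = re.compile(r"^(Target|Type|User):\s*(.*)$")


def parse_cmdkey_list(text: str) -> List[Dict[str, object]]:
    """Turn `cmdkey /list` text into one dict per stored credential."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
        elif current:                      # e.g. "Local machine persistence"
            current.setdefault("notes", []).append(line)  # type: ignore[union-attr]
    if current:
        records.append(current)
    return records


def resource_of(target: str) -> str:
    """'Domain:target=FileServer' -> 'FileServer' (the address typed in the dialog)."""
    return target.split("=", 1)[1] if "=" in target else target


def audit_vault(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts per credential type, plus the entries whose address is a wildcard:
    such a credential is sent to every host matching the pattern."""
    return {
        "count": len(records),
        "by_type": dict(Counter(str(r.get("type", "?")) for r in records)),
        "wildcard_targets": [resource_of(str(r["target"])) for r in records
                             if "*" in str(r.get("target", ""))],
    }


def cmdkey_add_command(resource: str, user: str, generic: bool = False) -> List[str]:
    """argv for storing a credential from a script: `/add:` stores a Windows
    credential, `/generic:` a generic one. `/pass` with no value makes cmdkey
    prompt for the password so it never appears on the command line."""
    kind = "/generic:" if generic else "/add:"
    return ["cmdkey", f"{kind}{resource}", f"/user:{user}", "/pass"]


if __name__ == "__main__":
    recs = parse_cmdkey_list(SAMPLE_CMDKEY_OUTPUT)
    for r in recs:
        print(f"{r['type']:16} {resource_of(str(r['target'])):20} {r['user']}")
    print(audit_vault(recs))
    print(" ".join(cmdkey_add_command("FileServer", r"FileServer\User")))
```

On a real machine, feed the parser with the output of `subprocess.run(["cmdkey", "/list"], capture_output=True, text=True).stdout`; an entry that is no longer needed is removed with `cmdkey /delete:<target>`, the scripted counterpart of the "Remove from Vault" button above. The backup and restore steps have no cmdkey equivalent and remain a Credential Manager (GUI) operation.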


Origin blog.csdn.net/qq_35029061/article/details/130668985