Lab Assessment
HIT172 Operating Systems and Applications
Windows 10 User Account Control
User Account Control (UAC) is a tool that you will likely use only if your user account is a member of the local administrators group.
This is because UAC is disabled by default for standard users, which means that standard users do not, by default, encounter a UAC prompt.
UAC is also a security feature of Windows 10 that informs you when the action that you want to undertake requires an elevation of privileges.
Managing User Account Control
Some examples of tasks that activate UAC:
Installing/uninstalling drivers and applications
Manipulating user accounts
Configuring Windows Update
Changing firewall settings, etc.
Privilege elevation:
Windows 10 users by default get the rights of a standard user. When a user attempts an act that requires administrative privileges, such as creating a new user account, her rights need to be raised from those of a standard user to those of an administrative user. This increase in rights is termed privilege elevation. UAC is a gateway to privilege elevation.
UAC Settings
Always Notify: This is the most secure setting. You are prompted before programs make changes to your computer or Windows settings that require administrator permissions. During notification, your desktop appears dimmed. This is because Secure Desktop has become active. You must respond to the UAC prompt before it is possible to do anything else with the computer.
Notify Me Only When Programs Try To Make Changes To My Computer: When this option is set, you are prompted before programs make changes to your computer or Windows settings that require administrator permissions. Notification occurs on the Secure Desktop.
Notify Me Only When Programs Try To Make Changes To My Computer (Do Not Dim My Desktop): With this option, you are prompted before programs make changes that require administrator permissions. You are not prompted if you try to make changes to Windows settings that require administrator permissions using programs that are included with Windows.
Never Notify: When logged on as an administrator, you are not notified before programs make changes to your computer or to Windows settings. If you are logged on as a standard user, any changes that require administrative privileges are automatically denied.
More on UAC policies: refer to the prescribed book, Chapter 31, section "Understanding User Account Control".
Password Policies
Password and account lockout policies, which can be found under the Computer Configuration\Windows Settings\Security Settings node of Group Policy, allow you to configure how passwords work on clients running Windows 10. The following password policies can be configured:
Enforce Password History: Use this policy to ensure that people do not use a small set of passwords that they rotate through each time they are asked to update their password. When you configure the Enforce Password History,
Minimum Password Age: Use this policy to require that a new password be kept for a minimum number of days before the user is allowed to change it.
Minimum Password Length: Use this policy to ensure that passwords have a minimum number of characters.
Password Must Meet Complexity Requirements: Use this policy to require passwords to include three of the following: uppercase letters, lowercase letters, numbers, and symbols.
Maximum Password Age: The maximum number of days that a person can keep the same password.
You can configure the following account lockout policies:
Account Lockout Duration: Use this policy to configure the length of time an account is locked out before a user can attempt to log in again.
Account Lockout Threshold: Use this policy to configure the number of times a user can enter an incorrect password before Windows locks out the account.
Reset Account Lockout Counter After: Use this policy to specify the period in which Windows records invalid logon attempts. For example, if you set this period to 30 minutes and the Account Lockout Threshold policy is set to 3, three invalid logon attempts in 30 minutes trigger a lockout, whereas three invalid logon attempts in 31 minutes will not. A valid logon automatically resets the account lockout counter.
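The three lockout settings above interact, so the following added example (not part of the lab material) replays constructed sequences of logon attempts against them. It counts invalid attempts inside the reset period, as the 30-minute example in the text describes; the names LockoutPolicy and replay are hypothetical, and this is a simplified model, not Windows' own implementation.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:                 # hypothetical names, values in minutes
    threshold: int = 3               # Account Lockout Threshold (0 = never lock)
    reset_after: int = 30            # Reset Account Lockout Counter After
    duration: int = 30               # Account Lockout Duration

def replay(events, policy):
    """Replay (minute, password_ok) logon attempts, oldest first.

    Returns one outcome per attempt: 'success', 'failure', 'lockout'
    (the attempt that trips the threshold) or 'locked' (refused outright).
    """
    failures = []                    # times of invalid attempts still counted
    locked_until = None
    outcomes = []
    for minute, password_ok in events:
        if locked_until is not None:
            if minute < locked_until:
                outcomes.append("locked")   # even a correct password is refused
                continue
            locked_until = None             # lockout duration has elapsed
        if password_ok:
            failures.clear()                # a valid logon resets the counter
            outcomes.append("success")
            continue
        # Forget invalid attempts that fall outside the reset period.
        failures = [t for t in failures if minute - t <= policy.reset_after]
        failures.append(minute)
        if policy.threshold and len(failures) >= policy.threshold:
            locked_until = minute + policy.duration
            failures.clear()
            outcomes.append("lockout")
        else:
            outcomes.append("failure")
    return outcomes

if __name__ == "__main__":
    policy = LockoutPolicy()
    # Constructed sample sequences: (minute, password_ok)
    print(replay([(0, False), (15, False), (30, False)], policy))
    print(replay([(0, False), (15, False), (31, False)], policy))
    print(replay([(0, False), (1, False), (2, False), (10, True), (32, True)], policy))
```

The third sequence shows that a correct password entered while the account is locked is still refused until the lockout duration has passed.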
Account Policies