As administrators roll out Windows 7, the following questions and associated registry keys may help them achieve their desired user experience.
1. How do I turn on/off User Account Control (UAC)? How can I change my admin account to get full administrator rights on Windows 7? How can I create files and directories on the root of the C: drive?
Each of these issues can be addressed via the following registry key:
Data: [see below]
0 = Disable UAC.
1 = Enable UAC. (default)
Disabling UAC is not recommended because it weakens the security posture of the system. But if you accept the increased risk, disabling UAC will give your admin account full admin capabilities on the system and allow you to write files and directories anywhere on the system. This will also disable all other UAC-related registry key settings. If you are scanning your enterprise and want to ensure all systems are configured to use UAC (as recommended), look for a value of "1." More information about UAC can be found at Microsoft's TechNet site.
2. How can I prevent the computer from rebooting after patches are installed?
Data: [see below]
1 = The system will not be restarted if a user is currently logged on.
0 = The logged on user will be notified that the system will reboot in five minutes. (default)
By default, the computer automatically reboots after a Windows Update or after Windows Server Update Services installs patches. Users logged on at that time will be given a five-minute warning before reboot. By setting this value to "1," the system will not automatically reboot if a user is logged on. Instead, a warning message will be given, and the system will not be rebooted. Note that some patches may not be fully installed until a reboot has occurred. Although this registry key setting helps address unscheduled reboots, it's still important to reboot the system shortly after patch installation to ensure system stability and patch effectiveness. You can find more information about Windows updates at this blog.
3. What registry key turns on/off Automatic Update?
Data: [see below]
0 = Automatic Updates are enabled. (default)
1 = Automatic Updates will be disabled.
If you're using a third-party patch management application or you like to "let it ride," then disable Automatic Updates. Otherwise, keep this value at "0" so that Microsoft security updates are automatically installed as needed. You may need to add this registry key and value to your system if it doesn't already exist. Read more about configuring automatic updates.
4. How can I require users to enter Ctrl-Alt-Delete to log in?
Data: [see below]
0 = Users must press Ctrl-Alt-Delete to log into the system. (Default for domain-joined systems)
1 = Users do not need to press Ctrl-Alt-Delete to log into the system. (Default for nondomain-joined systems)
Unless Auto Login is enabled (see below), users must always enter a password to log in to the computer. The Ctrl-Alt-Delete key sequence provides a secure mechanism to initiate the log-in process. Computers that are part of a domain require this key sequence by default; nondomain-joined machines and home-user systems do not. Instead, users select their usernames from a list displayed onscreen and then enter their passwords. Legal notice text (if configured) is not displayed when DisableCAD is set to "1." To ensure all of your corporate systems -- both those joined to a domain and those not joined to a domain -- require users to press Ctrl-Alt-Delete, make sure this value is set to "0." Microsoft provides more information on automatic login here.
5. How can I ensure that users need to enter a username and password to log into the computer? How can I enable/disable Auto Admin Login?
0 = Auto Admin Login is not enabled. (default)
1 = Auto Admin Login is enabled.
If enabled, the following values may be required:
Value: DefaultPassword (this value may not be present)
Data: domainname or computername
The Auto Admin Login registry setting enables a system to start and log in as the specified administrative user account without requiring an interactive login. While this is a potentially dangerous setting, it may be required on some systems in an enterprise. If the DefaultPassword value is entered in the registry, the password string will be visible in clear text to anyone who can read your registry (locally or remotely).
If you need to use Auto Admin Login, you should use the alternate password storage mechanism so that the password won't be stored under this key in clear text. Run "netplwiz" from the command line, and uncheck the box "Users must enter a user name and password to use this computer." This will store the password with the local security authority. However, this option is not available on a domain-joined system. In that instance, the only way to enable auto login is to use the full set of registry values above. Also, when implementing Auto Admin Login, you can't require Ctrl-Alt-Delete (DisableCAD=0, discussed above). Computer Performance Ltd. has more information online.
When doing a security audit of your network, make sure to identify all instances of Auto Admin Login where the DefaultPassword value exists. I hope this value isn't for your Domain Administrator account.
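A local audit for the checks the article recommends (UAC value of 1, DisableCAD of 0, Auto Admin Login with a stored DefaultPassword), as an added PowerShell example that is not part of the original article. The registry paths and the EnableLUA, AutoAdminLogon and DefaultUserName value names do not appear on this page and are assumptions based on standard Windows configuration; the script tests only whether DefaultPassword exists and never outputs it.

```powershell
# Added audit example, not from the original article. The registry paths and the
# EnableLUA / AutoAdminLogon / DefaultUserName names are assumptions (absent from the page).
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the named value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-LogonAuditFinding {
    $findings = @()

    # Question 1: the article says a compliant system has a value of 1.
    $uac = Get-RegValue $Policies 'EnableLUA'
    if ($uac -ne 1) { $findings += "UAC not enabled (value: '$uac')" }

    # Question 4: 0 = Ctrl-Alt-Delete required. Check the policy location, then Winlogon.
    $cad = Get-RegValue $Policies 'DisableCAD'
    if ($null -eq $cad) { $cad = Get-RegValue $Winlogon 'DisableCAD' }
    if ($null -eq $cad) {
        $findings += 'DisableCAD not set; the OS default applies'
    } elseif ($cad -ne 0) {
        $findings += 'Ctrl-Alt-Delete not required at logon (DisableCAD = 1)'
    }

    # Question 5: AutoAdminLogon is a string value, so compare as text.
    $auto = Get-RegValue $Winlogon 'AutoAdminLogon'
    $autoOn = ("$auto" -eq '1')
    if ($autoOn) {
        $user = Get-RegValue $Winlogon 'DefaultUserName'
        $findings += "Auto Admin Login enabled for account '$user'"
    }

    # Test only for presence of DefaultPassword; never copy it into output or logs.
    $pwPresent = $null -ne (Get-RegValue $Winlogon 'DefaultPassword')
    if ($pwPresent) {
        $findings += "Clear-text DefaultPassword present (Auto Admin Login enabled: $autoOn)"
    }
    $findings
}

$result = Get-LogonAuditFinding
if ($result) {
    $result | ForEach-Object { '{0}: {1}' -f $env:COMPUTERNAME, $_ }
} else { '{0}: no findings' -f $env:COMPUTERNAME }
```

A DefaultPassword value reported with Auto Admin Login disabled is a leftover credential and should be removed.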
These five registry keys should help you configure your desktops to suit your needs. As always, test all registry changes before rolling them into production.
Have other keys that you think would benefit administrators? Email Eric at firstname.lastname@example.org.
ABOUT THE AUTHOR: Eric Schultze
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.
This was first published in January 2010