Join Steve Fullmer for an in-depth discussion in this video, User Account Control (UAC): Only run signed applications when elevated, part of Managing Windows 8.
In a recent video, we talked about the ability to use Secure Boot and Trusted Boot. That requires UEFI. Let's see if we can go forward. UEFI 2.3.1, and typically a GPT drive that you're going to boot into, and the purpose of that Secure Boot is to block any unsigned application from being loaded into your system. Now, that doesn't just block the boot process. That blocks throughout essentially the entire execution of your operating system.
You may not have UEFI firmware, but you say, "Gee, it's really a cool idea if we can block applications from running that aren't digitally signed." Well, you can do that by going into AppLocker, application by application by application if you desire, but that's time consuming. For some of you who may be preparing for one of the Windows 8 certification exams, there is a more administratively simple method to try to essentially secure your system than using Secure Boot, Trusted Boot, or AppLocker on an application-by-application basis.
And so the big, long title of this particular, although short, video (long title, short video) is Only run signed applications as elevated. That happens to be one of our User Account Control options, and it's in Group Policy, so what I'm going to do on my Windows 7 box back here is load, just for demonstration purposes, the Local Group Policy Editor. I am going to right-click it to make sure that I go in with administrative rights here, to be able to set the settings, and then I'm going to go under Local Group Policy here.
You can do this again at the site, domain, or OU level through Group Policy in a domain environment. We're going to go under Windows Settings, and I'm connected to a remote computer, so I've got a little bit of latency or lag here. We're going to go into Security Settings, Local Policies, Security Options, so again, this is Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, and if we scroll down to the very bottom set, we have User Account Control, and one of the options that's available to us in both Windows 7 and Windows 8 is right here.
Only elevate executables that are signed and validated. This is the User Account Control policy, and if we click the explanation so you can see it: only those applications that have a digital certificate where the trusted publisher is stored in the local certificate store, the certificate registry, on your box, then, and only then, will those applications be allowed to be elevated. Now, that means you can still run applications in non-elevated mode, but typically, if the application's not elevated, it's not going to be able to corrupt the operating system, your boot files, et cetera, so it is one other way, in a very simple, straightforward methodology, to secure your system from potentially untrusted or malicious software. I just wanted to share that as we were talking about Secure Boot, because you need to understand some of the very simple, straightforward methodologies for securing your system using Group Policy.
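The policy walked through above is backed by a single registry value, which makes it easy to audit or set from a script on machines where opening the Local Group Policy Editor by hand does not scale. The following is an added PowerShell example, not part of the course or of Microsoft's tooling. It assumes it is run from an elevated prompt, that the documented backing store for "Only elevate executables that are signed and validated" is the `ValidateAdminCodeSignatures` DWORD under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and that `Get-AuthenticodeSignature` is a reasonable stand-in for the chain check UAC performs at elevation time (the function names `Get-SignedElevationPolicy`, `Set-SignedElevationPolicy` and `Test-ElevationSignature` are this example's own).

```powershell
# Added example (not from the course): audit and set the UAC policy
# "Only elevate executables that are signed and validated", then test
# whether a given executable would pass the signature check it imposes.
# Assumptions: run from an elevated PowerShell prompt; the registry
# location below is the documented backing store for this policy.

$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue = 'ValidateAdminCodeSignatures'

function Get-SignedElevationPolicy {
    # Returns 1 when the policy is enabled; 0 when disabled or never set
    # (absent is the Windows default, which behaves as disabled).
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$PolicyValue
}

function Set-SignedElevationPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    # Set-ItemProperty creates the value if it does not exist yet.
    # Caveat: on a domain-joined machine a GPO that configures this setting
    # will overwrite the local value at the next policy refresh, so set it
    # at the site/domain/OU level there instead of locally.
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value $Enabled -Type DWord
    return (Get-SignedElevationPolicy)
}

function Test-ElevationSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Approximates the elevation-time check: an Authenticode signature whose
    # chain terminates in a root the local machine trusts. A self-signed or
    # untrusted publisher comes back as 'UnknownError' with a "terminated in
    # a root certificate which is not trusted" status message, which is the
    # case the policy exists to block.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status           # Valid, NotSigned, UnknownError, HashMismatch, ...
        Message      = $sig.StatusMessage
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        WouldElevate = ($sig.Status -eq 'Valid')
    }
}

# Usage: report the current state, check an installer, then enable the policy.
"Only elevate signed and validated executables: $(Get-SignedElevationPolicy)"
Test-ElevationSignature -Path 'C:\Installers\setup.exe'   # path is an example; substitute your own
Set-SignedElevationPolicy -Enabled 1
```

Two practical notes. Catalog-signed Windows system binaries only report `Valid` from `Get-AuthenticodeSignature` on versions that consult the catalog store (PowerShell 5.1 on Windows 8 and later), so an embedded-signed third-party installer is the more telling file to test. And the policy only gates elevation: an unsigned program still runs at the user's own integrity level, which is exactly the trade-off the video describes.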