Software installation essentials
Mastering User Account Control
Maintaining application integrity
The security architecture in Microsoft Windows Server 2012 R2 and Windows 8.1 controls the way accounts are used and applications are installed and run. Windows Server 2012 R2 has two general types of user accounts: standard user accounts and administrator user accounts. Standard users can perform any general computing tasks, such as starting programs, opening documents, and creating folders, and can perform any support tasks that do not affect other users or the security of the computer. Administrators, however, have complete access to the computer and can make changes that affect other users and the security of the computer. Windows 8.1 adds a special type of local account called a Microsoft account, which can be thought of as a synchronized local account and is not available on earlier releases of Windows.
Like Windows 8.1, Windows Server 2012 R2 runs programs, some of which are designed specifically for client–server environments in addition to desktop apps. An app is a program in the most general sense. However, apps are fairly new to Windows and have many distinct characteristics, as I discuss in Chapter 7 of my book Windows 8.1 Administration Pocket Consultant: Essentials & Configuration (Microsoft Press, 2013). With that in mind, this chapter focuses specifically on software applications that are installed as programs rather than as apps.
Software installation, configuration, and maintenance are processes that require elevated privileges. As discussed later in this chapter, under “Mastering User Account Control,” elevation is a feature of User Account Control (UAC). Because of User Account Control, the operating system can detect the installation of software. When the operating system detects a software installation–related process, it prompts for permission or consent prior to allowing you to install, configure, or maintain software on your computer. This means you must either install software by using an account with administrator privileges or provide administrator permissions when prompted. It also means administrator privileges are required to perform the following software maintenance tasks:
Change/Update
Repair/Reinstall
Uninstall/Remove
Windows does not include an Add/Remove Programs utility. Instead, it relies completely on the software itself to provide the necessary installation features through a related setup program. As discussed later in this chapter, under “Maintaining application integrity,” Windows also provides the architecture for software access tokens and restrictions that require software programs to write to specific system locations. Software applications not specifically designed to support this architecture are considered noncompliant applications. Thus, software is either compliant or noncompliant.
Part of the installation process involves validating your credentials and checking the software’s compatibility. Most software applications have a setup program that uses Windows Installer, InstallShield, or Wise Install. The job of the installer program is to track the installation process and make sure the installation completes successfully. If the installation fails, the installer is also responsible for restoring a computer to its original state by reversing all the changes the setup program makes. Although this works great in theory, you can encounter problems, particularly when you are installing noncompliant programs. Noncompliant programs won’t have and won’t be able to use the features of the latest versions of installer programs, and as a result, they sometimes cannot uninstall a program completely.
Because a partially uninstalled program can spell disaster for a computer, you should protect yourself by backing up a server prior to installing any software. By backing up a server, you can be sure that you can fully recover the server to the state it was in prior to installing the software. This way, if you run into problems, you’ll have an effective recovery strategy.
Before installing any software, you should do the following:
Check to see whether it is compatible. You can determine compatibility in several ways. You can check the software packaging, which should specify whether the program is compatible. Alternatively, you can check the software developer’s website for a list of compatible operating systems.
Check the software developer’s website for updates for the program. If available, download the updates prior to installing the software and then install them immediately after completing the software installation. Some software programs have automated update processes that you can use to check for updates after installing the software. In this case, after installation, run the software and then use the built-in update feature to check for updates.
Diagnosing a problem you are having as a compatibility issue isn’t always easy. For deeper compatibility issues, you might need to contact the software developer’s technical support staff. To avoid known compatibility issues with noncompliant applications, Windows Server includes an automated detection feature known as the Program Compatibility Assistant.
If the Program Compatibility Assistant detects a known compatibility issue when you run a noncompliant application, it notifies you about the problem and provides possible solutions for resolving the problem automatically. You can then allow the Program Compatibility Assistant to reconfigure the application for you. Although the Program Compatibility Assistant is helpful, it can’t detect or avoid all compatibility issues. You might have to configure compatibility manually. One way to do this is to press and hold or right-click the software shortcut, select Properties, and then use the options on the Compatibility tab to configure software compatibility options.
Important
Don’t use the Program Compatibility Assistant or similar compatibility features to install older virus detection, backup, or system programs. These programs might attempt to modify your computer’s file systems in a way that is incompatible with Windows Server and thus prevent Windows Server from starting.
Installation using software application media is straightforward. Not all programs have distribution media on a disc or flash drive. If you download a program from the Internet, it’ll probably be in a .zip or self-extracting executable file, and you can install the program by following these steps:
Start File Explorer. Extract the program’s setup files by using one of the following techniques:
If the program is distributed in a .zip file, press and hold or right-click the file and select Extract All. This opens the Extract Compressed (Zipped) Folders dialog box. Tap or click Browse, select a destination folder, and then tap or click OK. Tap or click Extract.
If the program is distributed in a self-extracting executable file, double-tap or double-click the .exe file to extract the setup files. You’ll see one of several types of prompts. If prompted to run the file, tap or click Run. If prompted to extract the program files or select a destination folder, tap or click Browse, select a destination folder, and then tap or click OK. Tap or click Extract or OK as appropriate.
In File Explorer, browse the setup folders and find the necessary setup program file. Double-tap or double-click the setup file to start the installation process.
When Setup starts, follow the prompts to install the software.
If software installation fails and the software used an installer, follow the prompts to allow the installer to restore your computer to its original state. Otherwise, exit Setup and then try rerunning Setup to complete the installation or uninstall the program. If this doesn’t work, you can use the techniques discussed in “Maintaining the registry” in Chapter 8 to clean up the installer settings.
Installing software is only one part of software management. Often, after you install software, you need to make configuration changes to your computer or the software itself. You might need to reconfigure, repair, or uninstall the software, or you might need to resolve problems with the way the software starts or runs.
After you install software, you can manage its installation by using the Programs And Features page in Control Panel. Windows Server takes advantage of the features of the installer program used with your software. This means you’ll have more configuration options than you otherwise would. For example, previously, most software allowed you to rerun Setup to uninstall the program but didn’t necessarily allow you to rerun Setup to change or repair the software. Windows Server provides these features to make it easier to manage your software.
You can use the Programs And Features page to reconfigure, repair, or uninstall software by following these steps:
In Control Panel, tap or click Uninstall A Program under Programs.
In the Name list, select the program you want to work with and then select one of the following options on the toolbar:
Change. Modifies the program’s configuration
Repair. Repairs the program’s installation
Uninstall. Uninstalls the program
Uninstall/Change. Uninstalls or changes a program with an older installer program
You can use Task Manager to work with running programs. To access Task Manager, press and hold or right-click the lower-left corner of the Start screen or the desktop and then tap or click Task Manager. Alternatively, press Ctrl+Alt+Delete and then click Task Manager. If the Summary view is displayed when you open Task Manager, tap or click More Details.
Use the information and options provided on the Processes, Performance, and Details tabs to get more information about running programs. When you select a program or process on the Processes tab, you can terminate the process by tapping or clicking End Task. You learn more about Task Manager in Chapter 10.
User Account Control (UAC) seeks to improve usability while enhancing security by controlling how standard user and administrator user accounts are used. User Account Control does this by limiting the scope of administrator-level access privileges and requiring all applications to run in a specific user mode. In this way, UAC prevents users from making inadvertent changes to system settings and locks down the computer to prevent unauthorized applications from installing or performing malicious actions.
Current releases of Windows make it easy to determine which tasks standard users can perform and which tasks administrators can perform. You might have noticed the multicolored shield icon next to certain options in windows, wizards, and dialog boxes. This is the Permissions icon. It indicates that the related option requires administrator permissions to run. That doesn’t mean you’ll see a prompt, though. The way the prompt works depends on the following:
Whether UAC allows changing Windows settings without prompting
Whether the computer is a member of a workgroup or a domain
Whether you are logged on as a standard user or an administrator
Note
UAC is disabled in Server Core installations. With other Windows Server installations, the best way to configure the UAC prompt is to use Group Policy settings. In Control Panel, tap or click System And Security. Under the Action Center heading, tap or click Change User Account Control Settings. On the User Account Control Settings page, use the slider to choose when to be notified about changes to the computer.
By default, when you are logged on to a computer as a standard user, you see a User Account Control (UAC) prompt when programs try to make changes to the computer that require administrator permissions and when programs try to change Windows settings. In a workgroup, the prompt shows the accounts of administrators. If you tap or click an account, you must then enter the password for that account and then tap or click Yes.
In a domain, as shown in Figure 9-1, the prompt shows the logon domain and provides user name and password boxes. To proceed, you must enter the name of an administrator account, type the account’s password, and then tap or click Yes. The task or application then runs with administrator permissions.
Whether the computer is in a workgroup or domain, the prompt shows the name of the program requesting elevation, the publisher of that program, and the file origin. If you have any question about the authenticity of the request, tap or click Show Details. You then see the program location, which shows the full path to the program’s executable. For verified publishers, display their verification certificate by clicking the link provided.
Figure 9-1. User Account Control requires a password to run certain applications when the user is not logged on with an administrator account.
Note
The first screen capture shows the UAC prompt without details. The second screen capture shows the UAC prompt with details.
The prompt works differently when you are logged on with an administrator account. Here, it doesn’t matter whether the computer is in a workgroup or a domain, and the prompt doesn’t require an account selection or a password. Instead, your current credentials are used, and you are simply prompted to confirm that you want to allow the task or program to make changes to the computer. If you click Yes, the task or application then runs with administrator permissions. (See Figure 9-2.)
Figure 9-2. User Account Control prompts users when they are already logged on with an administrator account.
The process of getting approval prior to running an application in administrator mode and prior to performing actions that change system-wide settings is known as elevation. Elevation enhances security by reducing the exposure and attack surface of the operating system. It does this by providing notification when you are about to perform an action that could affect system settings, such as installing an application, and it eliminates the ability of malicious programs to invoke administrator privileges without your knowledge and consent.
Prior to the elevation and display of the User Account Control (UAC) prompt, Windows Server performs several background tasks. The key task you need to know about is that Windows Server switches to a secure, isolated desktop prior to displaying the prompt. The purpose of switching to the secure desktop is to prevent other processes or applications from providing the required permissions or consent. All other running programs and processes continue to run on the interactive user desktop, and only the prompt itself runs on the secure desktop.
Elevation, prompts, and the secure desktop are aspects of User Account Control that affect you the most. Although they seem restrictive at first, these features prevent users from making inadvertent changes to system settings, and they lock down the computer to prevent unauthorized applications from installing or performing malicious actions.
The key component of UAC that determines whether and how administrators are prompted is Admin Approval Mode. By default, all administrators, except the built-in local administrator account, run in and are subject to Admin Approval Mode. Therefore, all administrators, except the built-in local administrator account, see the elevation prompt whenever they run administrator applications.
In Group Policy under Local PoliciesSecurity Options, five security settings determine how Admin Approval Mode and elevation prompting works. Table 9-1 summarizes these security settings. Remember, Group Policy gives you the flexibility to configure UAC as needed for specific environments. For example, if servers at a remote office are in a separate GPO from workstations at that office, you could configure UAC for servers one way and UAC for workstations another way.
Table 9-1. Security settings related to Admin Approval Mode
In a domain environment, you can use Active Directory–based Group Policy to apply the desired security configuration to a particular set of computers. Just configure the desired settings to a Group Policy Object (GPO) that applies to those computers.
For workgroup configurations or for a special case, you can configure these security settings on a per-computer basis, using local security policy. To access local security policy and configure UAC settings, follow these steps:
Select Local Security Policy on the Tools menu in Server Manager. This starts the Local Security Policy console.
In the console tree, under Security Settings, expand Local Policies and then select Security Options, as shown in Figure 9-3.
Double-tap or double-click User Account Control: Admin Approval Mode For The Built-in Administrator Account. This opens the related properties dialog box shown in Figure 9-4. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.
Double-tap or double-click User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode. The available options are used as follows:
Elevate Without Prompting. Enters Admin Approval Mode and elevates to the user’s highest available privileges without prompting for consent or credentials.
Prompt For Credentials On The Secure Desktop. Switches to the secure desktop and then prompts for credentials before elevating to the user’s highest available privileges.
Prompt For Consent On The Secure Desktop. Switches to the secure desktop and then prompts for consent before elevating to the user’s highest available privileges.
Prompt For Credentials. Prompts for credentials before elevating to the user’s highest available privileges but doesn’t switch to the secure desktop.
Prompt For Consent. Prompts for consent before elevating to the user’s highest available privileges but doesn’t switch to the secure desktop.
Prompt For Consent For Non-Windows Binaries. When running non-Windows applications that require elevation, prompts for consent on the secure desktop before elevating to the user’s highest available privileges. This is the default.
Double-tap or double-click User Account Control: Behavior Of The Elevation Prompt For Standard Users. The available options are Automatically Deny Elevation Requests, Prompt For Credentials On The Secure Desktop, and Prompt For Credentials.
Double-tap or double-click User Account Control: Run All Administrators In Admin Approval Mode. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.
Double-tap or double-click User Account Control: Switch To The Secure Desktop When Prompting For Elevation. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.
To help maintain internal consistency and application integrity, Windows Server defines two run levels for applications: standard and administrator. Windows Server determines whether a user needs elevated privileges to run a program by supplying most applications and processes with a security token. If an application has a standard token, or if an application cannot be identified as an administrator application, elevated privileges are not required to run the application, and Windows Server starts it as a standard application by default. If an application has an administrator token, elevated privileges are required to run the application, and Windows Server prompts the user for permission or confirmation prior to running the application.
Applications are said to be either compliant or noncompliant. Any application written specifically for Windows Server 2008 or later is considered a compliant application. Any application written for an earlier version of Microsoft Windows or not certified as compliant is considered a noncompliant application.
Distinguishing between compliant and noncompliant applications is important because of the architecture changes required to support UAC. Compliant applications use UAC to reduce the attack surface of the operating system. They do this by preventing unauthorized programs from installing or running without the user’s consent and by restricting the default privileges granted to applications. This, in turn, makes it harder for malicious programs to take over a computer.
The Application Information service facilitates running interactive applications with an administrator access token. By default, this service is stopped and configured for manual startup. When this service is stopped, you will be unable to start interactive applications with the additional administrator privileges you might require to perform tasks.
Applications derive their security context from the current user’s access token. By default, the Local Security Authority (LSA) turns all users into standard users even if they are members of the Administrators group. When a member of an administrator group logs on to a computer on which UAC is enabled, the LSA creates two access tokens for two logon sessions: one with administrator rights and one with administrator rights filtered out. The filtered access token is used to start the user’s desktop. The other logon session runs as an administrator and is accessed when tasks are elevated. Thus, if an administrator user has consented to the use of her administrator privileges, the unfiltered access token (which contains all the user’s privileges) is used to start the application or process rather than the user’s standard access token. Also, note that the access tokens contain separate logon IDs because they are related to different logon sessions.
Most applications can run using a standard user access token. Whether applications need to run with standard or administrator privileges depends on the actions the applications perform. Applications that require administrator privileges, referred to as administrator applications, differ in several ways from user applications that require standard user privileges, referred to as user applications.
Administrator applications require elevated privileges to run and perform core tasks. When started in elevated mode, an application with a user’s administrator access token can perform tasks that require administrator privileges and write to system locations of the registry and the file system.
Standard user applications do not require elevated privileges to run and perform core tasks. When started in standard user mode, an application with a user’s standard access token must request elevated privileges to perform administration tasks. For all other tasks, the application should not run using elevated privileges. Further, the application should write data only to nonsystem locations of the registry and the file system.
Because of UAC, the processes related to installing and running applications have also changed. In earlier versions of Windows, the Power Users group gave users specific administrator privileges to perform basic system tasks when installing and running applications. Compliant applications do not require the use of the Power Users group; this group is maintained only for compatibility with older, noncompliant applications.
Windows Server detects application installations and prompts users for elevation to continue the installation by default. Installation packages for Windows Server–compliant applications use application manifests that contain run-level designations to help track required privileges. Application manifests define the application’s desired privileges as one of the following:
RunAsInvoker. Runs the application with the same privileges as the user. Any user can run the application. For a standard user or a user who is a member of the Administrators group, the application runs with a standard access token. The application runs with higher privileges only if the parent process from which it is started has an administrator access token. For example, if you start an elevated command prompt window and then start an application from this window, the application runs with an administrator access token.
RunAsHighest. Runs the application with the highest privileges of the user. The application can be run by both administrator users and standard users. The tasks that can be performed by the application depend on the user’s privileges. For a standard user, the application runs with a standard access token. For a user who is a member of a group with additional privileges—such as the Backup Operators, Server Operators, or Account Operators groups—the application runs with a partial administrator access token that contains only the privileges the user has been granted. For a user who is a member of the Administrators group, the application runs with a full administrator access token.
RunAsAdmin. Runs the application with administrator privileges. Only administrators can run the application. For a standard user or a user who is a member of a group with additional privileges, the application runs only if the user can be prompted for credentials required to run in elevated mode or if the application is started from within an elevated process, such as from an elevated command prompt window. For a user who is a member of the Administrators group, the application runs with an administrator access token.
Windows Server protects application processes by labeling them with integrity levels ranging from high to low. Applications that modify system data, such as Disk Management, are considered high integrity, whereas those performing tasks that could compromise the operating system, such as Internet Explorer, are considered low integrity. Applications with lower integrity levels cannot modify data in applications with higher integrity levels.
Windows Server identifies the publisher of any application that attempts to run with an administrator’s full access token. Then, depending on that publisher, Windows Server marks the application as a compliant application, a publisher verified (signed) application, or a publisher not verified (unsigned) application. When you are installing or running an application, the elevation prompt is designed to help identify the potential security risk of installing or running the application. First, the prompt is color-coded. Second, the elevation prompt displays a unique message depending on the category to which the application belongs.
When working with the elevation prompt, keep the following in mind:
Red is a strong warning, representing likely danger. If the application is from a blocked publisher or is blocked by Group Policy, the elevation prompt has a red background and displays the message, “The application is blocked from running.”
Yellow is a general warning, indicating potential danger. If the application is unsigned (or is signed but not yet trusted), the elevation prompt has a yellow background and red shield icon and displays the message, “An unidentified program wants access to your computer.”
Blue/green is for administrative elevation. If the application is administrative (such as Server Manager), the elevation prompt has a blue/green background and displays the message, “Windows needs your permission to continue.”
Gray is for general elevation. If the application has been signed by Authenticode and is trusted by the local computer, the elevation prompt has a gray background and displays the message, “A program needs your permission to continue.”
Only core Windows processes can access the secure desktop prompt. This serves to secure the elevation process further by preventing spoofing of the elevation prompt. The secure desktop is enabled by default in Group Policy.
By default, only applications running with a user’s administrator access token run in elevated mode. Sometimes, you want an application running with a user’s standard access token to be in elevated mode. For example, you might want to start the command prompt window in elevated mode so that you can perform administrator tasks.
In addition to application manifests discussed previously, Windows Server provides three ways to set the run level for applications. You can choose to perform one of the following:
Running an application once as an administrator. You can run an application once as an administrator by pressing and holding or right-clicking the application’s shortcut or menu item and then selecting Run As Administrator, as shown in Figure 9-5. If you are using a standard account and prompting is enabled, you are prompted for consent before the application is started. If you are using a standard account and prompting is disabled, the application will fail to run. If you are using an administrator account and prompting for consent is enabled, you are prompted for consent before the application is started.
Always running an application as an administrator. Windows Server also enables you to mark an application so that it always runs with administrator privileges. This is useful for resolving compatibility issues with older applications that require administrator privileges. It is also useful for compliant applications that normally run in standard mode but that you use to perform administrative tasks. You cannot mark system applications or processes always to run as an administrator. Only nonsystem applications and processes can be marked that way. You can mark an application always to run as an administrator by pressing and holding or right-clicking the application’s shortcut and then selecting Properties. In the Properties dialog box, tap or click the Compatibility tab. Under Privilege Level, select the Run This Program As An Administrator check box, as shown in Figure 9-6, and then tap or click OK.
In Group Policy under Local PoliciesSecurity Options, six security settings determine how application installation and run behavior work. Table 9-2 summarizes these security settings.
Table 9-2. Security settings related to application installation and run behavior
For workgroup configurations or for a special case, you can configure these security settings on a per-computer basis by using local security policy. To access local security policy and configure UAC settings, follow these steps:
Select Local Security Policy on the Tools menu in Server Manager. This starts the Local Security Policy console.
In the console tree, under Security Settings, expand Local Policies and then select Security Options.
Double-tap or double-click the setting you want to work with to open its properties dialog box.
All settings related to application installation and run behavior can be defined and then configured. Make any necessary changes and then tap or click OK. Repeat this procedure to modify the related security settings as necessary.
In a domain environment, you can use Active Directory–based Group Policy to apply the desired security configuration to a particular set of computers. Just apply the desired settings to a GPO that applies to those computers.