application refers to a computer program developed to run on the operating system in order to complete a certain task or a certain task, which directly serves the user. If the operating system is a platform, then the application is the protagonist. But the application brings convenience to the user, and sometimes it also threatens the security of the system. To this end, implementing security control on the application is an important security policy of the operating system. . Then, in the Windows environment, how to implement security controls to the application of it? This is today's tutorial to give you about content, interested friends together and see.
1, configure the application
program run level with the previous Vista, Microsoft is not advocating a user logged in as administrator to perform operations directly, as this there is a big risk. We know that in Windows 7, if you log in to the system as an administrator, all running programs run with administrator privileges by default. For security, we log in to the system as a non-administrator user, but sometimes it needs to be set up or maintained by the system. To perform these operations, you must have administrator privileges. Then you need to log out of the current user and log in as an administrator again. System? In fact, in Windows7, we can implement the application in the upgrade mode in two ways.
(1). Once run with administrator privileges. In general, we only need to run the administrator with the current permissions, then select the privilege escalation policy that runs once with administrator privileges. The specific implementation is to right-click the shortcut of the application or its main program, and select "Run as administrator" in the menu list. At this point, the User Account Control (UAC) dialog box will pop up. The dialog box lists all the administrators of the system for the user to select. We can select an administrator user and enter the corresponding password to run the program as an administrator. In this regard, we can open Widnows7's task manager to confirm, you can see that although the current user is logged into the system, the program runs as an administrator.
(2). Always an administrator to run the program. In addition to temporarily running the program with administrator privileges, we can also make the program always run with administrator privileges. The advantage of this is that it saves the trouble of privilege escalation every time, and after setting such a program that can only run in the administrator privilege, it can prevent its use problem due to permission. failure. Of course, the drawbacks of this are very obvious. If the application is always running with administrator privileges, it will bring certain security risks. Moreover, after logging in this way, we will lose meaning when logging in to the system as a normal user. The author's recommended practice is to set only programs that must be run with administrator privileges to always run as an administrator.
In Windows7, we can set: Right-click the application or its icon, select "Properties" and navigate to the "Compatibility" tab in the properties dialog box, hook under privilege level Select "Run this program as an administrator". If you want this setting to be valid for all users, you need to click the "Change all user settings" button, then an application properties dialog, under the privilege level of the "All users compatibility" tab, check again. Just run this program as an administrator check box. It's important to note that we can't set up a system application or a process that always runs as an administrator. In some cases, we will find that the "Hidden this program as administrator" checkbox is not optional, usually because the program is a system program or the program is prohibited from escalating permissions. In addition, this check box is not optional if the current user is not an administrator or if the program does not require administrator credentials. Source: Exam large
2, the control application installation and runtime behavior
for the average user or system administrator, in addition to permission to run the application to control the system has been installed Also, control the installation behavior of the application. So, how are these implemented in Windows 7? We can achieve our goals through Windows 7 related group policy items.
(1). Install the control
Windows7 run secpol.msc to open the Local Security Policy console, navigate to the "Security Settings" → "Local Policies" → "Security Options" node, in There are many group policy items visible on the right. There are four main items related to application installation, which are explained below.
User Account Control: Detect application installations and prompt for elevation. This option is enabled by default and determines whether Windows 7 automatically detects the installation of the application and prompts for promotion. By default, the installation of the application is automatically detected and the user is prompted to promote or approve the application to proceed with the installation. If this option is disabled, the user is not able to control the installation of the application.
User Account Control: Only elevate executables signed and verified. This option determines whether Windows 7 only allows running executables with signatures and valid ones. By default, this option is disabled. If this option is enabled, Windows will force the validity of the file public key certificate to be checked before the executable runs.