MCITP 70-640: Protected Admin

Uploaded by itfreetraining on 08.08.2012

In this video I will look at the exam objective protected admin. Protected admin protects
the computer from malware and potentially damaging software.
If you have studied for the Windows 7 exam, you have probably come across user account
control. User account control protects your computer by having two SIDs for each administrator
account. One for the user and one for the administrator.
If you see the term protected admin, this is referring to user account control being
used to protect the administrator’s account. User account control was first added to Windows
in Windows Vista and Windows Server 2008. On any computer system, even one used by a
domain administrator, the privileges that are given to any administrator are only used
for a small amount of the time. The other times these privileges are not required.
To illustrate this, imagine what happens when a setting is changed on the computer. As shown
here, the administrator opens the control panel and then selects “clock, language
and region”. They next select the option date and time.
Notice the button change date and time has a shield icon. This indicates that when this
button is pressed additional rights or privileges are required. In previous versions of Windows,
pressing this button would prompt the user to confirm that this was what they wanted. In
more recent editions like Windows 7 and Windows Server 2008 R2 the number of these prompts
has been reduced. If you install the latest service pack for Windows Vista and Windows
Server 2008 you will find that the number of prompts has been reduced.
If I now press the button change date and time, this will automatically confirm that
I want to use additional rights and privileges in order to change the date and time on this
computer. If I were to change the date and time here, until I press OK the additional
rights and privileges have not been used. In other words, until the change is made to
the date and time, I don’t require any additional access. In computer terms, these additional
rights and privileges were needed for milliseconds; significantly more time was needed to locate
the settings and decide what changes were required.
You can see that even for a person whose job is a full-time network administrator, the
amount of real time these additional administrator rights are required is very small. In most
cases, opening dialogs and windows requires user rights only. This is why there is a need
to protect the admin account. What you want is the admin account to run with user rights
and only use additional rights when required. If the admin account were to run with full
administrator rights all the time, this creates an opportunity for malware and other software
to use the administrator account to do damage. To summarize what I have looked at, User Account
Control uses two SIDs for users with administrator access. The first is a user SID and the second
is an administrator SID. For normal activity, the user SID is used. This prevents malware
and other damaging software from installing itself on the computer.
When administrator action is required, Windows will change to the administrator SID. This
is usually indicated by a shield icon next to the button. This helps protect the computer
from unwanted software using administrator rights.
In Windows 7 and Windows Server 2008 R2 this is in most cases a pretty seamless process.
In the original Windows Vista and Windows Server 2008 a lot of extra confirmation dialogs
were given to the user when switching between the user and administrator SID.
In Windows Server 2008 R2 in most cases when logged in as an administrator you will have
all the rights you need and Windows will handle the switching between the SIDs as required.
If you ever need to ensure that software is run as an administrator, as shown here,
right-click the application, in this case the command prompt, and select the option run as administrator.
This will ensure that the command prompt is launched with administrator access. On a client
operating system like Windows 7 you will need to do this, but on Windows Server 2008 R2,
the command prompt should open by default with administrator rights and you will not
need to do this. Lastly, remember that an administrator account
that is using UAC may be referred to as protected admin.
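
An added example, not part of the original video: a PowerShell check that reports whether the current process is running with user rights or with administrator rights, which is useful when confirming that a prompt or script really was started with run as administrator. The function name Get-ProtectedAdminState is hypothetical; the Administrators group SID and the integrity-level SIDs are the standard well-known Windows values.

```powershell
# Added example: classify the current process under User Account Control.
function Get-ProtectedAdminState {
    # The role check only succeeds when the Administrators group is enabled,
    # that is, when the process is running with administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group held by the process, including Administrators
    # when it is present but not usable. /nh plus our own headers keeps the
    # parsing independent of the display language.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $sids = @($groups | ForEach-Object { $_.SID })

    # Well-known integrity-level SIDs (mandatory labels).
    $levels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $integrity = 'Unknown'
    foreach ($sid in $sids) {
        if ($levels.ContainsKey($sid)) { $integrity = $levels[$sid] }
    }

    # S-1-5-32-544 is BUILTIN\Administrators.
    $isAdminAccount = $sids -contains 'S-1-5-32-544'

    if ($elevated) {
        $state = 'Administrator rights in use (elevated)'
    } elseif ($isAdminAccount) {
        $state = 'Protected admin: running with user rights'
    } else {
        $state = 'Standard user'
    }

    New-Object PSObject -Property @{
        User      = $identity.Name
        Elevated  = $elevated
        Integrity = $integrity
        State     = $state
    }
}

Get-ProtectedAdminState | Format-List User, State, Elevated, Integrity
```

Run it once in a normal PowerShell window and once in one started with run as administrator to compare the two results.
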
That’s it for the exam objective protected admin. In the next video I will look at managed
service accounts in Active Directory. When you run software in your company, you may
for security reasons want to run software as a specific user. This is common for software
like Exchange where you want to isolate Exchange so that it only runs under the one user. The
next video looks at how to manage these service accounts and how you can use them in your
company. As always, thanks for watching.