Change How Windows Prompts for Admin Approval Mode
Windows 7, 8 and 10 user accounts that have administrative privileges operate differently than admin accounts in previous versions of Windows.
Rather than giving administrative accounts complete and unbridled access to everything on the PC, these accounts operate as normal user accounts until an action requiring admin privileges pops up. At this point, the account enters Admin Approval Mode so the user can approve the action.
Much improved over Windows Vista’s handling of admin approval, Windows 7/8/10 strikes a balance between security and usability. Fortunately, Microsoft makes it possible to further customize how Admin Approval Mode operates on a PC.
Depending on where your computer is located and who uses it, you can upgrade or downgrade your PC security by changing how Windows 7/8/10 uses Admin Approval Mode. You can also read my post on how to turn off Admin Approval Mode.
Note: In order to access Local Security Policy on a Windows computer, you have to be running a Pro version or higher. This will not work for Windows Home, Home Premium or Starter editions.
Changing How Admin Approval Mode Works
To make changes to how Admin Approval Mode works on a Windows 7/8/10 PC, begin by logging into the operating system using an account that has administrative privileges. Click on Start – All Programs – (Windows) Administrative Tools – Local Security Policy.
You should now be looking at the Local Security Policy options window.
In the left-hand pane, click on the folder titled Local Policies and then on the folder labeled Security Options. Locate an option in the right-hand pane titled User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode.
Right-click on this option and choose Properties from the menu.
You will notice that you have six options in the drop-down menu in the properties window.
Below is a description of each option for Admin Approval Mode elevation.
Six Admin Approval Mode Options
Each of the six Admin Approval Mode options makes Windows behave differently when an application or function needs administrator approval to run in the operating system.
Note that secure desktop is when the entire screen dims until you accept or deny the request in the UAC prompt. Check out my other post to understand how UAC works.
Elevate Without Prompting
This is the most convenient option, but also the least secure. Whenever an application or function that would normally require approval from an administrator tries to run, it runs automatically as if it had already been given permission.
Unless your PC is in a super secure location isolated from networks, this is not a wise choice.
Prompt for Credentials on the Secure Desktop
This option is more secure than the default setting. Whenever an action pops up requiring approval from an admin, Windows will actually prompt the user for a username and password on the secure desktop.
Prompt for Consent on the Secure Desktop
Rather than prompting for a username and password like the option above, Windows will simply ask the user to approve the action on the secure desktop.
Prompt for Credentials
This option operates similarly to the option above titled Prompt for Credentials on the Secure Desktop, except that the user types in the username and password without the added security of the secure desktop.
Prompt for Consent
Like the option above titled Prompt for Consent on the Secure Desktop, this option simply asks the user to approve the action but does so without the added security of the secure desktop.
Prompt for Consent for non-Windows Binaries
This is the default Admin Approval Mode option. With this option, users are required to consent to an action only if it requires approval and is not a verified Windows action or executable.
Binaries are simply compiled executable code, synonymous with applications or programs. Second only to the Elevate without Prompting option above, this is one of the most liberal Admin Approval Mode options.
Windows strikes a good balance between security and an uninterrupted computing experience, but still allows you to further customize how you consent to actions that require admin approval.
By altering the Admin Approval Mode options, you can create a customized operating system environment allowing you to increase or decrease security depending on your personal need for administrative security.
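The option chosen in the steps above is stored as a registry value, so the current setting can be audited from PowerShell without opening Local Security Policy. This is an added example, not part of the original article: the registry path and value names are the ones Windows uses for these UAC policies, while the function name Get-UacPromptPolicy and the wording of the rating are made up for this example.

```powershell
# Added example: read-only audit of the elevation-prompt option described above.
function Get-UacPromptPolicy {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # ConsentPromptBehaviorAdmin value -> option name shown in Local Security Policy
    $options = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # If the value is absent, Windows falls back to its default, option 5.
    $behavior = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $name     = if ($options.ContainsKey($behavior)) { $options[$behavior] } else { 'Unknown value' }

    # EnableLUA = 0 means Admin Approval Mode is switched off entirely.
    $aamOn = ($null -eq $p.EnableLUA) -or ([int]$p.EnableLUA -ne 0)

    $rating = if (-not $aamOn) {
        'Admin Approval Mode is off, so the prompt option is not in effect'
    } elseif ($behavior -eq 0) {
        'Least secure: elevation happens with no prompt'
    } elseif ($behavior -eq 1) {
        'Stricter than the default: credentials required on the secure desktop'
    } elseif ($behavior -eq 5) {
        'Windows default'
    } else {
        'Non-default prompt option'
    }

    [pscustomobject]@{
        AdminApprovalModeEnabled = $aamOn
        PromptValue              = $behavior
        PromptOption             = $name
        # Set by the separate policy "User Account Control: Switch to the
        # secure desktop when prompting for elevation"; reported as stored.
        PromptOnSecureDesktop    = $p.PromptOnSecureDesktop
        Rating                   = $rating
    }
}

Get-UacPromptPolicy | Format-List
```

Because it only reads the registry, the check also works on Home editions, where the Local Security Policy console is not available.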