Coping with LUA Issues
There are about as many ways to cope with LUA issues and the related Windows inconsistencies as there are users who try to live the mere user lifestyle. Here are a few tips that I've found useful:
- You can audit privilege use by setting local policy to log various security-related events. Then you can use the Windows event logs to figure out what the problem is.
- Use Internet Explorer as an administrative shill. Internet Explorer and Windows Explorer are different applications, but when you run IE and access the drive system or Windows components it takes on the appearance and function of Windows Explorer. This gets around the instance-reuse problem I mentioned earlier in this article. Best of all, you can enter Control Panel in the IE address bar to access the full Control Panel, or display the Folders panel and select it from My Computer as shown in Figure 5. Now you'll have administrative access to all Windows configurations. Just remember that you're running IE under that administrative account's profile context, and close the window when you're done with your administrative tasks.
- To access network resources, the NET USE command allows alternate credentials, similar to how Run As works.
- To set the system date and time or to change the time zone, you can run the datetime.cpl Control Panel applet from an administrative command prompt, perhaps using Run As. You can also grant a specific user the "Change the system time" user right in local security policy. There are other such rights you can grant to overcome limitations. But again, be aware that granting permissions like this is opening potential security holes!
- To allow a user to enable or disable network connections, including wireless connections, you can add the user to the Network User Group. But this group has many privileges beyond managing network connections, so the user will be able to do a lot more than you might intend.
- As an extreme measure, you can edit a resource's access control list (ACL), the object Windows uses to determine whether a particular user has access to the resource. For objects in the filesystem, such as the c:\Program Files directory, you can give a user permission to write to them. The easiest way is to run Windows Explorer as an administrator, navigate to the file or directory, right-click it, and select the Security tab, as shown in Figure 6. (Simple file sharing must be turned off for this approach to work.) A similar dialog box is available from the Windows regedit utility to change the ACLs for registry objects. The Windows command-line utility cacls.exe lets you make the same changes from a command prompt. Just be aware that easing ACL restrictions like this is opening holes that an attacker might be able to use.
- As a last resort, you can always log out and log back in as an administrator. But remember: Once you're done doing something that requires administrative privileges, log back out and back on under your LUA!
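
To illustrate the cacls.exe tip above, here is an added example (not from the original article) that grants one LUA account Change access to a single application folder instead of all of c:\Program Files, confirms the entry, and shows how to revoke it. The folder path and account name are placeholders; run it from an administrative command prompt.

```batch
@echo off
rem Added example: narrow, reversible ACL change with cacls.exe.
rem TARGET and LUAUSER are placeholders; substitute your own values.
rem LUAUSER must not contain spaces in this form.
setlocal
set "TARGET=C:\Program Files\ExampleApp\Data"
set "LUAUSER=%COMPUTERNAME%\alice"

if not exist "%TARGET%" (
    echo Folder not found: %TARGET%
    exit /b 1
)

rem 1. Record the current ACL so the change can be reviewed later.
cacls "%TARGET%" > "%TEMP%\acl-before.txt"

rem 2. Grant Change (C) to the one account.
rem    /E edits the existing ACL. Without /E, cacls replaces the whole
rem    ACL with only the entries given, dropping every existing entry.
rem    /T also applies the change to the folder's contents.
rem    Prefer C over F: Full control also lets the user change permissions.
cacls "%TARGET%" /T /E /G %LUAUSER%:C

rem 3. Confirm the new entry is present on the folder.
cacls "%TARGET%" | find /i "%LUAUSER%" > nul
if errorlevel 1 (
    echo No ACL entry found for %LUAUSER% on %TARGET%
    exit /b 1
)
echo Granted Change to %LUAUSER% on %TARGET%
echo Previous ACL saved to %TEMP%\acl-before.txt

rem 4. To undo the grant later (/R is valid only together with /E):
rem    cacls "%TARGET%" /T /E /R %LUAUSER%
endlocal
```

Granting on the one data folder the application actually writes to keeps the rest of c:\Program Files read-only for the LUA account.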