Windows UAC Protected folders

2

2

By default, C:\Program Files and C:\Windows are UAC protected. How do I make additional folders UAC protected?

linquize

Posted 2012-06-13T07:58:52.863

Reputation: 159

What exactly do you mean by "UAC protected"? What is the behaviour you're trying to replicate? – Harry Johnston – 2012-06-15T02:59:03.417

When you need to make changes inside that folder, such as overwriting a file, creating a folder, deleting a file, etc., a UAC prompt will show up and the user confirms the action – linquize – 2012-06-15T04:39:56.990

This will happen for any folder that doesn't grant write permissions to the user in question or to all users. Remove write access for groups like "Users", "Everyone", or "INTERACTIVE". Secure folders typically only grant write permission to the Administrators group, CREATOR OWNER, and SYSTEM. – Harry Johnston – 2012-06-15T05:36:02.067

Answers

3

Change the folder permissions.

  1. Right-click on the folder
  2. Select Properties
  3. In the Security tab
  4. Click Advanced
  5. Under the Owner tab, click Edit
  6. Select Admin

To keep non-Admin users from accessing the folder:

  1. Go to the same Security tab
  2. Click Edit
  3. Deny Full Control by checking the deny box

WikiWitz

Posted 2012-06-13T07:58:52.863

Reputation: 1 233

How? Which user should enable / disable what permissions? – linquize – 2012-06-13T08:20:17.110

Deny Full Control will deny all access, including read access, and typically will block administrators as well as non-administrators; e.g., if you Deny Full Control to Users, you'll block out everyone, because Users includes Authenticated Users and deny entries take precedence. – Harry Johnston – 2012-06-15T05:35:53.910

@HarryJohnston: Deny Full Control only applies to the user in question. Actually I suggested blocking non-Admin users. He can select them at his own discretion. – WikiWitz – 2012-06-15T05:37:27.543

What, you mean give each user you don't want to have access an individual deny entry? That would work, I suppose, on non-domain-joined machines, provided you remembered to update the permissions every time you added a new user. But blacklists aren't good practice except in special cases. Instead, you should grant access only to the specific users you want to have it, which in this case would be the Administrators group. – Harry Johnston – 2012-06-15T05:42:56.350

Also, deny entries won't work at all in this case, because the user wants to be able to gain access via the UAC approval dialog. Since the elevated token contains all the security primitives contained in the non-elevated token, any deny entry that applies to the non-elevated user will also apply to the elevated user. – Harry Johnston – 2012-06-15T05:47:47.327

At least not as you say, "..typically will block administrators..." We would appreciate it if you will offer a workaround in Windows 7 to do this "Only allow Admins" settings. – WikiWitz – 2012-06-15T05:48:19.993

I tried this on my machine before posting the answer. The Admin will have no problems accessing the file. – WikiWitz – 2012-06-15T05:50:59.663

Let us continue this discussion in chat. – WikiWitz – 2012-06-15T05:53:12.733
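
The permission layout described in Harry Johnston's comments (write access only for Administrators, SYSTEM and CREATOR OWNER, read access for Users, no deny entries), as an added PowerShell example that is not part of the original thread. The folder `C:\ProtectedData` is a placeholder, and the script assumes an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
param([string]$Path = 'C:\ProtectedData')   # hypothetical folder, adjust as needed

# Well-known SIDs, used instead of names so the script is locale-independent.
$Admins = 'S-1-5-32-544'   # BUILTIN\Administrators
$System = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$Owner  = 'S-1-3-0'        # CREATOR OWNER
$Users  = 'S-1-5-32-545'   # BUILTIN\Users
$Broad  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4'   # Everyone, Authenticated Users, INTERACTIVE

# 1. Grant write only to the trusted principals (Users keep read/execute),
#    then stop inheriting ACEs from the parent and drop the broad groups.
#    Granting first avoids a window in which the folder has an empty DACL.
#    No deny entries are used: they would also apply to the elevated token.
icacls $Path /grant:r "*${Admins}:(OI)(CI)F" "*${System}:(OI)(CI)F" `
                      "*${Owner}:(OI)(CI)(IO)F" "*${Users}:(OI)(CI)RX" | Out-Null
icacls $Path /inheritance:r | Out-Null
icacls $Path /remove ($Broad | ForEach-Object { "*$_" }) | Out-Null

# 2. Audit: report every ACE that still lets a non-trusted principal write,
#    and every deny ACE. 0x50000000 adds GENERIC_WRITE and GENERIC_ALL, which
#    can appear as raw bits in an ACE.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
$trusted   = $Admins, $System, $Owner
$sidType   = [System.Security.Principal.SecurityIdentifier]

$findings = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -or
        ($trusted -notcontains $_.IdentityReference.Value -and
         ([int]$_.FileSystemRights -band $writeMask))
    }

if ($findings) {
    Write-Warning "ACEs on $Path that grant write to non-administrators, or deny access:"
    $findings | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
} else {
    Write-Output "$Path is writable only by Administrators, SYSTEM and CREATOR OWNER."
}
```

With this ACL in place, a standard or non-elevated administrator token has no write access to the folder, which is the condition the comments give for the UAC prompt appearing when changes are made there.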