Friday, April 13, 2012

Remote Assistance, VNC, and UAC Prompts

Many of us as tech professionals are quite busy and reducing time doing unnecessary tasks is necessary so we can still complete the ever growing tasks being asked of us. One of the ways to do this is remove travel whenever it is possible. When someone has a problem and you need to resolve it then often we run down to do it ourselves.

Luckily Microsoft has us covered by including remote assistance and for some the preference or need means VNC. Both of these programs allow us to complete tasks remotely without leaving our desk. Many of us also follow LUA, aka Least-Privileged  User Account, meaning most of our users run as limited users. Because of this when you connect to a computer using the two previous methods you would have to use various "Run As" methods to remotely change some settings or install software.

With Windows XP this wasn't a problem, as long as you knew the various ways run as methods to get into various control panels, software installs, and other tasks that you might be called upon to complete.

With the advance of Windows Vista and 7 came UAC and "secure desktop." These things were great but when you wanted to use Remote Assitance or VNC then anytime something deemed that administrative rights were required you would get a blank screen with a Pause symbol on Remote Assistance and with VNC I believe it turned everything a pink color and in both cases you lost control. The user than would be displayed a prompt to put in credentials.(In Group Policy it may not be set to display credentials so your behavior may be slightly different.

This effectively reduced the functionality these tools brought us quite heavily to the point that trips were sometimes made instead. The reason this was happening is that UAC was set to display only on "Secure Desktop." For a good article on this behavior you can read a Microsoft Article here.

Security settings can be changed on the computer to fix this issue. Remember though you are loosening some the settings so read up on the changes and determine if you are fine taking the associated risk. If you are using Group Policy this makes life a lot easier. If not you can change these locally on the computer by going into "Local Security Settings" and deploy this using various methods.

Under Group Policy\Domain then you will take the following path:
Computer Configuration>Policies>Windows Settings>Security Settings> Local Policies>Security Options

Under Local Security Policy:
Local Policies>Security Options

Remote Assistance
If you are using Remote assistance then you will need to change the following settings to Enabled:
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

This will allow Remote Assistance to disable "secure desktop" for UAC so you can also see the prompts allowing for you to do what is needed. For information on this setting click here.

VNC (Other Viewers such as TeamViewer should fall under this settings)
Now if you installed VNC as a service than the later version may work by just changed the above settings. If they are installed as an application, or if just changing the above setting didn't work then you need to Disable the following setting:
User Account Control: Switch to the secure desktop when prompting for elevation

This will disable "Secure Desktop" for all prompts. I recommend again reading the first link mentioned in this article so you can determine for yourself if you are OK with the potential security risks. For more information about this setting you can also read this article here.

Taking the above step might also require a reboot. After the appropriate setting is changed though you should now be able to use your favorite tool to complete and RunAs remotely.

No comments:

Post a Comment

Keep it Clean.