Five registry keys to improve Windows 7 security

As administrators roll out Windows 7, the following questions and the registry keys behind them may help them get the user experience they want without giving up more security than they intend.

1. How do I turn User Account Control (UAC) on or off? How can I give my admin account full administrator rights on Windows 7? How can I create files and directories in the root of the C: drive?

Each of these issues can be addressed via the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value: EnableLUA
Type: REG_DWORD
Data: [see below]
0 = Disable UAC.
1 = Enable UAC. (default)

Disabling UAC is not recommended because it weakens the security posture of the system: every process an administrator starts then runs with the full administrative token instead of the filtered one, so anything the admin runs (including malware) gets administrator rights without a prompt, and Internet Explorer's Protected Mode, which depends on UAC, is turned off as well. If you accept that risk, disabling UAC gives your admin account full admin capabilities and lets you write files and directories anywhere on the system, including the root of C:. Setting EnableLUA to 0 also makes the other UAC values under the same key (such as ConsentPromptBehaviorAdmin) irrelevant, and the change takes effect only after a reboot. If you are scanning your enterprise and want to ensure all systems are configured to use UAC (as recommended), look for a value of "1." More information about UAC can be found at Microsoft's TechNet site.

2. How can I prevent the computer from rebooting after patches are installed?

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: NoAutoRebootWithLoggedOnUsers
Type: REG_DWORD
Data: [see below]
1 = The system will not be restarted if a user is currently logged on.
0 = The logged on user will be notified that the system will reboot in five minutes. (default)

By default, the computer restarts automatically after Windows Update or Windows Server Update Services installs patches that need a reboot; a user who is logged on at that time gets a five-minute warning. With this value set to "1," the system will not restart automatically while a user is logged on: the user is told that a restart is required and is left to restart the machine. If nobody is logged on, the automatic restart proceeds as usual. Note that some patches are not fully installed, and their fix may not be in effect, until the reboot has occurred. This setting helps avoid unscheduled reboots, but it is still important to reboot shortly after patch installation to ensure system stability and patch effectiveness. You can find more information about Windows updates at this blog.

3. What registry key turns on/off Automatic Update?

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: NoAutoUpdate
Type: REG_DWORD
Data: [see below]
0 = Automatic Updates are enabled. (default)
1 = Automatic Updates will be disabled.

If you're using a third-party patch management application or you like to "let it ride," then disable Automatic Updates. Otherwise, keep this value at "0" so that Microsoft security updates are installed automatically as needed. Keys under HKLM\Software\Policies usually exist only once a policy has been applied, so you may need to create this key and value yourself. Read more about configuring automatic updates.
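Sections 1 and 3 both come down to the same operation: set a REG_DWORD under a policy key that may not exist yet, without accidentally creating it as the wrong type. The following PowerShell is an added example and not part of the original tip; it assumes an elevated session on Windows 7 or later, and the helper name Set-PolicyDword is my own.

```powershell
# Added example (not from the original tip): idempotently set a REG_DWORD policy
# value, creating the key path first if it is missing. Assumes an elevated
# PowerShell session; Set-PolicyDword is a helper name chosen for this example.

function Set-PolicyDword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string] $Path,   # e.g. HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
        [Parameter(Mandatory=$true)] [string] $Name,   # e.g. NoAutoUpdate
        [Parameter(Mandatory=$true)] [int]    $Value   # 0 or 1 for the values in this tip
    )

    # Keys under HKLM\Software\Policies usually do not exist until a policy has
    # been applied, so create the whole path first (New-Item -Force is recursive).
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Read the current data (if any) so the function is a no-op when already compliant.
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $current -and $current -eq $Value) {
        Write-Verbose "$Path\$Name is already $Value"
        return
    }

    # New-ItemProperty -Force overwrites an existing value and lets us pin the
    # type to REG_DWORD explicitly instead of relying on type inference.
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Verbose "$Path\$Name changed from '$current' to $Value"
}

# Section 3: keep Automatic Updates on; section 2: no forced reboot while a user is logged on.
$au = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-PolicyDword -Path $au -Name NoAutoUpdate -Value 0 -Verbose
Set-PolicyDword -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Verbose

# Section 1: make sure UAC stays enabled. A change to EnableLUA only takes effect after a reboot.
Set-PolicyDword -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1 -Verbose
```

Because the function compares before writing, it can be run repeatedly from a logon or configuration script without churning the registry, and the -Verbose output gives an audit trail of what actually changed.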

4. How can I require users to press Ctrl-Alt-Delete to log in?

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: DisableCAD
Type: REG_DWORD
Data: [see below]
0 = Users must press Ctrl-Alt-Delete to log into the system. (Default for domain-joined systems)
1 = Users do not need to press Ctrl-Alt-Delete to log into the system. (Default for nondomain-joined systems)

Unless Auto Admin Logon is enabled (see below), users must always enter a password to log in to the computer. Ctrl-Alt-Delete is Windows' secure attention sequence: the key combination is intercepted by the kernel and delivered only to Winlogon, so a program running in a logged-on user's session cannot draw a fake logon screen and harvest the credentials typed into it. Computers that are part of a domain require this key sequence by default; nondomain-joined machines and home-user systems do not. Instead, users select their usernames from a list displayed onscreen and then enter their passwords. Legal notice text (if configured) is not displayed when DisableCAD is set to "1." To ensure all of your corporate systems -- both those joined to a domain and those not joined to a domain -- require users to press Ctrl-Alt-Delete, make sure this value is set to "0." Microsoft provides more information on automatic login here.

5. How can I ensure that users need to enter a username and password to log into the computer? How can I enable/disable Auto Admin Logon?

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: AutoAdminLogon
Type: REG_SZ
Data: [see below; the data is a string, since the value is REG_SZ]
"0" = Auto Admin Logon is not enabled (default)
"1" = Auto Admin Logon is enabled

If enabled, the following values may be required:

Value: DefaultUserName
Type: REG_SZ
Data: username
Value: DefaultPassword (this value may not be present)
Type: REG_SZ
Data: password
Value: DefaultDomainName
Type: REG_SZ
Data: domainname or computername

The AutoAdminLogon setting makes the system start up and log on as the specified account without an interactive logon. While this is a potentially dangerous setting, it may be required on some systems in an enterprise (kiosks, signage and lab machines are typical). If the DefaultPassword value is present in the registry, the password is stored as a clear-text string. The Winlogon key is readable by every local user by default, and remotely by anyone with administrative rights on the machine, so that string is effectively public to anyone who can log on.

If you need Auto Admin Logon, use the alternate password storage so the password isn't kept under this key in clear text. Run "netplwiz" (or "control userpasswords2") from the command line and clear the "Users must enter a user name and password to use this computer" check box. This stores the password as an LSA secret (named DefaultPassword) instead of as a registry string. Two caveats: the check box is not shown on a domain-joined system, where you either use the full set of registry values above or the Sysinternals Autologon tool, which writes the same LSA secret and does work on domain members; and an LSA secret is still recoverable by anyone who gains local administrator or SYSTEM rights on the machine, so the auto-logon account should be a low-privilege local account, not an administrator and certainly not a domain administrator. Also, when implementing Auto Admin Logon, you can't require Ctrl-Alt-Delete (DisableCAD=0, discussed above). Computer Performance Ltd. has more information online.

When doing a security audit of your network, make sure to identify all instances of Auto Admin Logon, and especially those where the DefaultPassword value exists. I hope this value isn't for your Domain Administrator account.
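To make that audit concrete, the following PowerShell is an added example and not part of the original tip. It reads the security-relevant values from sections 1, 3, 4 and 5 (NoAutoRebootWithLoggedOnUsers is a preference, not a finding, so it is not checked) on one or more machines and returns one object per deviation. It assumes the Remote Registry service is running on remote targets and that the caller is a local administrator there; the host names in $Computers are constructed, and Get-Win7RegistryFindings is a helper name chosen for this example.

```powershell
# Added example (not from the original tip): audit the registry settings above and
# emit one finding per deviation. Assumes Remote Registry is running on remote
# targets and the caller can read HKLM there. $Computers below is a constructed list.

function Get-Win7RegistryFindings {
    [CmdletBinding()]
    param([string[]] $ComputerName = $env:COMPUTERNAME)

    # What "good" looks like according to the tip: key, value name, a test on the
    # data read back ($null means the value is absent), and the expectation to report.
    $checks = @(
        @{ Key='SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableLUA';
           Test={ param($v) $v -eq 1 }; Expect='1 (UAC enabled)' },
        @{ Key='SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name='NoAutoUpdate';
           Test={ param($v) $null -eq $v -or $v -eq 0 }; Expect='0 or absent (Automatic Updates on)' },
        @{ Key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='DisableCAD';
           Test={ param($v) $null -eq $v -or $v -eq 0 }; Expect='0 or absent (Ctrl-Alt-Delete required)' },
        @{ Key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='AutoAdminLogon';
           Test={ param($v) $null -eq $v -or "$v" -ne '1' }; Expect='"0" or absent (no auto logon)' },
        @{ Key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='DefaultPassword';
           Test={ param($v) $null -eq $v }; Expect='absent (no clear-text password)' }
    )

    foreach ($computer in $ComputerName) {
        $isLocal = ($computer -eq $env:COMPUTERNAME)
        try {
            # Local reads go straight to the hive; remote reads use the Remote Registry service.
            $hklm = if ($isLocal) { [Microsoft.Win32.Registry]::LocalMachine }
                    else { [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer) }
        } catch {
            Write-Warning "$computer : cannot open HKLM ($($_.Exception.Message))"
            continue
        }

        foreach ($c in $checks) {
            $sub   = $hklm.OpenSubKey($c.Key)          # $null if the key does not exist
            $value = if ($sub) { $sub.GetValue($c.Name) } else { $null }

            if (-not (& $c.Test $value)) {
                # Never copy the password itself into a report; for auto logon, show
                # which account it is for, since that is what decides the severity.
                $shown = switch ($c.Name) {
                    'DefaultPassword' { '<present>' }
                    'AutoAdminLogon'  { "$value (DefaultUserName=$($sub.GetValue('DefaultUserName')))" }
                    default           { "$value" }
                }
                New-Object PSObject -Property @{
                    Computer = $computer; Key = "HKLM\$($c.Key)"; Name = $c.Name
                    Actual   = $shown;    Expected = $c.Expect
                } | Select-Object Computer, Key, Name, Actual, Expected
            }
            if ($sub) { $sub.Close() }
        }
        if (-not $isLocal) { $hklm.Close() }
    }
}

# Constructed target list for the example; replace with your own inventory.
$Computers = 'WS-0001', 'WS-0002', $env:COMPUTERNAME
Get-Win7RegistryFindings -ComputerName $Computers | Format-Table -AutoSize
```

A machine that is fully compliant produces no output, so the pipeline can be followed by Export-Csv to keep a list of hosts that need attention. Reading AutoAdminLogon as a string ("$v" -ne '1') matters because it is REG_SZ, unlike the other values, and a DWORD comparison would miss it.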

These five registry keys should help you configure your desktops to suit your needs. As always, test all registry changes before rolling them into production.

This was first published in January 2010

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.