Enhanced Security

This document describes the enhanced security provided by the user configurations in the AME 10 & 11 playbook.

Permissions System

With enhanced security, administrator privileges are revoked from all standard users, and a secondary Administrator account is used instead. This may sound strange, but it makes a lot of sense security-wise.

When you normally run a program as administrator, the following prompt shows up:

[Image: uac.png, the prompt shown when running a program as administrator]

This prompt is not very secure: it is the only thing standing between software and administrative permissions, and it is very commonly exploited by malware.

Being logged in as an administrator is the cause of up to 94% of critical Windows vulnerabilities reported. (Source)

On Linux or Unix systems (such as Ubuntu or macOS), the default user never has so-called root (administrator) permissions for this very reason. There is a hidden user with elevated permissions, which is invoked if such permissions are required, and then needs to be authenticated in order to grant a temporary elevation.

Similarly, with enhanced security, you are instead prompted for a password before running anything as administrator. This means that the critical vulnerabilities mentioned before are all mitigated, making for a much more secure environment.
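
One way to check that the account you are logged in with really has no administrator rights, as described above. This is an added example, not part of the AME playbook; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, run from the standard user's normal (non-elevated) session.

```powershell
# Added example: audit who holds local administrator rights on this machine.
# It only inspects direct members of the group, not nested group membership.
$adminGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Current user, and whether the token of this session is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Direct members of the local Administrators group, looked up by SID so the
# check also works on systems where the group name is localized.
$members = Get-LocalGroupMember -SID $adminGroupSid

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Name          = $m.Name
        Class         = $m.ObjectClass
        Source        = $m.PrincipalSource
        IsCurrentUser = ($m.SID.Value -eq $identity.User.Value)
    }
}
$report | Format-Table -AutoSize

if ($report.IsCurrentUser -contains $true) {
    # The logged-in account is itself an administrator.
    Write-Warning "$($identity.Name) is a direct member of Administrators."
} elseif ($elevated) {
    # Not a direct member, yet the token carries the Administrators role:
    # the session is elevated or membership comes through another group.
    Write-Warning "This session holds an administrator token; re-run from a normal session and review group membership."
} else {
    Write-Output "$($identity.Name) is not an administrator; elevation requires the credentials of a separate account."
}
```

The table should list only the dedicated administrator account(s); any everyday login appearing there still has administrator privileges.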