UAC: How to Leave it Enabled


I know a lot of people who are running Vista and disabling UAC. I'll admit UAC can make for a frustrating install and setup experience, with repeated prompts for every application you install and every MMC console you launch. Turning it off may allow you to get things done faster, but it is not really a good idea for a number of reasons. First, it leaves your machine open to compromise, because any malicious code that runs on your machine will run with full admin privileges, and it turns off IE7 Protected Mode, which is the nice secure sandbox environment that IE7 runs in. So how do you leave it enabled and at the same time maintain your productivity and sanity levels? Watch and learn as I share my little system setup tip! (Note: double click the Silverlight player to go full screen, then press ESC to return)

By the way, leave a comment and let us know if you like this sort of content and the Silverlight player :)

  • Rodney

    EXCELLENT TIP!  I like that, simple and effective!

    Now on the "funny side" (Hey you saw this coming) I could hear all them police cars and fire trucks.

    Did you forget to put out your shoes?

    ... Sorry ....

  • It's always great getting quick tips, especially if there's a video involved.  The Silverlight player is neat, but there's too much stuff going on outside the content.  The falling leaf, Canadian and all is nice but I have a short attention span :)  Also, I'm not quite sure the purpose of the leaf cutout in the top left, with the video showing.  It's smaller and harder to see.  It would be 10x better if it were a zoomed in portion of the video, following the mouse cursor or something.  There's an interesting feature in Camtasia Studio that automatically chooses what to zoom in on, and where.  Or you could even stick a video of you in there, as you're presenting...makes it seem less like a computer is telling us stuff.

    However, you may be the only person I know who could pull off pretending to be a computer while wearing shoes with red flames all over them :)

    Cheers!

  • Thanks for the feedback Steven.  I am trying to figure out why it is not showing up full size as the source video is 1024x768 and clear as can be.  Once I figure that out I'll update the video.

    Rodney Buike

    IT Pro Advisor

  • I found double clicking on the middle of the Silverlight video at least made it full screen which was nice.  

    Couldn't hide the police cars though... :)

  • Rodney, how about dedicating a machine or VM for administrative purposes turning down the UAC and installing all the admin tools, using that for the 'work' and your secured up and protected os for all the web surfen!  or vice versa ;-)

  • Hey Murray, thanks for the comments.  

    Security vs. usability will always be a struggle.  While the perception that UAC is obnoxious and obtrusive is out there most people are leaving it on and the amount of prompts is really low once the system is deployed.  That said I've talked to too many people who are turning it off during system setup and configuration.

    This tip is more about leaving UAC on when you are setting up a machine, which is typically when it is more vulnerable as firewall, AV, and hotfixes haven't been installed and/or configured yet.  

    A dedicated machine for your admin tasks with all the tools required is always something that I recommend and virtualization makes it easier to implement as you don't need the additional hardware.  You might even want to go as far as using undo disks to revert back to a known safe install as long as you merge the undo disks after you apply security hotfixes and such.

    The one question I ask is shouldn't the "work" machine that you are logging on with your domain admin credentials, that has the tools required to manage your environment be more secure than your day to day box?  

    I think everyone would be in agreement with that and in such an instance, leaving UAC on as part of the defence in depth approach would still be a good idea and hopefully this tip helps realize that.

    Rodney Buike

    IT Pro Advisor

  • The other thing with what Rodney has suggested is you could (following this method) launch a batch file with everything you need in one shot.

    Correct?

    Or even easier, if I understand the restrictions, a single custom MMC module with all your management needs in one spot.

    Would that follow the UAC rules?  Launching one app as admin, one click done?

    I could make a silly comment but I'm actually working right now... Sorry.

  • I was disappointed that I had to download yet another player to get this tip. I'm running Windows XP in a VM, with no sound so after watching the video with illegible text and no commentary, I still have no idea what you did. Now I have to go over to my Vista laptop, install the player, and run the video again. It would have been a lot easier if you skipped the flashy stuff and just wrote out the steps.

  • Hi Don,

    Thanks for your feedback.  Silverlight is not a player but a cross platform, cross browser plugin similar to Flash.  Also if you double click on the video it will open up full screen.

    If you want to know more about Silverlight and the streaming service (it is free and you can create videos and share them this way on your blog) check out the post on the CanUX blog by my team mate Qixing Zheng!

    http://blogs.msdn.com/canux/archive/2007/12/11/mini-tutorial-publishing-video-experience-to-silverlight-streaming.aspx

    Rodney Buike

    IT Pro Advisor

  • Just because of you, our discussion and because you asked (suggested strongly), when I set up my new laptop, I left UAC on for 14 days before changing it. So after 14 days I have not turned it off yet or changed it! but like the VMRC+ and firewall issue http://smsug.ca/blogs/garth_jones/archive/2007/11/01/737.aspx, I have to find a way to prevent it from popping up every time I launch the ConfigMgr Console from my desktop! Someday when I have time I will figure out how to do that, without turning off UAC!!!

  • I do a lot of presenting on various security topics, and have done in-depth research and presentations on Vista security.  By Microsoft's own admission (see Mark Russinovich 2/12/2007 blog entry), UAC is *not* a security feature.  So I'll avoid the temptation to be verbose.

    It is certainly important to know when Administrative privilege is being used, and that's really why it's important to leave on.  The flip side, is that it truly is obnoxious if you're a power user.  Rodney makes an excellent point in his talk here.  The machine you use for administration should be the most secure machine... so definitely don't turn it off there.  Another person commenting here suggested a VM, it's a great idea also.  Turn on undo disks, surf anywhere, download as much malware as you want, and then discard undo disks at reboot.

    Summary: For a machine used to do administration, or line of business applications that should be tested and Vista compliant, then UAC should stay on.  For your home machine you don't care about, perhaps turn it off, and for surfing those naughty naughty sites - use a VM!

    /bb

  • Wow, a lot of great comments and suggestions.  I did want to clarify something Brian said (only because I know him and can't do this often as he usually knows more than I do :) )

    Mark Russinovich did not say that UAC is not a security feature, and Microsoft's stance is that it is, rather that it is not a security boundary.  You can read the blog post on that here http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx  and read Mark's in-depth look at UAC here http://www.microsoft.com/technet/technetmag/issues/2007/06/UAC/default.aspx

    Jim Allchin wrote an excellent post on Security vs. Convenience and some of the choices made by the Windows team.  It is an excellent read as well http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx

    I am hoping with some understanding of what UAC is, how it works and how it can, combined with other security tools and features, contribute to a more secure computing environment.

    Rodney Buike

    IT Pro Advisor

  • As an exercise in "Security vs Convenience" UAC is a total failure IMO. All it does is train the user to continuously click Allow to clear the prompt over and over again until it becomes habit. So the one time they SHOULDN'T click it they will as part of a routine action thus allowing who knows what to run amok. I have seen it where I work a 1000 times already since Vista came in. Users click that prompt instantly and don't even read it anymore.

    On a personal level what really bothers me about UAC is if you wish to turn it off you will get a constant tray nag that UAC is turned off. If you wish to turn THAT off you have to turn off ALL security alerts (Firewall not active, AntiVirus not up to date, Windows updates need installing, etc.)!!

    In XP you can choose which security alerts you want, Vista forces you to take an all or nothing approach. How did this feature get removed?! "We really think you should use UAC and to encourage that, we're going to take away ALL security alerts if you don't like it, disable it and don't want to see the tray nag". Is MS going to punish me for staying up too late by shutting down my PC too?! ;) Cuz you know, after 4am I'm more likely to get careless...

    Since the awful "UAC is disabled" alert is included in that all or nothing package of Security Alerts it means not only do you lose what little protection UAC offered (IE7 protected mode primarily since routine clicking Ok negates the rest) but you lose a whole bunch of USEFUL security alerts to boot. Or you have the tray nag always there masking if you have a REAL security alert. Leave it on and you have the constant UAC prompts. Ugh, that Mac vs PC commercial finally got it right with the "Allow or Deny" bit. :)

    I should clarify I'm talking about how Vista runs without resorting to registry hacks or using command prompt to run all your modules. I was HOPING I was just mistaken and there was a way to disable ONLY UAC while keeping protected mode and without getting the tray nag. Which is why I came here looking for a good tip. Alas I don't feel command prompt is the answer. Windows is not Linux and its success is in part based on ease of use, point and click GUI. There HAS to be a better way...

    MS needs to own up on this one, UAC is a bad implementation of a good idea in theory and just fix it already! Have the average Joe User click "allow" 100 times and tell me if they catch the Virus on #101...

    Sorry for the rant!

    Anthony

  • Hi Anthony,

    Thanks for your comments, it is OK to rant :)  I am going to have to ask a few questions as to why users are being prompted.

    UAC really allows you to manage desktops easier.  It allows you to deploy workstations into the environment and have users log in as standard users as opposed to giving them administrator level controls like you had to in 2000 and XP.

    There are options available in Group Policy (or Local Policy) that allow you to control the behaviour of the prompt such as completely disabling the prompt for Standard Users thus automatically denying the elevation.  This prevents them from making changes to the system that could harm it, while allowing an administrator to still make those changes via Fast User Switching, Remote Desktop, or what ever other management and configuration tool you use.

    This would prevent users from seeing any prompt and when they call asking why they can't install uTorrent and change the firewall settings to allow who knows what from connecting to who knows where, you have the perfect opportunity to ask why and pass on some end user awareness.

    On the recent My TechNet Security Tour we looked at some of these options and you can check that out here -->  http://technet.microsoft.com/en-ca/events/bb880962.aspx  Check the video from Session 1.

    In regards to the Apple commercial they have had a form of UAC in place for years, it's called sudo (from their Unix heritage) and it's a command line option.  I've seen UAC like prompts in a number of Linux distros now too as they add the GUI based functionality.

    Understanding UAC is the big challenge as it is very different from how we used and managed desktops before.  There are some great resources I thought I'd share to help.

    The GPO settings I described are explained here http://www.hackreport.net/2007/08/07/managing-vistas-user-account-control-uac

    And then there is the UAC Step By Step guide as well which goes in depth  http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx

    I hope that helps!

    Rodney Buike

    IT Pro Advisor

    P.S.  You can always send feedback to the UAC team via their blog at http://blogs.msdn.com/uac
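
Added example (not part of the original post or of any comment): a PowerShell check of the local registry values behind the UAC Group Policy options described in the reply above, including the automatic denial of elevation for standard users. The value names and meanings are Microsoft's documented UAC policy settings; the function name `Test-UacPolicy` and the `$sample` object are constructed for illustration.

```powershell
# Added example: report on the UAC policy values stored under the
# Policies\System key. $sample is constructed data, not output from a real host.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    param($Policy)   # object exposing the registry values as properties

    # EnableLUA = 0 switches UAC off entirely, which also turns off
    # IE Protected Mode as the post points out.
    if ($Policy.EnableLUA -eq 0) {
        'FAIL  EnableLUA=0: UAC is disabled'
    } else { 'OK    UAC is enabled' }

    # ConsentPromptBehaviorAdmin = 0 means administrators elevate silently.
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        'FAIL  ConsentPromptBehaviorAdmin=0: admins elevate without a prompt'
    } else { 'OK    administrators are prompted before elevation' }

    # ConsentPromptBehaviorUser = 0 automatically denies elevation requests
    # from standard users, so they never see a prompt.
    if ($Policy.ConsentPromptBehaviorUser -eq 0) {
        'INFO  standard users: elevation requests are denied automatically'
    } else { 'INFO  standard users: prompted for administrator credentials' }

    # PromptOnSecureDesktop = 0 shows the prompt on the interactive desktop.
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        'WARN  PromptOnSecureDesktop=0: prompt is not on the secure desktop'
    } else { 'OK    prompt is shown on the secure desktop' }
}

# Constructed sample: a machine where UAC was turned off during setup.
$sample = [pscustomobject]@{
    EnableLUA                  = 0
    ConsentPromptBehaviorAdmin = 0
    ConsentPromptBehaviorUser  = 1
    PromptOnSecureDesktop      = 0
}
Test-UacPolicy -Policy $sample

# On a Windows host, check the live settings as well.
if (Test-Path $key) { Test-UacPolicy -Policy (Get-ItemProperty -Path $key) }
```

A value that is absent from the key is reported as the default behaviour, since the checks only flag a setting that has been explicitly weakened.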

  • Interesting video Rodney, thanks for that.  You should have used PowerShell instead of cmd.exe though -- cmd.exe is so passé!  Or you could have created a PowerGUI PowerPack with all of the admin functionality you want to use and then just run that as admin. :)

    Kirk out.