Vista UAC - should I turn it off?
Well, the short answer is no. The long answer is detailed below.
Firstly, let me try to dispel the ITPro myth that UAC is too heavy handed. I got a new laptop recently, and built it by PXE boot off the corporate network - standard Vista SP1/Office 2007 SP1 build. I didn't change any of the default settings. I then spent an hour installing all the various other apps I use daily. UAC kicked in for each one, in total about 10 times that day. This was no big deal - I knew UAC was acting under best intentions, clicking "OK" only took a second, and if this was a customer rollout those apps would either be in the base build or else they would install silently using SCCM - so the UI prompts were really only symptomatic of my non-normal usage pattern, not something a "real" user would see.
After that - maybe 1 prompt every couple of days for the first 2 weeks, 99% of which were due to various websites trying to install controls (Adobe bits, Quicktime, Java, pieces of custom ActiveX etc) - prior to UAC I would have had no knowledge these sites were trying that install. It actually helped me deny installing some things I never heard of, that I'm sure I can do without. I haven't had a UAC prompt since then, except when I fire up the "computer management" applet, which most normal users don't even know exists (nor should they, in a corporate environment).
So, onto the long answer - why shouldn't you disable UAC? If you are in an enterprise deployment, there is the potential to switch UAC off wholesale based on your own, potentially non-representative, views. Please don't. Here's why:
• IE7 Protected Mode will be disabled. IE7 Protected Mode is one of the most important security benefits in Vista because it runs IE7 in a “sandbox” which prevents malicious scripts, executables, etc. from being installed (without notification) on a system. IE7 on XP does not have this option
• With UAC enabled, Vista systems have a 60% decrease in malware compared to an XP SP2 system (see the latest Microsoft Security Intelligence Report for details - #1 below).
• With UAC enabled, Vista and applications are running under standard user rights (least privilege) - which is a security best practice whether on Windows, Linux or a mainframe - and it results in a more “stable” system with a lower TCO. UAC enables most applications that would normally require admin rights to run as a standard user and UAC enables companies to manage which devices (e.g., printers) users can install as a standard user, as well as ActiveX controls. UAC prompts should only appear for admin apps and app/device installs (there are some LOB exceptions that can be addressed with the AppCompat Toolkit).
• UAC is flexible – While UAC means processes run with Standard User rights, UAC can be configured to allow applications to run with admin rights (e.g., the UAC prompts kick in). These prompts can be turned off (as mentioned above) if you absolutely feel it will affect user productivity negatively. So worst case scenario - keep it enabled, but turn off the prompts.
• Many customers have seen at least one recurring non-optimal scenario with UAC. If UAC is causing a specific issue (e.g., application install), I recommend following the following process as opposed to temporarily disabling UAC (which requires a reboot):
- Click the Windows Key
- Type: Command
- The Command Prompt application will appear in the search results
- Right click this application and select Run as Administrator
- Click Continue at the UAC prompt
- At this point, UAC is disabled in the Command Prompt
- All installs run out of this Command Prompt will run as they would if UAC was disabled on the entire system
- No reboot is required for this process and UAC remains enabled with the system being protected throughout
Of course, using a more sophisticated app install tool such as SCCM negates the above point because it is intelligent enough to know when to elevate for installation.
(1) Microsoft Security Intelligence Report (January – June 2007)
The Microsoft Security Response Team has proportionally cleaned malware from 60.0 percent less Windows Vista-based computers compared to computers running Windows XP SP2. Similarly, the MSRT has proportionally cleaned malware from 91.5 percent less Windows Vista-based computers than from computers running Windows XP without any service pack installed. Users who employ User Account Control (UAC) on Windows Vista will fare even better, given that UAC provides an additional layer of protection against socially engineered malware delivery methods that rely on administrative privileges for installation.
The report is available in two papers –
1. Summary – KeyFindings_MS_Security_Report_Jan-Jun07
2. Full Report – MS_Security_Report_Jan-Jun07
(2) “Tuning” User Account Control Prompts
Microsoft’s recommendation is that User Account Control (UAC) remains enabled. There are several options within Vista that allow customers to “tune” UAC to the level they believe will be accepted by the business. These are described below:
• Browse to Understanding and Configuring User Account Control in Windows Vista – https://technet2.microsoft.com/WindowsVista/en/library/00d04415-2b2f-422c-b70e-b18ff918c2811033.mspx
• Browse down to the Administering UAC with the local Security Policy Editor and Group Policy section, which lists the following options:
- User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode lists the options for UAC prompts
-- No prompt - The elevation occurs automatically and silently (UAC is still enabled). This is completely different from disabling UAC, as per the above detail
-- Prompt for consent (default) – An operation that requires a full administrator access token will prompt the administrator in Admin Approval Mode to select either Continue or Cancel
--Prompt for credentials – An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password.
NB: While the "Prompt for consent" and "Prompt for credentials" options are considered more secure than the "No Prompt" option; the "No Prompt" option is more secure than entirely disabling UAC and some user requirements may drive the need for the "No Prompt" option.