Is UAC needed if all users run as STANDARD users

We have recently been discussing UAC and its pros and cons.  We run a single domain environment.  All our workstations run with MS firewall turned on, Sophos, MS Updates are current and all users run as standard (non-admin) users.  We are a government entity and are required to run a myriad of different programs.  Most (all) of these programs come from trusted sites but not all of them run well with UAC turned on.  Some of our vendors suggest not having UAC turned on if their software is installed.  Most of this software is mandatory that we run it.  Our desire is to create the safest environment possible while still being practical about running needed software.  My question - If 99% of the time a PC is being run by a user with Standard user permissions and we have MS firewall turned on, Sophos and our MS updates current - How much safer are we going to be by having UAC turned on?  We don't have a problem with logging onto a user's computer as an admin to install software.  We are struggling with the balance between running UAC and running our software without having constant problems.  Your feedback is appreciated!
barrontech Asked:
 
d_york Commented:
The best practice, of course, is to have it on.  But you've got an instance here where the core job of the computer is being negatively impacted by an optional component.  If your environment is well controlled and managed, UAC is not going to be a safety net.  Anything that bypasses Sophos, machine policy, and other security standards you've implemented will skip right by UAC as well.  Really, the question is simply "have we done enough to supersede UAC".  There are numerous tools in a managed environment the home user doesn't really access - like only allowing approved programs to run, preventing the launch of executables from unapproved folder locations, things like that - things that Sophos can bring to the table (as well as Group Policy).  However, turning off UAC on every machine may be just as much work as tweaking a couple applications to launch without UAC intervention:
http://social.technet.microsoft.com/wiki/contents/articles/19900.how-to-make-uac-exception-for-applications-in-windows-vista-windows-7-and-windows-8.aspx
http://www.techrepublic.com/blog/windows-and-office/run-uac-restricted-programs-without-the-uac-prompt/

If your environment is subject to IT audits, and I'd wager it is, you'd probably get dinged for having UAC off unless you can provide extensive proof that you have a 'better replacement'.  There are some replacements for UAC offered from software vendors - perhaps that avenue is worth exploring as you try to balance security with practicality while keeping your career and sanity intact.
0
 
John, Business Consultant (Owner), Commented:
For Standard Users, disabling UAC is a really bad idea. In addition to the inability to install most software that comes with Standard User protection, UAC prevents drive-by installations and helps with preventing malware in users' machines. Do NOT disable UAC. I have NO user machines with UAC disabled.
0
 
John, Business Consultant (Owner), Commented:
UAC is not going to be a safety net.  Anything that bypasses Sophos, .... will skip right by UAC as well.   <--- I have a number of clients and we do NOT use software that skips by UAC. That is just inviting problems.
0
 
jcimarron Commented:
barrontech--
Just a little more information about what UAC accomplishes for the safety of a PC.
http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7

If the government does not understand the possible risk, the above info will help you try to change the policy.
Good luck.
0
 
barrontech (Author) Commented:
Thank you everyone for your responses - I have a few follow up questions.

John - You referred to software that comes with Standard User Protection.  I've never heard of this.  Can you tell me more about this and how I can tell if the software has it?

One question I have is how does software get installed or modified when a user is logged on as a standard user?  This might sound like a dumb question but I thought the whole purpose of standard user was to prevent this?

The default setting for UAC is 'Notify me only when programs try to make changes to my computer' - I'm sure the setting is really up to individual needs but generally is that the most accepted level to have it set at?

Also, thank you for the links to the good articles.
0
 
John, Business Consultant (Owner), Commented:
Any modern software I use works with Standard User - that is what I meant. Sorry if I confused you.

One question I have is how does software get installed or modified when a user is logged on as a standard user?  <-- Most of the time, the installation will kick off UAC and an administrator needs to OK it. With UAC, the install will just fail most of the time.

The default setting for UAC is 'Notify me only when programs try to make changes to my computer'  <-- That is the accepted level.
0
 
d_york Commented:
Legit software does not get installed or modified by a standard user, that is the purpose.  The confusion started when UAC was introduced, Microsoft described it as something that could potentially stop the installation of malware and it can - sort of - for an administrator.  But, of course, only if it bothers to ask...  The notion behind UAC isn't that it is some kind of anti-malware/antivirus component - it is not, it's more of an anti-PUP (Potentially Unwanted Program).  Read the description from Microsoft for Windows 7 and compare it to the description for Windows Vista, it has been more clearly defined with less Microsoft sales spin.

The notion behind UAC is that if you are logged in as administrator, there is an added layer with UAC (kind of an "are you sure?") when you execute a program that could potentially install/reconfigure system settings.  It also allows you, akin to su/sudo in Linux, to elevate your currently logged in non-admin account to administrative level so you don't have to log off a standard account which is safer since "everything else" will still run in a standard user context.  It also provides that extra layer of protection when you are logged in with an administrative account by checking for things like digital signatures and alerting you if it is missing (or spoofed).  You'll note that the description for UAC changed between Vista and Windows 7/8 - the description was changed a long time ago.

That said, UAC is not a safety net for malware/viruses in a controlled environment and its ability to stop malware/viruses that can skip past your normal enterprise security (in your case Sophos, domain policy, the usual stuff) is practically nil.  In my opinion, the notion that you should leave it on and live with it so it will stop malware/viruses is not valid as that is not the intent of UAC.  There are a lot of ways to bypass UAC - it is not a monstrous hurdle of complex technology.

If you have need for UAC, in terms of elevating user privilege ad hoc, or your users are logged in as administrators, then you would leave it on.  If you have no issues at all with UAC, you should just leave it on.  But if you encounter interference with software, you can definitely turn it off.  It is an optional component, useful in some scenarios but also not useful if your mandated software is incompatible with it.  But it may be left in many IT policies as some kind of security best practice, so if you must always run UAC per policy or vendor certification, then you'll have to replace it with something else until policy changes.  There are a lot of reasons users need to be logged in with an administrator account, and UAC helps you here.  Standard user (generic logins) can be UAC prompted for domain software (with local machine admin privs), and UAC would help you here.  But I don't see you mentioning this, I see your security model as domain logins are standard user, and the users cannot elevate by default - only IT or other designated individuals.  In standard user sessions, there are a lot of very valid reasons UAC will interfere with software - especially highly specialized, legacy, high performance, or narrow focus applications that:
1)  Do not tolerate thread pauses
2)  Run command or other processes that are not supported for elevation
3)  Have to run in an isolated memory context for security reasons
4)  Require things like HKLM registry/old school access
5)  Need uninterrupted real time cpu
6)  Need access to "old school" temp and folder structure
The list goes on.
From your post, it sounds like you all are noodling the benefits of UAC from a security context with standard user sessions, and in that context UAC is of little benefit from a security standpoint.  Your need to run mandatory software with UAC incompatibility issues outweighs the security benefit.  However, if your users were required to be logged in as administrator or were able to elevate ad hoc - the tables would probably be turned and you'd look at ways to make the software live with UAC.  Though, with enterprise Sophos, I'd argue you could negate the need for UAC just through the level of control you have with Sophos.
0
 
barrontech (Author) Commented:
d_york,

Thank you for the very good information.  I appreciate it.  You are correct on your assumptions.  Our users ONLY run as standard users except when there is the rare need to run something as an admin.  But these are rare and the user is switched back to a standard user after the process is done.  An example would be if we had to change some Java settings.  Change the user to an admin, update the settings, set them back to a standard user.  It seems to me that UAC is more important to an admin user than a standard user, for the very reason of the "are you sure" process.  In our situation 95% of our workstations have UAC turned on without any problems.  We have no reason to turn it off.  On the other 5% we have UAC turned off.  On these 5% the users are all standard users, have firewall turned on, Sophos, MS updates, etc.  Even with these 5% we are researching to see if we can figure out how to fix the 'bad app' that requires us to turn UAC off.  I guess I'm looking for a 'you're doing the best you can with the software given to you' type of response. ;)

Thanks again, your response was very, very helpful.
0
 
John, Business Consultant (Owner), Commented:
It seems to me that UAC is more important to an admin user than a standard user, <-- UAC is important to ALL users, standard or admin. I have NO computer (my own or clients) where UAC is disabled. It is no big deal to say OK occasionally. In the case of a Standard User, some stuff (Chrome comes to mind (if I am correct) and some other common software) will install for a Standard User and UAC will stop it.

Please let us know of any software you have that needs UAC disabled. I don't have any for myself or clients that does this.
0
 
barrontech (Author) Commented:
John and Dyork, thank you for the good information.  We solved one of our problems.  Some time back we had followed an article regarding UAC best practices.  We had set up a group policy controlling the 10 UAC settings.  One setting, 'Only elevate executables that are signed and validated', was set to 'Enable'.  This is the only setting of the ten that deviated from Microsoft's defaults.  After reviewing the GP we found the setting and switched it to its default of 'Disable'.  One of the programs that we were having problems with was not a signed executable.  (A small program from Casio used for connecting wireless to a projector)  After the change the program works fine.  We still have a couple other programs to test.  We really haven't had many problems with UAC other than a few programs, this has given me the opportunity to learn a bit more about it.
0
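
The Group Policy review described in the post above (ten UAC settings, one of which deviated from the defaults) can be scripted. This is an added example, not part of the thread: it uses the documented registry value names behind the ten "User Account Control:" security options, and the `$sample` hashtable is constructed to mirror the deviation reported in the post.

```powershell
# Added example: compare the ten UAC policy values with Microsoft's defaults.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> default value and Group Policy display name.
# $null default = differs by edition (installer detection: on for home, off for enterprise).
$UacDefaults = [ordered]@{
    FilterAdministratorToken    = @{ Default = 0;     Policy = 'Admin Approval Mode for the Built-in Administrator account' }
    EnableUIADesktopToggle      = @{ Default = 0;     Policy = 'Allow UIAccess applications to prompt without the secure desktop' }
    ConsentPromptBehaviorAdmin  = @{ Default = 5;     Policy = 'Behavior of the elevation prompt for administrators' }
    ConsentPromptBehaviorUser   = @{ Default = 3;     Policy = 'Behavior of the elevation prompt for standard users' }
    EnableInstallerDetection    = @{ Default = $null; Policy = 'Detect application installations and prompt for elevation' }
    ValidateAdminCodeSignatures = @{ Default = 0;     Policy = 'Only elevate executables that are signed and validated' }
    EnableSecureUIAPaths        = @{ Default = 1;     Policy = 'Only elevate UIAccess applications installed in secure locations' }
    EnableLUA                   = @{ Default = 1;     Policy = 'Run all administrators in Admin Approval Mode' }
    PromptOnSecureDesktop       = @{ Default = 1;     Policy = 'Switch to the secure desktop when prompting for elevation' }
    EnableVirtualization        = @{ Default = 1;     Policy = 'Virtualize file and registry write failures' }
}

function Get-UacPolicyDrift {
    # -Current takes a hashtable of values (offline review of an exported GPO);
    # without it, the local machine's registry is read.
    param([hashtable]$Current)
    if (-not $PSBoundParameters.ContainsKey('Current')) {
        $props = Get-ItemProperty -Path $UacKey
        $Current = @{}
        foreach ($name in $UacDefaults.Keys) { $Current[$name] = $props.$name }
    }
    foreach ($name in $UacDefaults.Keys) {
        $default = $UacDefaults[$name].Default
        $value   = $Current[$name]
        $status  = if ($null -eq $value)       { 'NotSet' }
                   elseif ($null -eq $default) { 'EditionDependent' }
                   elseif ($value -eq $default) { 'Default' }
                   else                         { 'Changed' }
        [pscustomobject]@{ Name = $name; Value = $value; Default = $default
                           Status = $status; Policy = $UacDefaults[$name].Policy }
    }
}

# Constructed sample: all defaults except the signed-executables policy set to Enabled.
$sample = @{ FilterAdministratorToken = 0; EnableUIADesktopToggle = 0
             ConsentPromptBehaviorAdmin = 5; ConsentPromptBehaviorUser = 3
             EnableInstallerDetection = 1; ValidateAdminCodeSignatures = 1
             EnableSecureUIAPaths = 1; EnableLUA = 1
             PromptOnSecureDesktop = 1; EnableVirtualization = 1 }
Get-UacPolicyDrift -Current $sample | Where-Object Status -eq 'Changed' |
    Format-Table Name, Value, Default, Policy -AutoSize
```

Calling `Get-UacPolicyDrift` with no arguments on a workstation reports the effective local values, which also shows whether `EnableLUA` has been set to 0 on the machines where UAC was turned off.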
 
barrontech (Author) Commented:
I didn't explain any specific problem but the general use of UAC.  Both people provided good general information.  I appreciate their feedback.
0
Question has a verified solution.
