Link to home
Create AccountLog in
Avatar of LockDown32
LockDown32Flag for United States of America

asked on

Advantages and dis-advantages of UAC

Looking for some confirmation. If UAC is disabled the "Run as Administrator" flat out doesn't do anything does it?

Other then being really annoying does UAC bring anything to the party?

lastly... is there a GPO to turn it on and set the level?

I have one network where I turn UAC off just because the users complain that they are always having to answer questions. No one is administrators of their local computers and as a result I am always having to log off and log back on as an administrator just to install or change stuff. What do others do? Leave UAC on so "Run As Administrator" works?
Avatar of John
John
Flag of Canada image

UAC is now VERY old (almost a decade). It is silly to turn it off as that invites bad things to happen to your computer. Leave it on.
No one is administrators of their local computers and as a result I am always having to log off and log back on as an administrator just to install or change stuff.

That is what we do. Even when a client manager insists we try it for a special employee, it ends in grief. No exceptions to that.

We keep it on everywhere and manage client computers as we need to.
Avatar of LockDown32

ASKER

"It is silly to turn it off as that invites bad things to happen to your computer" such as ??????

What about answers to the other questions:

If UAC is disabled the "Run as Administrator" flat out doesn't do anything does it?

lastly... is there a GPO to turn it on and set the level?
On my machines, if you disable UAC, Run as Administrator will still function for a standard user, but nothing will show as a block for an admin user. That has always been like that for me.

I do not know about the GPO as we always leave it enabled full on for all the machines we set up.
Guess we are going to have to focus on just on thing at a time. To the question "Other then being really annoying does UAC bring anything to the party?" you responded "It is silly to turn it off as that invites bad things to happen to your computer"

Bad things such as ??????
Any time we turn off UAC for a standard user, they hose their computer and it has to be re-imaged. Never fails. Client management now knows better all around and never requests it any more.

With UAC off, visiting a dodgy website and hovering and/or clicking can result / has resulted in a virus.
Avatar of Dave Baldwin
UAC is supposed to pop up whenever something attempts to install a program or modify system settings.  In Windows XP and before, this was a fairly big problem because viruses and malware could install themselves without the users knowing.  UAC is supposed to prevent that.
UAC is the biggest misunderstanding in computer history, if you ask me. I'll line up the facts and leave out the opinions that result from not knowing the facts.

Why was UAC developed?
1 For convenience reasons, many users run as local administrator, a security no-go. With UAC on, those will at least be notified when they or something acting in their name requests to use those administrative privileges and do get a chance to say "no" if that was not their intention. That is its benefit for people who run as local admin (which is still not recommended).
2 For those who are smarter and run as restricted user (but know the credentials of an administrative user),  UAC is no security feature, but a convenience feature. Whenever they would like to install things, they don't need to switch the user but UAC will offer to enter the credentials whenever UAC detects the necessity.
3 For those restricted users that don't have administrative credentials, UAC does exactly nothing, security-wise. It has no effect if it is on or not, all is the same. For those, it only increases application compatibility, because it has a "side feature" that is called file and registry virtualization that redirects write access from protected directories to user-writable directories, preventing app-execution to fail.

That's it. People do all kinds of speculation about UAC but they don't understand these 3 points.

Only one more thing: item 1 is technically flawed on several OS' including win7 and win8.1. If you only design your malware correctly, administrators will not be asked for consent to execute it with the highest possible rights. This does not apply to win10, by the way. See https://social.technet.microsoft.com/Forums/windows/en-US/52b9c450-72f1-4dbc-b431-ed3127fc225b/uac-bypass?forum=w8itprosecurity
Almost forgot to answer those remaining 2 questions:
" If UAC is disabled the "Run as Administrator" flat out doesn't do anything does it?" - for a restricted user, it will bring up "access denied". For a local administrator, it has no effect to use it since every process already runs elevated.

"lastly... is there a GPO to turn it on and set the level?" - sure.
https://technet.microsoft.com/en-us/library/dd851609.aspx - "Prompt for consent on the secure desktop" is the highest level, for example.
I do not understand the "no effect" stuff.

If UAC is ON and the user is Standard, it throws up a box asking for Admin credentials. The user cannot install software. Yes, there was a variant of this over a decade ago with XP but XP is dead.

This normally also prevents installation of viruses because most have to install as admin.

I do not call this NO effect.

For convenience reasons, many users run as local administrator, a security no-go

We do not let this happen. Such users would just routinely OK prompts.

Maybe all this is the reason my clients have very few viruses and in here, lots of members and their colleagues get viruses.
John, setups trigger UAC, correct. But if the UAC is off, still the user needs administrative credentials to install software to the default locations (that means, to make system wide changes), so even if UAC is off, the installation will not succeed.
If we have portable software, it will be a simple extraction process and that would not trigger UAC so again: no difference or effect with UAC on or off.
Misunderstood is an understatement. John we aren't talking about how you set up your users or networks. We are simply talking about what happens with UAC ON and OFF. They have done something different with Windows 10. Hence the question. Need to play with it more. Right now I can no longer turn off UAC for a restricted user.... or was I ever able to????
UAC does not turn off per-user but system wide. Only admins may change UC settings. What changed with 10: pushing down the lever to the bottom no longer turns it off completely but only using the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA
Set to 0.
Well.... system wide but by user "class". Admin or Non-admin isn't it? First you can turn it on or off globally then have different settings for admins and non-admins right?
John we aren't talking about how you set up your users or networks. We are simply talking about what happens with UAC ON and OFF.

Thank you for the clarification. You asked " What do others do?"  That is what I answered.

I leave UAC ON for all users and NO users are administrators.  I see no issues that result from doing this and I spend my time on other user requirements
"Well.... system wide but by user "class". Admin or Non-admin isn't it?" - no, valid for all with one exception: the built-in administrator account "administrator" ignores UAC. For that account, UAC is always off. After setting that regkey, a reboot is needed, by the way.
As a side note when you disable that registry setting restricted users don't get the UAC prompt and the "Run As Administrator" does nothing.

So explain. You can't have different UAC settings for different users? It is either on for everyone or off?
No, you can't. What is there to explain about it? That is by design.
Well... this is the exact scenario that started this whole topic. I upgraded a bunch of Windows 7 Pro workstations earlier this week to Windows 10. I have always been under the impression that if you turn off UAC as an administrator that it was turned off for all users (computer wide) and for a lot of these users I turn off UAC. I started getting calls about not being able to do things. When I popped on UAC was enabled for the user. I swear I turned it off as an administrator and couldn't figure out why it got turned back on when the user logged in.

Maybe I wasn't paying attention but I want to start there. Nothing has changed? When I log in as an administrator and turn off UAC by sliding the slide all the way down it turns if off for every user logging in to that computer right?
After playing maybe I need to re-phrase. UAC is enabled or disable computer wide (based on that registry setting) but can the Levels of UAC be different for various users?
No. It's a system-wide setting. Only the built-in accounts local\administrator and the built-in domain admin domain\administrator are exceptions and for those, UAC is off by default, no matter what is set.

If you turn off UAC and it appears to be on again, then either someone with administrative rights has turned it on again or it's a defect.
So even the UAC Level is system wide? Wow. That what I had always thought. I could turn it to Never Notify and it would be that way no matter who logged on and not matter if they were restricted or not. Hence my state of confusion.

I turn UAC to "Never Notify". I do not log in as administrator but I am administrator level. I added a restricted user to my computer. When I logged in as that restricted user I expected UAC to be at "Never Notify". When I ran UAC it popped up and asked be for admin credentials. I supplied them and UAC was "Always Notify" and I couldn't change it. It said I had to be logged in as administrator to change it.

Then I found out that if I make this restricted user a member of local administrators UAC is "Never Notify". I remove this user from local administrators and it is back to Always Notify. I found this sort of scenario on my customers workstations after upgrading them. It kind of threw everything about UAB that I though I knew out the door.....
ASKER CERTIFIED SOLUTION
Avatar of McKnife
McKnife
Flag of Germany image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
I guess. Just when you thought it was safe to go back in the water..... wow. It has to be pretty much a global issue. Not only is is happening on my computer here at the office but on all 20 that I just upgraded at my customer's. What a mess!
Ok, let's bring this to an end, shall we :-)
That behavior you describe, I have seen it myself, once, and it looked like a bug. But it was not reproducible anywhere else, so it seemed more like a defect, after a while.
But anyway, your question: "I have one network where I turn UAC off just because the users complain that they are always having to answer questions. No one is administrators of their local computers and as a result I am always having to log off and log back on as an administrator just to install or change stuff" - when users are restricted users, UAC will not let them answer questions but ask for credentials. If it "asks questions" like "do you want to proceed", it shows, those users are admins, not restricted users, otherwise these questions would not appear. if you feel this statement is wrong, name one example, one action that we can reproduce to see such a question.

In general, if the administrator has to constantly help people by entering his credentials, then you need to look at the apps that cause this and exchange them for apps that don't require administrative rights, quite simple. That has nothing to do with UAC being on or off or buggy or not.
It was so long ago I had to go back and check with them. It was UAC. Since upgrading their workstations earlier this week UAC pops up after logon. Some kind of older Access Database they all run. Now I have to add insult to injury. Because of this bug I have to make them local admins just to get UAC turned off. But then again it it weren't for Microsoft I wouldn't have a job :)
Look, there are programs that have an application manifest that tells windows to require administrator privileges, while the application would actually run without. That seems to be the case here. The bad fix is to turn off UAC. The good fix, apart from getting rid of such software, is to apply an application fix, a so called shim that tells window "whoever starts this app, use his credentials, don't try to elevate".
Shims are built using the application compatibility toolkit (ACT 5.x) and can be deployed network wide.