Solved

Advantages and dis-advantages of UAC

Posted on 2016-07-20
27
64 Views
Last Modified: 2016-07-22
Looking for some confirmation. If UAC is disabled the "Run as Administrator" flat out doesn't do anything does it?

Other then being really annoying does UAC bring anything to the party?

lastly... is there a GPO to turn it on and set the level?

I have one network where I turn UAC off just because the users complain that they are always having to answer questions. No one is administrators of their local computers and as a result I am always having to log off and log back on as an administrator just to install or change stuff. What do others do? Leave UAC on so "Run As Administrator" works?
0
Comment
Question by:LockDown32
  • 10
  • 10
  • 6
  • +1
27 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 41721978
UAC is now VERY old (almost a decade). It is silly to turn it off as that invites bad things to happen to your computer. Leave it on.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41721981
No one is administrators of their local computers and as a result I am always having to log off and log back on as an administrator just to install or change stuff.

That is what we do. Even when a client manager insists we try it for a special employee, it ends in grief. No exceptions to that.

We keep it on everywhere and manage client computers as we need to.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41722010
"It is silly to turn it off as that invites bad things to happen to your computer" such as ??????

What about answers to the other questions:

If UAC is disabled the "Run as Administrator" flat out doesn't do anything does it?

lastly... is there a GPO to turn it on and set the level?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41722013
On my machines, if you disable UAC, Run as Administrator will still function for a standard user, but nothing will show as a block for an admin user. That has always been like that for me.

I do not know about the GPO as we always leave it enabled full on for all the machines we set up.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41722019
Guess we are going to have to focus on just on thing at a time. To the question "Other then being really annoying does UAC bring anything to the party?" you responded "It is silly to turn it off as that invites bad things to happen to your computer"

Bad things such as ??????
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41722022
Any time we turn off UAC for a standard user, they hose their computer and it has to be re-imaged. Never fails. Client management now knows better all around and never requests it any more.

With UAC off, visiting a dodgy website and hovering and/or clicking can result / has resulted in a virus.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41722058
UAC is supposed to pop up whenever something attempts to install a program or modify system settings.  In Windows XP and before, this was a fairly big problem because viruses and malware could install themselves without the users knowing.  UAC is supposed to prevent that.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41722231
UAC is the biggest misunderstanding in computer history, if you ask me. I'll line up the facts and leave out the opinions that result from not knowing the facts.

Why was UAC developed?
1 For convenience reasons, many users run as local administrator, a security no-go. With UAC on, those will at least be notified when they or something acting in their name requests to use those administrative privileges and do get a chance to say "no" if that was not their intention. That is its benefit for people who run as local admin (which is still not recommended).
2 For those who are smarter and run as restricted user (but know the credentials of an administrative user),  UAC is no security feature, but a convenience feature. Whenever they would like to install things, they don't need to switch the user but UAC will offer to enter the credentials whenever UAC detects the necessity.
3 For those restricted users that don't have administrative credentials, UAC does exactly nothing, security-wise. It has no effect if it is on or not, all is the same. For those, it only increases application compatibility, because it has a "side feature" that is called file and registry virtualization that redirects write access from protected directories to user-writable directories, preventing app-execution to fail.

That's it. People do all kinds of speculation about UAC but they don't understand these 3 points.

Only one more thing: item 1 is technically flawed on several OS' including win7 and win8.1. If you only design your malware correctly, administrators will not be asked for consent to execute it with the highest possible rights. This does not apply to win10, by the way. See https://social.technet.microsoft.com/Forums/windows/en-US/52b9c450-72f1-4dbc-b431-ed3127fc225b/uac-bypass?forum=w8itprosecurity
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41722258
Almost forgot to answer those remaining 2 questions:
" If UAC is disabled the "Run as Administrator" flat out doesn't do anything does it?" - for a restricted user, it will bring up "access denied". For a local administrator, it has no effect to use it since every process already runs elevated.

"lastly... is there a GPO to turn it on and set the level?" - sure.
https://technet.microsoft.com/en-us/library/dd851609.aspx - "Prompt for consent on the secure desktop" is the highest level, for example.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41722882
I do not understand the "no effect" stuff.

If UAC is ON and the user is Standard, it throws up a box asking for Admin credentials. The user cannot install software. Yes, there was a variant of this over a decade ago with XP but XP is dead.

This normally also prevents installation of viruses because most have to install as admin.

I do not call this NO effect.

For convenience reasons, many users run as local administrator, a security no-go

We do not let this happen. Such users would just routinely OK prompts.

Maybe all this is the reason my clients have very few viruses and in here, lots of members and their colleagues get viruses.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41722895
John, setups trigger UAC, correct. But if the UAC is off, still the user needs administrative credentials to install software to the default locations (that means, to make system wide changes), so even if UAC is off, the installation will not succeed.
If we have portable software, it will be a simple extraction process and that would not trigger UAC so again: no difference or effect with UAC on or off.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41722917
Misunderstood is an understatement. John we aren't talking about how you set up your users or networks. We are simply talking about what happens with UAC ON and OFF. They have done something different with Windows 10. Hence the question. Need to play with it more. Right now I can no longer turn off UAC for a restricted user.... or was I ever able to????
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41722924
UAC does not turn off per-user but system wide. Only admins may change UC settings. What changed with 10: pushing down the lever to the bottom no longer turns it off completely but only using the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA
Set to 0.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 15

Author Comment

by:LockDown32
ID: 41722933
Well.... system wide but by user "class". Admin or Non-admin isn't it? First you can turn it on or off globally then have different settings for admins and non-admins right?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41722942
John we aren't talking about how you set up your users or networks. We are simply talking about what happens with UAC ON and OFF.

Thank you for the clarification. You asked " What do others do?"  That is what I answered.

I leave UAC ON for all users and NO users are administrators.  I see no issues that result from doing this and I spend my time on other user requirements
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41722949
"Well.... system wide but by user "class". Admin or Non-admin isn't it?" - no, valid for all with one exception: the built-in administrator account "administrator" ignores UAC. For that account, UAC is always off. After setting that regkey, a reboot is needed, by the way.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41722954
As a side note when you disable that registry setting restricted users don't get the UAC prompt and the "Run As Administrator" does nothing.

So explain. You can't have different UAC settings for different users? It is either on for everyone or off?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41722956
No, you can't. What is there to explain about it? That is by design.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41722976
Well... this is the exact scenario that started this whole topic. I upgraded a bunch of Windows 7 Pro workstations earlier this week to Windows 10. I have always been under the impression that if you turn off UAC as an administrator that it was turned off for all users (computer wide) and for a lot of these users I turn off UAC. I started getting calls about not being able to do things. When I popped on UAC was enabled for the user. I swear I turned it off as an administrator and couldn't figure out why it got turned back on when the user logged in.

Maybe I wasn't paying attention but I want to start there. Nothing has changed? When I log in as an administrator and turn off UAC by sliding the slide all the way down it turns if off for every user logging in to that computer right?
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41722983
After playing maybe I need to re-phrase. UAC is enabled or disable computer wide (based on that registry setting) but can the Levels of UAC be different for various users?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41723310
No. It's a system-wide setting. Only the built-in accounts local\administrator and the built-in domain admin domain\administrator are exceptions and for those, UAC is off by default, no matter what is set.

If you turn off UAC and it appears to be on again, then either someone with administrative rights has turned it on again or it's a defect.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41723352
So even the UAC Level is system wide? Wow. That what I had always thought. I could turn it to Never Notify and it would be that way no matter who logged on and not matter if they were restricted or not. Hence my state of confusion.

I turn UAC to "Never Notify". I do not log in as administrator but I am administrator level. I added a restricted user to my computer. When I logged in as that restricted user I expected UAC to be at "Never Notify". When I ran UAC it popped up and asked be for admin credentials. I supplied them and UAC was "Always Notify" and I couldn't change it. It said I had to be logged in as administrator to change it.

Then I found out that if I make this restricted user a member of local administrators UAC is "Never Notify". I remove this user from local administrators and it is back to Always Notify. I found this sort of scenario on my customers workstations after upgrading them. It kind of threw everything about UAB that I though I knew out the door.....
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 41723370
Bugs. Win10 is a young OS
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41723453
I guess. Just when you thought it was safe to go back in the water..... wow. It has to be pretty much a global issue. Not only is is happening on my computer here at the office but on all 20 that I just upgraded at my customer's. What a mess!
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41723561
Ok, let's bring this to an end, shall we :-)
That behavior you describe, I have seen it myself, once, and it looked like a bug. But it was not reproducible anywhere else, so it seemed more like a defect, after a while.
But anyway, your question: "I have one network where I turn UAC off just because the users complain that they are always having to answer questions. No one is administrators of their local computers and as a result I am always having to log off and log back on as an administrator just to install or change stuff" - when users are restricted users, UAC will not let them answer questions but ask for credentials. If it "asks questions" like "do you want to proceed", it shows, those users are admins, not restricted users, otherwise these questions would not appear. if you feel this statement is wrong, name one example, one action that we can reproduce to see such a question.

In general, if the administrator has to constantly help people by entering his credentials, then you need to look at the apps that cause this and exchange them for apps that don't require administrative rights, quite simple. That has nothing to do with UAC being on or off or buggy or not.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41724551
It was so long ago I had to go back and check with them. It was UAC. Since upgrading their workstations earlier this week UAC pops up after logon. Some kind of older Access Database they all run. Now I have to add insult to injury. Because of this bug I have to make them local admins just to get UAC turned off. But then again it it weren't for Microsoft I wouldn't have a job :)
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41724574
Look, there are programs that have an application manifest that tells windows to require administrator privileges, while the application would actually run without. That seems to be the case here. The bad fix is to turn off UAC. The good fix, apart from getting rid of such software, is to apply an application fix, a so called shim that tells window "whoever starts this app, use his credentials, don't try to elevate".
Shims are built using the application compatibility toolkit (ACT 5.x) and can be deployed network wide.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now