The Great UAC Debate!

[MrKuro]

i also turn it off; i know the "benefits" ; but it annoys me too much to leave on

[Solid Knight]

I left mine on. It gets annoying but I'd rather have it on.

[techcafe]

UAC is the first thing i disable on every Vista system i setup... UAC is a royal pain in the *SS, and most of my clients absolutely hate UAC, because it constantly nags/annoys the user about the most trivial activities. UAC just gets in the way of getting real work done.

UAC is not a feature, it's a bug, and if microsoft was serious about securing the OS, then they would never have hacked together a crappy/half-assed/stop-gap measure like UAC.

[NEVER85]

UAC is the first thing i disable on every Vista system i setup... UAC is a royal pain in the *SS, and most of my clients absolutely hate UAC, because it constantly nags/annoys the user about the most trivial activities. UAC just gets in the way of getting real work done.

UAC is not a feature, it's a bug, and if microsoft was serious about securing the OS, then they would never have hacked together a crappy/half-assed/stop-gap measure like UAC.

Wow, I seriously pity any client you have, if that's the best you can come up with. Do us a favor and get out of the field before you do any more damage.

[MagicAndre1981]

@techcafe

instead of posting such a bull**** you should learn what UAC and NT security right management is.

*facepalm*

[ryan_the_leach]

Ok, I'm not claiming to be an expert.

But let us say i follow the turn UAC off camp,

What's the worst that could happen considering the arguments for and against, i end up giving malware admin access that wasn't intended as mentioned above.

Now considering I don't turn it off,

I'm annoyed daily when I'm renaming files editing ini files in program files(which i now know i can find in the virtual store thanks topic :D).

considering the two worst scenario outcomes I can tell you I personally would rather be "Protected" and annoyed.

Edit: Wow 26 pages, I think this thread has gotten way too big, and i only read until page 9, and even rorm the first 3 pages just saw people repeating themselves, reckon the facts from this topic just need to be pinned, and then locked,

but its not my place to back seat mod....

Edited June 4, 2009 by ryan_the_leach

[MagicAndre1981]

sorry, UAC never anyones you, it helps you to do operation which require elevated rights. If you're trying to do the same things with a limited account under XP, you'll get an error message ;) That's all.

[Descartes]

UAC in Vista was horrible, but since I moved to Windows 7, i have it turned on default settings - I only see it when a program needs to elevate itself, which hardly ever happens - and it saved my ass a couple of times too, the icon overlay usually gives you a heads up, when an app is not supposed to make use of the administrator privileges. A great thing!

[MagicAndre1981]

no, bad thing, look here:

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

[PureHeart]

I always have UAC turned on, if it improves security why not? Although I don't think I have ever been saved by it though, maybe it will in the future :)

[Growled Member]

I like UAC. I run as a standard user and my Admin account has a password. Despite all of that you never know when something might get through, so UAC is turned on, just in case. It is slightly annoying but not nearly as annoying as many make it out to be.

[Kralik]

As I stated in another thread I need an AV because all the systems at one of my client's office are infected and I have to connect my USB drive there to exchange data, I also bring back viruses/malware from there and for me the combination of Norton AV 2009 and UAC is golden.. no infections so far since I started using these 2.. UAC doesn't let the exe files run without consent and NAV cleans them off. I feel almost nothing can sneak through and infect me system (Y)

[antareus]

Is it better to run as a standard user and elevate as necessary? I'll be reinstalling 7 when the final comes out so I'll switch to doing that if there is a genuine benefit over running as admin at max UAC settings.

[Brandon Live Veteran]

no, bad thing, look here:

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

Sigh... when will that crap die.

It's a non-issue. UAC in Win7 works as intended and should be left at the default setting for most users (the UAC settings dialog explains which option you should use based on your usage habits).

[Xerxes]

I always have it turned on.

EDIT: Scratch that last part, made no sense :p

Edited July 7, 2009 by Xerxes

[Brandon Live Veteran]

Is it better to run as a standard user and elevate as necessary? I'll be reinstalling 7 when the final comes out so I'll switch to doing that if there is a genuine benefit over running as admin at max UAC settings.

The most secure thing you can do is to run as a standard user, and use Fast User Switching to switch to an administrator account for admin tasks.

A step down from that is to use OTS (Over The Shoulder) elevation, where you run as a standard user but run admin tools as an Administrator on the same desktop. To make this safer you'll want to turn on the option that requires a Ctrl+Alt+Del press before elevating, since you'll have to type a password, and you want to make sure the dialog isn't being spoofed. However, this is not a security boundary because non-admin and admin apps are sharing the same desktop.

A step down from that is UAC at the maximum setting. This is much easier to live with because you don't need to enter a password (and don't need the C+A+D press to protect from spoofing) and the apps still run with your user profile and such. Again this is not considered a security boundary because non-admin and admin apps share the same desktop.

-- The above two options are safest at times when there are no admin apps are running --

A small step down from that is the default Win7 configuration where you aren't prompted for changes to Windows settings. This reduces the barrier between non-admin and admin applications, but maintains the same barrier between protected applications (like the IE Protected Mode and Chrome sandboxes) and normal applications.

There's another notch below that where the secure desktop switch is not enabled, opening up the possibility that someone could tamper with the consent dialog.

Below that is disabling UAC entirely. This is a very bad idea because it removes the "low integrity" option used for things like IE's Protected Mode and Chrome's sandbox. That is a very important and useful security feature for mitigating the impact of exploits against the most common attack surfaces.

Across these options you have trade-offs between safety and useability. The default option is meant to provide the best balance for most users.

[MagicAndre1981]

A step down from that is UAC at the maximum setting. This is much easier to live with because you don't need to enter a password (and don't need the C+A+D press to protect from spoofing) and the apps still run with your user profile and such.

that's right and this way it was done in Vista.

Again this is not considered a security boundary because non-admin and admin apps share the same desktop.

Yes it it. The IL levels prevent you from attacking an admin app from a non-admin app.

Across these options you have trade-offs between safety and useability. The default option is meant to provide the best balance for most users.

no, it only opens a security whole which can be used very easy run apps with admin rights without accepting the UAC prompt. If Average Joe got a mail with a link to get a free cool game and the chance to win a few bucks he will download the tool and try to run it. Under Vista UAC prompt was shown and this unsettles him and de doesn't accept it. With Win7 the apps can use the Explorer, DWM or several other MS apps to bypass the UAC prompt and still get admin rights.

And this is WRONG!

[jamesVault]

The IL levels prevent you from attacking an admin app from a non-admin app.

No, this is not the purpose of IL levels (in every Windows NT version any admin app can't be attacked by a non-admin app). The purpose of IL levels is preventing an app1 to attack another app2 which runs with the same privileges of app1 i.e. app1 and app2 are running with the same privileges but different integrity levels.

Edited July 7, 2009 by jamesVault

[+allan MVC]

Just when you think this thread has taken its last breath it rears its ugly head again...... :D :D

[John G.]

I'm hoping future versions will not have an option to disable UAC, any insider info on that possibility?

That should NOT happen. People should have the ability to customize they're computer, I personally don't like **** popping up whenever I click to run programs, it happens everytime firefox starts up, some java **** or something.

[NfoTech]

UAC is a security patch (just like the security center). Until Microsoft cleans up the kernel (or starts from scratch) It will be the same issue(s) over and over.

[bryonhowley]

That should NOT happen. People should have the ability to customize they're computer, I personally don't like **** popping up whenever I click to run programs, it happens everytime firefox starts up, some java **** or something.

It should have happened in Windows 7. Microsoft should have hard coded UAC at default with NO way to change it period. I have never ever had a UAC prompt for Firefox ever if you are getting them you have something on your end.

[John.D]

Only thing with UAC (in Vista and 7 x64). Is it can give you access denied errors, when you update programs (foxit reader is one of them). Thats one reason why I've disabled it

[Growled Member]

UAC is not perfect. Nothing is, especially against a determined hacker. However, every little bit of protect helps.

[John.D]

Nothing worth stealing on these anyway