disable UAC?

  • 15 April 2013
  • 9 replies

i have a security concern/question that i'd like to check with some sercurity experts on this forum. I have an AD enviornment here and i'm considering disabling UAC via GPO to help resolve some minor issues with users accessing network shares.
I've read on more than one occasion on the internet recommending disabling UAC to solve one problem or another and not necessarily my particular problem.   I'm worried about the security hole that I might open and that i may regret later. So, trying to find that balance here in this enviorment.
any tips/advice on this matter is appreciated.  i can provide further details on the issue i'm trying to clear up if interested.

Best answer by Rakanisheu Retired 17 April 2013, 11:20

View original

9 replies

Userlevel 7
I would only recommend turning UAC off completely for your more experienced users. Have you tried lowering the settings to "Notify only when programs try to make changes to my computer (do not dim desktop)"?
no...i have not tried that...any tips on creating that GPO?  there's probably an article out there i could use for guidance...
Userlevel 7
From a threat point of view the UAC doesnt really do too much. Generally speaking it wont stop an infection from being installed. UAC itself wasnt designed to stop to malware and at the end of the day even if a malware asks for permission to run (which does happen) all the user has to do is hit OK. And as we all know the weakest link in the security on a PC is the user! UAC was dialled down in Windows 7 due to the negative feedback that it got in Vista.
Drive by downloads or Java exploits using something similar to the Blackhole exploit kit wont be effected by the UAC in anyway. I have it enabled on all my test PC`s and my home PC and I dont get really get that many alerts. Generally if I do its due to running legacy software or unusual testing programs.
You can test UAC`s by having a clean VM (with no AV) and throw malware at it and see what it blocks. If it stops 10% I`d be suprised. If you drop the UAC setting down one notch in the settings it will stop the majority of alerts. Assuming you have all your Windows updates and other 3rd party plugins it wont lower your systems security levels. Some may disagree with that statement but from all my testing of malware I have rarerly seen the UAC actually block malware. Good education combined with up to date security is your best bet. If you have any questions please feel free to reply.
i appreciate the direct response Roy.  As stated before, i'm trying to weigh the risk of disabling UAC vs. getting rid of this annoying issue on my network.  I think i might lean towards killing UAC and see if that helps.  Your resopnse does not really surprise me.  Although, I would not have been able to articulate it as well as you.  Thanks!
Userlevel 7
Badge +6
UAC should not be disabled. Even if it's not seen as a great malware prevention method, it enforces proper security controls on your computer and prevents normal programs from screwing stuff up if you're running as a local administrator. Seriously there are programs we run here that will really mess themselves up system-wide when running as admin/with UAC off. Way easier to fix issues when they can't break stuff outside of a user's profile.
Can you describe how UAC is impacting the ability to access network shares? It is extremely strange to me and I would like to give  you some tips if you could describe your issue further.
To be blunt, disabling UAC is not the right way to resolve problems because symptoms of it being an issue are caused by poor configuration and poorly implemented programs. It's often recommended as a solution on forums since debugging the actual cause usually requires you be in front of the machine to figure it out. If you are getting UAC prompts during normal use of a computer this a red flag to something you need to address the root cause of. However, I recognize not everyone/every company has the resources to figure out UAC issues so if you need to disable it to get your job done that's ok. I just wanted to bring this to your attention. 
Note: Getting UAC prompts is also a symptom of a program running in Compatibility Mode, which should never be used unless specifically required. It can cause more problems than it resolves.
Userlevel 5
I agree with explanoit, there should be no need to turn off UAC for your users. If you are having issues with network shares, then you really should be looking at their permissions and not at disabling UAC. All the machines at our office are running with UAC on and we're using non-admin profiles and I've never heard anybody complain about it (except for Adobe and Java updates, but that's a different matter).
Userlevel 7
Just a note that I was talking about UAC from a threat point of view (its the first thing I mention) as I was asked to give my input on it. I have it enabled on my work and home PC btw. I would agree with diagnosing the network share issue first.
Userlevel 7
Badge +6
Oh yeah Rakanisheu, I knew you were coming purely at a threat point of view. Malware is obviously UAC/non-admin aware now and even then most users will click yes anyway. There's a design decision that Microsoft made that lets programs byass UAC with a certain trick anyway, though its been years since I looked into it so I'm not sure if it was resolved in W8.
I wanted to chime in so they were aware, like I was, that you weren't commenting on UAC overall as a feature.
Userlevel 7
Badge +6
Also it's important to note that UAC is not something you should just turn off and turn on at-will.
Depending on a program's design, where it stores files and configuration with UAC off and UAC on can be different. So if you go switching the UAC settings around you can cause issues..