Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Best Practices for User Account Type and UAC?

18 Jan 2015   #11
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

That's pretty much it
Turning uac off or without thought clicking through the prompts is for lack of a better word giving everything good or bad the same permissions to run,

Most of the windows security patches address specially crafted scripts that effect admin accounts with or without a password or the highest uac settings,
I've personally never used a standard account and I know the risks but leave uac on because I would like to have a prompt to know if something out of the ordinary is launching/ running without me knowing,
Most security experts would say use a standard account for everyday surfing,
Cheers.


My System SpecsSystem Spec
.
18 Jan 2015   #12
AddRAM

Windows 7 Pro x64 Windows 10 Pro x64
 
 

Me, I`ve always turned it off since Vista. I just hate the thing. But then, I know what I`m doing with a pc.

A novice might want to leave it alone until they fully understand what it`s for.
My System SpecsSystem Spec
18 Jan 2015   #13
andrew129260

Windows 10 Pro
 
 

Quote   Quote: Originally Posted by gregrocker View Post
If MS really thought it waa important to run a Standard Account, then it wouldn't issue an Admin account during install to the assumed owner.

I disagree. Especially since what they say here on there own site:

Why use a standard user account instead of an administrator account? - Windows Help

Microsoft just leaves the ball in your court. They made UAC because they realized people always failed to create standard user accounts for each user, so this is one of the many reasons UAC was made to solve that issue. Admin accounts could then run with permissions of a standard account, and would only elevate on a prompt from UAC.

Microsoft even in xp days wanted users to create standard user accounts. But it was a hassle logging off etc. But that was actually the main reason they created switch user for xp. To ease the pain of the process. In vista they then went with UAC to make things even more streamlined.

Vista UAC protection was actually better then windows 7, but then users complained about all the prompts, so Microsoft lessened the security of the system to make things more "convenient". Convenience always has a price with security. If you want the protection closer to what vista had, having uac always notify is your best bet to a more secure approach. The default is a compromise for convenience.

In the end though, UAC is not extremely effective. Most malware can easily disable or bypass it. Most though do not even need to, as the user always clicks yes without reading anyway.

You can never prevent malware as long as the human who doesn't want to learn or read sits at the pc.
My System SpecsSystem Spec
.

18 Jan 2015   #14
iron7

7 64
 
 

If UAC is disabled, aren't standard users still prompted for an admin password for the same types of events that UAC would pop-up when it's set to "always notify"?
My System SpecsSystem Spec
18 Jan 2015   #15
Alejandro85

Windows 7 Ultimate x64
 
 

Quote   Quote: Originally Posted by iron7 View Post
If UAC is disabled, aren't standard users still prompted for an admin password for the same types of events that UAC would pop-up when it's set to "always notify"?
No. Standard users simply get an "access denied" or something like that. Programs that rely on admin permissions either fail or cannot perform all of their functions. You can use "run as another user" manually to switch to a specific user when needed, but Windows will not do on its own.

With UAC enabled you get those notifications, admin users get prompted for yes/no and standards need to supply a user/password. Also poorly written programs get file and registry virtualization for helping compatibility and the secure desktop for entering passwords.
My System SpecsSystem Spec
18 Jan 2015   #16
andrew129260

Windows 10 Pro
 
 

Quote   Quote: Originally Posted by Alejandro85 View Post
Quote   Quote: Originally Posted by iron7 View Post
If UAC is disabled, aren't standard users still prompted for an admin password for the same types of events that UAC would pop-up when it's set to "always notify"?
No. Standard users simply get an "access denied" or something like that. Programs that rely on admin permissions either fail or cannot perform all of their functions. You can use "run as another user" manually to switch to a specific user when needed, but Windows will not do on its own.

With UAC enabled you get those notifications, admin users get prompted for yes/no and standards need to supply a user/password. Also poorly written programs get file and registry virtualization for helping compatibility and the secure desktop for entering passwords.
Great answer.

As alejandro85 stated, turning uac off and running as a standard user would in a sense be like windows xp was running as a standard user. Access denied messages everywhere when attempting anything adminstrative on the pc. This is why UAC is good to have on, it encourages you to use a standard user account.

User account control (UAC) protects the system in many ways.

In windows vista and above, the admin account has the same rights as the standard account. The only time the admin account is elevated to admin is when the uac box appears and you click yes to allow the action, which elevates that process for a short time until the action is complete. When copying or changing any folders in examples below, you must click continue (vista) or yes (windows 7 ^) to allow a rename or delete of a folder, etc.

UAC protects multiple areas, here are some of them:
-registry
-installing/uninstalling programs
-program files folder
-windows folder
-other user accounts folders
-temp folder/app datar

Read up on it here:
User Account Control - Wikipedia, the free encyclopedia

UAC info for IT professionals

Why use a standard user account instead of an administrator account?

When using a standard account and you make a change or install a program that affects the whole system, UAC will prompt you to continue. Make sure the setting or program you are tying to install is listed, then click yes to continue. If you are just browsing the web and the prompt appears with a program you have not heard of, or do not know what it is, it is much safer to click no then yes. No will block the action, and if you were trying to do something, you can always start it again and choose yes.

UAC makes this easy, see here:

What is user account control (UAC)?

I also suggest choosing always notify for UAC for better security:

What are User Account Control settings?

The above link clearly explains the differences between the uac settings.
My System SpecsSystem Spec
18 Jan 2015   #17
iron7

7 64
 
 

Quote   Quote: Originally Posted by Alejandro85 View Post
No. Standard users simply get an "access denied" or something like that. Programs that rely on admin permissions either fail or cannot perform all of their functions. You can use "run as another user" manually to switch to a specific user when needed, but Windows will not do on its own.

With UAC enabled you get those notifications, admin users get prompted for yes/no and standards need to supply a user/password. Also poorly written programs get file and registry virtualization for helping compatibility and the secure desktop for entering passwords.
Well, if the scenario is that the users are novices who rarely modify programs or Windows settings, I think a simple "access denied" is much safer than a defeatable prompt, which are well-known to be commonly bypassed without a thought. For such users, on the rare occasion that changes need to be made to programs or Windows settings, they can switch over to the Admin account.

For the opposite situation, the much more advanced user, I really like the idea of running as admin, turning off the annoying UAC, and having all internet-facing apps run without admin priv. with something like dropmyrights. Doesn't this seem like a fairly secure plan for the advanced user?
My System SpecsSystem Spec
20 Jan 2015   #18
iron7

7 64
 
 

anyone?
My System SpecsSystem Spec
20 Jan 2015   #19
Tookeri

Windows 7 Pro 32
 
 

Turning off UAC or only the UAC prompts? There's a big difference. With UAC still on but you change the prompt option in group policy to "Elevate without prompting" for admins, all apps that doesn't require admin rights will still run as standard user.
Dropmyrights is an old XP thing.

I've thought about it myself but I went for highest privilege shortcuts via Task Scheduler instead. And/or you might want to setup AppLocker, SRP or similar so no unknown executable is allowed to start.
My System SpecsSystem Spec
20 Jan 2015   #20
Tookeri

Windows 7 Pro 32
 
 
Is UAC a security feature?

According to Microsoft: no, not really. The primary goal of UAC was to enable more users to run with standard user rights and to get developers to create/change programs that run as standard user. UAC basically means more standard user friendly. It's the prompt part of UAC that make users think it's all about security. But in reality I'm guessing most home users only set up the required admin account. That's called a Protected Administrator (PA) account and from a security perspective it's not as good as a standard account. Here's an example where UAC fails to protect you. If you want to try it yourself use a normal non-elevated command prompt for your UAC protected admin account:

A non-admin program runs the following command where "eventvwr" should be seen as the malware that wants admin rights:
reg add "HKCU\Software\Microsoft\Command Processor" /v AutoRun /d "eventvwr" /f

Now open an elevated command prompt and look closely at the UAC prompt + click Show Details and verify the executable file and signature. When you allow it, the other program will start with admin rights without a second UAC prompt, Event Viewer("eventvwr") in this case.

HKCU stands for current user compared to HKLM (local machine) that requires elevated rights to modify. If you try this in a standard users account it only affects that "current user", so when you try to run an elevated command prompt from a standard users account you'll be prompted to select an admin account which means it won't run in the same "current user" anymore so this UAC bypass won't work on standard users.
For a PA account the "current user" is the same non-elevated as when elevated and that's why this bypass works and that's why admin accounts are dangerous.

Oh and if you tried the above this will undo it:
reg delete "HKCU\Software\Microsoft\Command Processor" /v AutoRun /f

Personally I still use a PA account but I also have Software Restriction Policy in white list mode which according to some people is considered maybe even better protection than by an anti-virus.
- And keep in mind that malware running without admin rights can still do some damage and steel data for example, but not compromise whatever it wants which basically an admin malware can.
My System SpecsSystem Spec
Reply

 Best Practices for User Account Type and UAC?




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
User Account Type - Change
How to Change a User Account Type in Windows 7 This will show you how to change a already created user account to be either a guest, standard user, or administrator type in Windows 7. Guests - A guest account allows people to have temporary access to your computer. People using the guest...
Tutorials
Change user account type from System Recovery
Hello, thanks for looking, I have a Windows 7 Home Premium 64 laptop with a single user on it. This user recently got changed to a guest account type from admin account type and I can't fix it. I have read all the guides to "enable hidden administrator account" using "net user...
Backup and Restore
Is default email account type deteremined by type of device?
I set up an Outlook account on a new-to-me laptop. I had been unable to download email for several months, since I didn't have a computer. I had been saving the emails I wanted to keep and had planned on downloading them into my new computer. After setting up the account, it appeared the system...
Microsoft Office
Account type: Standard user
hello, I have created a standard user. my requirements: 1. standard user can install programs, which is saved for future uses (i have seen pcs where the programs are deleted/uninstalled as soon as the user log out) 2. standard user CANNOT re-install windows by inserting a windows disc...
General Discussion
Change Account Type button is not enabled even as administrator user
Friends, i have windows 7 x64 in my dell precision notebook. i have administrator user and tommy user. tommy user is in admin group. but not able to execute any program but its account type is standard. then i logged in as administrator and went to UAC there i try to change the account type...
General Discussion
Best Practices for Creating a Secure Guest Account
Best Practices for Creating a Secure Guest Account In some environments, you might need to set...
General Discussion


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 14:44.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App