Is it bad to turn off User Account Control?


  1. Posts : 1,403
    Win 7 Ultimate 32bit
       #71

    Running everything in standard user with UAC off is faster because all of those so-called "security" layers aren't operational, and they are not needed because the token which is currently used is a standard user. Why waste processor cycles on useless processes? There is lots and lots of malware that uses social engineering and can "bypass" UAC just like that, so why waste processing time if with or without UAC you can catch bad things? MIC, UIPI and so on are there so that if so-called malware wants to install itself silently UAC will catch it, but come on, it has been 3+ years since UAC was first introduced; are those malware/virus developers really that stupid?
    And here is that answer....
    a) When using standard account:

    • loss of protective benefits of mandatory integrity control using integrity levels, including User Interface Privilege Isolation and Protected Mode of Internet Explorer
    • worse application compatibility due to disabling of file and registry virtualization
    • loss of UAC prompt when a program isn't working due to lack of admin rights, which lets the user know why the program failed; some programs will give an informative error message at such a failure, but some won't
    • loss of ability to elevate programs through UAC
    • switching to admin account to do admin activities is more dangerous (see below)

    If you were to work on a Help Desk, you would know that the more information you can get the better when troubleshooting. You can't always get it directly from the user. Sorry, but they have no clue what they are asking or talking about; they have no idea what they are even telling you when they are trying to tell you what is wrong. The more information the better. Even in a home user environment.

    IE, don't use it, it's bad for anything - unless your company is depending its life on it (which is VERY BAD), still don't use it (argue with your boss to move to another, safer browser)... No matter what version, as long as it's IE, stay away from it (unless MS can prove otherwise in a wide open public test with several hundred thousand testers and tested for at least a year straight). With LUA or not, stay away from IE, period.
    Uhhh, prove it with IE8. Yes, there might be safer browsers... it's called Security through Obscurity.
    But try convincing any company that has invested a ton of money in a model that does work to change to one that isn't so sure. Sorry, FF works well for what it does, but put it under certain business models and it chokes.



    Privilege elevation is still somewhat doable through the "Run as..." context menu; too bad this method doesn't behave as transparently as sudo in *nix.
    blah blah blah nix blah blah blah

    Once you understand the difference between Admin and Standard user, when you need to do system administration, you log in to the admin account, do whatever you need (update apps, install new apps [installers have been scanned with AV], update drivers, etc), then log off and use the standard user for everything else. You don't use admin to browse the net, especially with IE while in the admin account; that's suicidal.
    Answered above already.

    You can get malware/virus. With UAC enabled or not, you can still get it; with admin + UAC, your virus/malware will infect your whole system in an instant (there are many thread posts that prove just that). With LUA, the one that's infected is the limited user's files/account; it won't spread to Windows's core. Log in to another user (preferably admin) and clean it up.
    No one is arguing that.


    The basic idea of UAC is to let regular Windows users (those who use an admin account all the time) practice safe computing without learning anything, that's all there is to it. UAC strips you of your admin privileges, saving you in the process. But for those who understand the basics of how a multi-user environment works, using UAC + LUA is moot; it checks and does everything to strip you of something you don't have... It's pointless.
    Again, answered above.


  2. Posts : 17
    Windows 7 x64
       #72

    zzz2496 said:

    1. Running everything in standard user with UAC off is faster because all of those so-called "security" layers aren't operational, and they are not needed because the token which is currently used is a standard user. Why waste processor cycles on useless processes? There is lots and lots of malware that uses social engineering and can "bypass" UAC just like that, so why waste processing time if with or without UAC you can catch bad things? MIC, UIPI and so on are there so that if so-called malware wants to install itself silently UAC will catch it, but come on, it has been 3+ years since UAC was first introduced; are those malware/virus developers really that stupid?
    2. IE, don't use it, it's bad for anything - unless your company is depending its life on it (which is VERY BAD), still don't use it (argue with your boss to move to another, safer browser)... No matter what version, as long as it's IE, stay away from it (unless MS can prove otherwise in a wide open public test with several hundred thousand testers and tested for at least a year straight). With LUA or not, stay away from IE, period.
    3. Application compatibility has nothing to do with UAC; if a program can't access HKEY_LOCAL_MACHINE, with UAC it won't be able to access it, and without UAC it still won't be able to access it (with LUA). In both cases the app will crash. Better for it to crash than to run intermittently. Maybe UAC will tell you something, but how many users will read the darn message? The fact is the app crashed... Should the registry virtualization let you run an app, most of the time that app will crash anyway, unless you run it in XP mode (saves time, blood, tears, and frustration).
    4. Privilege elevation is still somewhat doable through the "Run as..." context menu; too bad this method doesn't behave as transparently as sudo in *nix.
    5. Once you understand the difference between Admin and Standard user, when you need to do system administration, you log in to the admin account, do whatever you need (update apps, install new apps [installers have been scanned with AV], update drivers, etc), then log off and use the standard user for everything else. You don't use admin to browse the net, especially with IE while in the admin account; that's suicidal.
    6. You can get malware/virus. With UAC enabled or not, you can still get it; with admin + UAC, your virus/malware will infect your whole system in an instant (there are many thread posts that prove just that). With LUA, the one that's infected is the limited user's files/account; it won't spread to Windows's core. Log in to another user (preferably admin) and clean it up.

    The basic idea of UAC is to let regular Windows users (those who use an admin account all the time) practice safe computing without learning anything, that's all there is to it. UAC strips you of your admin privileges, saving you in the process. But for those who understand the basics of how a multi-user environment works, using UAC + LUA is moot; it checks and does everything to strip you of something you don't have... It's pointless...

    zzz2496
    Nice post also, zzz2496.

    Some thoughts about your points:
    1. If you're using a standard account and not actually elevating anything, then I believe that any time differences are for most intents and purposes inconsequential, at least on a fairly modern machine. There is a few seconds' delay on my fairly new machine when elevating from an admin account - that's a fair point. I don't notice any delay when launching elevated apps in a standard account using the elevated program launcher method.
    2. I do run Firefox as a low integrity process. For those that use IE however, I wouldn't be surprised that Protected Mode IE is the part of UAC that is preventing the most damage to users.
    3. I disagree. Let's use a concrete example to illustrate. Yahoo Messenger running as a standard user writes information to its Program Files folder. Without file virtualization of UAC (or manual altering of file permissions), Yahoo Messenger would fail - correct me if I'm wrong. With UAC turned on, UAC redirects the file writes to the VirtualStore folder, and Yahoo Messenger works without any problems.
    4. I agree. But without UIPI that UAC provides, there is less protection of elevated apps from non-elevated apps running in the same desktop.
    5. That's what I do typically also.
    6. I agree that UAC in an admin account is not as good, because malware running non-elevated has access to the same account where elevated processes run. I don't have any data to demonstrate what percent of malware is taking advantage of these deficiencies of UAC in an admin account.


  3. Posts : 1,325
    Windows7 Ultimate 64bit
       #73

    Tepid,

    I'm sorry, I don't work in help desk, I act as one of the core domain admins. I don't really care if a client complains about his/her computer; I ask them what they did, they describe something, then I point them to the "rule book", then they nod without asking me anything anymore, and all is well... My office runs on my internal web portal; the primary apps in use are: FF/GC/Safari, vanilla Windows installation (or Linux live CD image) + basic drivers + FF (or GC on most Windows computers, Safari on Macs). Servers run Linux under VMM; when infected with ANY malware/virus, I run CloneZilla, restore the disk image off one of my storage silos, and it's business as usual in less than 10 minutes. I'm planning on moving the clients to iSCSI boot, write-protected disk images, boot over LAN, no headache guaranteed.

    As for IE, my own internal portal that conforms to W3C standards, tested with FF/Safari/GC/Opera, runs fine on those three, but will almost always render incorrectly with IE, with anything from a small glitch (IE has its own DOM format, doesn't conform to industry standards) to complete disaster. I don't want to remember it - made me debug my library until 3 AM... Oh yeah, I've left the ActiveX ways, much better these days with Async JS + JSON than ActiveX (reminded me of another nightmare a few years back), so no IE dependency at all.

    MrBrian,

    I'm sorry, I don't use Yahoo Messenger... I use either Pidgin or Digsby. Pidgin is running in "portable" mode so it won't complain about anything... Everything in my place is running close to a static image, except my development box which I use the way I want to. As I said earlier, if the user (me) bumps into a program that doesn't work with Win7, the user (me) will learn to not use the program and will look for alternatives that will work. Not to mention I have my own XMPP chat server in my internal network, so Yahoo Messenger isn't really important...

    zzz2496


  4. Posts : 1,403
    Win 7 Ultimate 32bit
       #74

    Ahhhh,,, that explains it.

    I don't give advice on how I use my system, (exactly), I give advice on how a system is supposed to be used and works. For instance, I do run as full admin with no UAC, but, that is because I know how to fix it if it breaks, clean it if it gets infected, needs a re-image when needed. Takes me a very short amount of time.

    but telling others (general public and those who really don't know how to do these things) information on how and what I do, according to how I use my system, could set them up for disaster. Could leave them vulnerable and not know how to fix it and coming back here to try and figure out what happened.

    So, playing the side of caution, Standard User with UAC is the best answer for the average individual that comes in here or anywhere, asking. You can't teach those who lurk over a forum. And those that post or ask don't always fully understand what is being told to them.

    I am a Help Desk and Desktop Support tech. Trust me when I say, "people don't really want to know what is broken or how it broke when you start explaining and you either hear (literally) or see their eyes glaze over with "huh?" and you try to break it down and they say, "but it's fixed right?"

    Same goes in any forum, if they really want to know, I or someone will break it down, but when the question is as simple as the one asked here, the answer should be as simple also. "Don't do what I do, cause I actually do know more than you and can rectify problems easier than you can, so my answer is the simplest answer, run the system the way it is meant to be run, you will be better off." otherwise, you could set someone up for failure.

    Granted, I may forget this rule from time to time, I try not to. And in my real life, if I do forget, it almost always comes back to bite me. The main 2 rules are.....

    Rule 1: simplicity (or even fudging the truth) is worth more than trying to fully explain. (i.e. it was an ID10T error, or the admins screwed the pooch and that wiped out your settings) kidding of course, but not by much.

    Rule 2: Get in, fix it and get out, don't try to do more unless they ask (I'm guilty, I still break this one on occasion), it confuses most clients, or forums readers.

    If I do break Rule 2, I try to explain to the best of my ability and provide extra info that anyone can go look at when possible if they want to.

    But, I digress as I think this thread is starting to beat a dead horse.


  5. Posts : 872
    Windows 7 Home Premium x64
       #75

    Tepid said:
    Ahhhh,,, that explains it.

    I don't give advice on how I use my system, (exactly), I give advice on how a system is supposed to be used and works. For instance, I do run as full admin with no UAC, but, that is because I know how to fix it if it breaks, clean it if it gets infected, needs a re-image when needed. Takes me a very short amount of time.

    but telling others (general public and those who really don't know how to do these things) information on how and what I do, according to how I use my system, could set them up for disaster. Could leave them vulnerable and not know how to fix it and coming back here to try and figure out what happened.

    So, playing the side of caution, Standard User with UAC is the best answer for the average individual that comes in here or anywhere, asking. You can't teach those who lurk over a forum. And those that post or ask don't always fully understand what is being told to them.

    I am a Help Desk and Desktop Support tech. Trust me when I say, "people don't really want to know what is broken or how it broke when you start explaining and you either hear (literally) or see their eyes glaze over with "huh?" and you try to break it down and they say, "but it's fixed right?"

    Same goes in any forum, if they really want to know, I or someone will break it down, but when the question is as simple as the one asked here, the answer should be as simple also. "Don't do what I do, cause I actually do know more than you and can rectify problems easier than you can, so my answer is the simplest answer, run the system the way it is meant to be run, you will be better off." otherwise, you could set someone up for failure.

    Granted, I may forget this rule from time to time, I try not to. And in my real life, if I do forget, it almost always comes back to bite me. The main 2 rules are.....

    Rule 1: simplicity (or even fudging the truth) is worth more than trying to fully explain. (i.e. it was an ID10T error, or the admins screwed the pooch and that wiped out your settings) kidding of course, but not by much.

    Rule 2: Get in, fix it and get out, don't try to do more unless they ask (I'm guilty, I still break this one on occasion), it confuses most clients, or forums readers.

    If I do break Rule 2, I try to explain to the best of my ability and provide extra info that anyone can go look at when possible if they want to.

    But, I digress as I think this thread is starting to beat a dead horse.
    I think the thread "started" to beat a dead horse a long time ago...

    BTW, it's impressive that you have the patience to help out on here in addition to help desk work. Most people don't have it in them to spend their free time doing the same thing they do during work hours ... I know I certainly don't!

    Kudos!


  6. Posts : 369
    Windows 7 Ultimate x64 with SP1
       #76

    A long time ago I had problems downloading updates via Windows Update. I couldn't figure out what was going on.
    Someone suggested on the forums here to turn off UAC and sure enough that did the trick. I turned it back on when the updates were complete but now I know what to do in the case where they won't install.


  7. Posts : 34
    Vista Premium
       #77

    codyw said:
    A long time ago I had problems downloading updates via Windows Update. I couldn't figure out what was going on.
    Someone suggested on the forums here to turn off UAC and sure enough that did the trick. I turned it back on when the updates were complete but now I know what to do in the case where they won't install.
    I would suggest you use a User Account for your day-2-day use and log on to an Admin account whenever you need to install something (once in a blue moon when you're set up) - UAC is a PITA and a totally unnecessary piece of baggage - XP didn't need it, Vista doesn't and neither does Win 7



  8. Posts : 1,325
    Windows7 Ultimate 64bit
       #78

    Tepid said:
    Ahhhh,,, that explains it.

    I don't give advice on how I use my system, (exactly), I give advice on how a system is supposed to be used and works. For instance, I do run as full admin with no UAC, but, that is because I know how to fix it if it breaks, clean it if it gets infected, needs a re-image when needed. Takes me a very short amount of time.

    but telling others (general public and those who really don't know how to do these things) information on how and what I do, according to how I use my system, could set them up for disaster. Could leave them vulnerable and not know how to fix it and coming back here to try and figure out what happened.

    So, playing the side of caution, Standard User with UAC is the best answer for the average individual that comes in here or anywhere, asking. You can't teach those who lurk over a forum. And those that post or ask don't always fully understand what is being told to them.

    I am a Help Desk and Desktop Support tech. Trust me when I say, "people don't really want to know what is broken or how it broke when you start explaining and you either hear (literally) or see their eyes glaze over with "huh?" and you try to break it down and they say, "but it's fixed right?"

    Same goes in any forum, if they really want to know, I or someone will break it down, but when the question is as simple as the one asked here, the answer should be as simple also. "Don't do what I do, cause I actually do know more than you and can rectify problems easier than you can, so my answer is the simplest answer, run the system the way it is meant to be run, you will be better off." otherwise, you could set someone up for failure.

    Granted, I may forget this rule from time to time, I try not to. And in my real life, if I do forget, it almost always comes back to bite me. The main 2 rules are.....

    Rule 1: simplicity (or even fudging the truth) is worth more than trying to fully explain. (i.e. it was an ID10T error, or the admins screwed the pooch and that wiped out your settings) kidding of course, but not by much.

    Rule 2: Get in, fix it and get out, don't try to do more unless they ask (I'm guilty, I still break this one on occasion), it confuses most clients, or forums readers.

    If I do break Rule 2, I try to explain to the best of my ability and provide extra info that anyone can go look at when possible if they want to.

    But, I digress as I think this thread is starting to beat a dead horse.
    Ahahaha, all this because we have different approaches to the same problem... I should've pointed out that I give suggestions based on how I use my system(s). If I know straight away how and why something should be disabled (or is better disabled) like UAC, I'll say it straight out without thinking about whether the other party is knowledgeable enough or not... Everyone is entitled to their own opinion; I can't force my opinion on you nor on anyone else. I say UAC is better off, it's my opinion - and I respect your opinion that UAC should stay on (as Help desk loves fewer problems). I stand by my opinion because I know it's better off for my systems; you know it's better on because it will cause fewer problems... and the thread starter is lost in all of this vast jungle of information...

    I agree, we are beating an already dead horse here...

    zzz2496


  9. Posts : 7,878
    Windows 7 Ultimate x64
       #79

    Chris K said:
    UAC is a PITA and a totally unnecessary piece of baggage - XP didn't need it, Vista doesn't and neither does Win 7
    It seems that everybody running XP as an admin user really wasn't that good of a concept now in retrospect. Look at all of the infected, malware-ridden XP boxes which were hijacked and decimated as the result of standard users with too much access to the system itself. While UAC isn't perfect, I couldn't disagree more strongly with you on this matter.


  10. Posts : 17
    Windows 7 x64
       #80

    zzz2496 said:
    MrBrian,

    I'm sorry, I don't use Yahoo Messenger.
    The general point is that turning off UAC causes some programs to fail in a standard account that would otherwise work fine with UAC on.

    From http://technet.microsoft.com/en-us/l...8WS.10%29.aspx:
    Because the enterprise environment has long been a place where system administrators have been attempting to lock down systems, many line-of-business (LOB) applications are designed to not require a full administrator access token. As a result, IT administrators will not need to replace the majority of pre-Windows Vista applications when running Windows Vista with UAC enabled.

    Windows Vista includes file and registry virtualization technology for applications that are not UAC compliant and that have historically required an administrator's access token to run correctly. Virtualization ensures that even applications that are not UAC compliant will be compatible with Windows Vista. When a non-UAC-compliant administrative application attempts to write to a protected directory, such as Program Files, UAC gives the application its own virtualized view of the resource it is attempting to change, using a copy-on-write strategy. The virtualized copy is maintained under the user's profile. As a result, a separate copy of the virtualized file is created for each user that runs the non-compliant application.

    The virtualization technology ensures that non-compliant applications will not silently fail to run or fail in a non-deterministic way. UAC also provides file and registry virtualization and logging by default for pre-Windows Vista applications that write to protected areas.
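
An added example, not part of any post in this thread: a read-only PowerShell audit of the file and registry virtualization described in the TechNet excerpt above and in the Yahoo Messenger case from post #72. It reads the UAC policy values and lists what the current user has in VirtualStore, that is, the programs whose writes UAC is redirecting. It assumes the standard Windows locations for the policy key and the per-user VirtualStore; the variable names are illustrative.

```powershell
# Added example, not from the thread: audit UAC policy and virtualization use.
# Read-only; run as the user whose profile you want to inspect.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction Stop

# A value that is not set in the registry comes back as $null.
$uac = New-Object PSObject -Property @{
    EnableLUA                  = $policy.EnableLUA
    EnableVirtualization       = $policy.EnableVirtualization
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    ConsentPromptBehaviorUser  = $policy.ConsentPromptBehaviorUser
    PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop
}

# File virtualization: per-user copies live under %LOCALAPPDATA%\VirtualStore,
# mirroring the protected path on the system drive the program tried to write.
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$files = @()
if (Test-Path -LiteralPath $fileStore) {
    $files = @(Get-ChildItem -LiteralPath $fileStore -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $relative = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            $parts    = $relative.Split('\')
            New-Object PSObject -Property @{
                # First two segments, e.g. "Program Files\SomeApp", identify the program.
                Program      = ($parts[0..([Math]::Min(1, $parts.Length - 1))] -join '\')
                ShadowedPath = Join-Path ($env:SystemDrive + '\') $relative
                VirtualCopy  = $_.FullName
                LastWrite    = $_.LastWriteTime
            }
        })
}

# Registry virtualization: redirected HKLM\SOFTWARE writes land in the user's hive.
$regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
$keys = @()
if (Test-Path -LiteralPath $regStore) {
    $keys = @(Get-ChildItem -LiteralPath $regStore -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName })
}

'--- UAC policy ---'
$uac | Format-List | Out-String

'--- Programs with virtualized files (per-user copies) ---'
$files | Group-Object Program | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'NewestWrite'; e = { ($_.Group | Sort-Object LastWrite -Descending)[0].LastWrite } } |
    Format-Table -AutoSize | Out-String

'--- Virtualized keys under HKLM\SOFTWARE ---'
$keys

if ($uac.EnableLUA -eq 0 -or $uac.EnableVirtualization -eq 0) {
    'Virtualization is off: under a standard account these programs get access denied instead of a redirected write.'
} elseif ($files.Count -gt 0 -or $keys.Count -gt 0) {
    'These programs rely on UAC virtualization; with UAC off their writes would fail under a standard account.'
} else {
    'No virtualized files or keys found for this user.'
}
```

Entries with a recent NewestWrite are programs that still depend on redirection; older ones may be leftovers from software that has since been updated or removed.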