Best Practices for User Account Type and UAC?

That's pretty much it
Turning uac off or without thought clicking through the prompts is for lack of a better word giving everything good or bad the same permissions to run,

Most of the windows security patches address specially crafted scripts that effect admin accounts with or without a password or the highest uac settings,
I've personally never used a standard account and I know the risks but leave uac on because I would like to have a prompt to know if something out of the ordinary is launching/ running without me knowing,
Most security experts would say use a standard account for everyday surfing,
Cheers.

Me, I`ve always turned it off since Vista. I just hate the thing. But then, I know what I`m doing with a pc.

A novice might want to leave it alone until they fully understand what it`s for.

gregrocker said:

If MS really thought it waa important to run a Standard Account, then it wouldn't issue an Admin account during install to the assumed owner.

I disagree. Especially since what they say here on there own site:

Why use a standard user account instead of an administrator account? - Windows Help

Microsoft just leaves the ball in your court. They made UAC because they realized people always failed to create standard user accounts for each user, so this is one of the many reasons UAC was made to solve that issue. Admin accounts could then run with permissions of a standard account, and would only elevate on a prompt from UAC.

Microsoft even in xp days wanted users to create standard user accounts. But it was a hassle logging off etc. But that was actually the main reason they created switch user for xp. To ease the pain of the process. In vista they then went with UAC to make things even more streamlined.

Vista UAC protection was actually better then windows 7, but then users complained about all the prompts, so Microsoft lessened the security of the system to make things more "convenient". Convenience always has a price with security. If you want the protection closer to what vista had, having uac always notify is your best bet to a more secure approach. The default is a compromise for convenience.

In the end though, UAC is not extremely effective. Most malware can easily disable or bypass it. Most though do not even need to, as the user always clicks yes without reading anyway.

You can never prevent malware as long as the human who doesn't want to learn or read sits at the pc.

Alejandro85 said:

iron7 said:

If UAC is disabled, aren't standard users still prompted for an admin password for the same types of events that UAC would pop-up when it's set to "always notify"?

No. Standard users simply get an "access denied" or something like that. Programs that rely on admin permissions either fail or cannot perform all of their functions. You can use "run as another user" manually to switch to a specific user when needed, but Windows will not do on its own.

With UAC enabled you get those notifications, admin users get prompted for yes/no and standards need to supply a user/password. Also poorly written programs get file and registry virtualization for helping compatibility and the secure desktop for entering passwords.

Great answer.

As alejandro85 stated, turning uac off and running as a standard user would in a sense be like windows xp was running as a standard user. Access denied messages everywhere when attempting anything adminstrative on the pc. This is why UAC is good to have on, it encourages you to use a standard user account.

User account control (UAC) protects the system in many ways.

In windows vista and above, the admin account has the same rights as the standard account. The only time the admin account is elevated to admin is when the uac box appears and you click yes to allow the action, which elevates that process for a short time until the action is complete. When copying or changing any folders in examples below, you must click continue (vista) or yes (windows 7 ^) to allow a rename or delete of a folder, etc.

UAC protects multiple areas, here are some of them:
-registry
-installing/uninstalling programs
-program files folder
-windows folder
-other user accounts folders
-temp folder/app datar

Read up on it here:
User Account Control - Wikipedia, the free encyclopedia

UAC info for IT professionals

Why use a standard user account instead of an administrator account?

When using a standard account and you make a change or install a program that affects the whole system, UAC will prompt you to continue. Make sure the setting or program you are tying to install is listed, then click yes to continue. If you are just browsing the web and the prompt appears with a program you have not heard of, or do not know what it is, it is much safer to click no then yes. No will block the action, and if you were trying to do something, you can always start it again and choose yes.

UAC makes this easy, see here:

What is user account control (UAC)?

I also suggest choosing always notify for UAC for better security:

What are User Account Control settings?

The above link clearly explains the differences between the uac settings.

Alejandro85 said:

No. Standard users simply get an "access denied" or something like that. Programs that rely on admin permissions either fail or cannot perform all of their functions. You can use "run as another user" manually to switch to a specific user when needed, but Windows will not do on its own.

With UAC enabled you get those notifications, admin users get prompted for yes/no and standards need to supply a user/password. Also poorly written programs get file and registry virtualization for helping compatibility and the secure desktop for entering passwords.

Well, if the scenario is that the users are novices who rarely modify programs or Windows settings, I think a simple "access denied" is much safer than a defeatable prompt, which are well-known to be commonly bypassed without a thought. For such users, on the rare occasion that changes need to be made to programs or Windows settings, they can switch over to the Admin account.

For the opposite situation, the much more advanced user, I really like the idea of running as admin, turning off the annoying UAC, and having all internet-facing apps run without admin priv. with something like dropmyrights. Doesn't this seem like a fairly secure plan for the advanced user?

Turning off UAC or only the UAC prompts? There's a big difference. With UAC still on but you change the prompt option in group policy to "Elevate without prompting" for admins, all apps that doesn't require admin rights will still run as standard user.
Dropmyrights is an old XP thing.

I've thought about it myself but I went for highest privilege shortcuts via Task Scheduler instead. And/or you might want to setup AppLocker, SRP or similar so no unknown executable is allowed to start.

According to Microsoft: no, not really. The primary goal of UAC was to enable more users to run with standard user rights and to get developers to create/change programs that run as standard user. UAC basically means more standard user friendly. It's the prompt part of UAC that make users think it's all about security. But in reality I'm guessing most home users only set up the required admin account. That's called a Protected Administrator (PA) account and from a security perspective it's not as good as a standard account. Here's an example where UAC fails to protect you. If you want to try it yourself use a normal non-elevated command prompt for your UAC protected admin account:

A non-admin program runs the following command where "eventvwr" should be seen as the malware that wants admin rights:
reg add "HKCU\Software\Microsoft\Command Processor" /v AutoRun /d "eventvwr" /f

Now open an elevated command prompt and look closely at the UAC prompt + click Show Details and verify the executable file and signature. When you allow it, the other program will start with admin rights without a second UAC prompt, Event Viewer("eventvwr") in this case.

HKCU stands for current user compared to HKLM (local machine) that requires elevated rights to modify. If you try this in a standard users account it only affects that "current user", so when you try to run an elevated command prompt from a standard users account you'll be prompted to select an admin account which means it won't run in the same "current user" anymore so this UAC bypass won't work on standard users.
For a PA account the "current user" is the same non-elevated as when elevated and that's why this bypass works and that's why admin accounts are dangerous.

Oh and if you tried the above this will undo it:
reg delete "HKCU\Software\Microsoft\Command Processor" /v AutoRun /f

Personally I still use a PA account but I also have Software Restriction Policy in white list mode which according to some people is considered maybe even better protection than by an anti-virus.
- And keep in mind that malware running without admin rights can still do some damage and steel data for example, but not compromise whatever it wants which basically an admin malware can.