Best Practices for User Account Type and UAC?

iron7

I feel the amount of reading I've done on these two (acct types & UAC) is disproportionate to the understanding I've gained regarding best practices.

Does anyone have a good, distilled recommendation or link?
 

I don't consider myself to be a dumb person, but I seriously need the super-simplified version on this issue. It just seems way too convoluted. MS's interpretation just made it worse, and I don't trust their recommendations.

I need super-distilled (but not the version as if I was mildly-retarded). Anyone?
 

Hello iron7,

It all really depends on your needs and environment for what may be best for you.

I like to keep my UAC settings at "Always notify" (top level), and I use a password-protected administrator account (not the built-in elevated Administrator account) for everyday usage.
 

I agree with Brink on where to set UAC; I also keep my UAC settings at the top level. Having to click on "Yes" on the little pop-up every time is a pain in the...neck but the safety it affords is well worth that comparatively minor annoyance.

The purpose behind UAC is to notify you when you, someone else, or a program tries to start a program. That way, if a hacker takes control of your computer or a virus gets on it, neither can start up any of your programs without your approval. It's another layer of protection for your computer.
 

Besides keeping it at the highest level always, another important tip is to always use a standard account instead of the bad-practice administrator account that Windows always creates by default.
My normal installation is to create two user accounts, one admin and the other standard. I always log in and use the standard, and in case of a program that legitimately requires full admin access I can simply fill the UAC prompt with the user/password of the admin account. That makes a clear separation of admin/non-admin and is far more secure than the default Windows configuration.

Another tip I like is to fine-tune the UAC options using the local policy applet that MS hides by default (and only available in professional and higher editions). That provides a lot more options than that slider everyone knows, which is in fact eye candy to 4 sets of preconfigured settings.
This link shows how to access the real UAC settings: Use Local Security Policy to customize UAC behavior

A more complete set of recommendations is also available here: User Account Control in Windows 7 Best Practices

Note that most options you can change imply a compromise between security and convenience. Making the system more safe most times makes it a little more difficult to use, and making it easy to use sacrifices security in some way. It's important to know that the default, clean install that MS ships favors convenience over security in many aspects (that's why Windows tends to be insecure by default). You need to decide whether you like one or the other, and balance your choices accordingly.
 

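The Local Security Policy options mentioned in the post above are stored as registry values, and the slider switches between presets of them. As an added example (not part of the thread), this read-only PowerShell check prints the current values, the matching slider position and the account type; the value names and meanings are the documented UAC policy settings, and the function names are illustrative.

```powershell
# Added example, not from the thread: read-only report of the UAC policy values.
# Run from a normal (non-elevated) PowerShell prompt; nothing is changed.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key

function Get-PolicyValue([string]$Name) {
    # Return $null for an absent value instead of silently reading it as 0.
    $prop = $pol.PSObject.Properties[$Name]
    if ($prop) { [int]$prop.Value } else { $null }
}

function Format-Setting($Map, $Value) {
    if ($null -eq $Value) { return 'not set' }
    if ($Map.ContainsKey($Value)) { return "$Value ($($Map[$Value]))" }
    return "$Value (unrecognized)"
}

$adminPrompt = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries'
}
$userPrompt = @{
    0 = 'automatically deny elevation requests'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials'
}
$onOff = @{ 0 = 'off'; 1 = 'on' }

$lua    = Get-PolicyValue 'EnableLUA'
$admin  = Get-PolicyValue 'ConsentPromptBehaviorAdmin'
$user   = Get-PolicyValue 'ConsentPromptBehaviorUser'
$secure = Get-PolicyValue 'PromptOnSecureDesktop'

function Get-SliderLevel {
    # The Control Panel slider is a preset over these values. On Windows 7 the
    # lowest position also clears EnableLUA, which the first test catches.
    if ($lua -eq 0) { return 'UAC disabled' }
    if ($admin -eq 2 -and $secure -eq 1) { return 'Always notify' }
    if ($admin -eq 5 -and $secure -eq 1) { return 'Default' }
    if ($admin -eq 5 -and $secure -eq 0) { return 'Default without dimming the desktop' }
    if ($admin -eq 0) { return 'Never notify' }
    return 'Custom (set through policy, not a slider position)'
}

# Account type: a non-elevated administrator still carries the Administrators
# SID (S-1-5-32-544) in its token, marked deny-only.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$isAdmin   = [bool]((whoami /groups) -match 'S-1-5-32-544')

"UAC (EnableLUA)            : $(Format-Setting $onOff $lua)"
"Admin prompt behavior      : $(Format-Setting $adminPrompt $admin)"
"Standard user prompt       : $(Format-Setting $userPrompt $user)"
"Secure desktop for prompts : $(Format-Setting $onOff $secure)"
"Slider position            : $(Get-SliderLevel)"
"Account                    : $($identity.Name)"
"Member of Administrators   : $isAdmin"
"Running elevated           : $elevated"
```

On an administrator account that has not elevated, "Member of Administrators" is True and "Running elevated" is False; on a standard account both are False.
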
I finally found something related to UAC that I can identify with:

UAC, UAC, go away, come again some other day

I was reading Mark Russinovich’s latest UAC article and Long Zheng’s latest scribblings and… developed quite the headache. Honestly, I’m tired of trying to sort out what UAC really is and don’t care anymore. UAC has become this gigantic undocumented blob of an idea that is explained (differently) on-demand every single time, to fit some marketing agenda du jour, and I’m sick of it. Mark jumps up and down about how UAC isn’t a security boundary and how we’re stupid for thinking such, yet Microsoft’s own sites pitch otherwise. Whatever, guys.

Here’s my million dollar question: If UAC wasn’t designed to ultimately protect us from anything, why does its icon resemble a damn shield?


UAC, UAC, go away, come again some other day

I'll take a stab here. Run as std user with no UAC is the most secure/least annoying setup for everyday use (i.e. not tweaking system settings, or adding dropping apps and the like)
 

If MS really thought it was important to run a Standard Account, then it wouldn't issue an Admin account during install to the assumed owner.

Running under Standard Acct is unnecessary if you keep UAC set to Always Notify, which is important to be notified if something tries to make changes to your PC while you remain unaware.

The only difference is that if you operate under a Standard Account, you will be prompted before making changes to insert the Admin password, which is an unnecessary inconvenience compared to simply being notified with the UAC prompt that something wishes to make changes.
 
...Here’s my million dollar question: If UAC wasn’t designed to ultimately protect us from anything, why does its icon resemble a damn shield?...

UAC does protect you. Go back and read my previous post.
 

Thanks Greg.

Well, it seems for users who know what they're doing on Windows, running as admin with UAC maxed makes sense as it's less annoying and provides protection from malware running wild. (as I understand, the main difference between admin and std user, both with UAC maxed, is that w/ admin no pass is required for the same events)

Now the second possible circumstance: users who don't know what they're doing...

I read somewhere that some obscene percentage of users mindlessly click "okay" when prompted with UAC windows. For the Windows novice, it seems best practice would be to run standard accounts with UAC maxed, and explain that the password should never be entered unless they are attempting to remove or install software they trust (at least this would probably work well for the novice users I have in mind, who aren't doing much more than surfing and using MS office or Acrobat).

Perhaps the least annoying solution, for the most advanced users, would be to have admin account(s) with UAC off, and to have internet-facing apps launch without Admin priv. by default (perhaps using dropmyrights?)

Thoughts?
 

That's pretty much it.
Turning UAC off or without thought clicking through the prompts is, for lack of a better word, giving everything good or bad the same permissions to run.

Most of the Windows security patches address specially crafted scripts that affect admin accounts with or without a password or the highest UAC settings.
I've personally never used a standard account and I know the risks, but I leave UAC on because I would like to have a prompt to know if something out of the ordinary is launching/running without me knowing.
Most security experts would say use a standard account for everyday surfing.
Cheers.
 

Me, I've always turned it off since Vista. I just hate the thing. But then, I know what I'm doing with a PC.

A novice might want to leave it alone until they fully understand what it's for.
 

If MS really thought it was important to run a Standard Account, then it wouldn't issue an Admin account during install to the assumed owner.


I disagree. Especially since what they say here on their own site:

Why use a standard user account instead of an administrator account? - Windows Help

Microsoft just leaves the ball in your court. They made UAC because they realized people always failed to create standard user accounts for each user, so this is one of the many reasons UAC was made to solve that issue. Admin accounts could then run with permissions of a standard account, and would only elevate on a prompt from UAC.

Microsoft even in XP days wanted users to create standard user accounts. But it was a hassle logging off etc. But that was actually the main reason they created switch user for XP. To ease the pain of the process. In Vista they then went with UAC to make things even more streamlined.

Vista UAC protection was actually better than Windows 7, but then users complained about all the prompts, so Microsoft lessened the security of the system to make things more "convenient". Convenience always has a price with security. If you want the protection closer to what Vista had, having UAC always notify is your best bet to a more secure approach. The default is a compromise for convenience.

In the end though, UAC is not extremely effective. Most malware can easily disable or bypass it. Most though do not even need to, as the user always clicks yes without reading anyway.

You can never prevent malware as long as the human who doesn't want to learn or read sits at the PC.
 

If UAC is disabled, aren't standard users still prompted for an admin password for the same types of events that UAC would pop-up when it's set to "always notify"?
 

If UAC is disabled, aren't standard users still prompted for an admin password for the same types of events that UAC would pop-up when it's set to "always notify"?

No. Standard users simply get an "access denied" or something like that. Programs that rely on admin permissions either fail or cannot perform all of their functions. You can use "run as another user" manually to switch to a specific user when needed, but Windows will not do it on its own.

With UAC enabled you get those notifications, admin users get prompted for yes/no and standards need to supply a user/password. Also poorly written programs get file and registry virtualization for helping compatibility and the secure desktop for entering passwords.
 

If UAC is disabled, aren't standard users still prompted for an admin password for the same types of events that UAC would pop-up when it's set to "always notify"?

No. Standard users simply get an "access denied" or something like that. Programs that rely on admin permissions either fail or cannot perform all of their functions. You can use "run as another user" manually to switch to a specific user when needed, but Windows will not do it on its own.

With UAC enabled you get those notifications, admin users get prompted for yes/no and standards need to supply a user/password. Also poorly written programs get file and registry virtualization for helping compatibility and the secure desktop for entering passwords.

Great answer.

As alejandro85 stated, turning UAC off and running as a standard user would in a sense be like Windows XP was running as a standard user. Access denied messages everywhere when attempting anything administrative on the PC. This is why UAC is good to have on, it encourages you to use a standard user account.

User account control (UAC) protects the system in many ways.

In Windows Vista and above, the admin account has the same rights as the standard account. The only time the admin account is elevated to admin is when the UAC box appears and you click yes to allow the action, which elevates that process for a short time until the action is complete. When copying or changing any folders in examples below, you must click continue (Vista) or yes (Windows 7 ^) to allow a rename or delete of a folder, etc.

UAC protects multiple areas, here are some of them:
-registry
-installing/uninstalling programs
-program files folder
-windows folder
-other user accounts folders
-temp folder/app data

Read up on it here:
User Account Control - Wikipedia, the free encyclopedia

UAC info for IT professionals

Why use a standard user account instead of an administrator account?

When using a standard account and you make a change or install a program that affects the whole system, UAC will prompt you to continue. Make sure the setting or program you are trying to install is listed, then click yes to continue. If you are just browsing the web and the prompt appears with a program you have not heard of, or do not know what it is, it is much safer to click no than yes. No will block the action, and if you were trying to do something, you can always start it again and choose yes.

UAC makes this easy, see here:

What is user account control (UAC)?

I also suggest choosing always notify for UAC for better security:

What are User Account Control settings?

The above link clearly explains the differences between the UAC settings.
 

No. Standard users simply get an "access denied" or something like that. Programs that rely on admin permissions either fail or cannot perform all of their functions. You can use "run as another user" manually to switch to a specific user when needed, but Windows will not do it on its own.

With UAC enabled you get those notifications, admin users get prompted for yes/no and standards need to supply a user/password. Also poorly written programs get file and registry virtualization for helping compatibility and the secure desktop for entering passwords.

Well, if the scenario is that the users are novices who rarely modify programs or Windows settings, I think a simple "access denied" is much safer than a defeatable prompt, which are well-known to be commonly bypassed without a thought. For such users, on the rare occasion that changes need to be made to programs or Windows settings, they can switch over to the Admin account.

For the opposite situation, the much more advanced user, I really like the idea of running as admin, turning off the annoying UAC, and having all internet-facing apps run without admin priv. with something like dropmyrights. Doesn't this seem like a fairly secure plan for the advanced user?
 
anyone?
 

Turning off UAC or only the UAC prompts? There's a big difference. With UAC still on but you change the prompt option in group policy to "Elevate without prompting" for admins, all apps that don't require admin rights will still run as standard user.
Dropmyrights is an old XP thing.

I've thought about it myself but I went for highest privilege shortcuts via Task Scheduler instead. And/or you might want to set up AppLocker, SRP or similar so no unknown executable is allowed to start.
 

Is UAC a security feature?

According to Microsoft: no, not really. The primary goal of UAC was to enable more users to run with standard user rights and to get developers to create/change programs that run as standard user. UAC basically means more standard user friendly. It's the prompt part of UAC that makes users think it's all about security. But in reality I'm guessing most home users only set up the required admin account. That's called a Protected Administrator (PA) account and from a security perspective it's not as good as a standard account. Here's an example where UAC fails to protect you. If you want to try it yourself use a normal non-elevated command prompt for your UAC protected admin account:

A non-admin program runs the following command where "eventvwr" should be seen as the malware that wants admin rights:
reg add "HKCU\Software\Microsoft\Command Processor" /v AutoRun /d "eventvwr" /f

Now open an elevated command prompt and look closely at the UAC prompt + click Show Details and verify the executable file and signature. When you allow it, the other program will start with admin rights without a second UAC prompt, Event Viewer("eventvwr") in this case.

HKCU stands for current user compared to HKLM (local machine) that requires elevated rights to modify. If you try this in a standard user's account it only affects that "current user", so when you try to run an elevated command prompt from a standard user's account you'll be prompted to select an admin account which means it won't run in the same "current user" anymore so this UAC bypass won't work on standard users.
For a PA account the "current user" is the same non-elevated as when elevated and that's why this bypass works and that's why admin accounts are dangerous.

Oh and if you tried the above this will undo it:
reg delete "HKCU\Software\Microsoft\Command Processor" /v AutoRun /f

Personally I still use a PA account but I also have Software Restriction Policy in white list mode which according to some people is considered maybe even better protection than by an anti-virus.
- And keep in mind that malware running without admin rights can still do some damage and steal data for example, but not compromise whatever it wants which basically an admin malware can.
 

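A defensive check for the registry value used in the demonstration above, as an added example that is not part of the post: this read-only PowerShell script lists every Command Processor AutoRun command it can see, including the 32-bit view and other loaded user hives. The key path is the one in the post; the output layout is illustrative.

```powershell
# Added example, not from the post: report cmd.exe AutoRun commands (read-only).
# HKCU is writable without elevation, which is what the demonstration relies on.
$me   = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keys = @(
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Command Processor',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor'
)

# Other loaded user hives; most are readable only from an elevated prompt.
$keys += @(
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ne $me -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Command Processor" }
)

$hits = foreach ($key in $keys) {
    # A missing key or value is normal, so those errors are suppressed.
    $value = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($value) {
        New-Object PSObject -Property @{
            Key     = $key -replace '^Registry::', ''
            AutoRun = $value
        }
    }
}

if ($hits) {
    $hits | Format-List Key, AutoRun
    'Review each command: cmd.exe runs it at start-up, including in an elevated prompt.'
} else {
    'No Command Processor AutoRun values found.'
}
```

Starting the prompt as `cmd /d` makes cmd.exe skip AutoRun commands for that session, which is useful while investigating a value this script reports.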