I suppose many people working with Vista are now considering disabling User Account Control. There is at least one good reason to do so, but there are also some reasons to give UAC a chance.

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

When I was first confronted with these UAC prompts, I was quite disappointed with how Microsoft solved this common problem. Windows sysops usually log on with an Administrator account, because without it you simply can't administer a Windows machine. I have already pointed out my view of UAC pop-ups before. Constant prompting is not the solution.

However, this "Secure Desktop Prompting" is only one part of UAC. Since you can easily disable the UAC prompts, there is not enough reason to turn off UAC altogether. UAC has other features that are more interesting and quite useful.

For example, it reduces the risk of so-called shatter attacks. Malware often makes use of the fact that applications are able to communicate with Windows and with each other. UAC-compliant software helps to isolate the privileges of processes, thereby reducing the risk of compromising other parts of the system. At the moment, there are not many UAC-compliant applications available, but this will certainly change soon.

In theory, UAC can also manage legacy applications by virtualizing the registry and parts of the file system for them. Thus, some applications that need Administrator privileges on an XP machine might work with standard user rights under Vista. However, this usually doesn't work with administration tools, since by nature they need real Administrator rights.

Another interesting feature of UAC is that standard users can start applications with Administrator privileges more easily than under Windows XP. Sometimes, it can be useful to allow computer-savvy users to install software themselves. On an XP machine, you could add the user's account to the local Administrator group until she has finished the installation.

In Vista, a user can just enter the credentials of an account that has enough privileges to complete the task. You could create a domain account with local Administrator rights. Every time a user needs admin privileges on his machine, you enable this account with a little script. So it costs you only a mouse click to give this user enough rights. This is just one example of where this UAC feature can be useful.

At the moment, I know of only one reason why you might have to disable UAC altogether. If you have many legacy applications which are incompatible with UAC, you simply have no other choice. Many Windows programs need admin privileges, and UAC will probably fail to detect this correctly in many cases. Please check out the Related section at the end of this post for more information.

There are several ways to disable UAC. The most common way is through the User Account tool in the Control Panel. You have to reboot afterward. Unfortunately, it is not that easy to disable UAC with Group Policy. By default, you can only configure some of its settings there. However, it is possible to disable UAC with a registry setting:

You have to set EnableLUA to 0. So, you could create an ADMX file and disable UAC this way for multiple computers.
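
The difference between suppressing the prompts and turning UAC off altogether can be checked on a machine by reading its policy values. The following PowerShell is an added example, not part of the original post; the registry key path and every value name other than EnableLUA are assumptions not given on the page (they are the standard Windows policy location for UAC).

```powershell
# Added example: report how UAC is configured on the local machine.
# Assumption: the key path and every value name except EnableLUA are not
# from the post; they are the standard Windows policy location for UAC.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name)
    # Returns $null when the value does not exist under the key.
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UacFindings {
    param($EnableLUA, $ConsentAdmin, $SecureDesktop, $Virtualization)
    $findings = @()
    if ($EnableLUA -eq 0) {
        # The state the post reaches by setting EnableLUA to 0.
        $findings += 'UAC is off altogether (EnableLUA = 0); the other values have no effect.'
    } else {
        if ($ConsentAdmin -eq 0) {
            $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin = 0).'
        }
        if ($SecureDesktop -eq 0) {
            $findings += 'Prompts appear on the user desktop, not the secure desktop (PromptOnSecureDesktop = 0).'
        }
        if ($Virtualization -eq 0) {
            $findings += 'File and registry virtualization for legacy applications is off (EnableVirtualization = 0).'
        }
    }
    if ($findings.Count -eq 0) { $findings += 'No weakened UAC setting found.' }
    $findings
}

# Read the four values, show them, then print the findings.
$names  = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop', 'EnableVirtualization'
$values = @{}
foreach ($n in $names) { $values[$n] = Get-UacValue $n }
$values.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
Get-UacFindings $values['EnableLUA'] $values['ConsentPromptBehaviorAdmin'] `
                $values['PromptOnSecureDesktop'] $values['EnableVirtualization']
```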

8 Comments
  1. TR 13 years ago

    EnableUA > EnableLUA


  2. Michael Pietroforte 13 years ago

    Thanks! I corrected it in the text.


  3. [...] I have been following the blogs over the first few days after the official launch now, and there’s one common theme I can identify so far: several blogs recommend disabling one of Vista’s key security features, User Account Control (UAC). You can check Technorati for the number of blogs that recommend doing this (at the point of writing: at least 125). [...]


  4. [...] But several people have changed their minds recently about it. Mark Minasi says “I’d have been a fool to write the UAC comment [”UAC has got to go”], because I now see it as a useful tool.” John Conners says, “I wrote before about how annoying User Account Control was, but I’m happier with it now.” Michael Pietroforte says, “…but there also some reasons to give UAC a chance.” [...]


  5. Lee 13 years ago

    Doesn't disabling the UAC elevation prompts allow automatic privilege escalation, and thus allow shatter attacks?

    I disabled UAC altogether. But then, I don't have a car alarm because the annoyance isn't worth what limited protection they provide. In fact, the annoyance reduces the protection.

    LoJack got it right. Security should be invisible until it's needed.

