Yesterday, I described how to start an application at an elevated level, i.e. with Administrator privileges under Vista. Unfortunately, this won't prevent UAC (User Account Control) prompts from getting on your nerves. Every time a user or an Administrator runs an application requiring Administrator rights, UAC will prompt you for confirmation to proceed. Microsoft calls this "Secure Desktop Prompting". These UAC prompts only distract you from your current task and bring no extra security. Therefore, I recommend disabling this feature.
- Author and member of the year 2019 – Why DevOps still doesn't rule the IT world - Wed, Jan 1 2020
- Results of the 4sysops member and author competition in 2018 - Tue, Jan 8 2019
- Why Microsoft is using Windows customers as guinea pigs - Reply to Tim Warner - Tue, Dec 18 2018
It is supposed to prevent malware from getting started with Administrator rights. It is obvious that malware running with Administrator privileges can do more harm to your system than with standard user rights.
However, in my view, a warning of a possible security breach is only useful, if there is a relatively low chance for false positives, i.e. cases where you get a confirmation prompt without a security breach. I think, the false positive rate for security pop-ups should not be higher than 90%. This means that at least one out of 10 confirmation prompts has be to a security breach. Another important condition is that pop-ups shouldn't show too often during your daily work.
Now you might object that if UAC prevents you, even only once from malware damaging your system, it has already done its job. For this, you accept the need to always confirm these UAC prompts. This is what Microsoft's security experts must have had in mind. However, I think that this argument is totally wrong.
It is a technical solution to a security problem. However, it can't work on psychological grounds. Security is mostly a psychological problem, not a technical one. Most of the so-called security experts often oversee this point. In this case, it is quite obvious that these permanent UAC pop-ups will make Administrators blind for any security-related prompts. It is a matter of fact that they will click on them automatically once they get used to them.
This way, UAC will decrease security because Administrators will lose their sensitivity for dangerous situations. If you are doing Administration work on a Vista machine, then you will get these UAC pop-ups the whole day, however, the probability of a UAC prompt rescuing you from the pitfalls of malwares during your entire career as a sysop, is not very high. If UAC would be smarter, acting like many spyware tools for XP, these prompts would make sense. But the only heuristics, UAC knows, is to prompt users whenever they access a security relevant part of the operating system.
Imagine, the sirens of your house's alarm system wailing every time someone enters the house, comes close to your safe or touches a knife. Do you think any neighbor would care, once the sirens wail because thieves are entering your house? Well, this is exactly how UAC prompting works.
Therefore, I highly recommend turning it off. Don't confuse this with disabling UAC, altogether. If you only disable UAC prompting for Administrators, Vista will just automatically run administration tools at an elevated level without prompting for confirmation. However, this only works for apps where Vista already knows that they need Administrator rights. Please read my article how to deal with UAC in case of legacy administration tools .
To disable the UAC elevation prompts, start the Local Security Policy tool (Just enter its name at the Program search prompt). Then, go to Local Policies/Security Options. There, you will find this option: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" If you set it to "Elevate without prompting" UAC won't get on your nerves in the future, anymore.
If you want to do this for all the computers where system administrators work, you can use Group Policy to change this setting for the corresponding Active Directory container. For this, you have to run GPMC (Group Policy Management Console) on a Vista machine which is a member of a Windows Domain. Just type in gpmc.msc at the Program search prompt. Then, you disable UAC prompting the same way as with the Local Security Policy tool.