UAC - To be or not to be?

Would disabling UAC make a difference?

YES

In Windows 8 and later the slider in accounts control will not disable UAC. You need to do that in the registry. But then you would find that none of the modern Apps and a number of other things will not work. This is by design and not a bug. In the future there may be further limitations. The option to disable UAC was designed for exceptional situations, not for general use.

Then there are the security issues. Without UAC you will be running with a full time admin level account. Best practice with the NT platform has always been to use a standard account for general use, reserving the admin level account for when it was actually needed. That goes back to 1993 when security wasn't nearly the problem it is today. But UAC makes following that practice much easier than it once was.

Without UAC malware will be able to do pretty much whatever it wants, when it wants. And it won't ask for your approval. Don't assume your security software will keep you safe. It won't. Malware authors are experts at evading such protection and are getting quite good at it. With UAC enabled malware will more limited in what it can do. This can be overcome but it is another layer of protection.

Good security always consists of multiple layers. Any one layer may be circumvented while having multiple layers makes this more difficult. UAC is just one more layer, but a very useful one.

Security always has it's price. And not just with computers.

Personally I won't turn it off. It's there to provide protection. Sure, it can be annoying when you launch something that requires admin access and you have to click on Yes, but the benefit is that if you are running something like a browser and all of a sudden you click on a link and it tries to escalate to admin, you can tell it know and prevent something bad from happening.

At work, we all run as standard user accounts on our Windows boxes. We have a secondary account that is a member of the local admins group on the computer. But we are NOT allowed to log into Windows with that secondary account. We are required to use the Standard account and when something comes up requiring admin access, we have to enter in our secondary user account and password in the UAC box. As a Systems Engineer, I do an awful lot that requires admin access, but even so I still have to follow the rules and deal with the prompts. To gain access to a server, I have to RDP into a jumpbox, which prompts me for a username/password and then requires 2 factor authentication. Once on the jumpbox, I can then RDP from that location onto a server. If it something like a domain controller, I have to do 2 factor authentication again. But in the wake of all of the companies suffering data leaks, etc...it really should not be viewed as optional. It's a must today.

Leave UAC on, even if it protects you just 1 time, that should be enough.

elbmek said:

LMiller and pparks, ok, will do as you say, and leave it. My impression of UAC was a parental thing, apparently its more than that, thank guys appreciate the input.

Yeah, it's not a parental thing. It helps provide security by running all apps and tasks in the security context of a non-administrator account. This helps to prevent automatic installation of unwanted applications, and helps to ensure that something doesn't change your system settings on you. When you get to an app that requires more permissions than what is available to a standard user account you are greeted with the UAC prompt. When you click on Yes, you are basically elevating up to admin level credentials for the duration of that task, and only for that task.

As an example, if you launch Windows Explorer (Not Internet Explorer), right click on "This PC" and notice that Manage has the yellow and blue shield on it. This signifies a task that requires UAC acknowledgement to become an admin. Once you say yes, you have run Computer Management as an admin and can perform all tasks contained within as an admin.

But let's say that you launch something like notepad.exe. If notepad starts to open and then UAC pops up, it should leave you thinking "what in the world does this need admin access for, something here isn't right, I should say no". And by saying no, you prevent something bad from happening.

So it requires you to know as a user what you are doing. if you click on things you know require admin access, expect the dialog and say yes. However, if it pops up and you weren't expecting it, you might get concerned.