Disable UAC - Windows 7

NathanE · 26 Mar 2012 at 10:53

db2431 said:
I dont use UAC but this argument that such and such isnt needed cos I dont click exes I dont know anymore is stupid.You are far more likely these days to get a virus through your browser without you even knowing, which is why not having an antivirus these days with a realtime scanner is insane.

Yes, YOU are far more likely to get something from just web surfing. Because you've disabled UAC.

I think it's safe to assume you're also running as Administrator. So this means your web browser is running with full admin rights, along with Flash/Acrobat and all that other insecure addon tat. So unless you're keeping your Flash/Acrobat/browser/Windows bang up to date literally no more than a day or two after the hot fixes are released then you're putting yourself at a huge risk of "surf-by" exploitation by some malware.

With UAC enabled however your web browser and all its addon tat wouldn't have full admin rights. So despite a web page's best attempts, and even a successful attempt, at exploiting say your Flash plugin. It still won't get very far because it will be prevented by the Windows account being, effectively, only a "standard user" (it's actually a admin account but with a half-token, which amounts to being the same thing as a standard user).

If, by your logic, having no AV is insane when web surfing. Then purposely disabling UAC when web surfing is patently suicidal.

LizardKing · 26 Mar 2012 at 11:28

As a note to what others are saying
IE uses UAC as a method of sandboxing its self, turning this off is just asking for issues.
Ok so you use Firefox/Chrome and your not affected, not quite true, UAC also redirects any write attempts to system files and folders to your local profile path. i.e. writes to the Program Files dir get redirected to c:\users\you\etc etc where it is sandboxed in again. This limits any virus/malware infection to the logged in user. (Ok so this isn't always the case but no security software is infallible)

This also has a nice side effect of making backups of your settings a whole lot easier. With UAC on just backup your profile folder and you can easily transfer all your settings onto a new pc, good luck doing that with UAC off.

With UAC disabled your just making it that bit easier for the dodgy software vendors to poke holes in your OS.

Dewotter · 26 Mar 2012 at 11:47

NathanE said:
I think it's safe to assume you're also running as Administrator. So this means your web browser is running with full admin rights, along with Flash/Acrobat and all that other insecure addon tat. So unless you're keeping your Flash/Acrobat/browser/Windows bang up to date literally no more than a day or two after the hot fixes are released then you're putting yourself at a huge risk of "surf-by" exploitation by some malware.

We also need to add the time it takes for exploits to be patched as well, before he could even get an update to fix any flaw.

mrk · 26 Mar 2012 at 11:48

LizardKing said:
As a note to what others are saying
IE uses UAC as a method of sandboxing its self, turning this off is just asking for issues.
Ok so you use Firefox/Chrome and your not affected, not quite true, UAC also redirects any write attempts to system files and folders to your local profile path. i.e. writes to the Program Files dir get redirected to c:\users\you\etc etc where it is sandboxed in again. This limits any virus/malware infection to the logged in user. (Ok so this isn't always the case but no security software is infallible)

This also has a nice side effect of making backups of your settings a whole lot easier. With UAC on just backup your profile folder and you can easily transfer all your settings onto a new pc, good luck doing that with UAC off.

With UAC disabled your just making it that bit easier for the dodgy software vendors to poke holes in your OS.

Huh, I see:

LizardKing · 26 Mar 2012 at 12:02

mrk said:
Huh, I see:
http://robbiekhan.co.uk/root/temp/easytransfer.png[IMG][/quote]

Except that wont transfer settings from programs that like to keep settings within there install directory.

NathanE · 26 Mar 2012 at 12:06

LizardKing said:
Ok so you use Firefox/Chrome and your not affected, not quite true, UAC also redirects any write attempts to system files and folders to your local profile path.

That's a secondary issue. The main issue is that he's running his Chrome/Firefox/whatever with administrator rights. To do such a thing in the Unix fraternity, i.e. running as root, would get you laughed out of the room. That some Windows users here seem to think that running without UAC is what all "power users" do only makes it all the more hilarious.

This has nothing to do with IE having some special integration/support for UAC in its sandboxing mechanisms. It has less to do with UAC (which is merely a UI and filesystem virtualisation construct to allow running as a Standard User on a daily basis) and more to do with just NT 6.0+ enhancements to integrity levels between processes and dropping of unrequired permissions.

Swarfega · 26 Mar 2012 at 12:21

Used to turn it off in the early days of Vista as it was too spammy. These days though I leave it on.

KIA · 26 Mar 2012 at 12:36

Nexus18 said:
peerblock is only needed if you download a lot of torrents especially if they're from public trackers otherwise you may get a nasty letter from your ISP.

Peerblock is useless and most of the time, it does more harm than good by blocking ranges belonging to Universities and gaming corps such as Blizzard. Anyone harvesting BitTorrent swarms is going to use a residential connection or a dedicated server.

mrk · 26 Mar 2012 at 12:36

This isn't a Unix fraternity.

LizardKing said:
Except that wont transfer settings from programs that like to keep settings within there install directory.

Then for those apps you'd backup manually as most modern apps store data in the user directory by default anyway.

Nexus18 · 26 Mar 2012 at 13:26

KIA said:
Peerblock is useless and most of the time, it does more harm than good by blocking ranges belonging to Universities and gaming corps such as Blizzard. Anyone harvesting BitTorrent swarms is going to use a residential connection or a dedicated server.

Better to be safe than sorry

Plus the amount of comments on certain torrents that I have seen where people have said that they have received letters from their ISP for downloading that torrent is unbelievable and they didn't have peerblock installed. Granted they could have got the letters even with peerblock installed but as I said, it is better to have it than not to

It does block games from going online etc. but that can be solved easily by just opening peerblock and right clicking on the required IP's and allowing them permanently.

KIA · 26 Mar 2012 at 14:15

Nexus18 said:
Better to be safe than sorry

It's a placebo. Anyone can Google for blocks of IP addresses that belong to corporations and add them to a list. Most of the anti-piracy work is outsourced and you would have to be naive to think that the people in charge of hunting pirates aren't aware of blocklists.

NathanE · 26 Mar 2012 at 14:54

Peerblock is just another snake oil product. Claims to work wonders but in reality just causes more problems than it solves. Anti-virus products are the same.

If you don't want letters then don't use public trackers.

jaybee · 26 Mar 2012 at 15:21

Personally it was one of the first things I disabled when I got win7 on my company laptop whilst I set it all up. I think I went back and attempted to run with it on and got annoyed with it and turned it off. My company laptop has a standalone separate firewall/AV package anyway which is ok.
Having seen this thread today I decided to turn UAC back on. Cue instant failure to load teh first program I try; putty connection manager. It also failed to load a couple of legacy apps, and when I say fail, I mean they failed without even presenting the YES/NO UAC messages. Instead they just errored.
The best case scenario is half of the stuff I use for my role works, but I have to click YES everytime I load it. Could they not have atleast made it learn on a per session basis that you already said it was safe to load program X? I mean come on. Instead, you have to muck about with task shortcuts to give your "problem" apps/programs elevated priviledges. Too farsicle for me. Turned it straight back off.
Good in theory for "normal" users maybe, aka grandma using just Internet Explorer. Not for a sys admin in most coorperate environments running all sorts of software.

NathanE · 26 Mar 2012 at 15:46

Putty Connection Manager works fine for me (with UAC).

Some legacy apps will fail in bad ways. That's what makes them a legacy app. They need administrator rights, no ifs or buts. And they aren't modern enough to embed a manifest file that indicates their security requirements. But it's not exactly hard to right-click->Properties->Compatibility tab->Tick "Run this program as administrator". Then it will behave just like a modern app that needs elevation.

Fire Wizard · 30 Mar 2012 at 07:53

Jay794 said:
Like I've said before, I (and loads of others judging by this thread) don't need/want a prompt asking me if I meant to do something.

User Account Control isn't trying to second guess every thing you're trying to do. The reason you receive an elevation dialog when you perform a certain task is because that particular operation has requested administrative rights. When you have User Account Control enabled, even when you log in as an administrator, you're running with standard user rights by default.

The reason why, when you log into an administrator account on a system which is running Windows Vista or later, you are running with standard user rights was to change the way in which software developers wrote software. Now that everyone will be running with standard user rights by default, either in the form of using a standard user account or running in Administrator Approval Mode (being logged into an administrator account with User Account Control enabled), developers have to assume they will not have administrator rights by default. This encourages them to write software which works correctly in a standard user environment, and doesn't unnecessary require administrative rights. That is really the primary goal of User Account Control.

As far as the benefits it offers to user's is really going to depend on whether that particular user would like to run as an administrator, or as a standard user. If you want to run as a full blown administrator and have no inclination of using a standard user account, or making the transition, there is a very high chance that User Account Control is going to be annoying to you. If that is the case, you have the choice of disabling it.

However, if you're interested in using a standard user account, or making the switch over to one, User Account Control is a tool which helps you to do so. It helps you to do so primarily due to the elevation dialogs. If you're using a standard user accout, when ever you need to perform an operation which is requesting administrative rights, the 'Over The Shoulder' elevation dialog will appear which will ask to to enter the credentials of an administrator user on the system.

Being able to perform administrative operations from the same user account that you use for your every day tasks is much more convenient that having to switch to a separate administrator account. While when ever you perform administrative operations in an account which is most susceptible to malware, you're introducing a security risk, it is still a lot safer than running with administrative rights all the time.