Do you disable UAC?

Discussion in 'other anti-malware software' started by Overkill, Mar 2, 2016.

Thread Status:
Not open for further replies.
  1. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,164
    Very well said. :thumb:
     
  2. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I've had UAC disabled on the computers I use most, ever since Vista was released, and in the past there have often been times where I've had absolutely no security software installed. I preferred to be less secure than have to put up with regular UAC prompts. These days, I still keep UAC disabled, but always have an antivirus and VoodooShield installed.

    To make it clear, running with no antivirus and UAC disabled is not something I'd ever recommend doing.
     
  3. guest

    guest Guest

    That is a personal choice and I respect that ;) I see you are annoyed by the prompts. What if you had a registry tweak to disable UAC's prompts only for signed processes; would you enable UAC or still leave it disabled?

    good to hear that :)
     
  4. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I'd enable UAC again and give it a go.

    I will add that the reason for me having UAC disabled, and at times (in the past) having no security software installed, is that I find it very hard to get infected. I'm not saying that I've never got infected, because I have. But, I am careful about what software I launch. I don't open random executables I receive as attachments. If a webpage tries to download an executable, I won't run it unless it is a program I specifically wanted to download. By doing this, and also by keeping Windows and other vulnerable software updated, the only time I ever get infected is when I launch something I shouldn't. Just from browsing the web (even browsing unsafe websites), I never get infected.

    Now, I'm not saying this is a foolproof way of doing things, but it works well in my case. Some people rely on security software to protect them. I rely on my own judgement, and use security software as a secondary defense.
     
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    @guest I applied the registry tweak and set UAC to maximum. While I had no UAC prompts at startup, which is good, I found that some of the software (well at least one program anyway - Hetman Partition Recovery) that I use is not compatible with the tweak, as I was getting a "A referral was returned from the server" error when launching it. So I disabled the tweak, and set UAC back to minimum.
     
  6. guest

    guest Guest

    In fact, this is a tweak to block unsigned processes from requesting elevation, not to make them silent. My apologies. (It is why I removed the post.)

    Indeed, if you want to elevate the unsigned process, you have to disable the tweak.

    I created 2 reg files that I put on the taskbar (one for allow, one for block), using them as a switch.

    To make them silent, I think setting UAC at the lowest level would do the trick, since unsigned will be blocked. Be sure then to enable the tweak again.
     
  7. guest

    guest Guest

    OK, I tested it, so it works:

    - set UAC as never notify
    - enable the tweak

    so :

    - when i launch an unsigned process = process blocked
    - when i launch a signed process = no prompts
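
A read-only way to check which of the states described in posts 6 and 7 a machine is in, as an added example that is not part of the thread. It assumes the removed tweak is the standard policy value `ValidateAdminCodeSignatures` ("User Account Control: Only elevate executables that are signed and validated"); the thread itself never names the value.

```powershell
# Added example: read-only audit of the UAC policy values (makes no changes).
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key

# Return the stored value, or the documented Windows default when it is absent.
function Get-UacValue([string]$Name, [int]$Default) {
    $value = $policy.$Name
    if ($null -ne $value) { [int]$value } else { $Default }
}

$enableLua   = Get-UacValue 'EnableLUA' 1
$adminPrompt = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
$userPrompt  = Get-UacValue 'ConsentPromptBehaviorUser' 3
$signedOnly  = Get-UacValue 'ValidateAdminCodeSignatures' 0  # assumed to be "the tweak"
$secureDesk  = Get-UacValue 'PromptOnSecureDesktop' 1

$adminText = @{
    0 = 'elevate without prompting ("Never notify")'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop ("Always notify")'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}
$userText = @{
    0 = 'automatically deny elevation requests'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials (default)'
}

# Classify the combination; the second branch is the setup reported in post 7.
$summary = if ($enableLua -eq 0) {
    'UAC is disabled: administrators run with a full token and nothing prompts.'
} elseif ($adminPrompt -eq 0 -and $signedOnly -eq 1) {
    'Post 7 setup: signed executables elevate silently, unsigned ones are refused.'
} elseif ($signedOnly -eq 1) {
    'Unsigned executables cannot elevate; signed ones follow the admin prompt setting.'
} elseif ($adminPrompt -eq 0) {
    'Every elevation request from an administrator is granted silently.'
} else {
    'Elevation requests prompt according to the settings above.'
}

[pscustomobject]@{
    EnableLUA             = $enableLua
    AdminElevation        = $adminText[$adminPrompt]
    StandardUserElevation = $userText[$userPrompt]
    SignedOnlyElevation   = [bool]$signedOnly
    PromptOnSecureDesktop = [bool]$secureDesk
    Summary               = $summary
} | Format-List
```

In the post 7 setup the signature check is the only gate left on elevation, so the report is worth re-running after any change to the slider or to the two .reg switches.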
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,383
    Location:
    Europe, UE citizen
    So, I don't hate UAC ! ;) The point is, for me, that just for average users to say that UAC is useful it's delusive, because those users don't know all real threats: UAC only alerts them, and they won't know what to do; furthermore, they will believe they are completely protected by UAC.
     
  9. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    No, @hjlbx. Your statements are incorrect and they are exactly the kind of claims to this debate that @guest, myself and others are trying to get rid of, because they confuse instead of helping.

    Microsoft has at no point said what you claim they have.

    You are mixing up how a PA account and a limited account work.

    The important difference here is the access token and that a PA account has a split token.
    This split token can be abused.

    With a standard user account, that vulnerability is mitigated.

    I was maybe a little short in my reply to you yesterday and I'm very sorry about that, but I find it unfortunate when someone again muddies the waters on this subject, since this subject is one of the most reappearing subjects on any IT forum.
    So many users have a hard time understanding how privileges work, and if people reading along on top of that also have to weed out incorrect claims then they will just give up on the subject.
     
  10. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I think unintended FUD, derived by cherry-picking single sentences from Microsoft's own longish and technical explanation on what UAC is and isn't when UAC is set at its default level, is making people confused, me included. I think an easy way to look at it is by comparing Microsoft's UAC (max) to the world of UNIX and Linux.
    This has been mentioned several times in this thread already but it's worth mentioning it again. I'm not taking into account what the sudo in Linux would be in Windows or what level of security you can achieve by running as admin + UAC max. Perhaps this is the equivalent of sudo. It doesn't matter.

    Windows : Regular User and UAC max vs Linux/UNIX : Regular user and -su =
    A very strict boundary between userland and system.
    Both examples switch the user to a GUI or console that requires the user to type in an admin / root password to gain elevated privileges.

    This concept is perceived as a basic but a very important security feature!
    Without this boundary in Linux you're out of luck, you're a sitting duck.
    Now tell me Windows UAC (max) in concert with a regular user account requiring an admin password is not a security feature, a boundary, a fence, a wall.
    It is a security boundary.
    There's no other way to look at it.

    Ultimately Microsoft has implemented a fine set of built-in UNIX inspired tools where a user can choose to run a very secure system by clearly separating userland from the system,
    that forces you to type in the admin password if you want to tinker with your system. Basically all software I use doesn't require admin rights, except for that darn Dropbox and a few others.

    Frankly I find it pretty amazing that some people interested in computer security hanging out at Wilders find the UAC prompts annoying. For me, a UAC prompt is a signature of a secure system that relentlessly alerts me if something out of ordinary might be happening; something that wants elevated privileges with or without my consent. I rarely see UAC prompts anyway. Only when I apply system patches or update software. If you would frequently see UAC prompts when you use the internet or open pdf or word documents I could understand why you're annoyed. But I don't think that's the issue either. Worth noting is that Linux users don't complain about requiring to do a -su or sudo when they install / patch / upgrade. Why should security oriented people using Windows be different?
     
    Last edited: Mar 24, 2016
  11. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @new2security :

    I agree with you.

    The big problem that causes these reoccurring threads is that there's at least a thousand irrelevant and often wrong articles written for every relevant one.

    The truly great materials on this are in good old books. Not online.

    And as we both say - the UNIX documentation on this is pure gold.
     
  12. hjlbx

    hjlbx Guest

    I know what I read in M$' early Protection-Security Center and TechNet about 10 or so years ago. I remember it so distinctly because I was surprised at what I read there. It wasn't an official statement by M$ released world-wide, but nevertheless the information was vetted via official M$ channels.

    Among the things discussed was how certain malwares can lie-in-wait in a LUA\SUA for an OTS elevation (for example, Aleuron) and how certain malwares could still manage to exfiltrate personal data even when highly restricted by using a LUA\SUA. There was also discussion of early implementation problems with early Vista UAC (bugs) - not to mention OS vulnerabilities that directly affected UAC in all account types.

    I may be old and decrepit, but I haven't lost my mind... yet.

    There's a lot of surprising stuff to be found about UAC if one digs deep into M$ sites. However, I will admit, it has been a very long time since I have re-visited. And it is reasonable to expect some of what was discussed then won't apply to UAC and Windows today.

    OK...ok... at this point in time, UAC at max using a SUA, after years of bug and vulnerability fixes, is what ? - probably a 99.9 % rest-easy security measure for the typical user with safe computing habits ? However, that doesn't mean it's 100 % - even in a LUA\SUA.

    I think it is bad form to assert that UAC, combined with a LUA\SUA, is bullet-proof. At the very least that is a foolhardy claim - and only one made by users here and at other security forums. M$ has never asserted that the access token system is impervious to attack nor vulnerability-free.

    I also think this whole thread, like so many here at Wilders, is invariably about one and one thing only: "You are wrong... I-am-right-and-you-are-wrong. You are mistaken, you don't understand, you're a liar, you're starting a flame war, you're spreading FUD, etc..." Make a statement that one of the "power" users doesn't agree with and you'll likely get lambasted.

    The funny point to all this is that I have advocated that UAC should not be disabled at other points in this thread.

    I think UAC should not be disabled - with the caveat that UAC per se is not a 100 % guarantee of system protection - even while using a LUA\SUA.
     
  13. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,510
    Location:
    .
    I have UAC on its Maximum level (= Always Notify). :thumb:
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    I don't think anyone implied it's bullet proof, but it's already built-in to Windows, and it does add a significant measure of separation between running as a standard user and that of an administrative user when enabled as PA in an elevated account, and of course although it's not really a security feature, it will alert to surprise elevation requests.
     
  15. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    It is rare for me not to install new software every day. In the last two weeks I installed 50 programs (some of which were updates to existing software) and uninstalled 30. If I had UAC enabled, I would have received a lot of UAC prompts, just from installing and uninstalling these apps, aside from the prompts I would get when launching some of the software I use.

    If I was to keep a fairly constant setup and not make many changes, then of course I would receive very few UAC prompts. This is what I do on one of my other laptops, and as a result I have kept UAC enabled.
     
  16. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Ok, that would be cumbersome. You mind my asking; are you a software tester?
    Perhaps not the optimal solution but if I were in your shoes I'd consider disabling UAC when I install/upgrade/patch my system. Of course, if possible, plan the install/uninstall so that I perform those actions say within a few hours. It's almost like sudo with a time bar where you don't need to type in your password.
     
  17. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    @new2security No, I'm not a software tester, I just have a lot of software on my system. I'm not too worried about not using UAC.
     
  18. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    No one in their right mind would claim a certain "security feature x" is bulletproof and is 100% secure. It's all about layered security, effectively raising the cost for the attacker where UAC + regular account is the foundation of a secure computer. If you on top of that want to add anti-exes, HIPS, AV, malware scanners, sandboxes, EMET etc - that's swell, because if one layer fails you have a half dozen others that could catch the intruder.

    But if you disable UAC and want to use an admin account for your daily computer tasks you still probably would be able to secure your computer but it will still cost in form of using different layers to achieve similar results and it comes with taking a higher risk. We know for instance that AV software in certain situations introduces a serious attack vector into the system kernel.
    The question is: is it worth taking the risks just to avoid the annoying UAC prompts?
     
  19. guest

    guest Guest

    Of course not, it is what I keep saying here.
     
  20. I have got a tablet which is powered by an Intel Atom z3740 upgraded from Windows 8.1 to Windows 10 and is (mis)used by Everyone.

    I have (as always) UAC set to deny elevation for unsigned and added SRP default level basic user (except admin, so I can install with run as admin). I have set Smartscreen to require admin consent and elevation requires admin password.

    I have disabled Windows Defender, so basically only relying on the UAC (admin password prompt) boundary. This tablet is virus free since I bought it and used as tablet to be used by the family and visitors (2.5 years now). So although they say UAC is not a security boundary, together with Smartscreen and SRP it provides sufficient security.
     
    Last edited by a moderator: Mar 25, 2016
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
    I don't disable it but instead I set it to maximum. I have set SRP so it's almost a must to leave it on. I also prefer to have control over privilege elevation.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I clearly said that UAC is useless if you're already using top rated security tools, I stand by that opinion.

    Also, this topic is called: Do YOU disable UAC? It's not called Should I disable UAC? So no wonder that people are going to post what they do on their own system. Actually, 90% of this forum is about user opinions, people may say things like "This HIPS sucks", so should software companies blame us for slow sales because of negative reviews?

    And I can tell people to run in LUA and to use Sandboxie. But what if they tell me that they find the UAC alerts annoying, and find SBIE confusing? Should I tell them to quit whining? No, I don't think so, I should try to come up with another new solution. It's all about user preference and finding a balance between usability and security. What works for you may not work for someone else.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Very interesting reply. I think it's clear that you look at it from a different angle, you seem to be focused on the UAC design as a whole. But I'm focused on what you're getting to see in day to day usage. But if I'm correct, this topic is not about Protected Admin vs LUA. If you run in LUA you can not even disable UAC, am I correct? This topic is mostly about if you think it's worth to keep UAC enabled when running as Protected Admin. Some think it's an important security layer, while others don't.

    Yes exactly, at the end of the day it's all about keeping the system safe, that's exactly the job of anti-malware tools, namely to be a hindrance to malicious actions. If malware isn't able to run, or isn't able to achieve its goal because of AV/AE/HIPS/Sandbox, then keeping UAC enabled as Protected Admin is a non issue. What I'm basically trying to say is that I don't consider UAC alerts (on Protected Admin) to be an important security layer.
     
  24. After so much Rasheed self inflicted bashing, I must say that Rasheed has a point here.

    So first time a post of Rasheed made me smile again.

    I will keep my promise and won't respond to your argumentation
     
  25. hjlbx

    hjlbx Guest

    You and Rasheed can't be, but what, a few hours apart at most ?

    Meet-up and knuck it out...
     