The risks of disabling User Account Control (UAC) on Windows Vista

It may upgrade the user experience to disable the User Account Control (UAC) feature, but there are some serious security risks. Application security expert Michael Cobb gives advice.

Twelve percent of Windows Vista users have apparently decided to disable the User Account Control feature, making the OS behave, in many ways, like Windows XP. What are the risks of doing this, and are there other Vista security features that can be used to secure the OS when UAC is disabled?
Disabling User Account Control (UAC) in Windows Vista does make quite a difference to both the user experience and the security posture of Windows Vista, improving the former while degrading the latter. As you say, ignoring the mechanism leaves Vista acting a bit like XP. Many readers might say that is not all bad, at least if the client machine has been properly configured and the user is reasonably experienced and security-savvy.

While most Vista users would probably agree that UAC, with its scary prompts and darkening of the screen, is the most annoying "feature" of Vista, many could probably live with the Microsoft OS asking user permission to install software, just as users are asked in Linux or Mac OS X. But when Vista asks about each and every change to things like Start menu folders or even the system clock, it can get a bit much. Hence the abundance of Web pages out there devoted to showing you how to turn off UAC.

So why didn't Microsoft set Vista's default level of user interrogation closer to that of rival OSes? The answer may lie in the many different avenues of attack that exist on a Windows system running Microsoft applications, whether it's Vista or XP.

Microsoft evolved its software, both OS and applications, from a closed environment to the wide-open world of Internet hosts, without a fundamental redesign. Just as Microsoft Office applications have had to live with Microsoft's decision to embed programming capabilities within data files (resulting in the abuse of macros and VB script), its operating systems have had to live with an excess of sharing abilities and other hooks originally designed for home and office environments where users are known and trusted (not untrusted networks like the Internet).

Now Vista offers the ability to run Internet Explorer in a secure "protected mode." Obviously, in an enterprise setting, it makes sense to control who can turn off UAC. For the general user population, consider denying administrator privileges altogether, forcing users to work at the level of a standard user so they won't be able to do things that trigger UAC elevation prompts for administrators.

For a group of experienced, responsible users who are running Vista with administrator privileges but getting annoyed by it, consider allowing them to run UAC in "quiet mode." This setting leaves UAC on, preserves protected mode in Internet Explorer, and prevents prompts when a user attempts an administrative task. The UAC will run, however, with the standard user permissions by default. There are several free utilities, such as TweakUAC, that simplify setting up quiet mode. The Group Policy Editor in Vista Ultimate also works. In Vista Home Basic or Home Premium, two registry key values must be changed from their default of 2 to 0: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

The values to change are: "ConsentPromptBehaviorAdmin" and "ConsentPromptBehaviorUser"

These modifications do not leave the user completely unprotected. UAC will still offer up an alert if the user, or some process, tries to run unsigned code, provided "ValidateAdminCodeSignatures" has not been changed from the default of 0 for "Off." As more code is being signed, I suggest avoiding the temptation to turn off validation.
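
A read-only check of the values discussed above, as an added example that is not part of the original article: it reports whether a machine is in quiet mode or has UAC switched off altogether. `EnableLUA` is not mentioned in the article and is included as an assumption about what an auditor would also want to see; the function names and the sample hashtable are constructed for illustration.

```powershell
# Added example: read-only audit of the UAC policy values named in the article.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Names = 'EnableLUA', 'ConsentPromptBehaviorAdmin',
         'ConsentPromptBehaviorUser', 'ValidateAdminCodeSignatures'

function Read-UacPolicy {
    # Returns a hashtable: value name -> DWORD, or $null when the value is absent.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $out = @{}
    foreach ($n in $Names) { $out[$n] = if ($props) { $props.$n } else { $null } }
    return $out
}

function Get-UacFinding {
    param([hashtable]$Values)
    $admin = $Values['ConsentPromptBehaviorAdmin']
    $user  = $Values['ConsentPromptBehaviorUser']

    # EnableLUA is not in the article (assumption that it is in scope here);
    # 0 means UAC is switched off entirely rather than quietened.
    if ($Values['EnableLUA'] -eq 0) { 'HIGH  EnableLUA=0: UAC is disabled' }

    if ($admin -eq 0) {
        'WARN  ConsentPromptBehaviorAdmin=0: quiet mode, administrators elevate without a prompt'
    } elseif ($null -ne $admin) {
        "OK    ConsentPromptBehaviorAdmin=${admin}: administrators are prompted before elevation"
    }

    if ($user -eq 0) {
        'INFO  ConsentPromptBehaviorUser=0: standard-user elevation requests are denied without a prompt'
    } elseif ($null -ne $user) {
        "INFO  ConsentPromptBehaviorUser=${user}"
    }

    if ($Values['ValidateAdminCodeSignatures'] -eq 1) {
        'OK    ValidateAdminCodeSignatures=1: only signed, validated executables may elevate'
    } else {
        'INFO  ValidateAdminCodeSignatures is 0 or absent: signature validation on elevation is off'
    }
}

# Constructed sample: the quiet-mode state the article describes.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0
             ConsentPromptBehaviorUser = 0; ValidateAdminCodeSignatures = 0 }
Get-UacFinding -Values $sample

# Live machine: reads the key only, changes nothing.
Get-UacFinding -Values (Read-UacPolicy)
```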

In fact, exercise caution when changing any of the policy settings unless you are sure what the implications will be. In regard to other Vista features that can be used to secure Vista when UAC is disabled, I'm not sure what those might be, other than perhaps some restrictive combination of user groups and permission settings, the basic logon/startup protection and file encryption. I would certainly want to make sure some sort of memory-resident malware detection was running before UAC was disabled. While UAC is annoying, it is likely to get less annoying over time as fewer events trigger alerts, and running in "quiet mode" seems like a good compromise for experienced users.

This was last published in June 2008
