PaulDotCom mailing list archives

Windows 7 UAC question


From: Michael Salmon <lonestarr13 () gmail com>
Date: Fri, 11 Feb 2011 17:07:58 -0500

I have a question and am not finding the answer to be very clear.  My
company has started testing Windows 7 and they want to disable UAC...
so I'm putting together an argument and recommendation on UAC
settings to provide the best mix of security and usability.  Some
users do have admin access on their PCs.  I'm unclear on what the
impact on UAC and system security is when enabling Elevating Without
Prompting for the Group Policy - User Account Control: Behavior of the
elevation prompt for administrators in Admin Approval Mode.  I see
conflicting answers from Microsoft as well as on forums.

This TechNet article
http://technet.microsoft.com/en-us/library/ee679793(WS.10).aspx states
towards the beginning:
If UAC is disabled to avoid the elevation prompt, all UAC
functionality is disabled. Instead, consider configuring UAC to
elevate without prompting. In this case, applications that have been
marked as administrator applications, as well as setup applications,
will automatically run with the full administrator access token. All
other applications will automatically run with the standard user
token. The additional functionality of UAC is maintained

However, further in the article it says:
The Elevate without prompting setting turns UAC off. This setting
should be used only on a domain controller or server for advanced
users or server administrators. This setting should not be applied to
a client computer.
Note
Users should not use the Internet when this setting is applied.

So which is it: does it turn UAC off and should not be applied to
client computers, or does it generally leave UAC on except for
applications marked as administrator apps?  I'm also not yet clear on
what an Administrator Application is... can malware easily trick
Windows into thinking it is an administrator app and then UAC will let it
run without prompting?

What has been others' experience with configuring UAC?

Thanks,

Michael Salmon
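
The Group Policy settings named in the message are stored as registry values, so the configuration actually in effect on a test machine can be read back and reported. This is an added PowerShell example, not part of the original post; the function name Get-UacPolicyReport and its parameter are hypothetical, and the sample values at the end are constructed.

```powershell
# Added example. The value names below are the registry backing store for the
# UAC Group Policy settings discussed in the message.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin -> option text of "User Account Control: Behavior
# of the elevation prompt for administrators in Admin Approval Mode"
$AdminPromptModes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacPolicyReport {
    # $Values: object or hashtable holding the policy values; defaults to the
    # live registry of the machine the function runs on.
    param($Values = (Get-ItemProperty -Path $PolicyKey))

    $lua    = $Values.EnableLUA                   # 0 = Admin Approval Mode off
    $prompt = $Values.ConsentPromptBehaviorAdmin  # see $AdminPromptModes
    $secure = $Values.PromptOnSecureDesktop       # 0 = prompt on user desktop
    $findings = @()

    if ($null -eq $lua -or $null -eq $prompt) {
        $findings += 'EnableLUA or ConsentPromptBehaviorAdmin is not set explicitly'
    }
    if ($lua -eq 0) {
        $findings += 'EnableLUA=0: Admin Approval Mode is off (UAC disabled)'
    } elseif ($prompt -eq 0) {
        $findings += 'Admin Approval Mode is on, but administrator elevation requests are granted with no prompt'
    }

    [pscustomobject]@{
        EnableLUA             = $lua
        AdminPromptMode       = if ($null -ne $prompt) { $AdminPromptModes[[int]$prompt] } else { 'not set' }
        PromptOnSecureDesktop = $secure
        Findings              = $findings
    }
}

# Constructed sample: UAC left on, "Elevate without prompting" selected.
Get-UacPolicyReport -Values @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 1 }

# On a Windows 7 test machine, call with no arguments to read the live policy:
# Get-UacPolicyReport
```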