User Account Control in Windows 7 Best Practices

Applies To: Windows 7, Windows Server 2008 R2

Note

This document contains detailed information about User Account Control (UAC) in Windows 7 for the IT professional. If you need help and how-to information for using User Account Control in Windows 7 at home, see the following:

This document provides additional information about UAC that can help IT professionals develop UAC best practices for their Windows 7 and Windows Server 2008 R2 environments. This document does not include comprehensive information for administering UAC.

Do not disable UAC

It is recommended that UAC prompting not be turned off in Group Policy settings or by changing the slider setting.

Although the elevation prompt is the most visible part of UAC, UAC also provides the underlying components that allow for increased security with a minimal amount of disruption, especially for standard users. Two of these benefits include:

  • Protected Mode in Internet Explorer

  • File and registry virtualization

If UAC is disabled to avoid the elevation prompt, all UAC functionality is disabled. Instead, consider configuring UAC to elevate without prompting. In this case, applications that have been marked as administrator applications, as well as setup applications, will automatically run with the full administrator access token. All other applications will automatically run with the standard user token. The additional functionality of UAC is maintained.

The UAC slider in the enterprise

  • The slider setting on each Windows 7 client computer is derived from Group Policy.

  • Standard users can view and change the slider settings only by providing the credentials for a local administrator account in the User Account Control credential prompt.

  • Users that are running as a local administrator receive a consent prompt when viewing or changing the slider settings.

  • Turning UAC off in Group Policy or setting the slider to Never notify requires a restart, which refreshes and reapplies Group Policy settings.

The following table provides equivalent Group Policy settings for each slider setting. Refer to the Configure UAC Group Policy settings section for information and recommendations about the Group Policy settings.

Slider setting Equivalent Group Policy settings

Always notify

  • The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent on the secure desktop.

  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.

Notify only when programs try to make change to the computer (default)

  • The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries.

  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.

Notify only when programs try to make change to the computer (without secure desktop)

  • The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries.

  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled.

  • The Behavior of the elevation prompt for standard users policy setting is set to Prompt for credentials.

Never notify

Note
This setting requires a restart to take effect.

  • The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Elevate without prompting.

  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled.

  • The User Account Control: Run all administrators in Admin Approval Mode policy setting is disabled.

  • UAC is disabled.

Use standard user accounts

Users should always run as standard users with the following exceptions:

Make the primary user account a standard user account. For users who are allowed to perform administrative tasks on their client computers, create a local administrator account for performing those administrative tasks. When a user is logged on as a standard user and attempts to perform an administrative task, the credential prompt is presented. The user must enter an administrator user name and password, and then click Yes to perform the task.

When users are logged on as standard users and need to perform administrative tasks, they can also quickly switch between the two accounts by using the Fast User Switching feature. Fast User Switching is a feature in Windows that allows a user to switch to a different user account without closing programs or files first. The user can quickly transition to the administrator account without disrupting their current activities.

To switch users without logging off

  1. Click Start, and then click the arrow to the right of the Shut down button.

  2. Click Switch user.

  3. Click the user account that you want to use.

Important

Although it is not necessary to close programs or files before switching users, it is a good idea to save any open files before switching users. If the user switches to a second user and the second user shuts down the computer, any unsaved changes made by the first user may be lost.

Configure UAC Group Policy settings

There are 10 Group Policy settings that control the behavior of UAC. As a best practice, configure UAC Group Policy settings appropriately for your environment. The following table describes best practices for the UAC Group Policy settings.

Group Policy setting Default Best practice

User Account Control: Admin Approval Mode for the built-in Administrator account

Disabled

When this policy setting is disabled, it is the equivalent to Never notify on the slider when a user is logged on as the built-in administrator.

While using the built-in administrator account is not recommended, if it is used, this policy setting should be enabled so that the user receives a UAC prompt. Disable this policy setting only when there are critical legacy applications that are not UAC compliant and that cannot be fixed with any other solution. For information about how to fix application compatibility issues, see User Account Control: Planning and Deploying Application Compatibility Databases for Windows 7 (https://go.microsoft.com/fwlink/?LinkID=148442).

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

Disabled

When this policy setting is disabled, the elevation prompt is displayed on the secure desktop. If you plan to use the Remote Assistance feature, this policy setting should be enabled. If the policy setting is not enabled, the remote assistant receives a blank screen when the elevation prompt is displayed on the secure desktop of the remote computer.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Prompt for consent for non-Windows binaries

The default setting (Prompt for consent for non-Windows binaries) only prompts for consent to run non-Windows executable files and applications.

The Prompt for consent setting is recommended in a less secure environment where credentials are not required.

The Prompt for credentials setting is recommended in high security environments where credentials are required but the additional security of the secure desktop is not required.

The Prompt for consent on the secure desktop setting is recommended in less secure environments where credentials are not required but the additional security of the secure desktop is required.

Note
Some issues with video drivers can result in a delay when switching to the secure desktop.

The Prompt for credentials on the secure desktop setting is recommended in high security environments where credentials and the additional security of the secure desktop are required.

Note

Some issues with video drivers can result in a delay when switching to the secure desktop.

The Elevate without prompting setting turns UAC off. This setting should be used only on a domain controller or server for advanced users or server administrators. This setting should not be applied to a client computer.

Note

Users should not use the Internet when this setting is applied.

User Account Control: Behavior of the elevation prompt for standard users

Prompt for credentials on the secure desktop

The default setting (Prompt for credentials on the secure desktop) allows standard users to perform tasks that require elevation of privilege by presenting the credential prompt on the secure desktop. The user must provide valid credentials to continue. This setting is not recommended for managed environments. The Automatically deny elevation requests setting is recommended for managed environments. Elevations are automatically denied, and a configurable access denied message is displayed.

User Account Control: Detect application installations and prompt for elevation

Enabled (home)

Disabled (enterprise)

This policy setting should be disabled if you have standard users and use Group Policy Software Installation or Microsoft System Center Configuration Manager to deploy applications. When this policy setting is disabled, application installation package detection does not occur.

User Account Control: Only elevate executables that are signed and validated

Disabled

If there are applications in your environment that are not signed and validated, this policy setting should not be enabled. When this policy setting is enabled, only signed applications and other executable files are permitted to run. Depending on the behavior of the elevation prompt settings for the user account, a consent or credential prompt is presented.

User Account Control: Only elevate UIAccess applications that are installed in secure locations

Enabled

When this policy setting is enabled, only UIAccess applications that are installed in secure locations in the file system are allowed to run. Secure locations are limited to:

  • Program Files\, including subfolders

  • Windows\System32\

  • Program files (x86)\, including subfolders (for 64-bit versions)

This is the recommended setting.

User Account Control: Run all administrators in Admin Approval Mode

Enabled

This policy setting must be enabled and related UAC policy settings must be set appropriately to allow the built-in Administrator account and all other user accounts that are members of the Administrators group to run in Admin Approval Mode.

When disabled, Admin Approval Mode and all related UAC policy settings are disabled.

Note

If this policy setting is disabled, the Security Center notifies the user that the overall security of the operating system is reduced.

User Account Control: Switch to the secure desktop when prompting for elevation

Enabled

Prompt behavior policy settings are used for administrators and standard users to determine whether the elevation prompt is presented on the interactive desktop or the secure desktop.

When this policy setting is enabled, all elevation requests are presented on the secure desktop regardless of the prompt behavior settings for administrators and standard users. Users must respond to the prompt before they can continue. This setting is not recommended for managed environments.

When this policy setting is disabled, requests for privilege elevation are allowed to go the interactive desktop. Prompt behavior policy settings for administrators and standard users are used. The prompt remains on the interactive desktop until the user responds to it, but the user can continue working without responding to the prompt.

User Account Control: Virtualize file and registry write failures to per-user locations

Enabled

When this policy setting is enabled, application write failures are redirected at run time to defined user locations. Enable this policy setting in environments where legacy applications need to run as if they were running in Windows XP.

When this policy setting is disabled, applications that attempt to write in privileged resources, such as the Program Files folder, fail. Disable this policy setting in environments where file and registry virtualization is not required.

For more information about UAC Group Policy settings, see User Account Control in Windows 7 Technical Reference (https://go.microsoft.com/fwlink/?LinkID=146195).