
Best Practices for Using UAC

To receive the security benefits of UAC while minimizing the costs, follow these best practices:

  • Leave UAC enabled for client computers in your organization.
  • Have all users, especially IT staff, log on with standard user privileges.
  • Each user should have a single account with only standard user privileges. Do not give users accounts with administrative privileges on their local computers. If you follow this guideline, you should also disable the UAC elevation prompts as described in the section titled "How to Configure User Account Control" earlier in this tutorial.
  • Domain administrators should have two accounts: a standard user account that they use to log on to their computers, and a second Administrator account that they can use to elevate privileges.
  • Admin Approval Mode can slow down administrators by requiring them to frequently confirm elevation for administrative tools. If your administrators use a standard user account for day-to-day privileges and only log on with an Administrator account when managing a computer, your IT department might be more efficient if you disable the elevation prompt. To do this, configure the UAC policy setting Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode to Elevate Without Prompting. However, changing this policy may increase the security risk in your environment, and the Windows Security Center will report it.
  • Train users with local administrator credentials not to approve a UAC prompt if it appears unexpectedly. UAC prompts should appear only when the user is installing an application or starting a tool that requires elevated privileges. A UAC prompt that appears at any other time might have been initiated by malware. Rejecting the prompt will help prevent the malware from making permanent changes to the computer.
  • Thoroughly test all applications with a standard user account in Windows Vista prior to deploying Windows Vista. If a third-party application does not work properly with a standard user account, contact the application developer and request an update for the application. If an internal application does not work properly, refer the developers to "Windows Vista Application Development Requirements for User Account Control Compatibility" at http://msdn.microsoft.com/en-us/library/bb530410.aspx. Although that document was written for Windows Vista, it also applies to Windows 7.
  • Create Windows Firewall exceptions for users before deploying an application.
  • Use GPSI, SMS, or another similar application-deployment technology to deploy applications. Disable application-installer detection using the User Account Control: Detect Application Installations And Prompt For Elevation setting, as described in the section titled "How to Configure User Account Control" earlier in this tutorial.
  • When users do require elevated privileges, administrators can provide the necessary credentials either by using Remote Assistance or by physically typing administrator credentials while at the user's computer.
  • Use UAC as part of a defense-in-depth, client-security strategy that includes antispyware and antivirus applications, update management, and security auditing.
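The following script is an added example and is not part of the tutorial or of any Microsoft tool: a read-only PowerShell audit that reports how one Windows 7 client compares with the practices in the list above (UAC enabled, the two elevation-prompt behaviors, installer detection, and membership of the local Administrators group). It assumes it is run from an elevated PowerShell prompt on the computer being checked. The registry path and value names (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, EnableInstallerDetection) are the documented values that the "User Account Control" Group Policy settings write; the $expectedAdmins list and the finding messages are assumptions made for this example.

```powershell
# Added example (not the tutorial's own code). Read-only UAC audit for one Windows 7 client.
# Run from an elevated PowerShell prompt; nothing here changes a setting.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Returns $null when the value is absent, meaning the operating-system default applies.
    $item = Get-ItemProperty -Path $policyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-UacSetting {
    param([string]$Label, $Value, [hashtable]$Meaning)
    # Renders one policy value with its documented meaning, tolerating an unset value.
    if ($null -eq $Value) { return "$Label : not set (OS default applies)" }
    $text = $Meaning[[int]$Value]
    if ($null -eq $text) { $text = 'unrecognized value' }
    return "$Label : $Value ($text)"
}

# Documented meanings of "Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode".
$adminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
# Documented meanings of "Behavior Of The Elevation Prompt For Standard Users".
$userPromptMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (Windows 7 default)'
}

$findings = @()

# Practice: leave UAC enabled.
$enableLua = Get-UacPolicyValue 'EnableLUA'
if ($enableLua -eq 0) {
    $findings += 'EnableLUA = 0: UAC is turned off. Leave UAC enabled on client computers.'
}

# Practice: "Elevate Without Prompting" is a deliberate trade-off, so make it visible.
$adminPrompt = Get-UacPolicyValue 'ConsentPromptBehaviorAdmin'
if ($adminPrompt -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin = 0: administrators elevate without prompting. Acceptable only where admins do daily work from a separate standard account.'
}

# Reported but not flagged: 0 (auto-deny) is expected where users have no admin account at all,
# and a credential prompt is expected where helpdesk staff type admin credentials at the user's computer.
$userPrompt = Get-UacPolicyValue 'ConsentPromptBehaviorUser'

# Practice: with GPSI/SMS deployment, installer detection can be turned off.
$installerDetection = Get-UacPolicyValue 'EnableInstallerDetection'
if ($installerDetection -eq 1) {
    $findings += 'EnableInstallerDetection = 1: setup programs will trigger elevation prompts; turn it off if applications are deployed with GPSI or SMS.'
}

# Practice: day-to-day users should not be members of the local Administrators group.
# Membership is read through the WinNT ADSI provider, which exists on Windows 7
# (Get-LocalGroupMember does not). $expectedAdmins is an assumption for this example.
$expectedAdmins = @('Administrator', 'Domain Admins')
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
foreach ($member in $members) {
    if ($expectedAdmins -notcontains $member) {
        $findings += "Local Administrators group contains '$member': users should log on with a standard account and keep any admin account separate."
    }
}

Write-Output "UAC audit for $env:COMPUTERNAME"
Write-Output (Format-UacSetting 'EnableLUA' $enableLua @{0 = 'UAC off'; 1 = 'UAC on'})
Write-Output (Format-UacSetting 'ConsentPromptBehaviorAdmin' $adminPrompt $adminPromptMeaning)
Write-Output (Format-UacSetting 'ConsentPromptBehaviorUser' $userPrompt $userPromptMeaning)
Write-Output (Format-UacSetting 'EnableInstallerDetection' $installerDetection @{0 = 'off'; 1 = 'on'})
Write-Output ('Local Administrators: ' + ($members -join ', '))

if ($findings.Count -eq 0) {
    Write-Output 'No deviations from the UAC best practices found.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reads the policy values; applying the settings themselves should still be done through Group Policy, as the section "How to Configure User Account Control" describes, so that the configuration is enforced consistently and survives local changes.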