Best Practices for Using UAC
To receive the security benefits of UAC while minimizing the costs, follow these best practices:
- Leave UAC enabled for client computers in your organization.
- Have all users, especially IT staff, log on with standard user privileges.
- Each user should have a single account with only standard user privileges. Do not give users accounts with administrative privileges to their local computers. If you follow this guideline, you should also disable the UAC elevation prompts as described in the section titled "How to Configure User Account Control" earlier in this tutorial.
- Domain administrators should have two accounts: a standard user account that they use to log on to their computers, and a second Administrator account that they can use to elevate privileges.
- Admin Approval Mode can slow down administrators by requiring them to frequently confirm elevation for administrative tools. If your administrators use a standard user account for day-to-day privileges and only log on with an Administrator account when managing a computer, your IT department might be more efficient if you disable the elevation prompt. To do this, configure the UAC policy setting Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode to Elevate Without Prompting. However, changing this policy may increase the security risk in your environment, and the Windows Security Center will report it.
- Train users with local administrator credentials not to approve a UAC prompt if it appears unexpectedly. UAC prompts should appear only when the user is installing an application or starting a tool that requires elevated privileges. A UAC prompt that appears at any other time might have been initiated by malware. Rejecting the prompt will help prevent the malware from making permanent changes to the computer.
- Thoroughly test all applications with a standard user account in Windows Vista prior to deploying Windows Vista. If a third-party application does not work properly with a standard user account, contact the application developer and request an update for the application. If an internal application does not work properly, refer the developers to "Windows Vista Application Development Requirements for User Account Control Compatibility" at http://msdn.microsoft.com/en-us/library/bb530410.aspx. Although that document was written for Windows Vista, it also applies to Windows 7.
- Create Windows Firewall exceptions for users before deploying an application.
- Use GPSI, SMS, or another similar application-deployment technology to deploy applications. Disable application-installer detection using the User Account Control: Detect Application Installations And Prompt For Elevation setting, as described in the section titled "How to Configure User Account Control" earlier in this tutorial.
- When users do require elevated privileges, administrators can provide the necessary credentials either by using Remote Assistance or by physically typing administrator credentials while at the user's computer.
- Use UAC as part of a defense-in-depth, client-security strategy that includes antispyware and antivirus applications, update management, and security auditing.
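The following PowerShell sketch is an added example, not part of the original tutorial. It reads the local UAC policy values and compares them with the practices listed above. The mapping of each practice to a registry value under the Policies\System key, and the function name `Test-UacBaseline`, are this example's assumptions.

```powershell
# Added example: audit local UAC policy values against the practices listed above.
# Assumption: each practice maps to the registry value named in $Baseline.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$Baseline = @(
    @{ Name = 'EnableLUA';                 Expected = 1; Practice = 'Leave UAC enabled' },
    @{ Name = 'ConsentPromptBehaviorUser'; Expected = 0; Practice = 'Standard users: elevation requests denied' },
    @{ Name = 'EnableInstallerDetection';  Expected = 0; Practice = 'Installer detection off (central deployment)' }
)

function Test-UacBaseline {
    param([string]$Path = $PolicyKey)

    # Fail loudly if the key cannot be read rather than reporting a false "OK".
    $current = Get-ItemProperty -Path $Path -ErrorAction Stop

    foreach ($item in $Baseline) {
        $name   = $item.Name
        $actual = $current.$name          # $null when the value is not configured
        if ($null -eq $actual)                { $status = 'NotSet' }
        elseif ($actual -eq $item.Expected)   { $status = 'OK' }
        else                                  { $status = 'Deviation' }

        New-Object PSObject -Property @{
            Setting = $name; Expected = $item.Expected; Actual = $actual
            Status  = $status; Practice = $item.Practice
        }
    }

    # 0 = Elevate Without Prompting. The practices allow it for dedicated admin
    # accounts but note the added risk, so flag it for review instead of failing.
    $admin = $current.ConsentPromptBehaviorAdmin
    if ($admin -eq 0) { $adminStatus = 'Review' } else { $adminStatus = 'OK' }
    New-Object PSObject -Property @{
        Setting = 'ConsentPromptBehaviorAdmin'; Expected = 'non-zero unless risk accepted'
        Actual  = $admin; Status = $adminStatus
        Practice = 'Admin Approval Mode prompt behavior'
    }
}

Test-UacBaseline | Format-Table Setting, Expected, Actual, Status, Practice -AutoSize
```

Rows marked `Deviation` or `Review` are the ones to reconcile with Group Policy; `NotSet` means the value is absent from the key and the operating system default applies.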