<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#ffffff">




<p class="MsoNormal">Disabling User Account Control (UAC) on Windows Server - Aaron
Margosis' "Non-Admin" and App-Compat WebLog - Site Home - MSDN
Blogs:</p>

<a class="moz-txt-link-freetext"
href="http://blogs.msdn.com/b/aaronmargosis/archive/2011/03/04/disabling-user-account-control-uac-on-windows-server.aspx">http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/04/disabling-user-account-control-uac-on-windows-server.aspx</a>

<h1 style="line-height: 16pt; margin: 24pt 0in 0pt;"><span
style="font-family: Cambria;"><span style="color: rgb(54, 95,
145); font-size: 14pt;">Applies To</span></span></h1>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Windows Server
2008 (all editions except Server Core)</span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Windows Server
2008 R2 (all editions except Server Core)</span></span></p>
<h1 style="line-height: 16pt; margin: 24pt 0in 0pt;"><span
style="font-family: Cambria;"><span style="color: rgb(54, 95,
145); font-size: 14pt;">Summary</span></span></h1>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Under certain
constrained circumstances, disabling User Account Control
(UAC) on Windows Server can be an acceptable and recommended
practice. These circumstances arise only when both of the
following are true:</span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
0pt 0.5in;" class="MsoListParagraphCxSpFirst"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><span style="font-size: 11pt;">Only


Administrators are allowed to log on to the Windows Server
interactively at the console or through Remote Desktop
services.</span></span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
10pt 0.5in;" class="MsoListParagraphCxSpLast"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><span style="font-size: 11pt;">Administrators


log on to the Windows Server only to perform legitimate
system administrative functions on the Server.</span></span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">If either of the
above is not true, then UAC should remain enabled. For
example, if the Server is configured with the Remote Desktop
Services role so that non-administrative users can log on to
the Server to run applications, UAC should remain enabled.
Similarly, UAC should also remain enabled if administrators
run risky applications on the Server such as web browsers,
email or instant messaging clients, or perform other
operations that should be performed from a client operating
system such as Windows 7.</span></span></p>
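<p style="line-height: 13pt; margin: 0in 0in 10pt;" class="MsoNormal">The first of the two conditions above is expressed on the server by the user rights “Allow log on locally” (SeInteractiveLogonRight) and “Allow log on through Remote Desktop Services” (SeRemoteInteractiveLogonRight), so it can be checked rather than assumed. The PowerShell script below is an added example, not code from the original post: it exports those rights with secedit.exe (a documented tool; the .inf layout it parses is the one secedit writes) and flags any principal other than the local Administrators group. The function names and parsing are this example’s own. Run it from an elevated prompt on the server. The second condition, that administrators use the server only for administration, is a process control that no script can verify.</p>

```powershell
# Added example (not from the original post): check precondition 1 of the
# article, "only Administrators may log on interactively at the console or
# through Remote Desktop", via the user rights that implement it.
# Requires an elevated prompt (secedit /export reads the local policy database).

function Get-LogonRightAssignments {
    # Export only the user-rights area to a temporary .inf and parse its
    # [Privilege Rights] section into right-name -> list of principals.
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        # Lines look like:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        # Groups are written as *SID; local user accounts may appear as bare names.
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-AdminOnlyInteractiveLogon {
    param([hashtable]$Rights = (Get-LogonRightAssignments))
    $adminsGroup = '*S-1-5-32-544', 'Administrators'   # local Administrators, SID or name form
    $report = @()
    foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
        $assigned = @($Rights[$right] | Where-Object { $_ })
        # Anyone else listed here (Users, Backup Operators, Remote Desktop Users, ...)
        # can log on interactively, so by the article's rule UAC must stay enabled.
        $others = @($assigned | Where-Object { $adminsGroup -notcontains $_ })
        $report += New-Object PSObject -Property @{
            Right      = $right
            Assigned   = $assigned
            NonAdmins  = $others
            AdminsOnly = ($others.Count -eq 0)
        }
    }
    return $report
}

# Usage: one verdict per right, then an overall one.
$report = Test-AdminOnlyInteractiveLogon
foreach ($r in $report) {
    if ($r.AdminsOnly) { '{0}: Administrators only' -f $r.Right }
    else { '{0}: also granted to {1}' -f $r.Right, ($r.NonAdmins -join ', ') }
}
if ($report | Where-Object { -not $_.AdminsOnly }) {
    'Precondition 1 NOT met: keep UAC enabled.'
} else {
    'Precondition 1 met. Precondition 2 (admin-only usage) is a process control this script cannot verify.'
}
```

<p style="line-height: 13pt; margin: 0in 0in 10pt;" class="MsoNormal">On a default member server the check fails, because “Allow log on locally” is granted to Users and Backup Operators and “Allow log on through Remote Desktop Services” to Remote Desktop Users; on a domain controller the operator groups appear as well. Those defaults have to be tightened deliberately before the first condition holds. Explicit deny rights (SeDenyInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight) are exported in the same section and could be folded into the check.</p>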
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Note that this
guidance applies only to Windows Server operating systems such
as Windows Server 2008 and Windows Server 2008 R2. UAC should
always remain enabled on client operating systems such as
Windows Vista and Windows 7.</span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Note also that
UAC is always disabled on Windows Server 2008 R2 Server Core
and should always be kept disabled on Windows Server 2008
Server Core. A hotfix is available for Windows Server 2008
Server Core (KB 969371) to prevent UAC from being enabled
accidentally.</span></span></p>
<h1 style="line-height: 16pt; margin: 24pt 0in 0pt;"><span
style="font-family: Cambria;"><span style="color: rgb(54, 95,
145); font-size: 14pt;">More Information</span></span></h1>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">User Account
Control (UAC) was introduced in Windows Vista and enhanced in
Windows 7 to help Windows users move toward using standard
user rights by default. UAC includes several technologies to
achieve this:</span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
0pt 0.5in;" class="MsoListParagraphCxSpFirst"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><b style=""><span
style="font-size: 11pt;">File and Registry Virtualization</span></b><span
style="font-size: 11pt;">. When a “legacy” application tries
to write to protected areas of the file system or registry,
Windows silently and transparently redirects the access to a
portion of the file system or registry that the user is
allowed to modify. This enables many applications that
required administrative rights on earlier versions of
Windows to run successfully with only standard user rights
on Windows Vista and Windows 7.</span></span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
0pt 0.5in;" class="MsoListParagraphCxSpMiddle"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><b style=""><span
style="font-size: 11pt;">Same-desktop Elevation</span></b><span
style="font-size: 11pt;">. Elevation allows an authorized
user to run a program with greater rights than those of the
interactive desktop user. Combined with UAC’s “Filtered
Token” feature, this allows administrators to run all
programs with standard user rights by default and to elevate
only those programs that require administrative rights with
the same user account. (This feature is also known as “Admin
Approval Mode”.) Programs can also be launched with elevated
rights under a different user account, so that an
administrator can perform administrative tasks on a standard
user’s desktop.</span></span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
0pt 0.5in;" class="MsoListParagraphCxSpMiddle"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><b style=""><span
style="font-size: 11pt;">Filtered Token</span></b><span
style="font-size: 11pt;">. When a user with administrative
or other powerful privileges or group memberships logs on,
Windows creates two access tokens representing the user
account. One has all the user’s group memberships and
privileges, while the “filtered” token represents the user
with the equivalent of standard user rights and is used to
run the user’s programs by default. The unfiltered token is
associated only with elevated programs. An account that is a
member of the Administrators group and gets a filtered token
at logon is often called a “Protected Administrator”
account.</span></span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
0pt 0.5in;" class="MsoListParagraphCxSpMiddle"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><b style=""><span
style="font-size: 11pt;">User Interface Privilege
Isolation (UIPI)</span></b><span style="font-size: 11pt;">.
UIPI prevents a lower-privileged program from sending window
messages such as synthetic mouse or keyboard events to a
window belonging to a higher-privileged process and thus
controlling it.</span></span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
0pt 0.5in;" class="MsoListParagraphCxSpMiddle"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><b style=""><span
style="font-size: 11pt;">Protected Mode Internet Explorer
(PMIE)</span></b><span style="font-size: 11pt;">. PMIE is
a defense-in-depth feature in which Internet Explorer
operates in low-privileged “Protected Mode” and cannot write
to most areas of the file system or registry. Protected Mode
is “on” by default when browsing sites in the Internet or
Restricted Sites zones. PMIE makes it more difficult for
malware that infects a running instance of IE to change the
user’s settings, such as by configuring itself to start
every time the user logs on. (PMIE is not actually part of
UAC but depends on UAC features such as UIPI.)</span></span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
10pt 0.5in;" class="MsoListParagraphCxSpLast"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><b style=""><span
style="font-size: 11pt;">Installer Detection</span></b><span
style="font-size: 11pt;">. When an interactive user running
with standard user rights starts a program that Windows
heuristically determines is likely to be a legacy
installation program, Windows proactively prompts the user
for elevation, rather than allow the program to run with
standard user rights and possibly fail. Note that if the
interactive user does not have administrative credentials,
the user will not be able to run the program.</span></span></span></p>
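<p style="line-height: 13pt; margin: 0in 0in 10pt;" class="MsoNormal">The filtered token and same-desktop elevation described above are easiest to understand by looking at the token a process actually holds. The PowerShell below is an added example, not the original post’s code: it reads the token’s group list with whoami.exe (shipped with Windows Server 2008 and later; the /groups /fo csv output format is whoami’s own) and classifies the process as standard user, Protected Administrator (filtered token) or full administrator. The classification logic and function names are this example’s. Run it from a normal prompt and from a “Run as administrator” prompt, and again with UAC disabled, to see the three states; it also gives an administrative script a way to fail early instead of “simply failing” later, the situation the “Elevate without prompting” discussion below warns about.</p>

```powershell
# Added example (not from the original post): show the token the current
# process runs with, so the filtered-token mechanism is visible.

function Get-ProcessTokenState {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    # Local Administrators (S-1-5-32-544). In a filtered token the group is still
    # listed, but with the attribute "Group used for deny only".
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    # The integrity level appears as a mandatory-label entry with an S-1-16-* SID:
    # S-1-16-8192 = Medium (filtered token), S-1-16-12288 = High (elevated, or UAC off).
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' }
    if (-not $admins) {
        $state = 'StandardUser'
    } elseif ($admins.Attributes -match 'deny only') {
        $state = 'ProtectedAdministrator'     # filtered token, not elevated
    } else {
        $state = 'FullAdministrator'          # unfiltered token
    }
    $level = 'unknown'
    if ($label) { $level = $label.'Group Name' }
    # WindowsPrincipal.IsInRole honours the token: with a filtered token it returns
    # $false even though the account is a member of Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    New-Object PSObject -Property @{
        User           = $identity.Name
        State          = $state
        IntegrityLevel = $level
        IsElevated     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Assert-Elevated {
    # Put this at the top of an administrative script. With "Elevate without
    # prompting", or from a plain non-elevated prompt, the script would otherwise
    # run with the filtered token and die later with an unhelpful access-denied.
    $s = Get-ProcessTokenState
    if (-not $s.IsElevated) {
        throw ("Needs an elevated token; this process is '{0}' at {1}. Relaunch with 'Run as administrator'." -f $s.State, $s.IntegrityLevel)
    }
}

Get-ProcessTokenState | Format-List User, State, IntegrityLevel, IsElevated
```

<p style="line-height: 13pt; margin: 0in 0in 10pt;" class="MsoNormal">With UAC enabled, a non-elevated prompt for an Administrators member reports ProtectedAdministrator at Medium integrity with IsElevated false; the elevated prompt reports FullAdministrator at High. With UAC disabled every prompt for that account reports FullAdministrator at High, which is exactly what the article means by “all programs run with the logged on user’s full rights”.</p>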
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">In Local
Security Policy | Security Settings | Local Policies |
Security Options, disabling the policy named “User Account
Control: Run all administrators in Admin Approval Mode”
disables all the UAC features described above; the change
takes effect after the next restart. Legacy
applications with standard user rights that expect to write to
protected folders or registry keys will fail. Filtered tokens
are not created, and all programs run with the logged on
user’s full rights. This includes Internet Explorer, as
Protected Mode is “off” for all security zones.</span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">One of the
common misconceptions about UAC – and same-desktop elevation
in particular – is that it prevents malware from being
installed or from gaining administrative rights. First,
malware can be written not to require administrative rights,
and to write only to areas in the user’s profile. More
importantly, UAC’s same-desktop elevation is not a <i
style="">security boundary</i> and can be hijacked by
unprivileged software running on the same desktop.
Same-desktop elevation should be considered a convenience
feature, and for security purposes “Protected Administrator”
should be considered equivalent to “Administrator”. By
contrast, logging in or Fast User Switching to a different
session with an administrator account involves a security
boundary between it and the standard user session. (See the
References section for more information about security
boundaries.)</span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">The purpose of
the Protected Administrator account on end user client
operating systems (Windows Vista and Windows 7) is to
encourage developers to write their applications to require
only standard user rights while enabling as many applications
that share state between administrative components and
standard user components to continue working. The stated goal
and expectation is that over time end users would see few if
any elevation prompts, as the programs they run should never
require administrative rights. This becomes increasingly
necessary as more enterprises adopt a model in which their end
users log on as standard users and do not have credentials for
administrative accounts with which to allow elevations.</span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">However, for a
Windows Server on which the sole reason for interactive logon
is to administer the system, the goal of fewer elevation
prompts is neither feasible nor desirable. System
administrative tools legitimately require administrative
rights. When all the administrative user’s tasks require
administrative rights and each task could trigger an elevation
prompt, the prompts are only a hindrance to productivity. In
this context, they do not and cannot promote the goal of
encouraging development of applications that require standard
user rights. Nor do they improve security posture. Instead
they simply encourage users to click through dialog boxes
without reading them.</span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Note that this
guidance applies only to well-managed Servers on which only
administrative users are allowed to log on interactively or
through Remote Desktop services, and they do so only to
perform legitimate administrative functions. If they run risky
applications such as web browsers, email or instant messaging
clients, or perform other operations that should be performed
from a client operating system, then the Server should be
considered equivalent to a client system and UAC should remain
enabled as a defense-in-depth measure.</span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Further, if
standard users log on to the Server at the console or through
Remote Desktop services to run applications, including web
browsers, UAC should remain enabled to support file and
registry virtualization as well as Protected Mode Internet
Explorer.</span></span></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Another option
to avoid elevation prompts without disabling UAC is to set the
security policy, “User Account Control: Behavior of the
elevation prompt for administrators in Admin Approval Mode” to
“Elevate without prompting.” With this setting, elevation
requests are silently approved if the logged-on user is a
member of the Administrators group. This also leaves PMIE and
other UAC features enabled. However, not all operations that
require administrative rights request elevation. This can
result in a situation in which some of the user’s programs are
elevated and some are not, often with no way to distinguish
between them. For example, most console utilities that require
administrative rights expect to be launched from an
already-elevated Command Prompt or other elevated program.
Such utilities simply fail when launched from a non-elevated
Command Prompt.</span></span></p>
<h2 style="padding: 0px; line-height: 15pt; margin: 10pt 0in 0pt;"><span
style="font-family: Cambria;"><span style="color: rgb(79, 129,
189); font-size: 13pt;">Additional impact of disabling UAC</span></span></h2>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
0pt 0.5in;" class="MsoListParagraphCxSpFirst"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><span style="font-size: 11pt;">With


UAC disabled, Windows Explorer continues to display UAC
“shield” icons for items that require elevation and to
include “Run as administrator” in the context menus of
applications and application shortcuts. Because the UAC
elevation mechanism is disabled, these have no effect, and
applications run in the same security context as the
logged-on user.</span></span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
0pt 0.5in;" class="MsoListParagraphCxSpMiddle"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><span style="font-size: 11pt;">With


UAC enabled, when the console utility Runas.exe is used to
launch a program as a user that is subject to token
filtering, the launched program runs with the user’s
filtered token. With UAC disabled, the launched program runs
with the user’s full token.</span></span></span></p>
<p style="line-height: 13pt; text-indent: -0.25in; margin: 0in 0in
10pt 0.5in;" class="MsoListParagraphCxSpLast"><span style="color:
rgb(0, 0, 0);"><span style=""><span style=""><span
style="font-family: Symbol;"><span style="font-size:
11pt;">·</span></span><span style="line-height: normal;"><span
style="font-family: Times New Roman;"><span
style="font-size: 7pt;">         </span></span></span></span></span><span
style="font-family: Calibri;"><span style="font-size: 11pt;">With
UAC enabled, local accounts cannot be used for remote
administration over network interfaces other than Remote
Desktop (e.g., via NET USE or IIS’ Windows authentication).
A local account that authenticates over such an interface
gets only the privileges granted to the account’s filtered
token. (The built-in Administrator account is exempt from
this filtering unless the policy “User Account Control: Admin
Approval Mode for the Built-in Administrator account” is
enabled.) With UAC disabled, this restriction is removed. (This
feature and a configuration setting to remove it are
described in Microsoft KB article 951016.)</span></span></span></p>
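<p style="line-height: 13pt; margin: 0in 0in 10pt;" class="MsoNormal">The three policies this article turns on, namely “Run all administrators in Admin Approval Mode”, “Behavior of the elevation prompt for administrators in Admin Approval Mode”, and the KB 951016 remote-restriction setting, are all stored as DWORD values under one registry key, so their combined state can be read and changed without the Local Security Policy UI. The PowerShell below is an added example, not from the original post: the key, the value names (EnableLUA, ConsentPromptBehaviorAdmin, LocalAccountTokenFilterPolicy), their meanings and the restart requirement for EnableLUA are documented Windows behaviour; the function names and report layout are this example’s own. Run it elevated. If a Group Policy object sets the same policy, the GPO value is re-applied at the next policy refresh and wins over a local change.</p>

```powershell
# Added example (not from the original post): read, and optionally change, the
# UAC policies the article discusses via their registry backing store.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyState {
    $p = Get-ItemProperty -Path $UacKey
    $promptText = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $behavior = 'not set (OS default)'
    if ($p.ConsentPromptBehaviorAdmin -ne $null) { $behavior = $promptText[[int]$p.ConsentPromptBehaviorAdmin] }
    $uacOn = ($p.EnableLUA -eq 1)
    New-Object PSObject -Property @{
        # "User Account Control: Run all administrators in Admin Approval Mode"
        AdminApprovalMode        = $uacOn
        # "User Account Control: Behavior of the elevation prompt for
        # administrators in Admin Approval Mode"
        AdminPromptBehavior      = $behavior
        # KB 951016: with UAC on, local accounts get a filtered token over the
        # network unless LocalAccountTokenFilterPolicy = 1. With UAC off there is
        # no filtering at all, so the value is irrelevant.
        RemoteLocalAdminFiltered = ($uacOn -and ($p.LocalAccountTokenFilterPolicy -ne 1))
    }
}

function Set-AdminApprovalMode {
    # Disabling this is the one change the article endorses on a qualifying
    # server; it switches off every UAC feature listed above. Needs an elevated token.
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value ([int]$Enabled) -Type DWord
    Write-Warning 'EnableLUA takes effect after the next restart.'
}

function Set-AdminPromptBehavior {
    # 0 = "Elevate without prompting": the alternative the article describes
    # that suppresses prompts but keeps token filtering, UIPI and PMIE active.
    # Read at each elevation, so no restart is needed.
    param([Parameter(Mandatory=$true)][ValidateRange(0,5)][int]$Value)
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $Value -Type DWord
}

# Usage: report first; then, only on a server that meets both preconditions,
#   Set-AdminApprovalMode -Enabled $false   (and restart)
# or, to keep UAC on but silence prompts,
#   Set-AdminPromptBehavior -Value 0
Get-UacPolicyState | Format-List
```

<p style="line-height: 13pt; margin: 0in 0in 10pt;" class="MsoNormal">Get-UacPolicyState reports the effective local values, which is what the Security Options snap-in shows; an absent ConsentPromptBehaviorAdmin means the OS default applies (“Prompt for consent on the secure desktop” on Windows Server 2008, “Prompt for consent for non-Windows binaries” on Windows Server 2008 R2).</p>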
<h2 style="padding: 0px; line-height: 15pt; margin: 10pt 0in 0pt;"><span
style="font-family: Cambria;"><span style="color: rgb(79, 129,
189); font-size: 13pt;">References</span></span></h2>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Inside
Windows Vista User Account Control</span></span>
<a href="http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx"><span
style="font-family: Calibri;"><span style="color: rgb(0, 0,
255); font-size: 11pt;">http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx</span></span></a></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">Inside
Windows 7 User Account Control</span></span>
<a href="http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx"><span
style="font-family: Calibri;"><span style="color: rgb(0, 0,
255); font-size: 11pt;">http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx</span></span></a></p>
<p style="line-height: 13pt; margin: 0in 0in 10pt;"
class="MsoNormal"><span style="font-family: Calibri;"><span
style="color: rgb(0, 0, 0); font-size: 11pt;">PsExec,
User Account Control and Security Boundaries</span></span>
<a href="http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx"><span
style="font-family: Calibri;"><span style="color: rgb(0, 0,
255); font-size: 11pt;">http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx</span></span></a></p>
</body>
</html>
