Is turning off User Account Control in Windows a good idea?

Old-school admins might be tempted to turn off User Account Control for the sake of their legacy programs, but the practice could easily do more harm than good.

This Content Component encountered an error

Question: Is it a good idea to disable User Account Control (UAC) for the sake of allowing utility programs to run properly on Windows Server?

Before we get into the answer, let me start by saying that instead of turning UAC off, I traditionally leave it on the default settings for all my systems that support it. Why? Well when the feature was first introduced on both the client (Windows Vista, Windows 7) and server (Windows 2008), I decided that -- like Product Activation before it – UAC wouldn’t be going away any time soon. So I figured the best thing to do was get used to it, learn its quirks and change my own work habits where necessary.

With that being said, let me explain what prompted this whole discussion of whether or not to disable UAC. Not long ago, a Windows Server 2008 R2 machine that I remotely administer was running low on disk space. I cleaned up all the usual suspects: some archived log files that hadn’t been moved out of the system, a bunch of backups that weren’t needed anymore, and so on.

On a whim, I decided to see if other people had run into issues while clearing disk space. After some searching, I ran into this blog post about an admin that was freeing up disk space that seemed to be hidden on Small Business Server 2008.

The author had been using JAM Software’s TreeSize utility to scan the system and determine where his disk space might have gone. After some inconclusive inspection, he realized that due to UAC, he needed to run the program as an administrator for the program to see everything on the drive. (I’m guessing it didn’t automatically ask for elevation when launched.) This helped him find a few things that didn’t show up before, but also prompted some speculation:

Should old-time admins from earlier versions of Windows Server disable UAC as a way of getting the same expected behavior from utilities?

I’m not convinced this is a good idea for several reasons, the first being that UAC is here to stay. That being the case, it’s probably best to work with it rather than against it. For older programs that aren’t UAC-aware and you implicitly trust yourself with, the best solution is to create a shortcut to it, modify it to launch as administrator by default and rename it to say “Utility - Admin Mode” -- or something along those lines. This is not all that hard to get into the habit of doing and has the added bonus of letting you create a one-stop shop (i.e. a folder full of shortcuts) for most of the common things you need to work with in this regard.

Another reason not to turn off User Account Control is that any interaction with a server is going to increase the available attack surface -- even when running what appears to be a thoroughly benign, well-pedigreed program. It doesn’t make sense to preemptively disable one of the very things you have to offset that.

Lastly, the more time you spend with UAC turned off, the less advance warning you’ll receive about an attempted modification to the system. That warning box gives you a chance to stop and reflect on what’s about to happen. It’s certainly saved my bacon several times by keeping me from doing something inadvertently foolish (and I don’t just mean launching malware, but making system-wide changes that didn’t need to happen).

You can follow SearchWindowsServer.com on Twitter @WindowsTT.

ABOUT THE AUTHOR
Serdar Yegulalp has been writing about computers and information technology for more than 15 years for a variety of publications, including InformationWeek and Windows Magazine.

This was first published in January 2011

Dig deeper on Microsoft Windows Server 2008 Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close