22 Replies Latest reply on Apr 21, 2011 8:23 AM by mrspike

    Windows 7 User Access Control (UAC) - Best Practice?

    Specialist

      Hello Landesk Users!

       

      What is the Best Practice for User Access Control (UAC) in Windows 7, with Software Distribution Packages (BAT, EXE, MSI etc)?

      (Some Examples: Enable, Enable (never notify), Disable, Disable for Administrators only)

       

      What is your personal advice, how are you using UAC in your Company?

      (Please tell me also the reason, why you choose this UAC option.)

       

      Best Regards

      Troga

       

      PS: We are using Landesk 9 SP2

        • 1. Re: Windows 7 User Access Control (UAC) - Best Practice?
          Employee

          Hello,

           

           

          UAC is an evilish functionality and we do not use it.

          It is disabled by GPO. In my experience it gives more problems than advantages.

          Regards,

          StockTrader

          • 2. Re: Windows 7 User Access Control (UAC) - Best Practice?
            Specialist

            @Stocktrader

            Thank you for your Opinion.

             

            @All

            Any other answers are still welcome, I like to hear from all of you.

            So what is your UAC Best Practice?

             

            Best Regards

            Troga

            • 3. Re: Windows 7 User Access Control (UAC) - Best Practice?
              zman Master

              This will depend on your company's security policies. Some will say turn off, Microsoft says leave it on, and there is some truth in the middle. We have it on with default settings in our test environment. If you use LANDesk to install your applications then there should be no issues, per se. The premise behind UAC is that it is a transitional technology for Windows to get everyone and everything (hard/software) to run as a standard user. It is there as a bridge until software vendors catch up with current standards. I'm not going to go into the debate about Standard vs Administrative users. The biggest problem is going to be legacy applications that require Administrative rights. If you have really good packagers, like we do, it is an issue that can be worked around, virtualization helps but is not a 100% solution, etc...

               

              I think I saw a stat from Microsoft that 88% of users have UAC on. Again this is a security driven setting so Security will be one of the main drivers followed by your application base, user tolerance, etc... It can be left on and still have a manageable environment and not tick off your users.

              • 4. Re: Windows 7 User Access Control (UAC) - Best Practice?
                Specialist

                So we now have an opinion about UAC Disable and one about UAC Enable.

                Anyone else? What did you think about User Access Control in Windows 7?

                 

                Best Regards

                Troga

                • 5. Re: Windows 7 User Access Control (UAC) - Best Practice?
                  Expert

                  88% of users because Joe User either doesn't know how to turn it off, doesn't have admin rights to turn it off, or has that glazed look in their eyes as they blindly panic click the yes/ok button(s) to make the annoying dialogue go away while never reading what they just agreed to. UAC does nothing to prevent any type of security issues and is a failure on all accounts IMO.

                   

                  Ok, rant over, but it does make me wonder how MS came up with that number when absolutely no one I know intentionally leaves UAC on.

                   

                  So back to the question. UAC on or off? Depends on your company's users and policies. If you have people that know little to nothing about computers and you don't have full time IT admins (think that you're a part time IT contractor), then I would leave it on and instruct them to read the message or the support call is going to be expensive. If you have a large base of developers and programmers and a trained IT department with a properly secured network and a managed desktop/patch management/strong anti-virus solution in place, then you most likely don't need it and would just frustrate your users into hacking their system to disable it.

                   

                  Get to know your users is my suggestion.

                  • 6. Re: Windows 7 User Access Control (UAC) - Best Practice?
                    Specialist

                    Awesome.

                    But forget our Policies, we want to define them completely new.

                    It is very interesting to hear how other companies handle UAC on Windows 7.

                     

                    Best Regards

                    Troga

                    • 7. Re: Windows 7 User Access Control (UAC) - Best Practice?
                      Apprentice

                      My personal opinion is that UAC is a good security measure. I think this will curb many of the viruses in our environment due to accounts not having the administrative rights to install. Additionally, now with Windows 7 we have been able to standardize our applications and users will not be granted administrative privs to install some random application. Any "administrative privs" need to be channeled through our Service Desk. For things we need to give users rights to modify/edit we can do so through Group Policy. (i.e. Adding Printers)

                      • 8. Re: Windows 7 User Access Control (UAC) - Best Practice?
                        Apprentice

                        Personally, I think UAC performs a very valuable function and I intend to leave it enabled if at all possible. Our environment is Active Directory with about 3,000 client computers. They are mostly XP SP3 but all our new deployments are Windows 7. Currently we have 333 Windows 7 clients.

                         

                        Since we use Active Directory I could easily turn UAC off, or modify the settings, but I really don't want to do that. I find that there are very few apps that will cause Windows 7 UAC to throw an alert. Most apps are written correctly to respect HKLM in the Registry and to save all user files in the user's profile. Those that don't do this will throw a UAC prompt, but I tend to blame the application developer and not Microsoft. As far as I'm concerned MS is just trying to enforce programming guidelines that were first published something like 14 years ago.

                         

                        I have to admit though that we are currently struggling with some of our LANDesk software deployment packages. We tend to use a lot of BAT scripts to deploy software. Most of them work ok but we're finding quite a few that will only succeed on Windows 7 if we run them in an elevated command prompt. Launching a command prompt with SYSTEM credentials does not work for these scripts and I haven't yet figured out the reason. Since LANDesk runs its deployment packages using "System" credentials these particular deployments will always fail. We have also tried to use LANDesk to deploy PowerShell scripts - we'd like to use these to configure the Roles on our Windows 2008 servers. Again, the PowerShell scripts will fail if we try to deploy them with LANDesk but they succeed if we run them in an elevated command prompt on the server.

                         

                        I would very much like to see a "Best Known Methods" document from LANDesk on how UAC should be configured so that it won't interfere with LANDesk software deployments.

                         

                        Oh yeah - I have one other problem with LANDesk and UAC. The LANDesk Management Console (LDMS 9 SP2) always throws a UAC alert when I launch it on a Windows 7 machine! What's that about? As far as I can see there's no reason the console should throw a UAC prompt. Is this a problem with the LDMS console program, or is it a problem with the way I installed it? I don't really mind clicking "Yes I want to run this program" but I'm only able to do that because I'm logged in as an Administrator. We're trying to get away from our IT staff logging in as Admins - we'd like to follow more of a "Least Privileges" practice where we would log in with normal user privileges. I go back to my earlier statement - if a program triggers UAC every time it is launched, then the application developers have done something wrong. Does anybody else find it odd that the LDMS console triggers UAC? Or has somebody figured out why this happens? I'd love to know the answer to that one.

                        • 9. Re: Windows 7 User Access Control (UAC) - Best Practice?
                          Specialist

                          I also wish for a "Best Known Methods document" from LANDesk on how UAC should be configured so that it won't interfere with LANDesk software deployments.

                          Most of our packages are also using Batch Files and our Windows 7 x64 Systems are growing from day to day. I wonder why only a few people complained here about that behaviour.

                           

                          Best Regards

                          Troga

                          • 10. Re: Windows 7 User Access Control (UAC) - Best Practice?
                            Apprentice

                            Wow we are in our beginning stages of a campus-wide Windows 7 migration and I do not believe that anyone has brought up UAC as a topic. I never did consider how this could affect users after using XP for so many years. The majority of our users have administrative rights on their desktops and laptops so I would see this as more of an annoyance in our situation. The addition of the UAC to Windows (since Vista) has not decreased the amount of requests that we have received to remove viruses/malware so I would not see a benefit of having it enabled for Windows 7.

                             

                            @Jayson-- how are you running the batch files as an elevated command prompt? Are you using "runas"? I am also having this issue with some batch SWD.

                            • 11. Re: Windows 7 User Access Control (UAC) - Best Practice?
                              Apprentice

                              As I mentioned in the earlier post, some of our BAT install scripts seem to work ok when LANDesk schedules them using System credentials. (That is, they work the same on Windows 7 as they did in Windows XP.) We are discovering though that quite a few of our BAT installation scripts will fail, and for those I usually log into the target computer and launch an elevated command prompt, and then run the BAT script in that. I really need to understand this whole process a lot better before I can give any helpful answers on this. Maybe we have to start digitally signing our install scripts so that Windows 7 knows that they are ok to run. (If that actually is the answer then that's the kind of information I would hope to see in a LANDesk "Best Known Methods" document.)

                               

                              Note that in Windows 7 you won't find a "Run As" option on the command prompt. That's because Windows 7 always launches certain applications in Low Privilege mode, even if the user has a privileged account. I think this rule applies to Internet Explorer and the Command Prompt - I'm not sure which other applications. The solution provided in the Windows 7 user interface is to right-click on the exe or shortcut and select "Run as Administrator". If you are logged in with an Admin account the program will launch immediately without prompting for credentials and you will have full admin access to the computer. If you are logged in to the computer with a normal user account then you will be prompted for admin credentials before the application will launch.

                               

                              I actually think this new behavior in Windows 7 is a really good change and it will make things much easier for us as we try to transition our IT Department to follow best practice and log in to computers with normal user accounts rather than administrator accounts. I really don't want to disable UAC - I want to understand how to configure it so that LANDesk software distribution is more reliable.

                               

                              Jayson

                              • 12. Re: Windows 7 User Access Control (UAC) - Best Practice?
                                Apprentice

                                As one of the rare IT departments that did choose to go with Vista a few years back, we have some experience with UAC. And it's not the horrible goblin most make it out to be--even under Vista. We have had no problems with Landesk and UAC (unless you count that if you're manually installing the agent, you have to run as admin.)

                                 

                                We install virtually everything under localsystem. I have one package that I have to install as a user, and that simply requires a phone call or email warning the user to allow the installer to run.

                                 

                                We use UAC in full nastiness mode--in other words, we prompt for credentials from admin users. Most of them have no problem with it, and run into it very infrequently. The only times we've really seen trouble is not when you'd expect--it's when users don't want to allow certain things to run that they should run, such as SSL VPN updaters and the like.

                                • 13. Re: Windows 7 User Access Control (UAC) - Best Practice?
                                  Apprentice

                                  "Run as Administrator" is actually what I was wondering about- I didn't mean runas. It would be nice if it was possible to use the "Run as Administrator" option with the command line. I was currently having this problem with creating a batch file to uninstall the LD agent via the software portal. We provide full support for personal student laptops at our University, as well as select software. I would like to make the removal of LANDesk and LDAV available to the students through Desktop Manager so that they remove the agent if they want. The problem is that I would get the UAC prompt, this Interactive Services Detection popup would get in the way, or it would just fail with no details in the task or vulscan logs.

                                  • 14. Re: Windows 7 User Access Control (UAC) - Best Practice?
                                    Apprentice

                                    Thanks for the update Ken. It's good to hear your confirmation that LANDesk SWD can co-exist with UAC and there won't necessarily be any fights. It kind of confirms what I suspected - I've got some deployments that need to be tweaked but in general this should work. Now that we've got 300+ Windows 7 clients on our network I'm sure I'll eventually develop enough experience to figure out why some of our BAT file deployments are failing. If I find any useful tricks I'll post them back to the forum.

                                     

                                    For anyone like me who is trying to understand UAC and how it works I came across an excellent article by Mark Russinovich. This guy is highly credible in my opinion, having extremely deep knowledge of Windows and security in general. Mark has written about UAC in a Blog post and he covers everything in very clear terms, with several very useful links to provide additional details and context. You can find his Blog post at http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx?rss_fdn=TNTopNewInfo .

                                     

                                    Jayson
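
Several posts above compare a script run from an elevated command prompt with the same script launched under SYSTEM by the deployment agent. The following PowerShell is an added example, not part of any post and not LANDesk code: it reports the machine's UAC policy values and the security context of the process that runs it, so the output from an interactive elevated prompt can be compared with the output captured from a deployment task. It assumes the standard UAC policy registry key and works on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example: dump UAC policy and the context of the current process.
# Run once from an elevated prompt and once as a deployment task, then diff.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# ConsentPromptBehaviorAdmin: what members of Administrators see on elevation
$adminPromptText = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

# A missing value must not be read as 0, so test for $null first
$raw = $policy.ConsentPromptBehaviorAdmin
if ($raw -eq $null) {
    $adminPrompt = 'Value not present'
} elseif ($adminPromptText.ContainsKey([int]$raw)) {
    $adminPrompt = $adminPromptText[[int]$raw]
} else {
    $adminPrompt = "Unknown value $raw"
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

$report = New-Object PSObject -Property @{
    UacEnabled       = ($policy.EnableLUA -eq 1)             # 0 = UAC off
    AdminPrompt      = $adminPrompt
    SecureDesktop    = ($policy.PromptOnSecureDesktop -eq 1)
    RunningAs        = $identity.Name
    IsSystem         = $identity.IsSystem
    # False for an admin's filtered token, True once elevated or as SYSTEM
    HasAdminToken    = $principal.IsInRole($adminRole)
    Is64BitProcess   = ([IntPtr]::Size -eq 8)
    WorkingDirectory = (Get-Location).Path
}

# Write to the screen and to a file the deployment task can leave behind
$report | Format-List | Out-String |
    Tee-Object -FilePath (Join-Path $env:TEMP 'uac-context.txt')
```

Fields such as `RunningAs`, `Is64BitProcess` and `WorkingDirectory` are included because they can differ between an interactive session and a service-launched process; the script records them without implying which one explains a given failure.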
