Is disabling UAC on a Windows 2008 server a bad idea?

Question

We've just upgraded to Windows 2008 server, and I'm already getting really sick of approving dozens of UAC messages. I normally disable UAC on my personal Vista machines, but I'm reluctant to do this on our server. Is there any particular reason I should leave it on?

score 12 · Accepted Answer · answered Jul 21 '09 at 19:16

12

It shouldn't be bothering you too much because you shouldn't be working directly on the server computer's desktop all that much for it to be an issue. You should be installing the admin. tools on a client computer, logging-on with a non-administrative account on that client computer for day-to-day work, and running the admin. tools with "Run As" and an administrative account.

It sounds painful, but it's the best strategy for keeping server computers secure from unwanted malicious software or accidental damage.

If this is just your personal machine then turn UAC off. It's a business machine, leave UAC on and stop using the server's desktop.

answered Jul 21 '09 at 19:16

Evan Anderson

141,881
20
196
331

Agreed, UAC is there to help you even though you may not want its help. Learn to work with UAC, it is worth the small bit of aggrevation. The Mainframe and *NIX world deal with this daily and you don't see any of them complaining. – pulcher Jul 21 '09 at 19:22
2

They don't complain because they're so busy editing a thousand text files in a thousand folders just to mount a new volume that they don't have time – Mark Henderson Jul 21 '09 at 21:19
Disabling security measures is by default usually not a good idea unless there is valid reason or it impedes the business to have enabled. Your 3 seconds(if you're really slow) is not worth less secure servers. – sclarson Nov 03 '09 at 20:39
4

UAC is a huge disaster. The OS is designed ass-backwards. Permissions should be granted to executable code instances, not users. User's don't do anything, only executable code does things. User's need be granted only one kind of right -- to launch and provide input or not (to use or not use). The future of OS security is a single code base, instantiated into virtual processes. The virtual processes are assigned permissions, and users are granted the right to launch a particular VP or not. Problem solved forever – Triynko Nov 03 '09 at 20:54
1

It's hillarious. You can see it more and more with so-called "new features", such as Managed Service accounts. Individual application pools are now getting thier own user accounts in IIS 7.5. How long will it take them to realize that we don't need to use the "user account" as a proxy for permissions, assign the damn permissions directly to the processes that actually do stuff!!! Man. – Triynko Nov 03 '09 at 21:13
It's assigned by user because it's USERS that execute processes. granting processes rights seems like a security nightmnare to me. Instead off worrying about whether a user account was compromised, now I have to worry about which among thousands of processes have been compromised. Additionaly you've have to have some sort of crystal ball to determine which processes are going to be started on a given server ij norder to grant it the appropriate perms – Jim B Jan 31 '11 at 01:55

score 4 · Answer 2 · answered Nov 03 '09 at 20:33

4

It's easy to say it's a bad idea to turn it off, but if you run tons of 3rd party custom apps like we do through a citrix environment, UAC steps all over program's ability to run properly.

answered Nov 03 '09 at 20:33

6

With respect, your 3rd party custom apps have been coded by morons if they can't abide by the permissions UAC/Windows tries to enforce. Vista has been out a long time now. It's time for software vendors to get with the program. – Ryan Bolger Apr 14 '11 at 14:28
Are you calling VISTA an actual OS? – Vick Vega Sep 04 '12 at 21:12

score 2 · Answer 3 · answered Jul 21 '09 at 19:39

Yes diabling UAC is a bad idea. You should not disable it on your personal machines or your servers. It's a minor inconvienience with a sizeable payoff. The UAC on the server should be annoying as a reminder that everythig you are doing should and could be done without being logged onto the servers desktop.

score 1 · Answer 4 · answered Jun 28 '11 at 14:22

We found that we are not able to assign Microsoft SQL Server Reportin Services Report Manager roles to NT Groups unless the User Access Control is turned off. This is a Microsoft application that does not work well with their own security settings. Since we are using Groups in role assignment to implement security, having this security setting prevent it is an oxymoron. It depends on why you want to disable UAC.

score 1 · Answer 5 · answered Jul 21 '09 at 19:08

1

Added safety, to be simple. If users aren't regularly installing software on the server, it's probably best to leave it on there.

answered Jul 21 '09 at 19:08

Sampson

530
2
6
18

score 1 · Answer 6 · answered Jul 21 '09 at 19:31

In an ideal world you could just turn UAC off and everything would hum along fine with no isues. It's not an ideal world, and UAC exists for a reason - to warn you that an application you're using is about to make some potentially serious changes or do some deep-down OS-level stuff that might make your system unhappy IF the app is in any way malicious or plain-old-fashioned badly-written.

I'd be seriously concerned about the kind of apps you're running on your server if you're generating a lot of UAC prompts. On the other hand, if it's something like Lotus Domino that might just be the way things have got to be (we don't all have nice clean servers that only require the MS admin tools to manage...)

score 0 · Answer 7 · answered Jul 21 '09 at 19:12

It depends on your environment really. I'd say if you consider yourself a decent admin with a secure environment, then it's probably safe to turn off. I've turned it off on a few of our boxes partly due to my ignorance of forgetting to run things as an admin. It saves me time and hassle. And honestly some of these boxes are so protected and locked down already, I'm not missing much if I turn it off.

score 0 · Answer 8 · answered May 04 '17 at 14:42

0

In short: Yes!
Per this.

(This question here is old.)

answered May 04 '17 at 14:42

mYnDstrEAm

101
2

Welcome to ServerFault. https://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers Can you make your answer stand on its own? – chicks May 04 '17 at 16:43

score -1 · Answer 9 · answered Oct 03 '12 at 00:27

-1

our monitoring software need WMI to run the types of windows reports we want instead of SNMP...but of course UAC is not allowing it access. Seems a no brainer to turn it off!

answered Oct 03 '12 at 00:27

celest

1

2

If you were'nt a first time poster I would downvote this answer. The correct solution is not to disable UAC but to configure the system and software so that disabling is not required. – John Gardeniers Oct 03 '12 at 02:37

Is disabling UAC on a Windows 2008 server a bad idea?

9 Answers9

Linked