Is disabling UAC on a Windows 2008 server a bad idea?

windows-server-2008 uac

7,293

Solution 1

It shouldn't be bothering you too much because you shouldn't be working directly on the server computer's desktop all that much for it to be an issue. You should be installing the admin. tools on a client computer, logging-on with a non-administrative account on that client computer for day-to-day work, and running the admin. tools with "Run As" and an administrative account.

It sounds painful, but it's the best strategy for keeping server computers secure from unwanted malicious software or accidental damage.

If this is just your personal machine then turn UAC off. It's a business machine, leave UAC on and stop using the server's desktop.

Solution 2

Yes diabling UAC is a bad idea. You should not disable it on your personal machines or your servers. It's a minor inconvienience with a sizeable payoff. The UAC on the server should be annoying as a reminder that everythig you are doing should and could be done without being logged onto the servers desktop.

Solution 3

In an ideal world you could just turn UAC off and everything would hum along fine with no isues. It's not an ideal world, and UAC exists for a reason - to warn you that an application you're using is about to make some potentially serious changes or do some deep-down OS-level stuff that might make your system unhappy IF the app is in any way malicious or plain-old-fashioned badly-written.

I'd be seriously concerned about the kind of apps you're running on your server if you're generating a lot of UAC prompts. On the other hand, if it's something like Lotus Domino that might just be the way things have got to be (we don't all have nice clean servers that only require the MS admin tools to manage...)

Solution 4

We found that we are not able to assign Microsoft SQL Server Reportin Services Report Manager roles to NT Groups unless the User Access Control is turned off. This is a Microsoft application that does not work well with their own security settings. Since we are using Groups in role assignment to implement security, having this security setting prevent it is an oxymoron. It depends on why you want to disable UAC.

Solution 5

Added safety, to be simple. If users aren't regularly installing software on the server, it's probably best to leave it on there.

View more solutions

7,293

Nik Reiman

I develop audio and music software. I started Teragon Audio, and have produced a number of AU/VST plugins, hosts, and other stuff. I am not seeking employment; please do not contact me with job offers, project proposals, and the like.

Updated on September 17, 2022

Comments

Nik Reiman almost 2 years

We've just upgraded to Windows 2008 server, and I'm already getting really sick of approving dozens of UAC messages. I normally disable UAC on my personal Vista machines, but I'm reluctant to do this on our server. Is there any particular reason I should leave it on?
radzi0_0 almost 15 years

Agreed, UAC is there to help you even though you may not want its help. Learn to work with UAC, it is worth the small bit of aggrevation. The Mainframe and *NIX world deal with this daily and you don't see any of them complaining.
Dave Klotz over 14 years

Disabling security measures is by default usually not a good idea unless there is valid reason or it impedes the business to have enabled. Your 3 seconds(if you're really slow) is not worth less secure servers.
Triynko over 14 years

UAC is a huge disaster. The OS is designed ass-backwards. Permissions should be granted to executable code instances, not users. User's don't do anything, only executable code does things. User's need be granted only one kind of right -- to launch and provide input or not (to use or not use). The future of OS security is a single code base, instantiated into virtual processes. The virtual processes are assigned permissions, and users are granted the right to launch a particular VP or not. Problem solved forever
Triynko over 14 years

It's hillarious. You can see it more and more with so-called "new features", such as Managed Service accounts. Individual application pools are now getting thier own user accounts in IIS 7.5. How long will it take them to realize that we don't need to use the "user account" as a proxy for permissions, assign the damn permissions directly to the processes that actually do stuff!!! Man.
raja over 13 years

It's assigned by user because it's USERS that execute processes. granting processes rights seems like a security nightmnare to me. Instead off worrying about whether a user account was compromised, now I have to worry about which among thousands of processes have been compromised. Additionaly you've have to have some sort of crystal ball to determine which processes are going to be started on a given server ij norder to grant it the appropriate perms
Admin about 13 years

With respect, your 3rd party custom apps have been coded by morons if they can't abide by the permissions UAC/Windows tries to enforce. Vista has been out a long time now. It's time for software vendors to get with the program.
Admin almost 12 years

Are you calling VISTA an actual OS?
John Gardeniers over 11 years

If you were'nt a first time poster I would downvote this answer. The correct solution is not to disable UAC but to configure the system and software so that disabling is not required.
chicks about 7 years

Welcome to ServerFault. meta.stackexchange.com/questions/8231/… Can you make your answer stand on its own?