Do you Disable UAC on Windows 7

Wipeout
I'm really considering just disabling UAC, but I'm not sure if it would be the best idea. I feel pretty safe with current settings, but the real question is about UAC.

I use Comodo Firewall. It's free and very easy to configure. I even have this set up with my VPN. I can't go online without connecting my VPN, and if I lose my VPN, I am automatically cut off. I also have this configured to block out the most commonly hacked ports. When I look in my firewall events, these ports are always getting hit constantly, but they're blocked now (ports 135-139).

Some good info below.

***Warning: if running a server on your network these can affect communication with local network peers.

The main reason for using NetBIOS is for two machines to communicate on a local network, which rarely is needed except for file and printer sharing on a local network, but it leaves the door wide open for being hacked. You can remove this risk in two ways and I personally do it both ways.

Firewall: Block ports 135-139 plus 445 in and out. These are used by hackers to steal your info and take control of your pc and after doing so will use NetBIOS to then use your computer to take over another, etc, etc.. Port 137-139 is for Windows Printer and File Sharing but also creates a security risk if unblocked. But if you share a printer on your network you will have to allow this one but I recommend just go to the pc the printer is hooked up to and use. Port 135 is for RPC service on a remote machine. Port 136 is used for Profile Name Service which I don't even think is used any longer but opens a door for hackers.

Disable NetBIOS: Route depends on OS but go to the network connections and find your ethernet adapter which should be called local area connection, right click, click properties, double click TCP/IPv4 in the list, click advanced, click WINS, uncheck LMHosts lookup, choose disable NetBIOS near the bottom. Click ok, ok, ok to close all three windows. Also disable these the same way for the TAP Win32 adapter but LMHost lookup should already be unchecked.

Disable TCP/IP NetBIOS Helper service: From start type services, click services, go down to TCP/IP NetBIOS Helper and right click, click properties, click stop, switch automatically to disabled, click apply, close services.

Remote control ports: You should disable 5500, 5800 and 5900-5903 and 3389 (Windows uses for remote) in and out unless you need remote assistance on your pc which most people do not or do not use this. It's just an open doorway for hackers. This includes software such as VNC. If you ever notice VNC suddenly installed and you didn't then worry a lot and you have already been taken.

Note: If you disable Remote Access Connection Manager it will cause PPTP VPN to not work and connections disappear.

Disable UPnP port 5000: Universal Plug and Play allows your computer to automatically integrate with other network devices. There are known security vulnerabilities associated with this service and it should be blocked as well. This will eliminate sharing devices on the local network, but the risk outweighs the use. It also uses port 1900 for UPnP, which should be blocked as well. Disable SSDP Discovery service.

You can also disable SMB (server message block) port 445 using regedit. Find HKLM/system/currentcontrolset/services/NetBS/parameters and find transportbindname, delete default value, reboot.

Other ports of interest: 8080 is used for HTTP proxy but also used by hackers to impersonate your pc and hack others. If you don't use a HTTP proxy you might want to block this one. Port 1080 is used for socks proxy and can be attacked and mine is every day by China. Port 500 is for IPSEC VPN use but also listed as a risk to Cisco systems and used mainly to carry the Isass trojan. Other ports known to be directly attacked by a long list of trojans is 21 FTP, 23 telnet dos, 1243, 3128, 3410, 6776, 7000, 12345, 12348, 20034, 27374, 31337. Technically any open port can be a risk but with a good firewall setup correctly you should be stealth for all of these ports. To test commonly attacked ports and check whether you are stealth go here.. https://www.securitymetrics.com/portscan.adp ..also can check here.. http://www.pcflank.com/scanner1.htm ..also.. https://www.grc.com/x/ne.dll?bh0bkyd2

Update: A new customizable port scanner I just found.. http://www.t1shopper.com/tools/port-scan/#

Messenger: Unless you use messenger it's best to uninstall it, because it opens up way too many ports and leaves too much at risk. Here are the ports used by MSN Messenger: 135 to get connection port, 1026, 1027, 1028, 1863, 5190, 6891-6900, 6901 voice pc to pc, 2001-2120 voice to phone. Yahoo ports: 80, 5000-5010, 5050, 5100. I'm still working on the different messenger service ports so will update as I go.

I personally recommend using Comodo Firewall; it is very easy to use and works perfectly. If using Comodo click firewall tab, advanced, network security policy, global rules, click add and set up like illustrated below. It's 2 rules created but just showing the port settings of source and destination of each. To make it simpler to understand.. the IN block rule is destination port you choose and source is ANY.. the OUT rule is the port you choose and the destination is ANY.
 

Attachment: fw.png
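A local check to go with the port list in the post above, added here as an example and not part of the original post: it reads `netstat -ano` and reports which of the ports named in the post still have a listener after the services are disabled. The function name, the labels and the sample rows are assumptions made for illustration, and the parsing assumes English-language netstat output.

```powershell
# Added example. Port numbers come from the post; labels are shorthand.
$watch = @{
    135 = 'RPC'; 137 = 'NetBIOS'; 138 = 'NetBIOS'; 139 = 'NetBIOS'
    445 = 'SMB'; 1900 = 'UPnP/SSDP'; 5000 = 'UPnP'; 3389 = 'Remote Desktop'
    5500 = 'Remote control'; 5800 = 'Remote control'; 5900 = 'Remote control'
}

function Get-WatchedListener {
    param([string[]]$NetstatLines = (netstat -ano))
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        # Skip headers and anything that is not a TCP/UDP row.
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }
        # TCP rows carry a state column; UDP rows do not.
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        $local = $f[1]
        $cut   = $local.LastIndexOf(':')      # also handles [::]:445
        $port  = [int]$local.Substring($cut + 1)
        if (-not $watch.ContainsKey($port)) { continue }
        $addr  = $local.Substring(0, $cut)
        New-Object PSObject -Property @{
            Proto = $f[0]; Port = $port; Address = $addr
            Service = $watch[$port]; PID = [int]$f[-1]
            # A loopback-only listener is not reachable from the network.
            LoopbackOnly = ($addr -eq '127.0.0.1' -or $addr -eq '[::1]')
        }
    }
}

# Constructed sample rows, so the parser can be tried without live output.
$sample = @(
    '  Proto  Local Address     Foreign Address   State        PID'
    '  TCP    0.0.0.0:135       0.0.0.0:0         LISTENING    884'
    '  TCP    [::]:445          [::]:0            LISTENING    4'
    '  TCP    127.0.0.1:5900    0.0.0.0:0         LISTENING    2212'
    '  TCP    10.0.0.5:49321    10.0.0.9:445      ESTABLISHED  4'
    '  UDP    0.0.0.0:1900      *:*                            1310'
)
Get-WatchedListener -NetstatLines $sample |
    Select-Object Proto, Port, Address, Service, PID, LoopbackOnly |
    Sort-Object Port | Format-Table -AutoSize

# Live check on the local machine:
# Get-WatchedListener | Sort-Object Port | Format-Table -AutoSize
```

An empty result from the live check means none of the listed ports has a local listener, which is independent of whatever the firewall rules then block.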
I always disable it. It's very nanny-OS ish. I'm not 5, I don't need parental controls.

My Zone Alarm firewall is so powerful it stops most viruses at the door, or asks me about suspicious programs trying to access files, and I can stop it myself there. And besides, most hackers program their malware to automatically go around built in OS malware countermeasures.
 
Disabling UAC is one of the first things I do after every reinstall.
I use Comodo as well currently fwiw
 
Thanks for the comments. I feel much better about hitting the disable button. As far as all the ports listed, it takes a little time, but then you save your configuration file for future use. I grabbed that information from a guy that was pretty good in explaining basic security measures. Firewalls are definitely a personal choice, but I use a version of Comodo that's a year or two old. The interface interaction is a lot easier to understand vs newer versions. One reason I like File Hippo. They have many versions of the same program.
 
Let me jump in with an opposing view.

Disabling UAC is a very bad idea.

Unless you're using No-Script, Click-to-play, EMET, and never download any files, there's always a significant risk of getting a virus.
UAC is a "last ditch" type of protection, intended to stop a virus from executing itself without your input.

Unless you really really can't stand its constant requests for input, it's best to leave it on.
 
I leave it on for all systems, even virtual machines.
 
Those are good points. Regardless of how careful I am, it's always possible that an application might do something shady, and without UAC I'd have less ability to know about certain actions. This helps making a more informative choice.

I log on as a user vs admin. It seems impossible to even save a text file without getting permission. What is the best way to make that process less painful?
 
I've personally always felt like if you have a good protection framework in place (antivirus/antimalware/firewall/etc.) and use good sense when browsing and downloading, I'd say it is fine to disable it.
 
You can disable the UAC prompts without disabling UAC completely, and still retain UAC security like Protected Mode in IE by merging the following registry edit...
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000

The default Value data for the ConsentPromptBehaviorAdmin DWORD is 2, which results in the darkened screen and UAC pop-up to verify consent before proceeding. This setting can also be changed via Local Security Policy | Security Settings | Local Policies | Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Set to Elevate without prompting.
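A read-only audit of the setting discussed in the post above, added here as an example and not part of the original post: it reads `ConsentPromptBehaviorAdmin` from the same key, together with the neighbouring `EnableLUA` and `PromptOnSecureDesktop` values, and says what the combination means. The function names are assumptions made for illustration; nothing is written to the registry.

```powershell
# Added example: reports the current UAC policy values, changes nothing.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of each ConsentPromptBehaviorAdmin value.
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

# Returns the DWORD as an int, or $null when the value is not present,
# so that a missing value is never mistaken for 0.
function Read-Dword($props, [string]$name) {
    $m = $props.PSObject.Properties[$name]
    if ($m) { [int]$m.Value } else { $null }
}

function Get-UacState {
    $p      = Get-ItemProperty -Path $key
    $lua    = Read-Dword $p 'EnableLUA'
    $admin  = Read-Dword $p 'ConsentPromptBehaviorAdmin'
    $secure = Read-Dword $p 'PromptOnSecureDesktop'

    $notes = @()
    if ($lua -eq 0) {
        $notes += 'UAC is off entirely: administrators run with a full token and IE Protected Mode is lost.'
    } elseif ($admin -eq 0) {
        $notes += 'UAC is on but elevation is silent: any program in an administrator session can elevate without a prompt.'
    }
    if ($lua -ne 0 -and $admin -ne 0 -and $secure -eq 0) {
        $notes += 'Prompts are drawn on the normal desktop instead of the secure desktop.'
    }
    if ($notes.Count -eq 0) { $notes += 'Elevation still requires an interactive prompt.' }

    $text = if ($admin -ne $null -and $adminPrompt.ContainsKey($admin)) { $adminPrompt[$admin] } else { 'not set or unrecognised' }
    New-Object PSObject -Property @{
        EnableLUA = $lua; ConsentPromptBehaviorAdmin = $admin
        AdminPrompt = $text; PromptOnSecureDesktop = $secure
        Notes = ($notes -join ' ')
    }
}

Get-UacState | Format-List EnableLUA, ConsentPromptBehaviorAdmin, AdminPrompt, PromptOnSecureDesktop, Notes
```

Running it before and after merging the .reg file shows the difference between turning the prompt off and turning UAC off: only the second clears `EnableLUA`.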
 
I disable it every time :thup:

I also don't use av either, or a firewall.. just stock windows :D

I install malwarebytes now and then just to see if there are nasties in the box, it's always clean :thup:
 
Let me jump in with an opposing view.

Disabling UAC is a very bad idea.

Unless you're using No-Script, Click-to-play, EMET, and never download any files, there's always a significant risk of getting a virus.
UAC is a "last ditch" type of protection, intended to stop a virus from executing itself without your input.

Unless you really really can't stand its constant requests for input, it's best to leave it on.

Huh, on my Windows XP systems... UAC didn't exist at all, and it was just fine with a good firewall, the only viruses I ever got is because I was a dumb 14 year old kid lol.

Now on my W7 systems, it's disabled and I haven't gotten a virus in... uh... years?

I leave it on. I don't understand what people could possibly be doing that it is an annoyance. Sure, it pops up when you install something, but who the eff is installing a new thing every five minutes? I think people just have a strange compulsion to disable system services, and UAC is the easiest one to disable without overtly breaking anything.

The compulsion is anti-OS bloat. All of these services (Superfetch, UAC, etc) serve little purpose, and only slow down productivity, or play.
 
I leave it on. I don't understand what people could possibly be doing that it is an annoyance. Sure, it pops up when you install something, but who the eff is installing a new thing every five minutes? I think people just have a strange compulsion to disable system services, and UAC is the easiest one to disable without overtly breaking anything.
 
I don't mind the UAC prompt. The only issue I've had is the secure desktop portion of it. I haven't figured out why or how to fix it, but when the prompt would appear, switching to the secure desktop would take a handful of seconds. The screen would go black and sit for a few before coming back to allow me to respond to it. Because of this, I disabled the secure desktop feature, but it will still prompt for a yes/no response from me.
 
I disable it with RT 7 Lite before ever installing the OS :)

I leave it on for my buddies' and family members' PCs that I support.

:cool:
 