Microsoft’s UAC has come under intense fire. It appears that the consensus among security researchers is that UAC is not an effective security control. An example of the arguments against relying on it as a workstation access control is contained in an eWeek article by Lisa Vaas (“Microsoft: UAC Can Be Hijacked by Social Engineering”, 26 Feb 2007).
From the perspective of a security director, I tend to agree that UAC is problematic. This is not only because social engineering—a big vulnerability in many organizations—can be easily employed to bypass it. It also has the potential to lull less security-aware organizations into that proverbial false sense of security.
Limiting local administrator access on workstations to a restricted group of support/engineering employees is a basic security control. A review of Microsoft’s monthly patch list quickly shows that most exploits require the user to have local administrator privileges. Although UAC attempts to resolve this issue, I don’t believe it goes far enough.
Users today are frequently tricked into running malicious applications on their workstations. This usually requires an affirmation by the user—in the form of clicking OK or some other method. The only thing UAC introduces is an additional step, assuming local admin access hasn’t been removed.
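
One way to check the control described above on a workstation, as an added example that is not part of the original article: the script lists members of the local Administrators group that are not on an approved list and reports whether UAC is switched on. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`); the entries in `$ApprovedAdmins` and the function names are hypothetical.

```powershell
# Added example (not from the article): audit local Administrators membership.
# The names in $ApprovedAdmins are hypothetical placeholders; substitute the
# support/engineering group your organization has actually approved.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, assumed approved
    'EXAMPLE\Workstation-Support'        # hypothetical domain group
)

function Get-UnapprovedLocalAdmin {
    param([string[]]$Approved)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup does not depend on the display language of the OS.
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Where-Object { $Approved -notcontains $_.Name } |   # case-insensitive
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-UacEnabled {
    # EnableLUA = 1 means UAC is on; 0 means it is off for this machine.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction Stop).EnableLUA
    return ($value -eq 1)
}

try {
    $unapproved = @(Get-UnapprovedLocalAdmin -Approved $ApprovedAdmins)
    $uacOn      = Test-UacEnabled
} catch {
    Write-Error "Audit failed on $env:COMPUTERNAME : $_"
    exit 2
}

Write-Output "UAC enabled: $uacOn"
if ($unapproved.Count -eq 0) {
    Write-Output 'Local Administrators group matches the approved list.'
} else {
    # Any entry here is an account for which a UAC prompt is only an extra
    # click, because the account already holds local administrator rights.
    Write-Output 'Unapproved members of the local Administrators group:'
    $unapproved | Format-Table -AutoSize
    exit 1
}
```

The nonzero exit codes let a management tool flag workstations where ordinary users still hold local administrator rights.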