TechEd 2013 4/20/2018 7:32 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
WCA-B335 Raiders of the Elevated Token
Raymond Comvalius & Erdal Ozkaya
About the speakers
Raymond P. L. Comvalius: consultant, trainer and author; MVP Windows Expert-IT Pro since 2011; raymond.comvalius@nextxpert.nl; @nextxpert
Erdal Ozkaya: Regional Director, Kemp Technologies; MVP Windows Expert-IT Pro since 2009; eozkaya@kemptechnologies.com; blog: www.YourMCT.com; @Erdal_Ozkaya
Agenda
User Account Control: What is UAC? Configuring User Account Control; Integrity Levels; File & Registry Virtualization; File Names & Manifests
AppContainers: What is an AppContainer? Identifying AppContainers and Capabilities
Browsers and User Account Control
User Account Control
What is User Account Control?
“The UAC solution is to run most applications with standard user rights…, and encourage software developers to create applications that run with standard user rights. UAC accomplishes this by enabling legacy applications to run with standard user rights, making it convenient for standard users to access administrative rights when they need them.” (Microsoft TechNet)
“UAC is not a security boundary” (Microsoft)
Windows User Types
The Administrator: the account named ‘Administrator’
An Administrator: your own account with administrator privileges
Protected Administrator: an administrator running in Admin Approval Mode (the default for administrators under UAC)
Standard User: your own account without administrator privileges
Standardizing the User Token
When a Protected Administrator logs on, Windows creates a filtered token next to the full one:
User SID: unchanged
Group SIDs: the following groups are kept as deny-only SIDs: Administrators, Backup Operators, Power Users, Network Configuration Operators, Cryptographic Operators, Domain Admins, Schema Admins, Enterprise Admins, Group Policy Creator Owners, Domain Controllers, Enterprise Read-Only Domain Controllers, Account Operators, Print Operators, Server Operators, RAS Servers, Pre-Windows 2000 Compatible Access
Mandatory Label: lowered to Medium
Rights/Privileges: all removed except Bypass traverse checking, Shut down the system, Remove computer from docking station, Increase a process working set, Change the time zone
Demo: Analyzing the user token
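The demo inspects the token with whoami.exe. The script below is an added example, not part of the original deck, that does the same inspection in PowerShell: it reads `whoami /groups` and `whoami /priv`, reports the integrity label, detects the deny-only Administrators SID that marks a filtered token, and lists every privilege that a standard user token would not carry. It assumes an English display language, because whoami localises group names and attribute text; the function name Get-TokenSummary is my own.

```powershell
# Added example, not from the deck: analyse the current token with whoami.exe only.
# Assumes an English display language (whoami localises "Group used for deny only").
# Run it once in a normal PowerShell window (filtered token) and once in an
# elevated one (full token) and compare the two results.

# RIDs of the S-1-16-<rid> "Mandatory Label" SIDs
$IntegrityNames = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }

# The five privileges a filtered token keeps (see "Standardizing the User Token")
$StandardUserPrivileges = @(
    'SeChangeNotifyPrivilege',        # Bypass traverse checking
    'SeShutdownPrivilege',            # Shut down the system
    'SeUndockPrivilege',              # Remove computer from docking station
    'SeIncreaseWorkingSetPrivilege',  # Increase a process working set
    'SeTimeZonePrivilege'             # Change the time zone
)

function Get-TokenSummary {
    # /fo csv gives stable column names: "Group Name","Type","SID","Attributes"
    # for groups and "Privilege Name","Description","State" for privileges
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The integrity level travels in the group list as an entry of type "Label"
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid   = [int](($label.SID -split '-')[-1])
    $level = if ($IntegrityNames.ContainsKey($rid)) { $IntegrityNames[$rid] } else { "RID $rid" }

    # "Group used for deny only" is the fingerprint of a filtered token: the SID
    # is still present, but it can only match deny ACEs, never allow ACEs.
    $denyOnly = @($groups | Where-Object { $_.Attributes -match 'deny only' })
    $admins   = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $adminState = if (-not $admins) { 'absent (standard user)' }
                  elseif ($admins.Attributes -match 'deny only') { 'deny only (Protected Administrator, filtered token)' }
                  else { 'enabled (elevated, full token)' }

    # Anything beyond the five standard-user privileges means this is not a filtered token
    $extraPrivs = @($privs | Where-Object { $StandardUserPrivileges -notcontains $_.'Privilege Name' })

    [pscustomobject]@{
        User                         = (whoami)
        IntegrityLevel               = $level
        AdministratorsGroup          = $adminState
        DenyOnlyGroups               = $denyOnly | ForEach-Object { $_.'Group Name' }
        PrivilegeCount               = @($privs).Count
        PrivilegesBeyondStandardUser = $extraPrivs | ForEach-Object { $_.'Privilege Name' }
    }
}

Get-TokenSummary | Format-List
```

In a non-elevated window of a Protected Administrator the output shows Medium, the Administrators group as deny only and the five standard privileges; the elevated window of the same user shows High, the group enabled and the full privilege set, which is exactly the state change the Consent UI warns about.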
Consent UI
The ‘face’ of UAC
Warns before a user state change (AKA the creation of a new, elevated token)
Secure Desktop: a screen mode like pressing Ctrl-Alt-Del; shows a screenshot of the desktop while programs keep running in the background; keeps scripts and other programs from pressing keys or clicking the mouse in the prompt
Configuring UAC in the Control Panel
Slider positions: Always notify; Default (notify only when programs try to make changes); Do not dim the display; Never notify
Group Policy offers more granular controls
Configuring UAC in Group Policy
Behavior of the elevation prompt for standard users: Automatically deny elevation requests; Prompt for credentials
Admin Approval Mode for the built-in Administrator account (off by default)
Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent; Elevate without prompting
“Elevate without prompting” is not the same as disabling UAC!
Demo: Configuring User Account Control
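As an added example that is not part of the deck, the script below reads the registry values behind the Control Panel slider and the “User Account Control: …” Group Policy settings from the two previous slides, translates them into the prompt behaviour they produce, and can write a slider position without the Control Panel. The value names and their meanings are the documented ones; the function names Get-UacConfiguration and Set-UacSliderPosition and the slider-to-value table are mine. Reading needs no elevation; writing must run from an elevated prompt.

```powershell
# Added example, not from the deck: audit and set UAC the way the Control Panel
# slider and the Group Policy settings do, by reading/writing the policy key.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Behavior of the elevation prompt for administrators in Admin Approval Mode
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
# Behavior of the elevation prompt for standard users
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}
# What each Control Panel slider position writes on Windows 8
$SliderPositions = @{
    'Always notify'          = @{ ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
    'Default'                = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    'Do not dim the display' = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
    'Never notify'           = @{ ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
}

function Describe($table, $value) {
    if ($null -eq $value) { return '(not set, OS default applies)' }
    if ($table.ContainsKey([int]$value)) { "$value = $($table[[int]$value])" } else { "$value (unknown)" }
}

function Get-UacConfiguration {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        'EnableLUA (UAC on)'                                         = $p.EnableLUA
        'FilterAdministratorToken (AAM for built-in Administrator)'  = $p.FilterAdministratorToken
        'ConsentPromptBehaviorAdmin'                                 = Describe $AdminBehavior $p.ConsentPromptBehaviorAdmin
        'ConsentPromptBehaviorUser'                                  = Describe $UserBehavior  $p.ConsentPromptBehaviorUser
        'PromptOnSecureDesktop'                                      = $p.PromptOnSecureDesktop
        'EnableInstallerDetection'                                   = $p.EnableInstallerDetection
        'EnableSecureUIAPaths (UIAccess only from secure locations)' = $p.EnableSecureUIAPaths
        'EnableVirtualization (file and registry virtualization)'    = $p.EnableVirtualization
    }
}

function Set-UacSliderPosition([string]$Position) {
    # Writes what the Control Panel writes for that position. "Never notify" leaves
    # EnableLUA at 1: the token split, integrity levels and AppContainers stay in
    # force and only the prompt disappears, which is why "Elevate without
    # prompting" is not the same as disabling UAC.
    if (-not $SliderPositions.ContainsKey($Position)) { throw "Unknown slider position: $Position" }
    foreach ($kv in $SliderPositions[$Position].GetEnumerator()) {
        Set-ItemProperty -Path $UacKey -Name $kv.Key -Value $kv.Value -Type DWord
    }
}

Get-UacConfiguration | Format-List
# Set-UacSliderPosition 'Always notify'   # elevated prompt required
```

Check EnableLUA separately from ConsentPromptBehaviorAdmin: a machine showing EnableLUA = 1 with ConsentPromptBehaviorAdmin = 0 still has UAC, just no consent dialog, while EnableLUA = 0 (only settable through Group Policy or the registry) removes the filtered token and Protected Mode altogether after a reboot.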
UIAccess Applications
Software alternatives for the mouse and keyboard, for example Remote Assistance
Run with the UIAccess (User Interface Accessibility) token attribute, which lets them drive windows of a higher integrity level despite UIPI
Windows always checks the signature of UIAccess applications
UIAccess applications must be installed in secure locations (%ProgramFiles% or %WinDir%\System32)
Optionally these applications can switch off the secure desktop for the prompt (used with Remote Assistance)
Remote Assistance and the Secure Desktop for non-administrative users
File Virtualization
A compatibility feature for legacy applications that write to protected locations without a manifest (applies to 32-bit, non-elevated processes only)
The following folders and their subfolders are virtualized: %WinDir%, \Program Files, \Program Files (x86)
Virtual Store: %UserProfile%\AppData\Local\VirtualStore
Troubleshooting file virtualization: Event Log Microsoft-Windows-UAC-FileVirtualization/Operational
Disabling file virtualization: Group Policy setting User Account Control: Virtualize file and registry write failures to per-user locations
Registry Virtualization
Virtualizes most locations under HKLM\Software
Keys that are not virtualized: HKLM\Software\Microsoft\Windows, HKLM\Software\Microsoft\Windows NT, HKLM\Software\Classes
Per-user location: HKCU\Software\Classes\VirtualStore
A flag on each registry key (REG_KEY_DONT_VIRTUALIZE) defines whether it can be virtualized
reg flags HKLM\Software QUERY shows the flags for HKLM\Software
Registry virtualization is NOT logged in the event log
Demo: File Virtualization
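For the two virtualization slides, here is an added example (not from the deck) that shows what UAC has redirected for the current user and where the rules come from: it walks the VirtualStore folder and maps each copy back to the path the application thought it wrote, pulls the UAC-FileVirtualization event log, wraps `reg flags … QUERY` so the per-key flags can be compared, and lists the registry VirtualStore. Function names are mine; the log name, store paths and flag names are the ones Windows uses.

```powershell
# Added example, not from the deck: inspect file and registry virtualization for
# the current user. Uses VirtualStore, the UAC-FileVirtualization event log and
# reg.exe; needs PowerShell 3.0 (Windows 8) for Get-ChildItem -File.
$FileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$RegStore  = 'HKCU:\Software\Classes\VirtualStore'

function Get-VirtualizedFiles {
    # Every file below VirtualStore is a write to %WinDir% or %ProgramFiles% by an
    # unmanifested 32-bit process that UAC redirected into the user profile.
    if (-not (Test-Path $FileStore)) { return }
    Get-ChildItem -Path $FileStore -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($FileStore.Length + 1)   # e.g. Program Files\App\app.ini
        [pscustomobject]@{
            VirtualCopy  = $_.FullName
            IntendedPath = Join-Path $env:SystemDrive $relative    # where the app believes it wrote
            LastWrite    = $_.LastWriteTime
        }
    }
}

function Get-FileVirtualizationEvents([int]$Last = 20) {
    # File virtualization is logged here; registry virtualization is not logged at all.
    Get-WinEvent -LogName 'Microsoft-Windows-UAC-FileVirtualization/Operational' -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-RegistryVirtualizationFlags([string]$Key) {
    # Wraps "reg flags <key> QUERY"; each output line looks like "REG_KEY_DONT_VIRTUALIZE: CLEAR"
    $flags = @{}
    foreach ($line in (reg flags $Key QUERY)) {
        if ($line -match '^\s*(REG_KEY_\w+):\s+(SET|CLEAR)') { $flags[$Matches[1]] = ($Matches[2] -eq 'SET') }
    }
    [pscustomobject]@{
        Key           = $Key
        Virtualizable = -not $flags['REG_KEY_DONT_VIRTUALIZE']   # CLEAR: denied writes may be redirected
        DontSilentFail = $flags['REG_KEY_DONT_SILENT_FAIL']      # SET: failed opens are not silently downgraded to MAXIMUM_ALLOWED
        Recursive     = $flags['REG_KEY_RECURSE_FLAG']           # SET: the flags apply to subkeys as well
    }
}

Get-VirtualizedFiles | Format-Table -AutoSize
Get-FileVirtualizationEvents | Format-Table -AutoSize
'HKLM\Software', 'HKLM\Software\Classes', 'HKLM\Software\Microsoft\Windows' |
    ForEach-Object { Get-RegistryVirtualizationFlags $_ } | Format-Table -AutoSize
if (Test-Path $RegStore) { Get-ChildItem -Path $RegStore -Recurse | Select-Object -ExpandProperty Name }
```

Running the flags query on HKLM\Software and then on HKLM\Software\Classes shows the difference the slide describes: the parent key has REG_KEY_DONT_VIRTUALIZE clear, the excluded subkeys have it set.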
Integrity Levels
Mandatory access control: integrity labels are part of both the object's ACL (a mandatory label ACE) and the token
A process at a lower level has limited access to objects at a higher level: the default policy is no-write-up, so lower-level code may read most higher-level objects but cannot modify them
Used to protect the OS and for Internet Explorer Protected Mode
System: system services
High: administrator (elevated token)
Medium: standard user
Low: Internet Explorer in Protected Mode
Untrusted: Google Chrome (sandboxed renderer processes)
Standardizing the User Token
User SID
Group SIDs
Mandatory Label: integrity level High for the elevated (full) token, Medium for the filtered token
Rights/Privileges
IE Protected Mode
On by default for the Internet zone only
Only available with User Account Control enabled
The iexplore.exe content process runs at Low integrity level
Relies on User Interface Privilege Isolation (UIPI)
Internet Explorer Broker Mechanism
iexplore.exe management process (UI frame, favorites bar, command bar): Medium integrity level; hosts the Protected-mode broker object
iexplore.exe content process for Trusted Sites / Intranet: Medium integrity level, Protected Mode off
iexplore.exe content process for the Internet zone: Low integrity level, Protected Mode on
Toolbar extensions, ActiveX controls and Browser Helper Objects load into the content process and inherit its integrity level
UI Privilege Isolation separates the Low content process from the Medium frame; writes outside the Low world go through the broker
Demo: Integrity Levels
Why the UAC state change?
UAC for the Windows OS
With the default setting (“Prompt for consent for non-Windows binaries”) there is no warning when elevating Windows OS programs that are Windows-signed, started from a secure location and marked autoElevate in their manifest
Exceptions that still prompt include CMD.exe and RegEdit.exe
What’s in a Name?
Installer detection: for a 32-bit executable without a manifest, the file name determines the need for elevation
Keywords: Setup, Install, Update
Disable this feature in Group Policy when needed: User Account Control: Detect application installations and prompt for elevation
UAC and Manifests
Configure the need for elevation per file with requestedExecutionLevel: asInvoker, highestAvailable, requireAdministrator
External (app.exe.manifest) or internal (embedded RT_MANIFEST resource, which takes precedence)
Use mt.exe from the Windows SDK to inject a manifest
Use SigCheck.exe -m from Sysinternals to view the manifest
Demo: File Names & Manifests
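The demo reasons about file names and manifests by hand. Below is an added example, not from the deck, that automates that reasoning: it extracts the requestedExecutionLevel, uiAccess and autoElevate settings from an embedded or external manifest, checks whether the binary is Windows-signed, and, when there is no manifest at all, applies the installer-detection keyword heuristic. It assumes the default policy (installer detection on, “prompt for consent for non-Windows binaries”) and finds the manifest by text search rather than by parsing PE resources; the function names are mine.

```powershell
# Added example, not from the deck: predict whether starting an executable raises
# a UAC prompt. Manifest lookup is a text search for the plain-XML RT_MANIFEST
# resource, which works for UTF-8/ASCII manifests (the common case).
$InstallerKeywords = 'install', 'setup', 'update'   # installer-detection name heuristic

function Get-ManifestXml([string]$Path) {
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $m = [regex]::Match($text, '<assembly[\s\S]*?</assembly>')          # embedded manifest
    if ($m.Success) { return $m.Value }
    if (Test-Path "$Path.manifest") { return Get-Content "$Path.manifest" -Raw }   # external manifest, used only if none is embedded
    return $null
}

function Get-ManifestElevationInfo([string]$Path) {
    $xml = Get-ManifestXml $Path
    if (-not $xml) { return $null }
    $level = [regex]::Match($xml, '<requestedExecutionLevel[^>]*\blevel\s*=\s*"([^"]+)"', 'IgnoreCase')
    $ui    = [regex]::Match($xml, '<requestedExecutionLevel[^>]*\buiAccess\s*=\s*"true"', 'IgnoreCase')
    $auto  = [regex]::Match($xml, '<autoElevate>\s*true\s*</autoElevate>', 'IgnoreCase')
    [pscustomobject]@{
        Level       = if ($level.Success) { $level.Groups[1].Value } else { '(manifest without requestedExecutionLevel)' }
        UIAccess    = $ui.Success
        AutoElevate = $auto.Success   # Windows binaries that elevate silently under the default policy
    }
}

function Test-UacPrompt([string]$Path) {
    $name = [System.IO.Path]::GetFileName($Path)
    $info = Get-ManifestElevationInfo $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $windowsSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft Windows*')

    $verdict = if ($null -eq $info) {
        # Installer detection only applies to unmanifested 32-bit interactive processes
        if ($InstallerKeywords | Where-Object { $name -match $_ }) {
            'Prompt: no manifest and the name matches installer detection (install/setup/update)'
        } else {
            'No prompt: unmanifested, runs as invoker, protected writes may be virtualized'
        }
    } elseif ($info.Level -in 'requireAdministrator', 'highestAvailable') {
        if ($info.AutoElevate -and $windowsSigned) {
            'No prompt for Protected Administrators: auto-elevating Windows binary (default policy)'
        } elseif ($info.Level -eq 'highestAvailable') {
            'Prompt for Protected Administrators only; standard users run unelevated'
        } else {
            'Prompt: always needs an administrator token'
        }
    } else {
        'No prompt: asInvoker (and virtualization is off for a manifested executable)'
    }

    [pscustomobject]@{
        File = $name; Level = $info.Level; UIAccess = $info.UIAccess
        AutoElevate = $info.AutoElevate; WindowsSigned = $windowsSigned; Verdict = $verdict
    }
}

# Tools from the slide, for reference:
#   embed a manifest:   mt.exe -manifest app.manifest -outputresource:app.exe;#1
#   show the manifest:  sigcheck.exe -m app.exe
"$env:windir\regedit.exe", "$env:windir\System32\cmd.exe", "$env:windir\System32\eventvwr.exe" |
    ForEach-Object { Test-UacPrompt $_ } | Format-List
```

Run it against the two exceptions named on the “UAC for the Windows OS” slide and against any Windows tool that does not prompt you, and the AutoElevate column explains the difference: elevation without a dialog is a manifest property, not a file-name property.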
AppContainers
Windows Store App
Runs with a restricted token, sandboxed in an AppContainer
Runs at Low integrity level
Can only access its own folder in %ProgramFiles%\WindowsApps
Capabilities are declared by the developer in the app manifest
Helper (broker) processes perform common tasks on the app's behalf
Windows 8 AppContainers
Process Explorer shows AppContainer as another integrity level
Each app has a unique AppContainer
Each AppContainer has a SID: S-1-15-2-…
Special group: ALL APPLICATION PACKAGES (S-1-15-2-1)
Locate the AppContainer: icacls "%ProgramFiles%\WindowsApps" shows the package SIDs in the ACL
Use Process Explorer
App state lives in %UserProfile%\AppData\Local\Packages
More info: www.nextxpert.com
App Capabilities
Defined in the app's manifest
Each capability has a SID: S-1-15-3-…
Examples: Documents, Music, Pictures, Video, Removable Storage, Microphone, Webcam, Location, Lock screen status and notifications, Home or work network, Internet client, Internet client/server, Domain credentials, Certificates, Text messaging, Proximity
Capabilities
Some capabilities are switchable by the user after installation (for example location, webcam and microphone in the app's Permissions settings)
Demo: AppContainers
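Process Explorer is the tool the demo uses to see integrity levels and AppContainers. The script below is an added example, not from the deck, that produces the same view from PowerShell for both the Integrity Levels demo and this one: it opens each process token with OpenProcessToken and asks GetTokenInformation for the integrity label, the elevation type, the AppContainer SID and the capability SIDs, then names the well-known capabilities (S-1-15-3-1 through S-1-15-3-10) and resolves the package moniker from the per-user AppContainer mapping key. The TokenProbe class and function names are mine; processes of other users and protected processes can only be opened from an elevated prompt and are skipped otherwise.

```powershell
# Added example, not from the deck: per-process integrity level, elevation type
# and AppContainer identity via OpenProcessToken/GetTokenInformation (P/Invoke).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class TokenFacts {
    public int IntegrityRid; public int ElevationType;   // ElevationType: 1 default, 2 full, 3 limited
    public bool IsAppContainer; public string AppContainerSid; public string[] Capabilities;
}

public static class TokenProbe {
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, TOKEN_QUERY = 0x0008;
    // TOKEN_INFORMATION_CLASS values
    const int TokenElevationType = 18, TokenIntegrityLevel = 25, TokenIsAppContainer = 29, TokenCapabilities = 30, TokenAppContainerSid = 31;

    // Two-call pattern: ask for the size, allocate, fetch. Returns IntPtr.Zero if the class is unsupported (pre-Windows 8).
    static IntPtr Fetch(IntPtr token, int cls) {
        int needed;
        GetTokenInformation(token, cls, IntPtr.Zero, 0, out needed);
        if (needed == 0) return IntPtr.Zero;
        IntPtr buf = Marshal.AllocHGlobal(needed);
        if (GetTokenInformation(token, cls, buf, needed, out needed)) return buf;
        Marshal.FreeHGlobal(buf); return IntPtr.Zero;
    }
    static string SidAt(IntPtr p) { return p == IntPtr.Zero ? null : new SecurityIdentifier(p).Value; }

    public static TokenFacts Probe(int pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();
        IntPtr token; bool ok = OpenProcessToken(proc, TOKEN_QUERY, out token); CloseHandle(proc);
        if (!ok) throw new System.ComponentModel.Win32Exception();
        var f = new TokenFacts(); f.Capabilities = new string[0];
        try {
            IntPtr b;
            if ((b = Fetch(token, TokenIntegrityLevel)) != IntPtr.Zero) {       // TOKEN_MANDATORY_LABEL { SID_AND_ATTRIBUTES Label; }
                string sid = SidAt(Marshal.ReadIntPtr(b));
                f.IntegrityRid = int.Parse(sid.Substring(sid.LastIndexOf('-') + 1)); Marshal.FreeHGlobal(b);
            }
            if ((b = Fetch(token, TokenElevationType)) != IntPtr.Zero) { f.ElevationType = Marshal.ReadInt32(b); Marshal.FreeHGlobal(b); }
            if ((b = Fetch(token, TokenIsAppContainer)) != IntPtr.Zero) { f.IsAppContainer = Marshal.ReadInt32(b) != 0; Marshal.FreeHGlobal(b); }
            if ((b = Fetch(token, TokenAppContainerSid)) != IntPtr.Zero) { f.AppContainerSid = SidAt(Marshal.ReadIntPtr(b)); Marshal.FreeHGlobal(b); }
            if ((b = Fetch(token, TokenCapabilities)) != IntPtr.Zero) {         // TOKEN_GROUPS { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[]; }
                int count = Marshal.ReadInt32(b), entry = IntPtr.Size * 2;      // entries are pointer-aligned: 8 bytes on x86, 16 on x64
                f.Capabilities = new string[count];
                for (int i = 0; i < count; i++) f.Capabilities[i] = SidAt(Marshal.ReadIntPtr(b, IntPtr.Size + i * entry));
                Marshal.FreeHGlobal(b);
            }
        } finally { CloseHandle(token); }
        return f;
    }
}
'@

$IntegrityNames  = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
$ElevationNames  = @{ 1 = 'Default (no linked token)'; 2 = 'Full (elevated)'; 3 = 'Limited (filtered)' }
$CapabilityNames = @{   # well-known capability SIDs; app-specific capabilities have longer S-1-15-3- SIDs
    'S-1-15-3-1' = 'internetClient';        'S-1-15-3-2'  = 'internetClientServer'
    'S-1-15-3-3' = 'privateNetworkClientServer'; 'S-1-15-3-4' = 'picturesLibrary'
    'S-1-15-3-5' = 'videosLibrary';         'S-1-15-3-6'  = 'musicLibrary'
    'S-1-15-3-7' = 'documentsLibrary';      'S-1-15-3-8'  = 'enterpriseAuthentication'
    'S-1-15-3-9' = 'sharedUserCertificates'; 'S-1-15-3-10' = 'removableStorage'
}

function Get-ProcessTokenInfo([string]$Name = '*') {
    Get-Process -Name $Name | ForEach-Object {
        try { $t = [TokenProbe]::Probe($_.Id) } catch { return }   # skip processes we may not open
        $ac = $t.AppContainerSid
        if ($ac) {   # Windows keeps a per-user SID -> package moniker map
            $map = Get-ItemProperty -Path "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\$ac" -ErrorAction SilentlyContinue
            if ($map.Moniker) { $ac = "$ac ($($map.Moniker))" }
        }
        [pscustomobject]@{
            Name = $_.ProcessName; Id = $_.Id
            Integrity    = if ($IntegrityNames.ContainsKey($t.IntegrityRid)) { $IntegrityNames[$t.IntegrityRid] } else { "RID $($t.IntegrityRid)" }
            Elevation    = $ElevationNames[$t.ElevationType]
            AppContainer = $ac
            Capabilities = ($t.Capabilities | ForEach-Object { if ($CapabilityNames.ContainsKey($_)) { $CapabilityNames[$_] } else { $_ } }) -join ', '
        }
    }
}

Get-ProcessTokenInfo | Sort-Object Integrity, Name | Format-Table -AutoSize
```

With a Store app open, its process shows Low integrity, an S-1-15-2- AppContainer SID with the package moniker, and only the capabilities the developer declared; a Protected Administrator's own PowerShell shows Medium and “Limited (filtered)”, the elevated one High and “Full (elevated)”.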
More About Browsers
IE10 Enhanced Protected Mode
Desktop Internet Explorer (default): 32-bit content processes, Low mandatory label, no AppContainer restrictions (Enhanced Protected Mode off)
Modern UI Internet Explorer (default): 64-bit content processes, running in an AppContainer (Enhanced Protected Mode on)
Demo: Enhanced Protected Mode & Other Browsers’ Security
Wrap up!
Yes you can!
User Account Control has changed in Windows 8
UAC makes Internet Explorer a safer browser
What if your apps run as Admin?
AppContainers are the new UAC
Check out www.nextxpert.com for more information about AppContainers
Get to know the tools: Process Explorer, whoami.exe, icacls.exe, SigCheck.exe
Resources
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals (TechNet): http://microsoft.com/technet
Resources for Developers (MSDN): http://microsoft.com/msdn