User Account Control in Windows Vista

Slides:



Advertisements
Similar presentations
IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
Advertisements

Where Developers Matter Vista Enable Your Applications Fredrik Haglund, Regional Developer Evangelist
Faith Allington Program Manager Microsoft Corporation WSV322.
Event slides will be posted at:
Remote Desktop Services
Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Windows Server 2003 SP1. Windows Server™ 2003 Service Pack 1 Technical Overview Jill Steinberg: Added TM Jill Steinberg: Added TM.
Windows Vista Security model and vulnerabilities.
Connect with life Gopikrishna Kannan Program Manager | Microsoft Corporation
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
Make Your Mark.. Rocky Heckman Senior Security Technologist UAC Beyond the Hype SEC308.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Fall 2011 Nassau Community College ITE153 – Operating Systems Session 24 NTFS Permissions and Sharing Printers 1.
Understanding Active Directory
Mark RussinovichMark Russinovich Technical Fellow PSDTechnical Fellow PSD Microsoft CorporationMicrosoft Corporation EUSEC West February 2, 2007.
Purpose Intended Audience and Presenter Contents Proposed Presentation Length Intended audience is all distributor partners and VARs Content may be customized.
Working with Workgroups and Domains
Troubleshoot Access, Authentication, and User Account Control Issues Lesson 8.
Using the WDK for Windows Logo and Signature Testing Craig Rowland Program Manager Windows Driver Kits Microsoft Corporation.
Windows Vista User Account Control (UAC) and Delphi Fredrik Haglund Developer Evangelist.
Raiders of the Elevated Token: Understanding User Account Control and Session Isolation Raymond P.L. Comvalius Independent IT Infrastructure Architect.
Operating Systems JEOPARDY Computer Repair GeneralConcepts OS Tasks MoreConcepts Using the OS Misc
Troubleshooting Windows Vista Security Chapter 4.
Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows.
Testing Applications on Windows Vista TM Edited By Michael Shaw.
DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.
Managing Groups, Folders, Files and Security Local Domain local Global Universal Objects Folders Permissions Inheritance Access Control List NTFS Permissions.
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
1 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Support for Vista Unity 5.0(1)
Mark Aslett Microsoft Introduction to Application Compatibility.
User Account Control Requirements. Agenda Introducing UAC The shield icon UAC manifests Least User Access (LUA) predictor tool Partitioning an application.
Few Changes: Most software that runs on Windows Vista will run on Windows 7 - exceptions will be low level code (AV, Firewall, Imaging, etc). Hardware.
Windows Vista Inside Out Ch 10: Ch 10: Security Essentials Last modified
Compatibility and Interoperability Requirements
Sudarshan Yadav Sr. Program Manager, Microsoft
WCL312: Standard User Desktops with Windows Vista User Account Control (UAC) (WCL312) Alex Heaton Sr. Product Manager Chris Corio Program Manager.
Windows CardSpace Martin Parry Developer Evangelist Microsoft
Working with Workgroups and Domains Lesson 9. Objectives Understand users and groups Create and manage local users and groups Understand the difference.
Troubleshooting Security Issues Lesson 6. Skills Matrix Technology SkillObjective Domain SkillDomain # Monitoring and Troubleshooting with Event Viewer.
Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.
Security Summit West 2004 Redmond, WA Darren Canavor Longhorn Security.
NetTech Solutions Security and Security Permissions Lesson Nine.
The world leader in serving science Overview of Thermo 21 CFR Part 11 tools Overview of software used by multiple business units within the Spectroscopy.
Windows Vista: User Account Protection Securing Your Application with Least Privilege User Account Steve Hiskey FUN 406 Lead Program Manager, SBTU - Security.
CHAPTER 5 MANAGING USER ACCOUNTS & GROUPS. User Accounts Windows 95, 98 & Me do not need a user account like Windows XP Professional to access computer.
Windows Vista for developers Beyond NetFx3 Daniel Moth Developer & Platform Group, Microsoft msdn.
Windows Vista Platform for the next generation of software.
Microsoft Virtual Academy Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology Curtis Sawin | Technical Solutions Professional |
Windows Vista Configuration MCTS : User Account Security.
Network and Server Basics. Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server network.
A deep dive into Azure AD B2C
Malware attack hardening using Software Restriction Policies
TechEd /20/2018 7:32 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.
Configuring Windows Firewall with Advanced Security
O365 & AZURE ADDS Mladen Baranek, Miadria
6/16/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Tactic 4: Defend Your Domain Controllers
Visual Studio Tools for Office 2005
Active Directory Administration
Common Security Mistakes
Excel Services Deployment and Administration
Lesson #8 MCTS Cert Guide Microsoft Windows 7, Configuring Chapter 8 Configuring Applications and Internet Explorer.
Microsoft Build /8/2018 8:41 PM © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY,
Service Template Creation from the Ground Up
Martin Parry Developer Evangelist Microsoft
SBS 2008 – One year on David Overton
Presentation transcript:

User Account Control in Windows Vista Daniel Moth Developer & Platform Group Microsoft Ltd daniel.moth@microsoft.com

AGENDA Why, What, How Manifests Process Elevation Virtualisation Compatibility Issues

UAC Goals The Vista goal: enable users to run with standard user rights Prevents deliberate (and accidental) modification of system settings Reduces malware impact by preventing modification of security settings and hardware Prevents compromise of sensitive information on shared computers

UAC Challenges The Windows usage model has been one of administrative rights Applications use them without knowing it Those that need it don’t distinguish administrative from standard user actions Users want administrative rights to easily perform operations that require them Software installations Changing the time zone Changing firewall settings Etc.

Administrative Rights Problem: there are still operations that require administrative rights: Installing applications Modifying system-global settings Parental controls Solution: make it convenient to access administrative rights from standard user accounts Identify operations that require administrative rights Allow for “run as” functionality Called Over The Shoulder (OTS) elevation

What UAC looks like to the end user DEMO What UAC looks like to the end user

OTS Dialogs

User Account Control Internals Windows Vista Logon with UAC Enabled An administrator enters credentials in WinLogon UI Local Security Authority (LSA) verifies credentials Administrator Token Windows XP 1.Token inspected for “elevated” privileges Explorer.exe created. “Filtered” token 2. Elevated privileges removed.

UAC Internals² Defining Elevated Privileges User will have a filtered token if they belong to any admin-type group e.g.: Administrators Controllers Backup Operators User will have a filtered token if they have any of these privileges: Create Token, Debug, TCB, Take Ownership, Backup, Restore, Impersonate, Load Driver, Relabel

UAC Internals³ Administrator’s Standard User Identity Administrator’s standard user token is subset of their full administrator token Administrator groups are marked as “deny only” groups Applies to Domain Administrators, Builtin\Administrators and others Can only be used to deny access, never to grant E.g. if file only allows administrator access, user is denied access E.g. if allows a user’s group access, but denies administrators, user is denied access All privileges except the following are stripped: Change Notify, Shutdown, Undock, Reserve Processor, Time Zone When authenticating to remote resources: If system is non-domain joined, user authenticates as standard user If domain-joined and an administrator of the remote resource, user authenticates as administrator

StandardUser-Friendly Windows In Vista, many previously-admin operations are accessible by standard users: View system clock and calendar Change time zone Configure Wired Equivalent Privacy (WEP) to connect to secure wireless networks Change power management settings Add printers and other devices that have the required drivers installed on computer or have been allowed by an IT administrator in Group Policy Install ActiveX Controls from sites approved by an administrator Create and configure a Virtual Private Network connection Install critical Windows Updates

StandardUser-Friendly Your Application Test your application when running as Standard User!! Saving Per-User State as Standard User %userprofile% HKCU Saving Per-Machine State as Standard User %allusersprofile% Embed Manifest with run level = “asInvoker”

Privileges in Manifests Manifest files were introduced in Windows XP to support side-by-side DLLs Used for XP’s Common Control v6 dialog .NET uses it for managed code “assemblies” Embedded in resources of binary file New key in Vista, requestedElevationLevel asInvoker: Run with the user’s rights highestAvailable: if standard user then don’t ask, but if user is an administrator, then ask requireAdministrator: always ask

Embedding Manifest in VS Create Manifest in source directory Add following lines to .rc file for project #define MANIFEST_RESOURCE_ID 1 MANIFEST_RESOURCE_ID RT_MANIFEST "AdminApp.exe.manifest" Add additional manifest in project properties

DEMO Manifests

Process Creation in Vista with UAC Enabled CreateProcess* checks the following sources for privilege information about the process 1. Embedded Application Manifest 2. Side-by-Side External Manifest 3. App Compatibility Database 4. Installer Detection If process requires elevated privileges and parent process token does not possess these privileges ERROR_REQUIRES_ELEVATION is returned.

UAC Prompt Internals CreateProcessAsUser ( Admin.exe) CreateProcess( Admin.exe) Explorer.exe AppInfo Service Admin.exe 2. RPC ShellExecute Consent.exe 1. ERROR_ELEVATION_REQUIRED 3. Re-parented CreateProcess Standard User Local System Administrator

DEMO Launching Elevated Shield -Extract admin pieces as other manifested processes -Re-launch ourselves elevated

COM Elevation COM Elevation Example: File Operation elevation Accomplished using elevation moniker Object class must contain elevation attributes Example: File Operation elevation HKCR\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09} \Elevation REG_DWORD Enabled=1 REG_EXPAND_SZ LocalizedString= “@%SystemRoot%\system32\shell32.dll,-50176”

Shell “access denied” to file DEMO Shell “access denied” to file

Common AppCompat Issue File and Registry Permissions Many applications would run fine as standard user …but they needlessly store data in HKLM\Software or %ProgramFiles% They use these locations for per-user data, not global data These locations are system-global and so only writeable by administrators It’s always worked because Windows users have always been administrators

DEMO Virtualisation Modifications of most system-global locations go to per-user areas Reads generally go to the per-user location and fall back to the global location

File Virtualisation Redirected file system locations: %ProgramFiles% (\Program Files) %SystemRoot% (\Windows) %SystemRoot%\System32 (\Windows\System32) %AllUsersProfile% (\ProgramData – what was \Documents and Settings\All Users) Exceptions: Files that have executable extensions (.exe, .bat, .vbs, .scr, etc) Exceptions can be added in HKLM\System\CurrentControlSet\Services\Luafv\Parameters \ExcludedExtensionsAdd Per-user virtual root: %UserProfile%\AppData\Local\VirtualStore

Registry Virtualization Redirected locations: HKLM\Software Exceptions: HKLM\Software\Microsoft\Windows HMLM\Software\Microsoft\Windows NT Other subkeys under Microsoft Per-user virtual root: HKEY_CURRENT_USER\Software\Classes\VirtualStore

Virtualized Processes Processes are virtualized unless They are running with administrative rights They are 64-bit They have a requestedExecutionLevel in their executable manifest Most Windows Vista executables Can be turned off globally via local security policy setting (secpol.msc)

UAC: Local Security Policies DEMO UAC: Local Security Policies

Installation AppCompat Issues Don’t Perform Administrator Operations on First Run Configure all machine-wide state during install Updating Application Binaries Usually Requires Administrator Privileges Application binaries in %ProgramFile% cannot be overwritten by a Standard User. MSI updating technology (MSPs) does elevated update based on the signature of the patch Use Bootstrapper to Launch Application As Part of Install

Summary Understand UAC Act Now Filtered Token, Elevation, Process creation, Prompts, Shields, Manifests, Virtualisation Act Now Test your applications as a Standard User Use the Standard User Analyzer to help Embed a manifest in your EXEs Fix your installation programs (use MSI)

UAC Resources User Account Control Resources for IT Professionals (TechNet Landing Page)  http://www.microsoft.com/technet/windowsvista/security/uac.mspx Windows Vista Application Development Requirements for UAC Compatibility                     http://download.microsoft.com/download/5/6/a/56a0ed11-e073-42f9-932b-38acd478f46d/WindowsVistaUACDevReqs.doc  UAC Team blog                                                                 http://blogs.msdn.com/uac  COM Elevation Moniker http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/1595ebb8-65af-4609-b3e7-a21209e64391.asp   Windows Vista UX Guidelines for UAC  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/UxGuide/UXGuide/Environment/UAC/UAC.asp MSI Patching Technology http://msdn2.microsoft.com/en-us/library/aa372388.aspx Service Security http://www.microsoft.com/whdc/system/vista/Vista_Services.mspx

Event slides will be posted at: http://www.microsoft.com/uk/msdnevents

Get the latest technology previews, trial software, special offers Get information tailored to your needs Pick your RSS feeds Sign up for MSDN Connection at: http://www.msdn.co.uk

Additional Information UK MSDN Events Post events page including slide decks http://www.microsoft.com/uk/msdnevents Upcoming events http://www.microsoft.com/uk/msdn/events/upcoming.aspx UK MSDN Site & Flash Newsletter Local news, events, nuggets & webcasts http://www.microsoft.com/uk/msdn Register to receive the bi-weekly MSDN Flash by email http://www.microsoft.com/uk/msdn/flash.aspx

©. 2006 Microsoft Corporation. All rights reserved © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.