Windows Vista User Account Control (UAC) and Delphi
Fredrik Haglund, Developer Evangelist

User Account Control (UAC)
 Security token split during logon – one user token and one admin token
 Administrator shell runs with the Standard User token
 You have to explicitly consent every time you create a process with the administrator token – this is called “elevation”

Standard User – Over the shoulder elevation

Windows Vista
 UAC is enabled by default
 All subsequent user accounts are created as Standard Users
 Elevation prompts are displayed on the Secure Desktop by default
 Elevation prompts for background applications are minimized to the taskbar
 Elevations are blocked in the user's logon path
 Built-in Administrator account is disabled by default on new installations
 New default Access Control List (ACL) settings

Standard User
 All processes are started as Standard User by default
 A Standard User cannot
 – Change files in Program Files folders
 – Change files in Windows or System32 folders
 – Change registry under HKLM\Software
 – Change the local machine's date and time
 – Install or uninstall Services
 – …
 Earlier strong recommendations are now enforced!

New Technologies for Windows Vista
 Installer Detection
 User Interface Privilege Isolation
 Virtualization
 Access Token Split during login
 Secure Desktop

User Interface Privilege Isolation
 General guideline – “lower” cannot access “higher”
 A lower privilege process cannot:
 – Perform a window handle validation
 – SendMessage or PostMessage
 – Use thread hooks to attach
 – Use Journal hooks to monitor
 – Perform dynamic-link library (DLL) injection
 Some resources are still shared between processes
 – Desktop window, which actually owns the screen surface
 – Desktop heap read-only shared memory
 – Global atom table
 – Clipboard

Virtualization / Redirection
 Virtualization is for compatibility – not a feature
 Disabled for executables with UAC info in the manifest!

UAC Architecture

The Shield
 Attached to controls which, if clicked, will require elevation as the next step
 Has only one state (i.e. no hover, disabled etc.)
 Does not remember elevated state – not an unlock operation

Shield UI Examples

Delphi – What you have to do…
 Test your application – identify problems
 Classify your application as Standard User, Admin or Mixed
 Add application Manifest
 Redesign functionality
 – User apps should write data to correct locations
 – Split out admin stuff into a separate executable
 Redesign user interface – add shield to buttons
 Redesign installer
 Test again
 Optionally sign application (Authenticode)
 Determine whether to pursue the Windows Vista Logo program

Test with Standard User Analyzer Tool
 SUA helps you find the operations your application performs that will break when it runs as a Standard User

Requested Execution Level in Delphi
 NB! Remove all references to the XPMan unit from the project!!!

RC-file is compiled to RES-file

Manifest

 level="asInvoker"
 – Start the process running with the same token as the process creating it
 level="highestAvailable"
 – Ask administrators for consent to elevate, but start as Standard User if the user has no administrative privileges
 level="requireAdministrator"
 – Ask administrators for consent to elevate
 – Standard user will get a login dialog for over-the-shoulder support
 – Will only start with administrative privileges
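As an added example (not from the slides), here is how the three pieces fit together in a Delphi project: an RC file that declares the manifest as resource id 1 of type 24 (RT_MANIFEST), the manifest itself requesting asInvoker, and the project file linking the compiled RES. The file names, assembly name and version are constructed placeholders, and the MainUnit form is assumed to exist. The Common Controls 6 dependency is included because that is what the XPMan unit used to supply; XPMan links its own manifest resource with the same id and type, which is why the slide says to remove it.

```pascal
{ UacDemo.rc  (compile with:  brcc32 UacDemo.rc  ->  UacDemo.res)

      1 24 "UacDemo.manifest"

  id 1 = EXE manifest, type 24 = RT_MANIFEST. The XPMan unit links a resource
  with exactly this id/type, so keeping XPMan gives a duplicate-resource error
  or leaves the old XP manifest (without trustInfo) in the executable.

  UacDemo.manifest  (constructed example):

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
        <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                          name="Example.UacDemo" type="win32"/>
        <description>UAC manifest example (asInvoker)</description>
        <dependency>
          <dependentAssembly>
            <assemblyIdentity type="win32"
                              name="Microsoft.Windows.Common-Controls"
                              version="6.0.0.0" processorArchitecture="X86"
                              publicKeyToken="6595b64144ccf1df" language="*"/>
          </dependentAssembly>
        </dependency>
        <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
          <security>
            <requestedPrivileges>
              <!-- asInvoker: run with the caller's token, never prompt;
                   highestAvailable / requireAdministrator go here instead -->
              <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
            </requestedPrivileges>
          </security>
        </trustInfo>
      </assembly>
}
program UacDemo;

uses
  Forms,                                  // no XPMan: the manifest above replaces it
  MainUnit in 'MainUnit.pas' {MainForm};  // assumed form unit (constructed)

{$R *.res}           // Delphi's own project resource (icon, version info)
{$R 'UacDemo.res'}   // manifest resource compiled from UacDemo.rc

begin
  Application.Initialize;
  Application.CreateForm(TMainForm, MainForm);
  Application.Run;
end.
```

Because the manifest now carries trustInfo, file and registry virtualization is switched off for this executable, so any write to Program Files or HKLM\Software that used to be silently redirected will fail outright; that is the intended signal that the code needs to move its data to a per-user location.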

Windows XP Warning!
 Incorrect formatting of the Manifest can blue screen Windows XP
 Read KB921337

Redesign
 Do not open files or registry keys with the Write flag
 Save data, log files, etc. in the right location using SHGetFolderPath
 – CSIDL_PERSONAL { My Documents }
 – CSIDL_APPDATA { Application Data, new for NT4 }
 – CSIDL_LOCAL_APPDATA { non-roaming, user\Local Settings\Application Data }
 – CSIDL_COMMON_APPDATA { All Users\Application Data }
 – CSIDL_MYPICTURES { My Pictures, new for Win2K }
 – CSIDL_COMMON_DOCUMENTS { All Users\Documents }
 – …

SHGetFolderPath
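The slide code for SHGetFolderPath is not in the transcript, so the following is an added example rather than the presenter's own code. It resolves the per-user application-data folder (non-roaming by default) and appends to a log file there, which a Standard User can always write without elevation and without relying on virtualization. The vendor and product folder names and the log file name are constructed placeholders.

```pascal
unit AppPaths;

interface

function GetAppDataDir(Roaming: Boolean): string;
procedure AppendLog(const Line: string);

implementation

uses
  Windows, SysUtils, ShlObj;

{ Returns "<profile>\Local Settings\Application Data\ExampleVendor\UacDemo\"
  (or the roaming Application Data branch when Roaming is True) and creates
  it if needed. CSIDL_FLAG_CREATE asks the shell to create the CSIDL folder
  itself when a fresh profile does not have it yet. }
function GetAppDataDir(Roaming: Boolean): string;
var
  Buf: array[0..MAX_PATH] of Char;
  Csidl: Integer;
begin
  if Roaming then
    Csidl := CSIDL_APPDATA
  else
    Csidl := CSIDL_LOCAL_APPDATA;
  if Failed(SHGetFolderPath(0, Csidl or CSIDL_FLAG_CREATE, 0,
                            SHGFP_TYPE_CURRENT, Buf)) then
    raise Exception.Create('SHGetFolderPath failed');
  // vendor\product subfolder names are constructed for this example
  Result := IncludeTrailingPathDelimiter(Buf) + 'ExampleVendor\UacDemo\';
  if not ForceDirectories(Result) then
    RaiseLastOSError;
end;

{ Appends one timestamped line to the log in the local (non-roaming) data
  folder. Nothing here touches Program Files, Windows or HKLM, so the code
  behaves identically for a Standard User and for an elevated administrator. }
procedure AppendLog(const Line: string);
var
  F: TextFile;
  FileName: string;
begin
  FileName := GetAppDataDir(False) + 'UacDemo.log';
  AssignFile(F, FileName);
  if FileExists(FileName) then
    Append(F)
  else
    Rewrite(F);
  try
    Writeln(F, FormatDateTime('yyyy-mm-dd hh:nn:ss', Now), ' ', Line);
  finally
    CloseFile(F);
  end;
end;

end.
```

Use CSIDL_COMMON_APPDATA only for data that must be shared between all users, and create that subfolder from the installer (which runs elevated) with an ACL that grants Users write access; otherwise the first Standard User to run the application will fail to create it.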

RunAsAdmin
 Launch application running as administrator
 Use Application.Handle to delay elevation if the app is minimized
 No handle always gives direct foreground elevation

Using COM class for Admin tasks
 COM Server must be an EXE
 EXE must have requireAdministrator to install COM objects correctly
 Registration of COM Class must
 – add value LocalizedString (and resource string in executable)
 – add key Elevation and value Enabled = 1

Elevated COM calls
 Use Moniker to create elevated CoClass from User Process
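The two slides above describe the server-side registration and the client-side moniker. As an added example (not the presenter's code), the unit below does both: RegisterElevatable writes the LocalizedString value and the Elevation\Enabled = 1 key under HKCR\CLSID, and CreateElevatedAdminTasks creates the class from a Standard User process through the Elevation moniker. The CLSID, the IAdminTasks interface, the server path and the string resource id 101 are constructed placeholders; BIND_OPTS3 is declared locally because older Delphi versions only ship BIND_OPTS.

```pascal
unit ElevatedCom;

interface

uses
  Windows, ActiveX;

const
  CLSID_AdminTasks: TGUID = '{11111111-2222-3333-4444-555555555555}';  // placeholder

type
  // Narrow interface for the admin work; every call crosses into the
  // elevated server, so the server must validate its arguments itself.
  IAdminTasks = interface(IUnknown)
    ['{66666666-7777-8888-9999-AAAAAAAAAAAA}']  // placeholder IID
    function WriteMachineSetting(const Name, Value: WideString): HResult; stdcall;
  end;

// Runs inside the requireAdministrator COM server EXE (e.g. on /regserver).
procedure RegisterElevatable(const ServerExe: string);
// Runs in the asInvoker user process.
function CreateElevatedAdminTasks(Owner: HWND; out Obj: IAdminTasks): HResult;

implementation

uses
  SysUtils, Registry;

{ Adds what the consent dialog needs under HKCR\CLSID\{clsid}:
  LocalizedString = "@<server exe>,-101", pointing at a STRINGTABLE entry
  in the server (the RC file carries  STRINGTABLE { 101, "Example Admin Tasks" } ),
  and Elevation\Enabled = 1. HKCR lives under HKLM, hence requireAdministrator. }
procedure RegisterElevatable(const ServerExe: string);
var
  Reg: TRegistry;
  Key: string;
begin
  Key := 'CLSID\' + GUIDToString(CLSID_AdminTasks);
  Reg := TRegistry.Create(KEY_WRITE);
  try
    Reg.RootKey := HKEY_CLASSES_ROOT;
    if not Reg.OpenKey(Key, True) then
      RaiseLastOSError;
    Reg.WriteString('LocalizedString', '@' + ServerExe + ',-101');
    Reg.CloseKey;
    if not Reg.OpenKey(Key + '\Elevation', True) then
      RaiseLastOSError;
    Reg.WriteInteger('Enabled', 1);
  finally
    Reg.Free;
  end;
end;

type
  { BIND_OPTS3 from objidl.h; older ActiveX.pas only declares BIND_OPTS. }
  TBindOpts3 = record
    cbStruct: DWORD;
    grfFlags: DWORD;
    grfMode: DWORD;
    dwTickCountDeadline: DWORD;
    dwTrackFlags: DWORD;
    dwClassContext: DWORD;
    locale: LCID;
    pServerInfo: Pointer;
    hwnd: HWND;      // owner for the consent prompt
  end;

{ "Elevation:Administrator!new:{clsid}" makes COM show the consent or
  credential prompt (owned by Owner) and start the server elevated. The
  returned proxy lives in the user process; the object runs as admin. }
function CreateElevatedAdminTasks(Owner: HWND; out Obj: IAdminTasks): HResult;
var
  Opts: TBindOpts3;
  Moniker: WideString;
begin
  FillChar(Opts, SizeOf(Opts), 0);
  Opts.cbStruct := SizeOf(Opts);
  Opts.dwClassContext := CLSCTX_LOCAL_SERVER;
  Opts.hwnd := Owner;
  Moniker := 'Elevation:Administrator!new:' + GUIDToString(CLSID_AdminTasks);
  Result := CoGetObject(PWideChar(Moniker), PBindOpts(@Opts), IAdminTasks, Obj);
end;

end.
```

Keeping the admin functionality behind a small, explicit interface like IAdminTasks is the point of the split: the user-level process never holds an admin token, and the elevated server exposes only the few operations it was written to perform.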

The Shield – SetElevationRequiredState
 Call the function with the Button as parameter to add the Shield symbol
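Putting the RunAsAdmin and Shield slides together, here is an added example (not the presenter's code) of a form whose button carries the UAC shield and, when clicked, relaunches the program elevated. Button_SetElevationRequiredState is a C macro around BCM_SETSHIELD, so Delphi sends the message directly; the elevation check reads TokenElevation so that an already elevated instance neither shows the shield nor prompts again. The form, control names and the /admintask parameter are constructed.

```pascal
unit MainUnit;

interface

uses
  Windows, Messages, Classes, Controls, Forms, StdCtrls, Dialogs;

type
  TMainForm = class(TForm)
    btnAdminTask: TButton;
    procedure FormCreate(Sender: TObject);
    procedure btnAdminTaskClick(Sender: TObject);
  end;

function IsProcessElevated: Boolean;
function RunAsAdmin(Owner: HWND; const ExeName, Params: string): Boolean;
procedure SetElevationRequiredState(Button: TButton; Required: Boolean);

var
  MainForm: TMainForm;

implementation

uses
  ShellAPI, SysUtils;

{$R *.dfm}

const
  BCM_SETSHIELD = $160C;  // BCM_FIRST + $000C; needs Common Controls 6 manifest

{ One state only, as the slides say: the shield does not track hover and
  does not remember that elevation already happened. }
procedure SetElevationRequiredState(Button: TButton; Required: Boolean);
begin
  SendMessage(Button.Handle, BCM_SETSHIELD, 0, LPARAM(Ord(Required)));
end;

{ True when the process already holds the admin (elevated) token. }
function IsProcessElevated: Boolean;
const
  TokenElevation = 20;  // TOKEN_INFORMATION_CLASS value, absent from older Windows.pas
var
  Token: THandle;
  Elevated: DWORD;      // TOKEN_ELEVATION.TokenIsElevated
  Returned: DWORD;
begin
  Result := False;
  if not OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, Token) then
    Exit;
  try
    if GetTokenInformation(Token, TTokenInformationClass(TokenElevation),
                           @Elevated, SizeOf(Elevated), Returned) then
      Result := Elevated <> 0;
  finally
    CloseHandle(Token);
  end;
end;

{ ShellExecuteEx with the "runas" verb triggers the consent/credential
  prompt. Owner = Application.Handle lets Windows defer the prompt while
  the app is minimized; Owner = 0 forces an immediate foreground prompt. }
function RunAsAdmin(Owner: HWND; const ExeName, Params: string): Boolean;
var
  Info: TShellExecuteInfo;
begin
  FillChar(Info, SizeOf(Info), 0);
  Info.cbSize := SizeOf(Info);
  Info.fMask := SEE_MASK_NOCLOSEPROCESS or SEE_MASK_FLAG_NO_UI;
  Info.Wnd := Owner;
  Info.lpVerb := 'runas';
  Info.lpFile := PChar(ExeName);
  Info.lpParameters := PChar(Params);
  Info.nShow := SW_SHOWNORMAL;
  Result := ShellExecuteEx(@Info);
  if Result then
    CloseHandle(Info.hProcess)
  else if GetLastError <> ERROR_CANCELLED then  // ERROR_CANCELLED: user declined
    RaiseLastOSError;
end;

procedure TMainForm.FormCreate(Sender: TObject);
begin
  // Show the shield only when the click really will cause a prompt.
  SetElevationRequiredState(btnAdminTask, not IsProcessElevated);
end;

procedure TMainForm.btnAdminTaskClick(Sender: TObject);
begin
  if IsProcessElevated then
    ShowMessage('Already elevated: the admin work would run here')
  else if RunAsAdmin(Application.Handle, ParamStr(0), '/admintask') then
    Close;  // the elevated copy takes over
end;

end.
```

Relaunching the whole application elevated is the simplest route for a "Mixed" application, but it hands the full program the admin token; moving only the privileged operation into a separate executable or an elevated COM server keeps the elevated code small.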

Sign with Authenticode
 Get a less serious-looking consent dialog
 Register at winqual.microsoft.com
 Buy a certificate (VeriSign, etc.)
 Sign executables (MakeCert, Signtool.exe)
 Register applications at winqual to get access to crash logs

Resources
 Document – Windows Vista Application Development Requirements for User Account Control Compatibility
 Tool – Microsoft Standard User Analyzer
 Windows Vista Logo Program –

Thank you!