Security Summit West 2004 Redmond, WA Darren Canavor Longhorn Security.


Agenda
- Definitions
- LUA Customer Pain Points
- LUA Vision
- Desktop Control
- Tools
- Security Questions for you

Definitions
- LUA = Least Privileged User Account
  - Run with just enough privilege to get the job done and no more!
  - Applications for regular users must be written to run as non-admin
- Administrator
  - A user of a machine that belongs to a user group that has permissions that are able to change local or domain state
  - Bluntly - a user that can destroy the user experience for everyone
  - Privilege == Obligation (view as a burden, not an enabler)
- PA = Protected Administrator
  - A user belonging to an admin group which obtains two tokens to run apps
  - At logon administrators will run a shell that has LUA default privilege
  - Elevated privileges are only granted to trusted applications
- AIM = Application Impact Management (aka Strongbox)
  - Virtualizes the legacy application view of Windows to remove admin dependency

LUA Customer Pain Points

Customer Pain Points

Home:
- Virus and Spyware wrecks my machine
  - Viruses and Spyware with Admin privilege can damage the machine
- Legacy applications require Admin to Install
  - Users cannot install applications as NonAdmin
- Legacy applications require Admin to Run
  - Users cannot run applications as NonAdmin
- Common OS Configuration tasks require Admin privilege
  - Users cannot perform common OS configuration tasks as LUA
- Users accidentally do the wrong thing
  - Users running as Admin can inadvertently damage their machine

Enterprise:
- Virus and Spyware wrecks my machine
  - Viruses and Spyware with Admin privilege can damage the machine
  - Enterprise Admin attacks compromise corporation
- Line of Business applications require Admin to Run
  - Corporate Users cannot run applications as NonAdmin
- Common OS Configuration tasks require Admin privilege
  - Corporations can’t easily deploy users as LUA unless they compromise OS Security
  - Simple scenarios like VPN don’t work without Admin privilege
  - IT must reevaluate the LoB applications for each OS release due to inconsistent configuration settings

LUA Vision

Vision
- Eliminate the risks caused by everyone running as administrator

Strategy
- Change the way that Windows runs so that common user tasks and most applications don’t require administrative privilege
- Then advise and protect when administrator privilege is required

Initiatives
- Ensure Windows Users can run all Common User Tasks without Admin Privilege
- Enable the Windows Infrastructure for users without Admin Privilege
- Enable Apps to Install, Run, Update and Uninstall without Admin Privilege
- Create Protected/Isolated Sessions for apps that do require Admin
- Evangelize LUA to ISVs and Customers with Clear Guidelines, Education and Results Tracking

LUA Longhorn UX Goals
- OS feels like it was built for the LUA user
- Users know when they are about to do something potentially unsafe and are able to make an informed decision
  - Windows always gives strong Security and Privacy recommendations
  - Users can undo damaging changes
- Users feel confident they can install or run any program without compromising their PC
- Users do not need to learn any major new concepts or procedures to be protected

Longhorn Is LUA Friendly
- Fix OS bugs (CPL, MSC, etc…)
- Support Common LUA scenarios:
  - VPN
  - Display Settings
  - Power Management
  - Regional Settings
  - Clock
  - Calc
  - Etc.
- Support Per User Active X installation
- Support Per User File Extension handlers

LUA Infrastructure Support
- Make Per User installs work for LUA
  - Visual Studio, MSI 4.0, and OS support “MyPrograms”
  - Location: %USERPROFILE%\Local Settings\My Programs
- All LH Logo Applications run as LUA
  - AppCompat shims top X ISV applications
- Applications have manifests (Application or Deployment)
  - Defines what the application is and its system impact
  - Signed by either ISV or IT Department
- Trust infrastructure to support manifest signature validation

LUA Deployments Support
- Runtime File/Registry Virtualization
  - Support / Management tools (debug transaction logs)
  - Educate PSS on how to debug Virtualization
  - Explorer support correct File view
- Trust infrastructure support
  - Trust Manager
  - Application Information Service
- Simple Secure Consent UI

Desktop Control
- Full control over what applications and drivers can be installed or run
- Desktop Control Policy settings:
  - Lockdown: Only predefined publishers can install or run
  - Prompt: For unknown publishers ask the user for install or run permission
  - XP compatibility: No Trust check

Application Information Svc Overview

Managing Application Trust
- Trust determined by certificate used to sign code, a.k.a. ‘publisher’
  - Authenticate against set of “Trusted Publishers”
- Administrators set policies controlling which publishers to trust
  - Decide which are “Trusted Publishers”
  - Pre-populate “Trusted Publishers” certificates in OS Image (IBS)
  - GP Certificate trust download for machines joined to domain

Permissions For Installing Drivers
- Driver Store
  - Repository of drivers on local machine
  - Requires Administrator permission to populate
  - “Stage” drivers for install
  - Once drivers are added to store they will install regardless of user permission
- Driver Package Integrity
  - Longhorn will require all drivers to be digitally signed to install
  - Authenticode™ code signing works for all driver types in Longhorn
  - Signing check occurs before adding a driver to the Driver Store

Code Validation Process
- All code validation is a human decision
  - Publishers can get signed app manifest (need to be in cert store)
  - Domain admins can sign deployment manifest (enterprise store)
  - Local admins can “bless” apps
  - By policy user can decide to change default behavior
- All local validation decisions are preserved in App Context
- Code Integrity is assured by checking every .EXE and .DLL for validity
- Application trust is assured at Runtime

LUA Predictor AppVerifier
- Intended to predict whether an application would work correctly as a non-admin.
  - Identifies API calls that would fail if attempted by a non-administrator
  - Identifies all Access requiring Admin privilege
- Example LUA Predictor test pass:
  - Logon as Administrator and install LUA Predictor Shim
  - Build affinity to the applicable application
  - Test application and save log
  - Logon as Non Admin
  - Test application and save log
- Tool Location:
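
The test pass above produces two saved logs, one per logon. As an added example (not part of the presentation, and not the LUA Predictor's own log format), this Python script compares two such logs and lists the operations that depend on admin privilege; the `operation|target|result` record format, the result codes and the Contoso paths are all constructed for illustration.

```python
# Constructed sample logs (illustrative format, not real tool output):
# one "operation|target|result" record per line.
ADMIN_LOG = r"""
RegSetValue|HKLM\Software\Contoso\App\LastRun|SUCCESS
CreateFile|C:\Program Files\Contoso\settings.ini|SUCCESS
RegSetValue|HKCU\Software\Contoso\App\Theme|SUCCESS
CreateFile|C:\Program Files\Contoso\license.dat|SUCCESS
"""
NONADMIN_LOG = r"""
RegSetValue|HKLM\Software\Contoso\App\LastRun|ACCESS_DENIED
CreateFile|C:\Program Files\Contoso\settings.ini|ACCESS_DENIED
RegSetValue|HKCU\Software\Contoso\App\Theme|SUCCESS
"""

# Locations shared by every user of the machine; writes here normally need admin.
MACHINE_WIDE = ("hklm\\", "c:\\program files\\", "c:\\windows\\")


def parse(log):
    """Return {(operation, target): result} for one saved test-pass log."""
    entries = {}
    for line in log.strip().splitlines():
        op, target, result = (field.strip() for field in line.split("|"))
        entries[(op, target)] = result
    return entries


def admin_dependencies(admin_log, nonadmin_log):
    """List operations that worked as Administrator but not as non-admin."""
    admin, user = parse(admin_log), parse(nonadmin_log)
    findings = []
    for (op, target), result in admin.items():
        if result != "SUCCESS":
            continue  # fails even with admin rights: not a privilege issue
        # Missing from the non-admin log means the app never got that far.
        user_result = user.get((op, target), "NOT_REACHED")
        if user_result != "SUCCESS":
            shared = target.lower().startswith(MACHINE_WIDE)
            findings.append((op, target, user_result,
                             "machine-wide" if shared else "other"))
    return findings


if __name__ == "__main__":
    for finding in admin_dependencies(ADMIN_LOG, NONADMIN_LOG):
        print(*finding, sep="  ")
```

Entries marked `NOT_REACHED` matter as much as the denied ones: they are operations the non-admin run never attempted, usually because an earlier failure stopped the application.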

Security Questions For You
- Do you test applications as Least Privileged User (LUA) – non-administrators?
- Do you perform a threat analysis of applications before deploying them?
- Is it your goal to provision users to run without administrator credentials? If so, what percentage of your users run as non-administrators?
- Do your IT administrators have a secondary LUA account?
- Do you have a hard policy on what IT administrators can do when they are logged on?
  - i.e., not surf the internet?
- Do you write line-of-business applications in .NET managed code?
- Do you see value in writing managed code with permission sets that limit what the application can do?
- Do you see value in writing line-of-business apps to a highly restricted environment (a sandbox) that restricts that application enough that it doesn’t need a trust dialog to deploy?

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.