TechEd 2013 4/20/2018 7:32 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
WCA-B335 Raiders of the Elevated Token
Raymond Comvalius & Erdal Ozkaya
About the speakers: Raymond P. L. Comvalius
  Consultant, trainer and author
  MVP Windows Expert IT Pro since 2011
  @nextxpert
About the speakers: Erdal Ozkaya
  Regional Director – Kemp Technologies
  MVP Windows Expert IT Pro since 2009
  Blog:
  @Erdal_Ozkaya
Agenda
User Account Control
  What is UAC?
  Configuring User Account Control
  Integrity Levels
  File & Registry Virtualization
  File Names & Manifests
AppContainers
  What is an AppContainer?
  Identifying AppContainers and Capabilities
Browsers and User Account Control
User Account Control
What is User Account Control?
“The UAC solution is to run most applications with standard user rights…, and encourage software developers to create applications that run with standard user rights. UAC accomplishes this by enabling legacy applications to run with standard user rights, making it convenient for standard users to access administrative rights when they need them.” (From: Microsoft TechNet)
“UAC is not a security boundary”
Windows User Types
  The Administrator: the account named ‘Administrator’
  An Administrator: your name with administrator privileges
  Protected Administrator: AKA ‘Administrator in Admin Approval Mode’
  Standard User: your name without administrator privileges
Standardizing the User Token
  User SID
  Group SIDs: the following groups are marked deny-only in the filtered token:
    Administrators, Backup Operators, Power Users, Network Configuration Operators, Cryptographic Operators, Domain Admins, Schema Admins, Enterprise Admins, Group Policy Creator Owners, Domain Controllers, Enterprise Read-Only Domain Controllers, Account Operators, Print Operators, Server Operators, RAS Servers, Pre-Windows 2000 Compatible Access
  Mandatory Label
  Rights/Privileges: remove all except:
    Bypass traverse checking
    Shut down the system
    Remove computer from docking station
    Increase a process working set
    Change the time zone
Demo: Analyzing the user token
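The demo itself is not captured on the page. The following PowerShell script is an added example, not the presenters' material: it summarizes the current process token in the terms the "Standardizing the User Token" slide uses (deny-only group SIDs, mandatory label, surviving privileges, elevation state). It relies only on whoami.exe, which ships with Windows, and .NET's WindowsIdentity.

```powershell
# Added example, not from the deck: summarize the current process token the way the
# "Standardizing the User Token" slide describes it. Uses whoami.exe (built into
# Windows) plus .NET's WindowsIdentity; no third-party tools assumed.

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole honours the deny-only attribute: on the filtered (standard) token the
    # Administrators SID is present but deny-only, so this is $false there and
    # $true only on the elevated token.
    $isElevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups /fo csv columns: "Group Name","Type","SID","Attributes".
    # Groups UAC filtered out carry the attribute text "Group used for deny only".
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $denyOnly = $groups | Where-Object { $_.Attributes -match 'deny only' }
    $label    = $groups | Where-Object { $_.Type -eq 'Label' }

    # whoami /priv /fo csv columns: "Privilege Name","Description","State".
    # A filtered token lists only the handful of privileges the slide names.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User           = $identity.Name
        IsElevated     = $isElevated
        IntegrityLabel = ($label | Select-Object -First 1).'Group Name'
        DenyOnlyGroups = @($denyOnly | ForEach-Object { $_.'Group Name' })
        Privileges     = @($privs | ForEach-Object { "$($_.'Privilege Name') ($($_.State))" })
    }
}

# Run once from a normal prompt and once from an elevated one and compare: the
# deny-only list empties, the label moves from Medium to High and the privilege
# list grows to the full set.
Get-TokenSummary | Format-List
```

Running it from both a standard and an elevated prompt of the same administrator account shows the two tokens the deck contrasts: same user SID, different group attributes, label and privileges.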
Consent UI: the ‘face’ of UAC
  Warns of a user state change (AKA new token creation)
  Secure Desktop
    Screen mode like pressing Ctrl-Alt-Del
    Creates a screenshot of the desktop (programs keep running in the background)
    Keeps scripts etc. from pressing keys or clicking the mouse
Configuring UAC in the Control Panel
  From the Control Panel:
    Always notify
    Default
    Do not dim the display
    Never notify
  With Group Policy: more granular controls
Configuring UAC in Group Policy
  Behavior for Standard Users
    Deny Access
    Prompt for Credentials
  Admin Approval Mode for the built-in Administrator account
  For Administrators in Admin Approval Mode
    Prompt for Consent
    Elevate without prompting (not the same as disabling UAC!)
Demo: Configuring User Account Control
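The Control Panel slider and the Group Policy settings on the two preceding slides all end up as values under the Policies\System registry key. The following PowerShell audit script is an added example, not part of the deck: it reads those values, decodes the prompt behaviors and flags the configuration the slide warns about ("Elevate without prompting" is not the same as disabling UAC). The value names and their meanings are the documented policy values; the findings text is this example's own judgement.

```powershell
# Added example, not from the deck: decode the UAC policy values written by the
# Control Panel slider and by Group Policy.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacConfiguration {
    $p = Get-ItemProperty -Path $UacKey

    # A missing value means the policy is not configured and the OS default applies.
    $enableLua = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    $admin     = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $user      = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { 3 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled: administrators log on with a full token and Protected Mode IE is off.'
    } elseif ($admin -eq 0) {
        # The slide's warning: this is NOT the same as disabling UAC. Tokens are still
        # split and Protected Mode still works, but elevation happens without consent.
        $findings += 'Administrators elevate without prompting; UAC is on but has no consent step.'
    }
    if (($admin -in 3, 4) -and $secure -eq 0) {
        $findings += 'Prompts appear on the interactive desktop, where other programs can observe and drive them.'
    }

    [pscustomobject]@{
        EnableLUA                = $enableLua
        AdminBehavior            = $AdminBehavior[$admin]
        StandardUserBehavior     = $UserBehavior[$user]
        PromptOnSecureDesktop    = $secure
        FilterAdministratorToken = $p.FilterAdministratorToken   # 1 = built-in Administrator in Admin Approval Mode
        EnableInstallerDetection = $p.EnableInstallerDetection   # "Detect application installations" policy
        EnableVirtualization     = $p.EnableVirtualization       # file and registry virtualization
        EnableSecureUIAPaths     = $p.EnableSecureUIAPaths       # UIAccess apps only from secure locations
        Findings                 = $findings
    }
}

Get-UacConfiguration | Format-List
```

The same key holds the switches for the later slides (installer detection, virtualization, UIAccess secure paths), so one read of it documents the whole UAC posture of a machine.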
UIAccess Applications
  Software alternatives for the mouse and keyboard (for example: Remote Assistance)
  User Interface Accessibility integrity level
  Windows always checks the signature on UIAccess applications
  UIAccess applications must be installed in secure locations
  Optionally these applications can disable the secure desktop (used with Remote Assistance)
Remote Assistance and the Secure Desktop for non-administrative users
File Virtualization
  File Virtualization is a compatibility feature
  The following folders and subfolders are virtualized:
    %WinDir%
    \Program Files
    \Program Files (x86)
  Virtual Store: %UserProfile%\AppData\Local\VirtualStore
  Troubleshooting file virtualization
    Event Log: UAC-FileVirtualization
    Disabling File Virtualization
Registry Virtualization
  Virtualizes most locations under HKLM\Software
  Keys that are not virtualized:
    HKLM\Software\Microsoft\Windows
    HKLM\Software\Microsoft\Windows NT\
    HKLM\Software\Classes
  Per-user location: HKCU\Software\Classes\VirtualStore
  A flag on a registry key defines whether it can be virtualized
    “Reg flags HKLM\Software” shows the flags for HKLM\Software
  Registry Virtualization is NOT logged in the Event Log
Demo: File Virtualization
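The two virtualization slides name three places to look when troubleshooting: the per-user VirtualStore folder, the UAC-FileVirtualization event channel, and the per-key registry flags shown by "reg flags". The following PowerShell script is an added example, not from the deck, combining those checks. It assumes the default layout in which the VirtualStore mirrors paths on the system drive, and that reg.exe is available.

```powershell
# Added example, not from the deck: the three virtualization checks the slides
# point at. Assumes the VirtualStore mirrors paths on %SystemDrive% (default
# single-drive layout) and that reg.exe is on the path.

function Get-VirtualizedFiles {
    # Every file here is a write that UAC redirected away from %WinDir% or a
    # Program Files folder. The intended path is the same relative path rooted
    # at the system drive (assumption: single system drive).
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path $store)) { return @() }
    Get-ChildItem -Path $store -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($store.Length).TrimStart('\')
        [pscustomobject]@{
            VirtualPath  = $_.FullName
            IntendedPath = Join-Path ($env:SystemDrive + '\') $relative
            LastWrite    = $_.LastWriteTime
        }
    }
}

function Get-FileVirtualizationEvents {
    param([int]$Newest = 20)
    # The operational channel the slide calls "UAC-FileVirtualization".
    Get-WinEvent -LogName 'Microsoft-Windows-UAC-FileVirtualization/Operational' `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-RegistryVirtualizationFlags {
    param([string]$Key = 'HKLM\Software')
    # "reg flags <key> QUERY" prints one "REG_KEY_NAME: SET|CLEAR" line per flag.
    # Registry virtualization writes nothing to the event log, so these flags are
    # the only thing to inspect when a write to HKLM\Software "disappears".
    $out   = reg flags $Key QUERY 2>&1
    $flags = @{}
    foreach ($line in $out) {
        if ("$line" -match 'REG_KEY_(\w+):\s+(SET|CLEAR)') { $flags[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        Key            = $Key
        DontVirtualize = $flags['DONT_VIRTUALIZE']   # SET = key excluded from virtualization
        DontSilentFail = $flags['DONT_SILENT_FAIL']
        Recurse        = $flags['RECURSE_FLAG']
    }
}

Get-VirtualizedFiles | Format-Table -AutoSize
Get-FileVirtualizationEvents | Format-Table -Wrap
# Compare a virtualized parent with one of the excluded keys named on the slide.
Get-RegistryVirtualizationFlags 'HKLM\Software'
Get-RegistryVirtualizationFlags 'HKLM\Software\Microsoft\Windows'
```

Comparing HKLM\Software with HKLM\Software\Microsoft\Windows shows DONT_VIRTUALIZE CLEAR on the former and SET on the latter, which is the slide's exclusion list expressed as data.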
Integrity Levels: Mandatory Access Control
  Levels are part of the ACLs and tokens
  A lower level has limited access to a higher level
  Used to protect the OS and for Internet Explorer Protected Mode
    System: system services
    High: administrator
    Medium: standard user
    Low: Internet Explorer
    Untrusted: Google Chrome
Standardizing the User Token
  User SID
  Group SIDs
  Mandatory Label
    Integrity level: High (elevated token)
    Integrity level: Medium (standard token)
  Rights/Privileges
IE Protected Mode
  Only the Internet Zone by default
  Only with User Account Control enabled
  iexplore.exe runs with Low Integrity Level
  User Interface Privilege Isolation (UIPI)
Internet Explorer Broker Mechanism
  iexplore.exe (management process), Medium Integrity Level
    Protected-mode Broker Object
    UI Frame, Favorites Bar, Command Bar
  UI Privilege Isolation separates the frame from the content processes
  Trusted Sites/Intranet: iexplore.exe (content), Medium Integrity Level, Protected Mode = Off
    Toolbar Extensions, ActiveX Controls, Browser Helper Objects
  Internet: iexplore.exe (content), Low Integrity Level, Protected Mode = On
    Toolbar Extensions, ActiveX Controls, Browser Helper Objects
Demo: Integrity Levels
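The Integrity Levels slide says levels live in both tokens and ACLs; the token side is visible with whoami, the object side with icacls. The following PowerShell script is an added example, not part of the deck: it reads the mandatory label icacls reports on a file-system object and then labels a constructed temp file Low to show how the label is set. It assumes icacls.exe (built into Windows) and a writable %TEMP%.

```powershell
# Added example, not from the deck: read and set mandatory labels on file-system
# objects with icacls.exe. Objects without an explicit label are Medium by default.

function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints e.g. "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)" only when an
    # explicit label ACE is present; NW is the default "no write-up" policy.
    $out = icacls $Path 2>&1
    $m = $out | ForEach-Object { "$_" } |
         Select-String -Pattern 'Mandatory Label\\(\w+) Mandatory Level:(\S*)' |
         Select-Object -First 1
    if ($m) {
        [pscustomobject]@{
            Path = $Path; Level = $m.Matches[0].Groups[1].Value
            Policy = $m.Matches[0].Groups[2].Value; Explicit = $true
        }
    } else {
        [pscustomobject]@{ Path = $Path; Level = 'Medium'; Policy = '(implicit)'; Explicit = $false }
    }
}

function Set-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][ValidateSet('Low','Medium','High')][string]$Level)
    # icacls accepts L[ow], M[edium] or H[igh] and applies the NW policy by default.
    $null = icacls $Path /setintegritylevel $Level
    Get-IntegrityLabel -Path $Path
}

# LocalLow is the Low-labelled profile folder that Protected Mode IE may write to.
Get-IntegrityLabel -Path (Join-Path $env:USERPROFILE 'AppData\LocalLow')

# Constructed demo file: starts out implicitly Medium, is relabelled Low. A Low-IL
# process (Protected Mode IE) could then write to it while the rest of the profile,
# being Medium, stays read-only for that process.
$demo = Join-Path $env:TEMP 'il-demo.txt'
'constructed sample' | Set-Content -Path $demo
Get-IntegrityLabel -Path $demo
Set-IntegrityLabel -Path $demo -Level Low
Remove-Item -Path $demo
```

The Explicit flag in the output distinguishes objects that inherited the implicit Medium default from those that were deliberately labelled, which is the distinction to check when a Low-IL process can unexpectedly write somewhere.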
Why the UAC state change?
UAC for the Windows OS
  By default no warning when elevating Windows OS programs, except for:
    CMD.exe
    RegEdit.exe
What’s in a Name?
  The file name determines the need for elevation: Setup, Install, Update
  Disable this feature in Group Policy when needed: “User Account Control: Detect application installations and prompt for elevation”
UAC and Manifests
  Configure the need for elevation per file:
    asInvoker
    highestAvailable
    requireAdministrator
  External or internal manifest
  Use mt.exe from the SDK to inject a manifest
  Use SigCheck.exe from Sysinternals to view the manifest
Demo: File Names & Manifests
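The two preceding slides describe how Windows decides whether a program needs elevation: by file name (installer detection) or by the requestedExecutionLevel in its manifest. The following PowerShell script is an added example, not the presenters' demo: it reads an external (app.exe.manifest) manifest, generates one for a chosen level in the form mt.exe embeds, and checks the file-name part of installer detection. Embedded manifests are best viewed with SigCheck -m, as the slide says; the name check covers only the file-name part of the heuristic (the real one also inspects version resources), and the demo file name is constructed.

```powershell
# Added example, not from the deck: read, generate and reason about
# requestedExecutionLevel manifests. External manifests only; embedded ones
# need sigcheck -m or mt.exe as the slide describes.

function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$ExePath)
    $manifest = "$ExePath.manifest"
    if (-not (Test-Path $manifest)) {
        return [pscustomobject]@{ File = $ExePath; Manifest = $null
            Level = '(none: asInvoker behaviour, subject to installer detection)'; UiAccess = $null }
    }
    $xml = [xml](Get-Content -Raw -Path $manifest)
    # Namespace-agnostic lookup: the element lives in urn:schemas-microsoft-com:asm.v3 (or v2).
    $node = $xml.SelectSingleNode("//*[local-name()='requestedExecutionLevel']")
    [pscustomobject]@{
        File     = $ExePath
        Manifest = $manifest
        Level    = if ($node) { $node.GetAttribute('level') } else { '(manifest without trustInfo)' }
        UiAccess = if ($node) { $node.GetAttribute('uiAccess') } else { $null }
    }
}

function Test-InstallerName {
    param([Parameter(Mandatory)][string]$ExePath)
    # File-name part of installer detection only; turned off by the policy
    # "Detect application installations and prompt for elevation".
    [IO.Path]::GetFileNameWithoutExtension($ExePath) -match 'setup|instal|update'
}

function New-ExecutionLevelManifest {
    param([Parameter(Mandatory)][ValidateSet('asInvoker','highestAvailable','requireAdministrator')][string]$Level,
          [switch]$UiAccess)
    # Minimal manifest body. Save as app.manifest and embed with the SDK tool:
    #   mt.exe -manifest app.manifest -outputresource:app.exe;#1
    $ui = $UiAccess.IsPresent.ToString().ToLower()
@"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="$ui"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
}

# Constructed demo: a manifest beside a dummy "Setup.exe" name, read back.
$exe = Join-Path $env:TEMP 'Setup.exe'
New-ExecutionLevelManifest -Level requireAdministrator | Set-Content -Path "$exe.manifest" -Encoding UTF8
Get-RequestedExecutionLevel -ExePath $exe
Test-InstallerName -ExePath $exe      # the name alone would trigger installer detection
Remove-Item -Path "$exe.manifest"
```

A manifest with an explicit level, even asInvoker, takes precedence over the file-name heuristic, which is why the slide recommends manifesting applications rather than relying on (or disabling) installer detection.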
AppContainers
Windows Store App
  Restricted token, sandboxed in an AppContainer
  Runs at Low Integrity Level
  Can only access its own folder in: %programfiles%\WindowsApps
  Capabilities defined by the developer
  Helper processes can do some common tasks
Windows 8 AppContainers
  Another integrity level in Process Explorer
  Each app has a unique AppContainer
  Each AppContainer has a SID {S …}
  Special group: All Application Packages
  Locate the AppContainer:
    icacls %programfiles%\WindowsApps
    Use Process Explorer
  App state in: %userprofile%\AppData\Local\Packages
  More info:
App Capabilities
  Defined in the app’s manifest
  Each capability has a SID {S …}
    Documents, Music, Pictures, Video
    Microphone, WebCam, Location, Proximity
    Removable Storage
    Lock screen status and Notifications
    Home or work Network, Internet Client, Internet Client/Server
    Domain Credentials, Certificates
    Text Messaging
Capabilities: some capabilities are switchable
Demo: AppContainers
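The AppContainer slides give two identifiers to chase: the per-app AppContainer SID and the per-capability SIDs declared in the manifest. The following PowerShell script is an added example, not the presenters' demo: it maps each AppContainer SID Windows has recorded for the current user to its package, lists the capabilities from that package's AppxManifest.xml, resolves the twelve documented well-known capability SIDs (S-1-15-3-1 through S-1-15-3-12), and runs the slide's icacls check on the install folder. It assumes Windows 8 or later with the Appx module; reading ACLs under WindowsApps may need an elevated prompt.

```powershell
# Added example, not from the deck: enumerate AppContainers, their packages and
# declared capabilities, resolving the documented well-known capability SIDs.

# Documented well-known capability SIDs; anything else is reported by name only.
$CapabilitySid = @{
    internetClient             = 'S-1-15-3-1'
    internetClientServer       = 'S-1-15-3-2'
    privateNetworkClientServer = 'S-1-15-3-3'
    picturesLibrary            = 'S-1-15-3-4'
    videosLibrary              = 'S-1-15-3-5'
    musicLibrary               = 'S-1-15-3-6'
    documentsLibrary           = 'S-1-15-3-7'
    enterpriseAuthentication   = 'S-1-15-3-8'
    sharedUserCertificates     = 'S-1-15-3-9'
    removableStorage           = 'S-1-15-3-10'
    appointments               = 'S-1-15-3-11'
    contacts                   = 'S-1-15-3-12'
}
$AllApplicationPackagesSid = 'S-1-15-2-1'   # the "All Application Packages" group

function Get-AppContainerInfo {
    # Windows records each AppContainer created for the user here: the key name is
    # the AppContainer SID, Moniker is the package family name.
    $mappings = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings'
    $packages = Get-AppxPackage | Group-Object PackageFamilyName -AsHashTable -AsString

    Get-ChildItem -Path $mappings -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $pkg   = $packages[[string]$props.Moniker] | Select-Object -First 1
        $caps  = @()
        if ($pkg -and (Test-Path (Join-Path $pkg.InstallLocation 'AppxManifest.xml'))) {
            $xml = [xml](Get-Content -Raw -Path (Join-Path $pkg.InstallLocation 'AppxManifest.xml'))
            # Namespace-agnostic: Windows 8 and Windows 10 manifests prefix these elements differently.
            $caps = $xml.SelectNodes("//*[local-name()='Capability' or local-name()='DeviceCapability']") |
                ForEach-Object {
                    $name = $_.GetAttribute('Name')
                    if ($CapabilitySid.ContainsKey($name)) { "$name ($($CapabilitySid[$name]))" } else { $name }
                }
        }
        [pscustomobject]@{
            AppContainerSid = $_.PSChildName
            DisplayName     = $props.DisplayName
            PackageFamily   = $props.Moniker
            InstallLocation = if ($pkg) { $pkg.InstallLocation } else { $null }
            Capabilities    = @($caps)
        }
    }
}

function Get-AppFolderAccess {
    param([Parameter(Mandatory)][string]$InstallLocation)
    # The slide's "icacls %programfiles%\WindowsApps", narrowed to the entries that
    # govern sandboxed apps: the All Application Packages group and package SIDs.
    icacls $InstallLocation 2>&1 | ForEach-Object { "$_" } |
        Select-String -Pattern 'APPLICATION PACKAGE AUTHORITY|S-1-15-'
}

$containers = Get-AppContainerInfo
$containers | Format-List
$first = $containers | Where-Object { $_.InstallLocation } | Select-Object -First 1
if ($first) { Get-AppFolderAccess -InstallLocation $first.InstallLocation }
```

Each AppContainer SID printed here is what Process Explorer shows on the app's process and what appears in the ACLs under %userprofile%\AppData\Local\Packages; the capability list is the complete statement of what the developer asked for beyond the AppContainer's own folder.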
More About Browsers
IE10 Enhanced Protected Mode
  Default for Desktop Internet Explorer
    32-bit content process by default
    Low Mandatory Label
    No AppContainer restrictions
  Default for Modern UI Internet Explorer
    64-bit content process by default
    Runs in an AppContainer
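The Protected Mode and Enhanced Protected Mode settings that the browser slides describe are stored per zone and per browser in the registry. The following PowerShell script is an added example, not from the deck: it reports which zones run with Protected Mode (zone action 2500: 0 = on, 3 = off) and whether Enhanced Protected Mode and its 64-bit content processes are enabled (Isolation = PMEM, Isolation64Bit = 1), preferring the machine policy values when they exist.

```powershell
# Added example, not from the deck: audit IE Protected Mode per zone and
# Enhanced Protected Mode from the registry values the UI and Group Policy write.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ProtectedModeByZone {
    # Zone action 2500 is "Turn on Protected Mode": 0 = enabled, 3 = disabled.
    # The slide's default (Internet zone only) appears as 0 for zone 3 and 3 for zones 1 and 2.
    $zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($z in 0..4) {
        $v = (Get-ItemProperty -Path "$zones\$z" -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $state = if ($null -eq $v) { '(not set)' } elseif ($v -eq 0) { 'On' } elseif ($v -eq 3) { 'Off' } else { "unknown ($v)" }
        [pscustomobject]@{ Zone = $ZoneNames[$z]; ProtectedMode = $state }
    }
}

function Get-EnhancedProtectedMode {
    # Isolation = "PMEM" turns EPM on; Isolation64Bit = 1 gives the 64-bit content
    # processes the slide describes for the Modern UI browser. Machine policy wins.
    $policy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $isolation = if ($policy.Isolation)               { $policy.Isolation }      else { $user.Isolation }
    $tabs64    = if ($null -ne $policy.Isolation64Bit) { $policy.Isolation64Bit } else { $user.Isolation64Bit }
    [pscustomobject]@{
        EpmEnabled   = ($isolation -eq 'PMEM')
        Tabs64Bit    = ($tabs64 -eq 1)
        SetByPolicy  = [bool]($policy.Isolation -or $null -ne $policy.Isolation64Bit)
    }
}

Get-ProtectedModeByZone | Format-Table -AutoSize
Get-EnhancedProtectedMode | Format-List
```

A zone showing Protected Mode Off is one whose content process runs at Medium integrity with full access to the user's profile, which is the trade-off the broker diagram above illustrates for Trusted Sites and Intranet.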
Demo: Enhanced Protected Mode & Other Browsers’ Security
Wrap up!
Yes you can!
  User Account Control has changed in Windows 8
  UAC makes Internet Explorer a safer browser
  What if your apps run as Admin?
  AppContainers are the new UAC
  Check out to find more information about AppContainers
  Get to know the tools:
    Process Explorer
    Whoami.exe
    icacls.exe
    SigCheck.exe
Resources
  Learning
    Sessions on Demand: http://channel9.msdn.com/Events/TechEd
    Microsoft Certification & Training Resources
  TechNet: Resources for IT Professionals
  msdn: Resources for Developers
Evaluate this session
  Scan this QR code to evaluate this session.