Make Your Mark. Rocky Heckman, Senior Security Technologist: UAC Beyond the Hype (SEC308).

Presentation transcript:

1 Make Your Mark.

2 Rocky Heckman, Senior Security Technologist: UAC Beyond the Hype (SEC308)

3 Agenda
- User Account Control Goals
- Running as Standard User
- Conveniently Accessing Administrative Rights
- Isolating Elevated Processes
- UAC’s Impact on Malware

4 Demo

5 About the speaker
- Senior Security Technologist, Microsoft ACE Services
- MCSD, CISSP
- Written articles for MSDN, Developer.AU, and others
- Started in software in ’95 on the Windows 95 Helpdesk
- Post-grad research into secure software development

6 Agenda (repeated; section: User Account Control Goals)

7 The Vista goal: enable users to run with standard user rights
- Prevents unauthorized (and accidental) modification of system settings
- Reduces malware impact by preventing modification of security settings and hardware
- Prevents compromise of sensitive information on shared computers

8 To get there, Windows had to address several problems:
- The Windows usage model has been one of administrative rights
- Applications use them without knowing it
- Those that need them don’t distinguish administrative from standard user actions
- Users want administrative rights to easily perform operations that require them: software installations, changing the time zone, changing firewall settings, etc.

9 Approach
- Make it possible to run most applications with standard user rights
- Remove reasons for users to run as administrators at all times
- Encourage ISVs to code new applications to run with standard user rights

10 Agenda (repeated; section: Running as Standard User)

11 In Vista, many previously admin-only operations are accessible to standard users:
- View system clock and calendar
- Change time zone
- Configure WEP/WAP to connect to secure wireless networks
- Change power management settings
- Add printers and other devices that have the required drivers installed on the computer or have been allowed by an IT administrator in Group Policy
- Install ActiveX controls from sites approved by an administrator
- Create and configure a Virtual Private Network connection
- Install critical Windows Updates

12 Many applications would run fine as standard user, but they needlessly store data in HKLM\Software or %ProgramFiles%
- They use these locations for per-user data, not global data
- These locations are system-global and so only writeable by administrators
- It has always worked because Windows users have always been administrators
The solution: help them through virtualization
- Modifications of most system-global locations go to per-user areas
- Reads generally go to the per-user location first and fall back to the global location

13 Processes are virtualized unless:
- They are 64-bit
- They have a requestedExecutionLevel in their executable manifest (most Windows Vista executables do)
- They are running with administrative rights (described later)
Note: operations not originating from an interactive logon session (e.g. file sharing) are not virtualized
Virtualization can be turned off globally via a local security policy setting (secpol.msc):

14 Redirected file system locations:
- %ProgramFiles% (\Program Files)
- %AllUsersProfile% (\ProgramData, what was \Documents and Settings\All Users)
- %SystemRoot% (\Windows)
- %SystemRoot%\System32 (\Windows\System32)
Exceptions:
- Files that have executable extensions (.exe, .bat, .vbs, .scr, etc.)
- Exceptions can be added in HKLM\System\CurrentControlSet\Services\Luafv\Parameters\ExcludedExtensionsAdd
Per-user virtual root: %UserProfile%\AppData\Local\VirtualStore
Note: virtual files do not roam with Roaming Profiles

15 File Virtualisation Demo

16 Explorer shows a Compatibility Files button when virtual files are present; it opens a view of the virtual location

17 File system virtualization is implemented in a file system filter driver, luafv.sys
[Diagram: a legacy application in user mode writes \Windows\App.ini; in kernel mode Luafv.sys redirects the write to \Users\<user>\AppData\Local\VirtualStore\Windows\App.ini before it reaches Ntfs.sys, while a Vista application’s write to \Windows\App.ini is not redirected]

18 Redirected registry location: HKLM\Software
Exceptions:
- HKLM\Software\Microsoft\Windows
- HKLM\Software\Microsoft\Windows NT
- Other subkeys under Microsoft
Per-user virtual root: HKEY_CURRENT_USER\Software\Classes\VirtualStore
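As an added example (not part of the presentation), the redirection rules of slides 13, 14 and 18 written out as a small Python model of where a legacy process's writes actually land. The environment paths, the user name alice and the two process descriptions are constructed assumptions; the decision logic follows the slides.

```python
import ntpath

# Constructed sample environment (assumption: default install paths, user "alice").
ENV = {
    "ProgramFiles": r"C:\Program Files",
    "AllUsersProfile": r"C:\ProgramData",
    "SystemRoot": r"C:\Windows",            # covers %SystemRoot%\System32 as well
    "LocalAppData": r"C:\Users\alice\AppData\Local",
}
REDIRECTED_ROOTS = (ENV["ProgramFiles"], ENV["AllUsersProfile"], ENV["SystemRoot"])
EXCLUDED_EXTENSIONS = {".exe", ".bat", ".vbs", ".scr"}   # never virtualized (slide 14)
FILE_VIRTUAL_ROOT = ENV["LocalAppData"] + r"\VirtualStore"

# Registry: HKLM\Software is redirected except the Microsoft\Windows subtrees (slide 18).
REG_REDIRECTED_ROOT = "HKLM\\Software"
REG_EXEMPT = ("hklm\\software\\microsoft\\windows", "hklm\\software\\microsoft\\windows nt")
REG_VIRTUAL_ROOT = "HKCU\\Software\\Classes\\VirtualStore\\Machine\\Software"


def is_virtualized(process):
    """Slide 13: a process is virtualized unless it is 64-bit, carries a
    requestedExecutionLevel in its manifest, or already runs with admin rights."""
    return not (process["is_64bit"] or process["has_manifest_level"] or process["is_elevated"])


def _under(path, root):
    """Case-insensitive 'path is strictly inside root' test on backslash paths."""
    return path.lower().startswith(root.lower() + "\\")


def virtual_file_path(path, process):
    """Where a write to `path` lands for `process`: the per-user VirtualStore
    path, or None when the real location (and its admin-only ACL) applies."""
    if not is_virtualized(process):
        return None
    if ntpath.splitext(path)[1].lower() in EXCLUDED_EXTENSIONS:
        return None
    if any(_under(path, root) for root in REDIRECTED_ROOTS):
        # The drive letter is dropped: C:\Program Files\X -> ...\VirtualStore\Program Files\X
        return FILE_VIRTUAL_ROOT + path[2:]
    return None


def virtual_registry_key(key, process):
    """The same decision for a registry write under HKLM\\Software."""
    if not is_virtualized(process) or not _under(key, REG_REDIRECTED_ROOT):
        return None
    lower = key.lower()
    if any(lower == k or lower.startswith(k + "\\") for k in REG_EXEMPT):
        return None
    return REG_VIRTUAL_ROOT + key[len(REG_REDIRECTED_ROOT):]


# Constructed process descriptions: a legacy 32-bit app and a manifested Vista app.
LEGACY = {"is_64bit": False, "has_manifest_level": False, "is_elevated": False}
VISTA_APP = {"is_64bit": False, "has_manifest_level": True, "is_elevated": False}
```

A None result means the write is checked against the real, admin-only location, which is exactly where a legacy application fails as standard user and where the Standard User Analyzer of slide 24 earns its keep.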

19 Registry Virtualisation Demo

20 Each registry key under HKLM\Software has three new flags:
- Don’t Virtualize: disable virtualization
- Don’t Silent Fail: if not virtualized, return access-denied errors instead of faking success
- Recurse: propagate flags to child keys
Windows Vista Reg.exe is flag-aware:

21 Virtualization Flags Demo

22 Registry virtualization is built into the Registry (Ntoskrnl.exe)
[Diagram: a legacy application in user mode writes HKLM\Software\App; the kernel registry code redirects it to HKCU\Software\Classes\VirtualStore\Machine\Software\App, while a Vista application’s write to HKLM\Software\App is not redirected]

23 Some applications have to be helped in other ways to run as standard user
- Windows Vista includes built-in application-compatibility shims
- Users can define shims for other applications
Most common standard user shims:
- ForceAdminAccess: spoofs queries of Administrators group membership
- VirtualizeDeleteFile: spoofs deletion of a global file
- LocalMappedObject: forces global section objects into the user’s namespace
- VirtualizeHKCRLite, VirtualizeRegisterTypeLib: redirect global registration of COM objects

24 If an application runs as administrator but fails as standard user, use the Standard User Analyzer (SUA) to watch its behavior
- Free download from Microsoft
- Doesn’t necessarily see all administrator operations
Assign the application shims with the Compatibility Administrator
- Part of the Application Compatibility Toolkit from Microsoft
- Creates a Shim Database (.sdb) that you can install manually or with Sdbinst.exe

25 Agenda (repeated; section: Conveniently Accessing Administrative Rights)

26 Problem: there are still operations that require administrative rights:
- Installing applications
- Modifying system-global settings
- Parental controls
Solution: make it convenient to access administrative rights from standard user accounts
- Identify operations that require administrative rights
- Allow for “run as” functionality: Over The Shoulder (OTS) or Admin Approval Mode (AAM)

27 OTS Credentials Demo

28 Problem: even administrators should run as standard user
- Otherwise, no change from the Windows XP environment
- It must be convenient to access administrator rights
Solution: have administrators run with a split personality
- Two identities (tokens) are created for the user at logon: the user as standard user, and the user as administrator
- Called Admin Approval Mode (AAM)

29 Split Tokens Demo

30 A user is considered an administrator if they belong to any admin-type group, e.g.:
- Administrators
- Controllers
- Certificate Administrators
- Enterprise Administrators
- Schema Administrators

31 A user is also considered an administrator if they hold any administrator privilege:
- Create Token
- TCB
- Take Ownership
- Backup
- Restore
- Debug
- Impersonate
- Relabel
- Load Driver

32 The administrator’s standard user token is a subset of their full administrator token
- Administrator groups are marked as “deny only” groups
  - Applies to Domain Administrators, Builtin\Administrators and others
  - Can only be used to deny access, never to grant
  - E.g. if a file only allows administrator access, the user is denied access
  - E.g. if a file allows a user’s group access but denies administrators, the user is denied access

33 All privileges except the following are stripped:
- Change Notify
- Shutdown
- Undock
- Reserve Processor
- Time Zone
When authenticating to remote resources:
- If the system is not domain-joined, the user authenticates as standard user
- If domain-joined and an administrator of the remote resource, the user authenticates as administrator

34 There are four mechanisms by which administrator rights can be requested:
- Executable manifest: includes an elevation level that asks for it
- Setup identifier: the system believes the executable is a setup program, e.g. the name contains “setup”, “update” or “install”, or it has bytes of known setup engines
- “Run as administrator”: option from the Explorer context menu or shortcut property
- Application Compatibility Database: includes an ElevateCreateProcess shim for the executable
Administrator operations are identified with a shield icon

35 Manifest files were introduced in Windows XP to support side-by-side DLLs
- Used for XP’s Common Control v6 dialogs; .NET uses them for managed code “assemblies”
- Embedded in the resources of the binary file
Vista introduces a new key, requestedExecutionLevel, that can be one of three values:
- asInvoker: run with the user’s rights
- highestAvailable: if standard user then don’t ask, but if the user is an administrator, then ask
- requireAdministrator: always ask
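As an added example (not from the presentation), a Python model of the launch-time decision described in slides 13, 34 and 35: it reads requestedExecutionLevel from a manifest of the documented shape and, when there is none, falls back to the name-based installer detection. The sample manifest, the executable names and the three-valued result are constructed assumptions; the “Run as administrator” and app-compat shim paths are left out.

```python
import xml.etree.ElementTree as ET

ASM_V3 = "{urn:schemas-microsoft-com:asm.v3}"   # namespace of the trustInfo element

# Constructed manifest in the shape Vista reads from an executable's resources.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

SETUP_WORDS = ("setup", "update", "install")   # installer-detection heuristic (slide 34)


def requested_level(manifest_xml):
    """Return the requestedExecutionLevel 'level' attribute, or None if the
    manifest has no such element (or there is no manifest at all)."""
    if not manifest_xml:
        return None
    node = ET.fromstring(manifest_xml).find(f".//{ASM_V3}requestedExecutionLevel")
    return None if node is None else node.get("level")


def launch_decision(exe_name, manifest_xml, user_is_admin):
    """Model of the launch-time decision (slides 13, 34, 35).

    Returns (prompt, token, virtualized):
      prompt      - True if the consent (AAM) or credential (OTS) dialog appears
      token       - "admin" (elevated) or "standard" (the invoker's filtered token)
      virtualized - True only for unmanifested, non-elevated processes (slide 13)
    """
    level = requested_level(manifest_xml)
    if level is None:
        # No manifest entry: Vista falls back to installer detection by name.
        if any(word in exe_name.lower() for word in SETUP_WORDS):
            return True, "admin", False
        return False, "standard", True
    if level == "asInvoker":
        return False, "standard", False
    if level == "highestAvailable":
        return (True, "admin", False) if user_is_admin else (False, "standard", False)
    if level == "requireAdministrator":
        return True, "admin", False
    raise ValueError(f"unknown requestedExecutionLevel {level!r}")
```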

36 The dialog gives the user information on what is asking for administrative rights
- File description or file name, publisher, command line (in Details)
- Coloration indicates the level of trust for the application source:
  - Blue: core Windows components in protected locations
  - Grey: all other digitally signed code
  - Orange: unsigned code; do not run unless you know the source
  - Red: known untrusted publisher
- OTS: dialog contains “tiles” for known administrator accounts; the credentials create a new logon session token
- AAM: dialog has “Continue” and “Cancel” buttons; Continue unlocks the administrative token

37

38 The elevation dialog is presented by Consent.exe
- Displays on the secure desktop to prevent UI interference
- Child of the Service Host (Svchost.exe) process containing the AppInfo service
Elevated processes are created by the AppInfo service
- Re-parented to look like a child of the requesting process via a new CreateProcess parameter

39 [Architecture diagram of the elevation path; labels: User / System; Kernel; App Compat; Fusion; Installer Detection; Explorer; ShellExecute; CreateProcess; CreateProcessAsUser; NtCreateProcess; ERROR_ELEVATION_REQUIRED; Application Information Service; Consent; File System & Registry Virtualisation]

40 Consent and OTS dialogs only identify the primary executable
- Display on a secure desktop does not prevent credential dialog spoofing
- Allows the user to “own” the administrator account and its data (not the system, though)
- Home users should configure Control+Alt+Del

41 Access the setting with the Group Policy Editor (gpedit.msc)
Note that AAM elevation will not go to the secure desktop when this is enabled (will be fixed in SP1)

42 Agenda (repeated; section: Isolating Elevated Processes)

43 Problem: elevated processes run on the same desktop as standard user processes
Solution: Windows Vista isolates the windows and processes of elevated processes
- Window isolation is called User Interface Privilege Isolation (UIPI)
  - Prevents malware from “driving” the input of an elevated process
  - Does not prevent accessibility apps (e.g. the on-screen keyboard) from sending input
  - Prevents malware from executing “shatter attacks”
- In AAM, additional process isolation is required because otherwise a user has full access to their own processes, including elevated ones

44 The security token in every process is assigned an integrity level (IL)
Examples of assigned levels:
- Low: Protected-Mode IE, and processes started by PM IE
- Medium: standard user processes, non-elevated admin; accessibility processes run at slightly above Medium
- High: elevated administrator processes
- System: Local System and Local Service processes
A process usually inherits the IL of its parent
- If an executable file has an explicit IL, the process will have an IL that is the minimum of the parent’s and the file’s
- Processes can also be created at an explicit IL (e.g. elevation)
Ways to view a process’ integrity level:
- Command: whoami /all
- Sysinternals Process Explorer and AccessChk

45 Process Isolation Demo

46 Every securable object has an IL, either explicit or implicit
- Processes, threads and tokens always have an explicit IL
- Objects have an implicit level of Medium
- Most objects are Medium IL
  - Objects created by Medium+ processes get Medium IL
  - Objects created by Low IL processes get Low IL
- The built-in Icacls utility and Sysinternals AccessChk show object integrity levels

47 The integrity check is implemented in the AccessCheck() API
- The integrity check happens before the discretionary access check
- A thread can only open an object for write access if its token IL is equal to or higher than that of the object
  - For example, a Low IL process cannot open a Medium object for write access, even if the DACL grants the user write access
- Threads can open any object for read access
  - The exception is process/thread objects, because the “no read up” flag is set in their label ACE: the thread IL must be equal to or higher than the process IL to open it
  - Prevents leakage of sensitive information (e.g. passwords) via memory reads

48 [Diagram: processes at High, Medium and Low IL on the left, objects at High, Medium and Low IL on the right, with Read and Write arrows illustrating the slide 47 rule: a Medium IL process and a Low IL process can read objects at any level, but each can write only to objects at its own level or below]

49 The Windows subsystem also honors integrity levels with UIPI
- A lower IL process cannot send window messages to a window of a higher IL app, based on a filter
- Certain read-type messages are allowed past the filter and can be sent to the higher IL window’s process
- A higher IL process can register additional messages that pass the filter (ChangeWindowMessageFilter)
- A lower IL process cannot install hooks
- Prevents “shatter” attacks
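As an added example (not from the presentation), a Python model of the mandatory integrity rules of slides 46, 47 and 49: the “no write up” check that runs before the DACL, the “no read up” exception for process and thread objects, and the UIPI message filter. The IL values are the RIDs Windows uses for the mandatory levels; the default pass-list of read-type messages is a constructed stand-in, not the real filter table.

```python
from enum import IntEnum


class IL(IntEnum):
    """Mandatory integrity levels, as the SID RIDs Windows assigns to them."""
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


READ, WRITE = "read", "write"


def access_check(token_il, obj, desired, dacl_grants):
    """Slide 47: the integrity check runs before the discretionary (DACL) check.

    obj is a dict: 'il' (defaults to the implicit Medium of slide 46) and
    'is_process' (process/thread objects carry the 'no read up' label ACE).
    dacl_grants is what the discretionary check alone would return."""
    obj_il = obj.get("il", IL.MEDIUM)
    if desired == WRITE and token_il < obj_il:
        return False                      # no write up, whatever the DACL says
    if desired == READ and obj.get("is_process") and token_il < obj_il:
        return False                      # no read up, only for process/thread objects
    return dacl_grants                    # integrity allows it; the DACL decides


# Constructed stand-in for the read-type messages UIPI lets through by default.
UIPI_DEFAULT_PASS = frozenset({"WM_NULL", "WM_GETTEXT", "WM_GETTEXTLENGTH"})


def uipi_allows(sender_il, receiver_il, msg, receiver_filter=frozenset()):
    """Slide 49: a lower IL process can only send filtered messages upward.
    receiver_filter holds messages the higher IL process opened up itself
    (the effect of ChangeWindowMessageFilter on a real system)."""
    if sender_il >= receiver_il:
        return True
    return msg in UIPI_DEFAULT_PASS or msg in receiver_filter


def hook_allowed(hooker_il, target_il):
    """Slide 49: a lower IL process cannot install hooks into a higher IL one."""
    return hooker_il >= target_il
```

The Low-writes-Medium case is the one slide 47 calls out: the DACL may grant the user write access and the open still fails, which is why Protected-Mode IE runs at Low.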

50 Elevations are not a security boundary
- There is no guarantee that malware can’t hijack the elevation process or compromise an elevated application
- Potential elevation techniques include:
  - Side-by-side code injection or replacement of private DLLs
  - Squatting on or compromising Base Named Objects (e.g. shared memory, synchronization objects, etc.)
  - Running something other than what you specified
- In AAM, elevated processes share state with the standard user environment, e.g. HKCU, environment variables
- In AAM, malware can drive input
Switch to a dedicated administrator account for securely running as administrator

51 How does UAC affect COM? How do you deal with elevation from COM?
- Admin tasks can be factored out into separate COM objects
  - Allows a user to run the majority of the application without elevation
- Both the client and server must be configured for elevation
  - The client uses the Elevation Moniker
  - The COM class needs to annotate its registry entry

52 COM and elevation caveats
- Elevation does not flow from a client to a remote COM server
- If an elevated COM class uses impersonation during a COM call, it might lose its elevated privileges during the impersonation
- If an elevated COM server registers a class in the Running Object Table (ROT), the class will not be available to non-elevated clients
- A process running with an Integrity Level (IL) above Medium will not load per-user classes during COM activations
  - The application’s COM classes must be installed in HKLM if the application is used by both non-privileged and privileged accounts
  - The application’s COM classes need only be installed in HKU if the application is never used by privileged accounts
- Drag and drop is not allowed from non-elevated to elevated applications

53 UAC can be turned off through security policy (and UI)
Note: this also turns off Protected-Mode IE

54 A better approach: fine-tuned control of UAC through policy

55 Agenda (repeated; section: UAC’s Impact on Malware)

56 Malware developers are ISVs too
- They will code for standard user
- Malware will thrive in a standard user environment: it can still read all the user’s data, hide from the user with user-mode rootkits, and control what applications (e.g. anti-malware) the user can access
- Malware will develop elevation techniques
- Malware will spoof the OTS credential prompt

57 UAC’s fundamental contribution is making it possible in most cases to run as standard user
- Protects the system
- Protects other users on the system
Elevations are a convenience and not a security boundary
- Prevents malware from automatically obtaining administrative rights
- Gives antimalware a chance to mitigate
- Switching to a dedicated administrator account is more secure

58 Reading material
- Ch. 2, Writing Secure Code for Windows Vista, Howard and LeBlanc, MS Press 2007
- Ch. 4, Windows Vista Security, Grimes and Johansson, Wiley 2007
- COM Elevation Moniker: http://msdn2.microsoft.com/en-us/library/ms679687.aspx
Tools used in this presentation
- ZoomIt (Sysinternals): http://www.microsoft.com/technet/sysinternals/Miscellaneous/ZoomIt.mspx
- Strings (Sysinternals): http://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx
- AccessChk (Sysinternals): http://www.microsoft.com/technet/sysinternals/Security/AccessChk.mspx

59

60

61 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

