Presentation is loading. Please wait.

Presentation is loading. Please wait.

User Account Control Requirements. Agenda Introducing UAC The shield icon UAC manifests Least User Access (LUA) predictor tool Partitioning an application.

Published byStella Carson Modified over 9 years ago

Similar presentations

Presentation on theme: "User Account Control Requirements. Agenda Introducing UAC The shield icon UAC manifests Least User Access (LUA) predictor tool Partitioning an application."— Presentation transcript:

1 User Account Control Requirements

2 Agenda Introducing UAC The shield icon UAC manifests Least User Access (LUA) predictor tool Partitioning an application UAC test cases

3 Introducing UAC Silent installation of malicious software Compromised machine = lost productivity Some line of business (LOB) applications require elevated privileges Common configuration tasks require elevated privileges Reduced total cost of ownership (TOC) with standard user desktop UAC facilitates use of standard user

4

5 UAC Features By default, applications run as standard user Reduction of attack surface No need for dual accounts for administrative users Process separation Seamless transition –Eliminate unnecessary elevation –Be predictable –Require minimal effort –Revert to least privileges

6

7 UAC Architecture Standard User Rights Administrator Rights Administrator logon “Standard User” Token Administrator Token User Process Change Time ZoneChange Time Zone Run IT-Approved ApplicationsRun IT-Approved Applications Install FontsInstall Fonts Install PrintersInstall Printers Run MSN MessengerRun MSN Messenger Admin Process Install Application Admin Process Configure IIS Admin Process Change Time Standard User Mode Split Token Administrator Privileges Administrator Privilege Standard User Privilege Administrator Privilege Abby Token

8

9 Agenda Introducing UAC The shield icon UAC manifests LUA predictor tool Partitioning an application UAC test cases

10 The Shield Icon Make applications run without elevation –Ensure standard users can be fully productive –After installation administrative intervention NOT required Clearly identify administrative tasks –Consistently use shield icon –Allow users to predict elevation requirement –Displayed if UAC disabled –Only one state –Does not retain state

11 UAC in Action

12 Agenda Introducing UAC The shield icon UAC manifests LUA predictor tool Partitioning an application UAC test cases

13 UAC Manifest Allows operating system to identify application context Embeds in application manifest Legacy code still runs –Nonmanifested code can run with administrator privileges An extension to existing manifest schema

14 Manifest Requirement To meet the UAC requirement, every executable (with an.exe extension) included with an application must have an embedded manifest. <requestedExecutionLevel level="asInvoker| highestAvailable| requireAdministrator" />

15 Creating an Embedded Manifest with Visual Studio 7 Automatically embed manifest in PE Create manifest in text editor Same name as target.exe With.manifest extension Set requestedExecutionLevel

16

17 Building Manifests Within C/C++ Code Attach manifest to executable –Add to resource file –Put manifest in source code directory –Rebuild application

18 Building Manifests for Applications Built on the.NET Framework Post-build step MT tool Add contents of manifest file into PE

19 Embedding Manifests with Command-Line Compilation Include manifest in PE image from command line Command-line switches –/win32res (VB/C#/J#) C# –Post-build step –Call mt.exe –Point to manifest file

20 Creating and Embedding UAC Manifests

21 Agenda Introducing UAC The shield icon UAC manifests LUA predictor tool Partitioning an application UAC test cases

22 Using the LUA Privilege Predictor Tool Run application as nonadministrator Bug-fixing labor-intensive Least User Access (LUA) Predict privilege problems Diagnose privilege problems

23 Agenda Introducing UAC The shield icon UAC manifests LUA predictor tool Partitioning an application UAC test cases

24 Separation of Administrator Code Elevated privileges for certain tasks Launch separate process ShellExecute or Create an administrator COM object to perform elevated task –Use the COM elevation moniker

25 Agenda Introducing UAC The shield icon UAC manifests LUA predictor tool Partitioning an application UAC test cases

26 UAC Test Cases Verify that all of the application’s executables contain an embedded manifest that define its execution level Verify that least-privilege users cannot modify other users’ documents or files Verify that least-privilege user is not able to save files to the Windows System directory

27 Summary Introducing UAC The shield icon UAC manifests LUA predictor tool Partitioning an application UAC test cases

28 Professional Developers Conference 2005: http://commnet.microsoftpdc.com /content/downloads.aspx (search for FUN406) http://commnet.microsoftpdc.com /content/downloads.aspx Windows Vista security: http://msdn.microsoft.com/windowsvista /security/ http://msdn.microsoft.com/windowsvista /security/ Getting Started with User Account Control on Windows Vista Beta 1: http://www.microsoft.com/technet /windowsvista/evaluate/feat/uaprot.mspx http://www.microsoft.com/technet /windowsvista/evaluate/feat/uaprot.mspx Developer Best Practices and Guidelines for Applications in a Least Privileged Environment: http://msdn.microsoft.com/library /default.asp?url=/library /en-us/dnlong/html/AccProtVista.asp http://msdn.microsoft.com/library /default.asp?url=/library /en-us/dnlong/html/AccProtVista.asp UACBlog: http://blogs.msdn.com/uac Additional Resources

Download ppt "User Account Control Requirements. Agenda Introducing UAC The shield icon UAC manifests Least User Access (LUA) predictor tool Partitioning an application."

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
Where Developers Matter Vista Enable Your Applications Fredrik Haglund, Regional Developer Evangelist

Where Developers Matter Vista Enable Your Applications Fredrik Haglund, Regional Developer Evangelist
Chapter 7 – Managing Windows XP. Control Panel The main tool for configuring your system. Most of the tools to configure the system come with the normal.

Chapter 7 – Managing Windows XP. Control Panel The main tool for configuring your system. Most of the tools to configure the system come with the normal.
Microsoft Dynamics® SL

Microsoft Dynamics® SL
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Windows Vista Security model and vulnerabilities.

Windows Vista Security model and vulnerabilities.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Installation Requirements. Agenda Installation requirements Installation options Installing to correct folder locations Installing Windows resources Creating.

Installation Requirements. Agenda Installation requirements Installation options Installing to correct folder locations Installing Windows resources Creating.
Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Blog:

Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Blog:
2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.

2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.
Ch 11 Managing System Reliability and Availability 1.

Ch 11 Managing System Reliability and Availability 1.
Working with Workgroups and Domains

Working with Workgroups and Domains
© Copyright 2009 Microsoft Corporation. Alle Rechte vorbehalten. MSDN Webcasts:

© Copyright 2009 Microsoft Corporation. Alle Rechte vorbehalten. MSDN Webcasts:

Similar presentations

Ads by Google