Event slides will be posted at:
http://www.microsoft.com/uk/msdnevents
User Account Control in Windows Vista
Daniel Moth, Developer & Platform Group, Microsoft
[email protected]
http://www.danielmoth.com/Blog
AGENDA
Why, What, How
Manifests
Process Elevation
Virtualisation
Compatibility Issues
UAC Goals
The Vista goal: enable users to run with standard user rights
Prevents deliberate (and accidental) modification of system settings
Reduces malware impact by preventing modification of security settings and hardware
Prevents compromise of sensitive information on shared computers
UAC Challenges
The Windows usage model has been one of administrative rights
Applications use them without knowing it
Those that need them don't distinguish administrative from standard user actions
Users want administrative rights to easily perform operations that require them
Software installations
Changing the time zone
Changing firewall settings
Etc.
Administrative Rights
Problem: there are still operations that require administrative rights:
Installing applications
Modifying system-global settings
Parental controls
Solution: make it convenient to access administrative rights from standard user accounts
Identify operations that require administrative rights
Allow for "run as" functionality
Called Over The Shoulder (OTS) elevation
DEMO
What UAC looks like to the end user
OTS Dialogs
UAC Internals (1): Windows Vista Logon with UAC Enabled
1. An administrator enters credentials in the WinLogon UI.
2. The Local Security Authority (LSA) verifies the credentials and builds the full Administrator token.
3. The token is inspected for "elevated" privileges.
4. Elevated privileges are removed, producing the "filtered" token.
5. Explorer.exe is created with the filtered token (on Windows XP it was created with the full administrator token).
UAC Internals (2): Defining Elevated Privileges
User will have a filtered token if they belong to any admin-type group e.g.:
Administrators
Controllers
Backup Operators
User will have a filtered token if they have any of these privileges:
Create Token, Debug, TCB, Take Ownership, Backup, Restore, Impersonate, Load Driver, Relabel
UAC Internals (3): Administrator's Standard User Identity
Administrator's standard user token is a subset of their full administrator token
Administrator groups are marked as "deny only" groups
Applies to Domain Administrators, Builtin\Administrators and others
Can only be used to deny access, never to grant
E.g. if a file only allows administrator access, the user is denied access
E.g. if it allows a user's group access but denies administrators, the user is denied access
All privileges except the following are stripped: Change Notify, Shutdown, Undock, Reserve Processor, Time Zone
When authenticating to remote resources:
If the system is non-domain joined, the user authenticates as a standard user
If domain-joined and an administrator of the remote resource, the user authenticates as an administrator
Standard User-Friendly Windows
In Vista, many previously-admin operations are accessible by standard users:
View system clock and calendar
Change time zone
Configure Wired Equivalent Privacy (WEP) to connect to secure wireless networks
Change power management settings
Add printers and other devices that have the required drivers installed on computer or have been allowed by an IT administrator in Group Policy
Install ActiveX Controls from sites approved by an administrator
Create and configure a Virtual Private Network connection
Install critical Windows Updates
Standard User-Friendly Your Application
Test your application when running as Standard User!!
Saving Per-User State as Standard User
%userprofile%, HKCU
Saving Per-Machine State as Standard User
%allusersprofile%
Embed a manifest with requestedExecutionLevel level="asInvoker"
Privileges in Manifests
Manifest files were introduced in Windows XP to support side-by-side DLLs
Used to opt into XP's Common Controls v6 (themed dialogs)
.NET uses it for managed code "assemblies"
Embedded in the resources of the binary file
New element in Vista: requestedExecutionLevel (under trustInfo/security/requestedPrivileges)
asInvoker: run with the user's rights, never prompts
highestAvailable: if a standard user, don't ask; if the user is an administrator, ask
requireAdministrator: always ask (a standard user is prompted for administrator credentials, OTS style)
Embedding Manifest in VS
Create Manifest in source directory
Add following lines to .rc file for project
#define MANIFEST_RESOURCE_ID 1
MANIFEST_RESOURCE_ID RT_MANIFEST "AdminApp.exe.manifest"
Add additional manifest in project properties
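The three manifest steps above, put together in one build-script form, as an added PowerShell example that is not part of the original deck. It writes a manifest with a requestedExecutionLevel, embeds it as RT_MANIFEST resource ID 1 with the Windows SDK manifest tool (the same thing the .rc lines above do at build time), and reads it back so the build can verify which level actually shipped. It assumes mt.exe from the Windows SDK is on the PATH and a native EXE named AdminApp.exe in the current directory; the function names are my own.

```powershell
# Added example, not from the slides. Assumes mt.exe (Windows SDK) on PATH and a
# native AdminApp.exe in the current directory; function names are my own.

function New-UacManifest {
    param(
        [string]$Path,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string]$Level = 'asInvoker'
    )
    # uiAccess="true" is only honoured for signed binaries installed in a secure
    # location such as %ProgramFiles%, so it stays false here.
    $xml = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="AdminApp" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    # WriteAllText writes UTF-8 without a BOM, matching the declared encoding.
    [IO.File]::WriteAllText((Join-Path $PWD.Path $Path), $xml)
}

function Add-Manifest {
    param([string]$ExePath, [string]$ManifestPath)
    # Embed as resource type RT_MANIFEST, ID 1 (";#1"): exactly what the .rc lines do.
    mt.exe -nologo -manifest $ManifestPath "-outputresource:$ExePath;#1"
    if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }
}

function Get-RequestedExecutionLevel {
    param([string]$ExePath)
    # Pull RT_MANIFEST #1 back out of the binary and read the level the loader will see.
    $tmp = [IO.Path]::GetTempFileName()
    mt.exe -nologo "-inputresource:$ExePath;#1" "-out:$tmp" 2>$null
    if ($LASTEXITCODE -ne 0) {
        Remove-Item $tmp -ErrorAction SilentlyContinue
        return 'no embedded manifest (a 32-bit non-elevated process will be virtualized)'
    }
    $doc = [xml](Get-Content $tmp)
    Remove-Item $tmp
    # PowerShell's XML adapter ignores namespaces, so asm.v2 and asm.v3 trustInfo both work.
    $rel = $doc.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel
    if ($rel) { return "level=$($rel.level) uiAccess=$($rel.uiAccess)" }
    return 'manifest present but no requestedExecutionLevel (treated as asInvoker, still virtualized)'
}

New-UacManifest -Path 'AdminApp.exe.manifest' -Level requireAdministrator
Add-Manifest -ExePath 'AdminApp.exe' -ManifestPath 'AdminApp.exe.manifest'
Get-RequestedExecutionLevel -ExePath 'AdminApp.exe'
```

Run Get-RequestedExecutionLevel against every EXE you ship: an unmanifested 32-bit binary is the case that gets virtualized silently, and a manifest that was written but never embedded looks identical from the outside.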
DEMO
Manifests
Process Creation in Vista with UAC Enabled
CreateProcess* checks the following sources for privilege information about the process
1. Embedded Application Manifest
2. Side-by-Side External Manifest
3. App Compatibility Database
4. Installer Detection
If the process requires elevated privileges and the parent process token does not possess them, CreateProcess fails with ERROR_ELEVATION_REQUIRED.
UAC Prompt Internals (lanes: Standard User, Local System, Administrator)
1. Explorer.exe (Standard User) calls ShellExecute on Admin.exe; the underlying CreateProcess(Admin.exe) fails with ERROR_ELEVATION_REQUIRED.
2. ShellExecute makes an RPC call to the AppInfo Service (Local System), which launches Consent.exe to show the prompt.
3. On approval, AppInfo calls CreateProcessAsUser(Admin.exe) with the full Administrator token; the new process is re-parented so it appears as a child of Explorer.exe.
DEMO
Launching Elevated
Shield
Extract admin pieces as other manifested processes
Re-launch ourselves elevated
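The filtered token described under UAC Internals (deny-only Administrators group, IsInRole false until elevated) and the two launch paths above (CreateProcess failing with ERROR_ELEVATION_REQUIRED, ShellExecute going through AppInfo and consent.exe), as an added PowerShell example that is not part of the original deck. It implements the "re-launch ourselves elevated" pattern for a script. It assumes PowerShell 2.0 or later, the inbox whoami.exe, and that the code is saved as a .ps1 file so it has a path to relaunch; the function names are my own.

```powershell
# Added example, not from the slides. Inspects the caller's token and, when it is a
# filtered administrator token, relaunches this script through ShellExecute's
# "runas" verb (AppInfo -> consent.exe -> CreateProcessAsUser with the full token).
# Assumes PowerShell 2.0+, whoami.exe, and that this file is run as a .ps1 script.

function Get-TokenState {
    # whoami /groups lists every group SID with its attributes. Under a filtered
    # token Builtin\Administrators (S-1-5-32-544) carries "Group used for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }   # integrity level row

    # WindowsIdentity.Groups drops deny-only SIDs, so IsInRole is true only for the full token.
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $integrity = 'unknown'
    if ($label) { $integrity = $label.'Group Name' }   # e.g. Mandatory Label\High Mandatory Level

    New-Object PSObject -Property @{
        InAdministratorsGroup  = ($admin -ne $null)
        AdministratorsDenyOnly = ($admin -ne $null) -and ($admin.Attributes -match 'deny only')
        Elevated               = $elevated
        IntegrityLevel         = $integrity
    }
}

function Test-ElevationRequired {
    param([string]$ExePath)
    # CreateProcess (UseShellExecute = $false) never prompts: launching an EXE whose
    # manifest says requireAdministrator from a non-elevated token fails with
    # ERROR_ELEVATION_REQUIRED (740). If no elevation is needed the EXE starts and is killed.
    $psi = New-Object Diagnostics.ProcessStartInfo($ExePath)
    $psi.UseShellExecute = $false
    try {
        $p = [Diagnostics.Process]::Start($psi)
        if ($p) { $p.Kill() }
        return $false
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        return ($e -is [ComponentModel.Win32Exception]) -and ($e.NativeErrorCode -eq 740)
    }
}

function Start-Elevated {
    param([string]$ScriptPath)
    # -Verb RunAs is the ShellExecute "runas" verb: the shell calls AppInfo over RPC,
    # consent.exe shows the OTS/consent dialog, and on approval AppInfo creates the
    # process with the full administrator token, re-parented under the caller.
    try {
        Start-Process -FilePath 'powershell.exe' -Verb RunAs `
            -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$ScriptPath`""
    } catch {
        # The user pressed Cancel in the consent dialog (ERROR_CANCELLED, 1223).
        Write-Warning "Elevation was refused: $($_.Exception.Message)"
    }
}

$state = Get-TokenState
$state | Format-List InAdministratorsGroup, AdministratorsDenyOnly, Elevated, IntegrityLevel

if ($state.AdministratorsDenyOnly -and -not $state.Elevated -and $MyInvocation.MyCommand.Path) {
    # Administrator running as a standard user: ask for the full token once, OTS style.
    Start-Elevated -ScriptPath $MyInvocation.MyCommand.Path
}
```

The design point is that the decision to elevate is made from the token, not from group membership: an administrator's filtered token still lists Administrators, but only as deny-only, which is why IsInRole and the deny-only attribute are checked separately.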
COM Elevation
Accomplished using the elevation moniker
Object class must contain elevation attributes
Example: File Operation elevation
HKCR\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\Elevation
REG_DWORD Enabled=1
HKCR\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}
REG_EXPAND_SZ LocalizedString="@%SystemRoot%\system32\shell32.dll,-50176"
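The registration above, generalised into an audit, as an added PowerShell example that is not part of the original deck: it enumerates every CLSID that has Elevation\Enabled=1, resolves the LocalizedString (the name consent.exe displays) through SHLoadIndirectString, and reports which server binary will run elevated. Every class it lists is code that can be instantiated with the full administrator token through the elevation moniker, so the list is worth reviewing on any image. It assumes PowerShell 2.0 or later (for Add-Type); the function names are my own.

```powershell
# Added example, not from the slides. Enumerates COM classes registered for the
# elevation moniker and resolves the string consent.exe will display.
# Assumes PowerShell 2.0+ (Add-Type); function names are my own.

# SHLoadIndirectString resolves "@dll,-resid" strings such as the LocalizedString above.
$shlwapi = Add-Type -Namespace Win32 -Name Shlwapi -PassThru -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode)]
public static extern int SHLoadIndirectString(string pszSource,
    System.Text.StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);
'@

function Resolve-IndirectString {
    param([string]$Source)
    if (-not $Source) { return '' }
    if (-not $Source.StartsWith('@')) { return $Source }   # plain text, nothing to resolve
    $buf = New-Object Text.StringBuilder 1024
    $hr = $shlwapi::SHLoadIndirectString($Source, $buf, $buf.Capacity, [IntPtr]::Zero)
    if ($hr -eq 0) { return $buf.ToString() }
    return $Source   # leave unresolved if the DLL or resource ID is missing
}

function Get-ElevatableComClass {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $elev = Get-ItemProperty -Path (Join-Path $_.PSPath 'Elevation') -ErrorAction SilentlyContinue
        # Enabled=1 under \Elevation is the opt-in; everything else is ordinary COM.
        if ($elev -and $elev.Enabled -eq 1) {
            $clsid  = $_.PSChildName
            $props  = Get-ItemProperty -Path $_.PSPath
            $server = ''
            foreach ($sub in 'LocalServer32', 'InprocServer32') {
                $s = Get-ItemProperty -Path (Join-Path $_.PSPath $sub) -ErrorAction SilentlyContinue
                if ($s -and -not $server) { $server = $s.'(default)' }
            }
            New-Object PSObject -Property @{
                CLSID       = $clsid
                DisplayName = Resolve-IndirectString $props.LocalizedString
                Server      = $server
                # The moniker string a client passes to CoGetObject for an elevated instance
                Moniker     = "Elevation:Administrator!new:$clsid"
            }
        }
      }
}

$classes = Get-ElevatableComClass
$classes | Sort-Object DisplayName | Format-Table CLSID, DisplayName, Server -AutoSize
# The file-operation class from the slide should be among them:
$classes | Where-Object { $_.CLSID -eq '{3ad05575-8857-4850-9277-11b85bdb8e09}' }
```

Resolving the LocalizedString matters because that text, not the binary name, is what the user sees in the consent dialog; a vendor class that registers Enabled=1 without a LocalizedString will prompt with a far less informative dialog.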
DEMO
Shell “access denied” to file
Common AppCompat Issue: File and Registry Permissions
Many applications would run fine as standard user
…but they needlessly store data in HKLM\Software or %ProgramFiles%
They use these locations for per-user data, not global data
These locations are system-global and so only writeable by administrators
It has always worked because Windows users have always been administrators
DEMO
Virtualisation
Modifications of most system-global locations go to per-user areas
Reads generally go to the per-user location and fall back to the global location
File Virtualisation
Redirected file system locations:
%ProgramFiles% (\Program Files)
%SystemRoot% (\Windows)
%SystemRoot%\System32 (\Windows\System32)
%AllUsersProfile% (\ProgramData, what was \Documents and Settings\All Users)
Exceptions:
Files that have executable extensions (.exe, .bat, .vbs, .scr, etc.)
Exceptions can be added in HKLM\System\CurrentControlSet\Services\Luafv\Parameters\ExcludedExtensionsAdd
Per-user virtual root: %UserProfile%\AppData\Local\VirtualStore
Registry Virtualisation
Redirected locations: HKLM\Software
Exceptions:
HKLM\Software\Microsoft\Windows
HKLM\Software\Microsoft\Windows NT
Other subkeys under Microsoft
Per-user virtual root: HKEY_CURRENT_USER\Software\Classes\VirtualStore
Virtualized Processes
Processes are virtualized unless:
They are running with administrative rights
They are 64-bit
They have a requestedExecutionLevel in their executable manifest (as most Windows Vista executables do)
Can be turned off globally via a local security policy setting (secpol.msc)
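The file and registry redirection rules above, the exception lists and the policy switch, turned into a diagnostic you can run while chasing an "it worked as admin" bug, as an added PowerShell example that is not part of the original deck. It maps a path a 32-bit unmanifested process thought it wrote to the VirtualStore location it actually wrote, checks the executable-extension exclusion including ExcludedExtensionsAdd, lists what the VirtualStore has captured for the current user, and reads the UAC policy values behind secpol.msc. It assumes Vista or later with the Luafv driver and reg.exe present; the function names are my own.

```powershell
# Added example, not from the slides. Shows where virtualization redirected a
# process's writes, the extension and key exclusions, and the UAC policy values
# behind secpol.msc. Assumes Vista+ with Luafv and reg.exe; function names are my own.

function Get-VirtualizedPath {
    param([string]$Path)
    # A 32-bit, unmanifested, non-elevated process writing C:\Program Files\App\app.ini
    # really wrote %LOCALAPPDATA%\VirtualStore\Program Files\App\app.ini (drive dropped).
    $root = [IO.Path]::GetPathRoot($Path)   # C:\
    Join-Path (Join-Path $env:LOCALAPPDATA 'VirtualStore') $Path.Substring($root.Length)
}

function Get-VirtualizedRegistryPath {
    param([string]$KeyPath)   # e.g. HKLM\Software\Vendor\App
    # HKLM\Software\... redirects to HKCU\Software\Classes\VirtualStore\MACHINE\Software\...
    $rel = $KeyPath -replace '^HKLM\\', 'MACHINE\'
    "HKCU\Software\Classes\VirtualStore\$rel"
}

function Test-VirtualizationExcluded {
    param([string]$Path)
    # Executable extensions are never virtualized; more can be added (REG_MULTI_SZ) under
    # HKLM\System\CurrentControlSet\Services\Luafv\Parameters\ExcludedExtensionsAdd.
    $builtin = '.exe', '.bat', '.vbs', '.scr'   # the deck's list; the driver's own list is longer
    $extra = (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\Luafv\Parameters' -ErrorAction SilentlyContinue).ExcludedExtensionsAdd
    $ext = [IO.Path]::GetExtension($Path).ToLower()
    if ($builtin -contains $ext) { return $true }
    foreach ($e in @($extra)) {
        if ($e -and ('.' + $e.TrimStart('.').ToLower()) -eq $ext) { return $true }
    }
    return $false
}

function Get-VirtualStoreContents {
    # Everything virtualization has captured for this user so far
    $files = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $files) {
        Get-ChildItem $files -Recurse -Force | Where-Object { -not $_.PSIsContainer } | Select-Object -ExpandProperty FullName
    }
    $keys = 'HKCU:\Software\Classes\VirtualStore'
    if (Test-Path $keys) { Get-ChildItem $keys -Recurse | Select-Object -ExpandProperty Name }
}

function Get-UacPolicy {
    # The registry values behind secpol.msc > Security Options > "User Account Control: ..."
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Get-ItemProperty $p | Select-Object EnableLUA, EnableVirtualization, EnableInstallerDetection,
        ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop
}

Get-VirtualizedPath 'C:\Program Files\Vendor\App\settings.ini'
Get-VirtualizedRegistryPath 'HKLM\Software\Vendor\App'
Test-VirtualizationExcluded 'C:\Program Files\Vendor\App\helper.vbs'
Get-VirtualStoreContents
Get-UacPolicy
# Keys in the exception list carry the DONT_VIRTUALIZE flag; inspect any key with reg.exe:
reg.exe flags HKLM\Software\Microsoft\Windows query
```

A non-empty VirtualStore is the quickest evidence that an application is still writing per-user state to a machine-global location; fix the application (or its manifest) rather than relying on the redirect, since EnableVirtualization=0 or a 64-bit build turns the silent success back into an access-denied error.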
DEMO
UAC: Local Security Policies
Installation AppCompat Issues
Don't Perform Administrator Operations on First Run
Configure all machine-wide state during install
Updating Application Binaries Usually Requires Administrator Privileges
Application binaries in %ProgramFiles% cannot be overwritten by a Standard User.
MSI updating technology (MSPs) does an elevated update based on the signature of the patch
Use a Bootstrapper to Launch the Application As Part of Install
Summary
Understand UAC: Filtered Token, Elevation, Process creation, Prompts, Shields, Manifests, Virtualisation
Act Now: Test your applications as a Standard User
Use the Standard User Analyzer to help
Embed a manifest in your EXEs
Fix your installation programs (use MSI)
UAC Resources
User Account Control Resources for IT Professionals (TechNet Landing Page): http://www.microsoft.com/technet/windowsvista/security/uac.mspx
Windows Vista Application Development Requirements for UAC Compatibility: http://download.microsoft.com/download/5/6/a/56a0ed11-e073-42f9-932b-38acd478f46d/WindowsVistaUACDevReqs.doc
UAC Team blog: http://blogs.msdn.com/uac
COM Elevation Moniker: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/1595ebb8-65af-4609-b3e7-a21209e64391.asp
Windows Vista UX Guidelines for UAC: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/UxGuide/UXGuide/Environment/UAC/UAC.asp
MSI Patching Technology: http://msdn2.microsoft.com/en-us/library/aa372388.aspx
Service Security: http://www.microsoft.com/whdc/system/vista/Vista_Services.mspx
Get the latest technology previews, trial software, special offers
Get information tailored to your needs
Pick your RSS feeds
Sign up for MSDN Connection at:
http://www.msdn.co.uk
Additional Information
UK MSDN Events Post events page including slide decks
http://www.microsoft.com/uk/msdnevents
Upcoming events: http://www.microsoft.com/uk/msdn/events/upcoming.aspx
UK MSDN Site & Flash Newsletter: Local news, events, nuggets & webcasts
http://www.microsoft.com/uk/msdn
Register to receive the bi-weekly MSDN Flash by email
http://www.microsoft.com/uk/msdn/flash.aspx
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.