event slides will be posted at:

Event slides will be posted at: http://www.microsoft.com/uk/msdnevents

Upload: sharon-buckingham

Post on 01-Apr-2015


TRANSCRIPT

Page 1: Event slides will be posted at:

Event slides will be posted at:

http://www.microsoft.com/uk/msdnevents

Page 2: Event slides will be posted at:

User Account Control in Windows Vista

Daniel Moth
Developer & Platform Group
Microsoft
http://www.danielmoth.com/Blog

Page 3: Event slides will be posted at:

AGENDA

Why, What, How

Manifests

Process Elevation

Virtualisation

Compatibility Issues

Page 4: Event slides will be posted at:

UAC Goals

The Vista goal: enable users to run with standard user rights

Prevents deliberate (and accidental) modification of system settings
Reduces malware impact by preventing modification of security settings and hardware
Prevents compromise of sensitive information on shared computers

Page 5: Event slides will be posted at:

UAC Challenges

The Windows usage model has been one of administrative rights

Applications use them without knowing it
Those that need it don’t distinguish administrative from standard user actions

Users want administrative rights to easily perform operations that require them

Software installations
Changing the time zone
Changing firewall settings
Etc.

Page 6: Event slides will be posted at:

Administrative Rights

Problem: there are still operations that require administrative rights:

Installing applications
Modifying system-global settings
Parental controls

Solution: make it convenient to access administrative rights from standard user accounts

Identify operations that require administrative rights
Allow for “run as” functionality

Called Over The Shoulder (OTS) elevation

Page 7: Event slides will be posted at:

DEMO

What UAC looks like to the end user

Page 8: Event slides will be posted at:

OTS Dialogs

Page 9: Event slides will be posted at:

User Account Control Internals

Windows Vista Logon with UAC Enabled

[Diagram: logon flow]

An administrator enters credentials in WinLogon UI
Local Security Authority (LSA) verifies credentials
1. Token inspected for “elevated” privileges
2. Elevated privileges removed
Explorer.exe created

Diagram labels: Administrator Token, “Filtered” token, Windows XP

Page 10: Event slides will be posted at:

UAC Internals²

Defining Elevated Privileges

User will have a filtered token if they belong to any admin-type group e.g.:

Administrators
Controllers
Backup Operators

User will have a filtered token if they have any of these privileges:

Create Token, Debug, TCB, Take Ownership, Backup, Restore, Impersonate, Load Driver, Relabel

Page 11: Event slides will be posted at:

UAC Internals³

Administrator’s Standard User Identity

Administrator’s standard user token is a subset of their full administrator token

Administrator groups are marked as “deny only” groups

Applies to Domain Administrators, Builtin\Administrators and others
Can only be used to deny access, never to grant
E.g. if a file only allows administrator access, user is denied access
E.g. if a file allows a user’s group access, but denies administrators, user is denied access

All privileges except the following are stripped:
Change Notify, Shutdown, Undock, Reserve Processor, Time Zone

When authenticating to remote resources:
If system is non-domain joined, user authenticates as standard user
If domain-joined and an administrator of the remote resource, user authenticates as administrator

Page 12: Event slides will be posted at:

Standard User-Friendly Windows

In Vista, many previously-admin operations are accessible by standard users:

View system clock and calendar

Change time zone

Configure Wired Equivalent Privacy (WEP) to connect to secure wireless networks

Change power management settings

Add printers and other devices that have the required drivers installed on computer or have been allowed by an IT administrator in Group Policy

Install ActiveX Controls from sites approved by an administrator

Create and configure a Virtual Private Network connection

Install critical Windows Updates

Page 13: Event slides will be posted at:

Standard User-Friendly Your Application

Test your application when running as Standard User!!

Saving Per-User State as Standard User

%userprofile%
HKCU

Saving Per-Machine State as Standard User

%allusersprofile%

Embed Manifest with run level = “asInvoker”

Page 14: Event slides will be posted at:

Privileges in Manifests

Manifest files were introduced in Windows XP to support side-by-side DLLs

Used for XP’s Common Control v6 dialog
.NET uses it for managed code “assemblies”
Embedded in resources of binary file

New key in Vista: requestedExecutionLevel

asInvoker: Run with the user’s rights
highestAvailable: if standard user then don’t ask, but if user is an administrator, then ask
requireAdministrator: always ask
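
The run levels above can be read back out of a manifest when auditing binaries. This Python example is added here and is not code from the presentation; the sample manifest is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest, not taken from the slides.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

RUN_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}


def requested_level(manifest_xml):
    """Return the declared run level, or None if the manifest declares none."""
    if isinstance(manifest_xml, str):
        manifest_xml = manifest_xml.encode("utf-8")
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # Match on the local name so asm.v2 and asm.v3 namespaces both work.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = elem.get("level")
            if level not in RUN_LEVELS:
                raise ValueError("unknown run level: %r" % (level,))
            return level
    return None


def launch_behaviour(manifest_xml, user_is_admin):
    """Prompt and virtualisation outcome implied by the manifest alone.

    Hypothetical helper: it ignores the other sources CreateProcess consults
    (external manifest, app compatibility database, installer detection).
    """
    level = requested_level(manifest_xml)
    if level is None:
        # Legacy binary: no prompt from the manifest, and file/registry
        # virtualisation applies if it is 32-bit and not running elevated.
        return {"level": None, "prompts": False, "virtualised": True}
    prompts = level == "requireAdministrator" or (
        level == "highestAvailable" and user_is_admin)
    return {"level": level, "prompts": prompts, "virtualised": False}
```
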

Page 15: Event slides will be posted at:

Embedding Manifest in VS

Create Manifest in source directory

Add following lines to .rc file for project

#define MANIFEST_RESOURCE_ID 1

MANIFEST_RESOURCE_ID RT_MANIFEST "AdminApp.exe.manifest"

Add additional manifest in project properties

Page 16: Event slides will be posted at:

DEMO

Manifests

Page 17: Event slides will be posted at:

Process Creation in Vista with UAC Enabled

CreateProcess* checks the following sources for privilege information about the process

1. Embedded Application Manifest
2. Side-by-Side External Manifest
3. App Compatibility Database
4. Installer Detection

If the process requires elevated privileges and the parent process token does not possess these privileges, ERROR_ELEVATION_REQUIRED is returned.

Page 18: Event slides will be posted at:

UAC Prompt Internals

[Diagram; columns: Standard User, Local System, Administrator]

Explorer.exe
ShellExecute
CreateProcess(Admin.exe)
1. ERROR_ELEVATION_REQUIRED
2. RPC (AppInfo Service)
Consent.exe
CreateProcessAsUser(Admin.exe)
3. Re-parented
Admin.exe

Page 19: Event slides will be posted at:

DEMO

Launching Elevated
- Shield
- Extract admin pieces as other manifested processes
- Re-launch ourselves elevated

Page 20: Event slides will be posted at:

COM Elevation

COM Elevation
Accomplished using elevation moniker
Object class must contain elevation attributes

Example: File Operation elevation

HKCR\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\Elevation
REG_DWORD Enabled=1

HKCR\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}
REG_EXPAND_SZ LocalizedString=“@%SystemRoot%\system32\shell32.dll,-50176”

Page 21: Event slides will be posted at:

DEMO

Shell “access denied” to file

Page 22: Event slides will be posted at:

Common AppCompat Issue

File and Registry Permissions

Many applications would run fine as standard user

…but they needlessly store data in HKLM\Software or %ProgramFiles%

They use these locations for per-user data, not global data
These locations are system-global and so only writeable by administrators
It’s always worked because Windows users have always been administrators

Page 23: Event slides will be posted at:

DEMO

Virtualisation

Modifications of most system-global locations go to per-user areas

Reads generally go to the per-user location and fall back to the global location

Page 24: Event slides will be posted at:

File Virtualisation

Redirected file system locations:
%ProgramFiles% (\Program Files)
%SystemRoot% (\Windows)
%SystemRoot%\System32 (\Windows\System32)
%AllUsersProfile% (\ProgramData – what was \Documents and Settings\All Users)

Exceptions:
Files that have executable extensions (.exe, .bat, .vbs, .scr, etc)
Exceptions can be added in HKLM\System\CurrentControlSet\Services\Luafv\Parameters\ExcludedExtensionsAdd

Per-user virtual root:
%UserProfile%\AppData\Local\VirtualStore
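
The redirection rules on this slide, as an added Python example that is not part of the presentation: it computes where a virtualised write lands and maps a file found under a VirtualStore back to the global path it shadows, which helps when triaging legacy applications. The expanded root paths, the function names and the layout under the store (the original path minus its drive letter) are assumptions.

```python
import ntpath

# Redirected roots from the slide, expanded with constructed default values.
# %SystemRoot%\System32 is already covered by C:\Windows.
REDIRECTED_ROOTS = [r"C:\Program Files", r"C:\Windows", r"C:\ProgramData"]
# Extensions the slide names as never virtualised; its "etc" is not expanded.
EXCLUDED_EXTENSIONS = {".exe", ".bat", ".vbs", ".scr"}
STORE_SUFFIX = r"AppData\Local\VirtualStore"


def _under(path, root):
    """Case-insensitive containment test on normalised Windows paths."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(root))
    return path == root or path.startswith(root + "\\")


def virtual_store_path(target, user_profile):
    """Where a virtualised write to `target` lands, or None if not redirected."""
    target = ntpath.normpath(target)  # collapses ".." before the root check
    if ntpath.splitext(target)[1].lower() in EXCLUDED_EXTENSIONS:
        return None
    if not any(_under(target, root) for root in REDIRECTED_ROOTS):
        return None
    _drive, rest = ntpath.splitdrive(target)
    # Assumption: the store mirrors the path without its drive letter.
    return ntpath.join(user_profile, STORE_SUFFIX, rest.lstrip("\\"))


def shadowed_global_path(store_file, user_profile, system_drive="C:"):
    """Map a file under a user's VirtualStore to the global path it shadows."""
    store_root = ntpath.normpath(ntpath.join(user_profile, STORE_SUFFIX))
    store_file = ntpath.normpath(store_file)
    if not _under(store_file, store_root):
        return None
    relative = store_file[len(store_root):].lstrip("\\")
    return ntpath.join(system_drive + "\\", relative)
```
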

Page 25: Event slides will be posted at:

Registry Virtualization

Redirected locations:
HKLM\Software

Exceptions:
HKLM\Software\Microsoft\Windows
HKLM\Software\Microsoft\Windows NT
Other subkeys under Microsoft

Per-user virtual root:
HKEY_CURRENT_USER\Software\Classes\VirtualStore

Page 26: Event slides will be posted at:

Virtualized Processes

Processes are virtualized unless
They are running with administrative rights
They are 64-bit
They have a requestedExecutionLevel in their executable manifest
Most Windows Vista executables

Can be turned off globally via local security policy setting (secpol.msc)

Page 27: Event slides will be posted at:

DEMO

UAC: Local Security Policies

Page 28: Event slides will be posted at:

Installation AppCompat Issues

Don’t Perform Administrator Operations on First Run

Configure all machine-wide state during install

Updating Application Binaries Usually Requires Administrator Privileges

Application binaries in %ProgramFiles% cannot be overwritten by a Standard User.
MSI updating technology (MSPs) does elevated update based on the signature of the patch

Use Bootstrapper to Launch Application As Part of Install

Page 29: Event slides will be posted at:

Summary

Understand UAC
Filtered Token, Elevation, Process creation, Prompts, Shields, Manifests, Virtualisation

Act Now
Test your applications as a Standard User
Use the Standard User Analyzer to help
Embed a manifest in your EXEs
Fix your installation programs (use MSI)

Page 30: Event slides will be posted at:

UAC Resources

User Account Control Resources for IT Professionals (TechNet Landing Page)
http://www.microsoft.com/technet/windowsvista/security/uac.mspx

Windows Vista Application Development Requirements for UAC Compatibility
http://download.microsoft.com/download/5/6/a/56a0ed11-e073-42f9-932b-38acd478f46d/WindowsVistaUACDevReqs.doc

UAC Team blog
http://blogs.msdn.com/uac

COM Elevation Moniker
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/1595ebb8-65af-4609-b3e7-a21209e64391.asp

Windows Vista UX Guidelines for UAC
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/UxGuide/UXGuide/Environment/UAC/UAC.asp

MSI Patching Technology
http://msdn2.microsoft.com/en-us/library/aa372388.aspx

Service Security
http://www.microsoft.com/whdc/system/vista/Vista_Services.mspx

Page 32: Event slides will be posted at:

Get the latest technology previews, trial software, special offers

Get information tailored to your needs

Pick your RSS feeds

Sign up for MSDN Connection at:

http://www.msdn.co.uk

Page 33: Event slides will be posted at:

Additional Information

UK MSDN Events Post events page including slide decks

http://www.microsoft.com/uk/msdnevents

Upcoming events
http://www.microsoft.com/uk/msdn/events/upcoming.aspx

UK MSDN Site & Flash Newsletter
Local news, events, nuggets & webcasts

http://www.microsoft.com/uk/msdn

Register to receive the bi-weekly MSDN Flash by email

http://www.microsoft.com/uk/msdn/flash.aspx

Page 34: Event slides will be posted at:

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.