Understand UAC and make it work for you
DESCRIPTION
Understand UAC and make it work for you. Tom Decaluwé [email protected]. Overview of the session: what is UAC and why you should love it; what's been / being done in Windows 7; how it works in the core; how to make it work for you.
TRANSCRIPT
Understand UAC and make it work for you. Tom Decaluwé [email protected]
Overview of the session
1. What is UAC and why you should love it
2. What's been / being done in Windows 7
3. How it works in the core
4. How to make it work for you
1. What is UAC and why you should love it
The annoying screen that protects LOCAL administrator / power users
Version 1.0 of the least-privilege Windows environment
What is UAC
1. Split tokens
2. Consent / credential user interface
3. Secure desktop => alpha-blended screenshot
What is UAC: 3 components
Filtered token
• Standard user
• Only deny rights for the enterprise and local admin groups
• Deny rights on admin rights
Full token
• Elevated rights
• Full admin rights
What is UAC: 3 devices, 2 types of users

Devices                  Type of user                  UAC setting
Servers                  Domain admins (user: Tom-a)   UAC => ON / prompt, or UAC => ON / auto confirm
Live clients             Local admins (user: Tom)      UAC => ON / confirm, or UAC => ON / request password
Live clients             Default users (user: Karel)   UAC => ON / block, or UAC => ON / request password
Clients being installed  Local admins (user: Tom)      UAC => ON / auto confirm

UAC should not be considered a substitute for RunAs.
* Set using group policies
What is UAC: the need for two user accounts
Standard account
• Day-to-day use
• Local admin on clients, NOT on the domain
Admin account
• Specific admin tasks on the network
• Domain admin and/or delegated domain rights
DEMO
OU design / UAC settings via GPO
• Clients being installed => UAC auto confirm
• Servers => UAC auto confirm
• Clients => UAC auto confirm / UAC block
DEMO
Two accounts
Why you should love it
• Normal users => awareness
  • Forces users to become more security aware; it looks black and scary, so don't turn it into a Teletubby-style soft interface.
• Admin users => more control
  • It informs you of system-level changes
  • Forces malware to show itself
  • Lets you control yes/no
  • Solves the incompatibility issue of software across two accounts
• Developers => mentality change
  • Forces software vendors to create software that runs without admin privileges
Why you should love it
1. Huge reduction of apps that need admin rights
Number of unique applications and tasks creating UAC prompts.
“Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149”
It's here to stay: Windows Vista, Windows 2008, Windows 7
Why should I care
Why you should love it: RunAs compared to UAC

RunAs                                        UAC
Different credentials (username / password)  Same credentials (username / password)
Different profile                            Same profile
2. What's been / being done in Windows 7
What's the problem / what's being done
1. Reduce prompts
2. Make prompts informative
3. Better control
What's the solution: reduce unneeded prompts
More prompts cause people to click yes without looking: more prompts => a relaxed yes.
• Educate software developers to write software according to best practices
• Internally at MS, remove unneeded prompts
What's the solution: prompt information
Improved message dialog
What's the solution: more control
1. Always notify on every system change (Vista default)
2. (Default) Notify me only when programs try to make changes to my computer
3. Notify me only when programs try to make changes to my computer, without using the secure desktop (turns off the secure desktop)
4. Never notify
The slider runs from security (level 1) to usability (level 4)
* Controllable via GPOs
3. How it works in the core
• When you run an exe, your token is bound/copied to that process to grant the process a given amount of access
How it works in the core: the token when you logon
[Figure: the logon process produces your token]
How it works in the core: a split token / filtered token
[Figure: the administrator token passes through the LSA service, which produces the standard user token (your default token) next to the full administrator token]
Standard user (default) token: deny groups, 5 privileges
• SeShutdownPrivilege
• SeChangeNotifyPrivilege
• SeUndockPrivilege
• SeIncreaseWorkingSetPrivilege
• SeTimeZonePrivilege
• Medium integrity level: S-1-16-8192 => hex 0x2000
Administrator token: all groups, all privileges
• High integrity level: S-1-16-12288 => hex 0x3000
1. You need to ask for elevation
2. Windows knows you will need elevation
DEMO
whoami /groups => shows the explicit deny on the admin groups
whoami /priv
whoami /fo list /all
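The same inspection as the whoami demo, wrapped in a PowerShell function so the two halves of the split token can be compared side by side. This is an added example, not code from the session; it assumes whoami.exe (Vista and later) and PowerShell 3 or later, and reads only the current process token.

```powershell
# Added example (not part of the slides): inspect the token of the current
# PowerShell process with whoami and report which half of the split token it is.
# Assumes whoami.exe (Vista and later) and PowerShell 3 or later.
function Get-UacTokenInfo {
    # One row per group; the "Mandatory Label" row carries the integrity level SID.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid    = [int]($label.SID -replace '^S-1-16-', '')   # 8192 = medium, 12288 = high

    # Groups marked "used for deny only" are the admin groups UAC stripped
    # from the filtered token (e.g. BUILTIN\Administrators, Domain Admins).
    $denyOnly = $groups | Where-Object { $_.Attributes -match 'deny only' } |
                ForEach-Object { $_.'Group Name' }

    $privs = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'

    [pscustomobject]@{
        IntegrityLevel = $label.'Group Name'       # e.g. Mandatory Label\Medium Mandatory Level
        IntegritySid   = $label.SID                # S-1-16-8192 or S-1-16-12288
        IntegrityHex   = '0x{0:X4}' -f $rid        # 0x2000 or 0x3000, as on the slide
        Elevated       = ($rid -ge 12288)          # high integrity => full admin token
        DenyOnlyGroups = @($denyOnly)
        PrivilegeCount = @($privs).Count           # 5 on a filtered admin token
        Privileges     = @($privs)
    }
}

# Run it twice: once from a normal window, once from a window started with
# "Run as administrator", and compare the two halves of the same logon.
Get-UacTokenInfo | Format-List
```

From a normal window of a local admin you should see the medium label, the admin groups listed under DenyOnlyGroups and exactly the five privileges from the slide; from the elevated window the high label, an empty deny list and the full privilege set.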
How it works in the core: tokens in Process Explorer
[Figure: normal token next to admin token]
How it works in the core: process launch
[Figure: a process is started from explorer.exe with the standard user token; the child process is launched with either the admin user token or the standard user token, depending on the default behaviour (Windows knows) or on what Windows is told]
How it works in the core: Application Information service
How it works in the core: Windows knows it needs to elevate
1. Windows knows it needs elevation
  1. Windows marks the icons
  2. Heuristic install detection
  3. Manifest
How it works in the core: Windows knows it needs to elevate
Windows marks the icons
• Vista looks for popular install strings: Setup, Instal, Update
• Vista detects installers from: Wise installer, InstallShield installer
• Check for the manifest => the manifest overrules the above
How it works in the core: Windows auto-detects elevation
* Only works for 32-bit installers
DEMO
Calc.Exe => setup.exe
How it works in the core: Windows knows it needs to elevate
1. You tell Windows
  1. Right click => run as administrator
  2. Tag the icon for elevation
  3. Add a manifest
  4. Shim fixes
• Mark an icon for automatic elevation => only works on legacy apps; only for you, or for all users
How it works in the core: tell Windows to elevate
• requestedExecutionLevel
  • asInvoker => use the current security token
  • highestAvailable => give the highest available token
  • requireAdministrator => the app requires the admin token and, if it does not exist, does not run
How it works in the core: embedded manifest
• Use a manifest file => this is the best way, as it's a 1|0 situation
How it works in the core: tell Windows to elevate
DEMO
Manifest, internal and external
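The manifest demo, as an added PowerShell example that is not part of the session: it writes a manifest with the requestedExecutionLevel from the previous slide, embeds it into an exe with mt.exe from the Windows SDK and reads it back. The paths .\app.exe and .\app.manifest and the location of mt.exe are assumptions.

```powershell
# Added example (not part of the slides): build a manifest that sets
# requestedExecutionLevel, embed it with mt.exe and read it back.
# mt.exe comes from the Windows SDK; its path, .\app.exe and .\app.manifest are assumptions.
function New-UacManifest {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string] $Level = 'asInvoker',
        [switch] $UiAccess    # only for apps that must drive the secure desktop (signed, in a secure location)
    )
    $ui = if ($UiAccess) { 'true' } else { 'false' }
    $manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="$ui"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    Set-Content -Path $Path -Value $manifest -Encoding UTF8
}

function Add-UacManifest {
    param([string] $Exe, [string] $ManifestPath, [string] $MtExe = 'mt.exe')
    # Resource ID 1 of type RT_MANIFEST is where the loader looks for an embedded manifest.
    & $MtExe -nologo -manifest $ManifestPath "-outputresource:$Exe;#1"
}

function Get-UacManifest {
    param([string] $Exe, [string] $MtExe = 'mt.exe')
    $tmp = Join-Path $env:TEMP 'extracted.manifest'
    & $MtExe -nologo "-inputresource:$Exe;#1" "-out:$tmp"
    $xml = [xml](Get-Content -Path $tmp -Raw)
    $xml.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel
}

New-UacManifest -Path .\app.manifest -Level requireAdministrator
Add-UacManifest -Exe .\app.exe -ManifestPath .\app.manifest
Get-UacManifest -Exe .\app.exe   # level=requireAdministrator, uiAccess=false
```

For the external variant, save the same XML as app.exe.manifest next to the binary instead of embedding it; Windows only consults the external file when the exe carries no embedded manifest, which is why the embedded one is the 1|0 situation the slide prefers.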
To interact with the secure desktop you must adhere to three prerequisites:
1. Entry in the manifest: uiAccess="true"
2. Code must be signed by Microsoft
3. Code must be put in a secure location
  • \Windows\System32\*
  • \Program Files\*
  • \Program Files (x86)\*
How it works in the core: interact with the secure desktop
DEMO
Secure desktop does not pause the processes
4 different levels of BEWARE
• RED => program is signed by a publisher you blocked via GPO
• TEAL => digitally signed by Microsoft
• GRAY => digitally signed by a 3rd party
• ORANGE => other situations
How it works in the core: consent UIs
* The consent UI times out after 2 minutes
* The dialogs are also linked to the IE bars
4. How to make it work for you
How to make it work for you
1. Staging OU
2. GPOs => manipulating UAC
3. Use RunAs / ShellRunAs
  1. Computer => all computers: 1. create folder, 2. copy file
  2. User => target group Local_admins
4. Elevate.exe + Start++.exe => command line elevation
5. Elevate cmd here
6. Keep an elevated prompt => cmd /T:1F
7. Automate a scheduled task
8. Compatibility toolkit
Control UAC via GPO / security options
Policy: Admin approval mode for the built-in Administrator account
  What it does: the local Administrator is disabled by default, but if you enable the user => make him comply with UAC
Policy: Allow UIAccess applications to prompt for elevation without using the secure desktop
  What it does: applications like Remote Assistance => when enabled, local users who need help will need to know an admin password. Disable if you use Vista speech recognition
Policy: Behaviour of the elevation prompt for administrators in admin approval mode
  What it does: do you want to be re-prompted for credentials or just approve
Policy: Behaviour of the elevation prompt for standard users
  What it does: set to deny if you want normal users to get an access denied instead of a credential prompt
Policy: Detect application installations and prompt for elevation
  What it does: not required when using SMS or GPSI, but needed when you want local people to be able to install apps starting with: setu, instl, update
Policy: Only elevate executables that are signed and validated
  What it does: you can control what is trusted by populating the computer's trusted root store
Policy: Only elevate UIAccess applications that are installed in secure locations
  What it does: UIAccess apps must run out of \Program Files\, \Windows\System32\ or \Program Files (x86)\
Policy: Run all administrators in admin approval mode
  What it does: if disabled => turns off UAC totally
Policy: Switch to the secure desktop when prompting for elevation
  What it does: secure desktop vs interactive desktop
Policy: Virtualize file and registry write failures to per-user locations
  What it does: determines how file redirection reacts
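The policies in the table above land in one registry key, so their effective state can be audited without opening the GPO editor. The script below is an added example, not part of the session; the value names and the meaning of their numbers are the documented Windows UAC settings, and it reads the live key of the machine it runs on.

```powershell
# Added example (not part of the slides): read the registry values that the
# UAC security options above are stored in and flag settings that weaken UAC.
# Value names and meanings are the documented Windows policy values; the key
# path below is the live policy key, so run this on the machine you audit.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyReport {
    param([string] $Key = $UacPolicyKey)
    $v = Get-ItemProperty -Path $Key

    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    # Render "value (meaning)", or "not set" when the policy has never been written.
    function Describe($value, $table) {
        if ($null -eq $value) { return 'not set' }
        "$value ($($table[[int]$value]))"
    }

    $findings = @()
    if ($v.EnableLUA -eq 0)                  { $findings += 'EnableLUA=0: UAC is turned off completely' }
    if ($v.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: admins elevate silently' }
    if ($v.PromptOnSecureDesktop -eq 0)      { $findings += 'PromptOnSecureDesktop=0: prompts appear on the interactive desktop' }
    if ($v.EnableSecureUIAPaths -eq 0)       { $findings += 'EnableSecureUIAPaths=0: UIAccess apps may run from any folder' }
    if ($v.EnableUIADesktopToggle -eq 1)     { $findings += 'EnableUIADesktopToggle=1: UIAccess apps can prompt without the secure desktop' }

    [pscustomobject]@{
        'Run all administrators in admin approval mode (EnableLUA)'                  = $v.EnableLUA
        'Admin approval mode for built-in Administrator (FilterAdministratorToken)'  = $v.FilterAdministratorToken
        'Elevation prompt for administrators (ConsentPromptBehaviorAdmin)'           = Describe $v.ConsentPromptBehaviorAdmin $adminPrompt
        'Elevation prompt for standard users (ConsentPromptBehaviorUser)'            = Describe $v.ConsentPromptBehaviorUser $userPrompt
        'Detect application installations (EnableInstallerDetection)'                = $v.EnableInstallerDetection
        'Only elevate signed executables (ValidateAdminCodeSignatures)'              = $v.ValidateAdminCodeSignatures
        'Only elevate UIAccess apps in secure locations (EnableSecureUIAPaths)'      = $v.EnableSecureUIAPaths
        'Switch to the secure desktop (PromptOnSecureDesktop)'                       = $v.PromptOnSecureDesktop
        'Virtualize file and registry write failures (EnableVirtualization)'         = $v.EnableVirtualization
        Findings = $findings
    }
}

Get-UacPolicyReport | Format-List
```

Run it on a staging client after the GPO has applied (gpupdate /force first) to confirm the "auto confirm" and "block" variants from the OU design demo actually arrived as ConsentPromptBehaviorAdmin=0 and ConsentPromptBehaviorUser=0; the Findings list is the quick check that no machine has drifted to UAC off or to prompting outside the secure desktop.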
DEMO
Run as different user….
DEMO
Elevate from command prompt
DEMO
Elevate command prompt here
DEMO
C:\Windows\System32\schtasks.exe /run /tn "CMD without UAC"
Privileged cmd prompt + no-prompt elevation
DEMO
Fixup / Shim
Program compatibility Toolkit
How to make it work for you: two problems
• SMB access => when accessing an SMB share using a local admin (non-domain) account, you will be using the filtered token
• Remote Assistance => secure desktops don't prompt on the remote session, only on the local system
How to make it work for you: configure elevation logging
Success / failure auditing of process tracking & privilege use
• ID 4688 => what process was created
• ID 4696 => elevated credential (a primary token was assigned to a process)
* We cannot see who initiated the elevation
Fields to correlate: Target Process ID (4696) and New Process ID (4688)
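The correlation the last slide describes, as an added PowerShell example that is not part of the session: events 4688 and 4696 are parsed from their XML and joined on the process ID, so every created process is reported with its token elevation type and the process that handed it its token. The two events in the block are constructed samples, not real log data; the EventData field names are the ones the Security auditing provider uses, which you should confirm against ToXml() of a live event.

```powershell
# Added example (not part of the slides): parse Security log events 4688 and
# 4696 and join them on the process ID so each created process is reported
# with its token elevation type and the process that assigned its token.
# The two events below are constructed samples; the EventData field names are
# assumed to match the Security auditing provider (check ToXml() on a live event).
function ConvertFrom-AuditEventXml {
    param([Parameter(Mandatory)] [string] $Xml)
    $e  = [xml]$Xml
    $id = $e.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
    $data = @{}
    foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId = [int]$id
        Time    = $e.Event.System.TimeCreated.SystemTime
        Data    = $data
    }
}

function Get-ElevatedProcessReport {
    param([Parameter(Mandatory)] [string[]] $EventXml)
    $parsed = $EventXml | ForEach-Object { ConvertFrom-AuditEventXml -Xml $_ }

    # 4696: index by the process that received the new primary token.
    $tokens = @{}
    foreach ($t in ($parsed | Where-Object { $_.EventId -eq 4696 })) {
        $tokens[$t.Data.TargetProcessId] = $t
    }

    foreach ($p in ($parsed | Where-Object { $_.EventId -eq 4688 })) {
        $type = switch ($p.Data.TokenElevationType) {
            '%%1936' { 'Type 1: full token (UAC off or built-in Administrator)' }
            '%%1937' { 'Type 2: elevated, full admin token' }
            '%%1938' { 'Type 3: limited, filtered token' }
            default  { $p.Data.TokenElevationType }
        }
        $tok = $tokens[$p.Data.NewProcessId]     # New Process ID (4688) == Target Process ID (4696)
        [pscustomobject]@{
            Time          = $p.Time
            Process       = $p.Data.NewProcessName
            ProcessId     = $p.Data.NewProcessId
            Subject       = "$($p.Data.SubjectDomainName)\$($p.Data.SubjectUserName)"
            ElevationType = $type
            Elevated      = ($p.Data.TokenElevationType -eq '%%1937')
            TokenFrom     = if ($tok) { $tok.Data.ProcessName } else { $null }   # the service host that assigned the token
        }
    }
}

# Constructed sample events: an elevated cmd.exe (4688, type 2) and the matching 4696.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample4688 = @"
<Event xmlns="$ns"><System><EventID>4688</EventID><TimeCreated SystemTime="2009-03-01T10:15:00.000Z"/></System>
<EventData>
  <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data>
  <Data Name="SubjectUserName">Tom</Data>
  <Data Name="SubjectDomainName">WORKSTATION</Data>
  <Data Name="NewProcessId">0x1a2c</Data>
  <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
  <Data Name="TokenElevationType">%%1937</Data>
  <Data Name="ProcessId">0x4d0</Data>
</EventData></Event>
"@
$sample4696 = @"
<Event xmlns="$ns"><System><EventID>4696</EventID><TimeCreated SystemTime="2009-03-01T10:14:59.000Z"/></System>
<EventData>
  <Data Name="SubjectUserName">SYSTEM</Data>
  <Data Name="TargetUserName">Tom</Data>
  <Data Name="ProcessId">0x3b8</Data>
  <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  <Data Name="TargetProcessId">0x1a2c</Data>
  <Data Name="TargetProcessName">C:\Windows\System32\cmd.exe</Data>
</EventData></Event>
"@

Get-ElevatedProcessReport -EventXml $sample4688, $sample4696 | Format-List

# Live use (reading the Security log itself needs an elevated prompt):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4696} -MaxEvents 500 | ForEach-Object { $_.ToXml() }
# Get-ElevatedProcessReport -EventXml $xml | Where-Object { $_.Elevated } | Format-Table
```

The join answers what the slide says the events alone cannot: 4688 tells you a full token was used (type 2), and the matching 4696 names the service host that issued it, so an elevated process with no matching 4696 stands out for a closer look.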