Understand UAC and make it work for you. Tom Decaluwé [email protected]

Post on 23-Feb-2016


TRANSCRIPT

Page 1: Understand UAC and make it work for you

Understand UAC and make it work for you. Tom Decaluwé, [email protected]

Page 2: Understand UAC and make it work for you

Overview of the session
1. What is UAC and why you should love it
2. What's been / being done in Windows 7
3. How it works in the core
4. How to make it work for you

Page 3: Understand UAC and make it work for you

1. What is UAC and why you should love it

Page 4: Understand UAC and make it work for you

What is UAC

The annoying screen that protects LOCAL administrators / power users

Version 1.0 of the least-privilege Windows environment

Page 5: Understand UAC and make it work for you

What is UAC: 3 components

1. Split tokens
2. Consent / credential user interface
3. Secure desktop => alpha-blended screenshot

Filtered token
• Standard user
• Only deny rights for enterprise and local admin
• Deny rights on admin rights

Full token
• Elevated rights
• Full admin rights

Page 6: Understand UAC and make it work for you

What is UAC: 3 devices, 2 types of users

Devices                  | Type of user               | UAC setting*
Servers                  | Domain Admins (user: Tom-a) | UAC => ON / prompt, or UAC => ON / auto confirm
Live clients             | Local Admins (user: Tom)    | UAC => ON / confirm, or UAC => ON / request password
Live clients             | Default users (user: Karel) | UAC => ON / block, or UAC => ON / request password
Clients being installed  | Local Admins (user: Tom)    | UAC => ON / auto confirm

UAC should not be considered a substitute for, or a new version of, RunAs.
* Set using group policies

Page 7: Understand UAC and make it work for you

What is UAC: the need for two user accounts

Standard account
- Day-to-day use
- Local admin on clients, NOT on the domain

Admin account
- Specific admin tasks on the network
- Domain admin and/or delegated domain rights

Page 8: Understand UAC and make it work for you


DEMO

OU design / UAC settings via GPO

Clients being installed => UAC auto confirm

Servers => UAC auto confirm

Clients => UAC auto confirm / UAC block

Page 9: Understand UAC and make it work for you

DEMO

Two accounts


Page 10: Understand UAC and make it work for you

Why you should love it

• Normal users => Awareness
  • Forces users to become more security aware; it looks black and scary, don't make it a Teletubby-style soft interface.
• Admin users => More control
  • It informs you of system-level changes
  • Forces malware to show itself
  • Lets you control yes/no
  • Solves the incompatibility issue of software across two accounts
• Developers => Mentality change
  • Forces software vendors to create software that does not need admin privileges

Page 11: Understand UAC and make it work for you

Why you should love it

1. Huge reduction of apps that need admin rights

Number of unique applications and tasks creating UAC prompts.

“Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149”

Page 12: Understand UAC and make it work for you

Why should I care

It's here to stay: Windows Vista, Windows 2008, Windows 7

Page 13: Understand UAC and make it work for you

Why you should love it: RunAs compared to UAC

RunAs
- Different credentials (username / password)
- Different profile

UAC
- Same credentials (username / password)
- Same profile

Page 14: Understand UAC and make it work for you

2. What's been / being done in Windows 7

Page 15: Understand UAC and make it work for you

What's the problem / What's being done

1. Reduce prompts
2. Make prompts informative
3. Better control

Page 16: Understand UAC and make it work for you

What's the solution: reduce unneeded prompts

More prompts cause people to click yes without looking: more prompts => reflexive yes

• Educate software developers to write software according to best practices
• Internally at MS, remove unneeded prompts

Page 17: Understand UAC and make it work for you

What's the solution: prompt information

Improved message dialog

Page 18: Understand UAC and make it work for you

What's the solution: more control

Four levels, from most secure to most usable:
1. Always notify on every system change. (Vista default)
2. (Default) Notify me only when programs try to make changes to my computer.
3. Notify me only when programs try to make changes to my computer, without using the Secure Desktop. (Turns off the secure desktop)
4. Never notify.

Security <=> usability

* Controllable via GPOs

Page 19: Understand UAC and make it work for you

What's the solution: more control

Page 20: Understand UAC and make it work for you

3. How it works in the core

Page 21: Understand UAC and make it work for you

How it works in the core: the token when you log on

Logon process => Token

• When you run an exe, your token is bound/copied to that process to grant the process X amount of access

Page 22: Understand UAC and make it work for you

How it works in the core: a split token / filtered token

Logon process => LSA service => Token

For an administrator account the LSA service produces two tokens:

Standard user token (the default token)
- Admin groups marked deny-only
- 5 privileges: SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege
- Medium integrity level: S-1-16-8192 => hex 2000

Administrator token
- All groups, all privileges
- High integrity level: S-1-16-12288 => hex 3000

Getting the administrator token:
1. You need to ask for elevation
2. Windows knows you will need elevation

Page 23: Understand UAC and make it work for you

DEMO

whoami /groups => explicit deny for admin accounts
whoami /priv
whoami /fo list /all
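The demo above reads the token by eye from whoami output. As an added example (not part of the deck), this PowerShell function parses "whoami /groups /fo csv" the same way, maps the integrity-label SID to the levels on the split-token slide, and reports the deny-only groups that identify a filtered administrator token. The sample CSV is constructed so the function can be tried without a live token.

```powershell
# Added example, not from the slides: summarise the current process token the
# way the "whoami /groups" demo does (integrity label + deny-only groups).
function Get-TokenSummary {
    param(
        # Optional: captured "whoami /groups /fo csv" lines, so the function can
        # be exercised on constructed input instead of the live token.
        [string[]]$WhoamiCsv
    )
    if (-not $WhoamiCsv) { $WhoamiCsv = & whoami.exe /groups /fo csv }
    $rows = $WhoamiCsv | ConvertFrom-Csv

    # Integrity-label SIDs are S-1-16-<RID>: 8192 = 0x2000 Medium, 12288 = 0x3000 High.
    $levels = @{ 'S-1-16-4096' = 'Low'; 'S-1-16-8192' = 'Medium';
                 'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }
    $label = $rows | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $level = if ($label) { $levels[$label.SID] } else { 'Unknown' }

    # In the filtered (split) token the admin groups are still present but
    # marked "used for deny only", which is what the demo's whoami shows.
    $denyOnly = @($rows | Where-Object { $_.Attributes -match 'deny only' } |
                  ForEach-Object { $_.'Group Name' })

    [pscustomobject]@{
        IntegritySid    = if ($label) { $label.SID } else { $null }
        IntegrityLevel  = $level
        IsFilteredAdmin = ($denyOnly -contains 'BUILTIN\Administrators') -and ($level -eq 'Medium')
        DenyOnlyGroups  = $denyOnly
    }
}

# Constructed sample resembling "whoami /groups /fo csv" for a split admin token.
$sample = @(
    '"Group Name","Type","SID","Attributes"',
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"',
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"',
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"',
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
)
Get-TokenSummary -WhoamiCsv $sample | Format-List
```

Run Get-TokenSummary without arguments from a normal and from an elevated prompt to see the same account reported at Medium with deny-only groups and at High with them enabled.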

Page 24: Understand UAC and make it work for you

How it works in the core: tokens in Process Explorer

(Screenshots: normal token vs admin token)

Page 25: Understand UAC and make it work for you

How it works in the core: process launch

Process is started from explorer.exe, which runs with the standard user token.

Default behaviour: the child process is launched with the same standard user token.

Windows knows / Windows is told that elevation is needed: the child process is launched with the admin user token.

Page 26: Understand UAC and make it work for you

How it works in the core: Application Information service

Page 27: Understand UAC and make it work for you

How it works in the core: Windows knows it needs to elevate

1. Windows knows it needs elevation
   1. Windows marks the icons
   2. Heuristic install detection
   3. Manifest

Page 28: Understand UAC and make it work for you

How it works in the core: Windows knows it needs to elevate

Windows marks the icons (shield overlay)

Page 29: Understand UAC and make it work for you

How it works in the core: Windows auto-detects elevation

• Vista looks for popular install strings: Setup, Instal, Update
• Vista detects installers from: Wise installer, InstallShield installer
• Check for the manifest => the manifest overrules the above

* Only works for 32-bit installers

Page 30: Understand UAC and make it work for you

DEMO

Calc.Exe => setup.exe

Page 31: Understand UAC and make it work for you

How it works in the core: Windows knows it needs to elevate

2. You tell Windows
   1. Right click => Run as administrator
   2. Tag icon for elevation
   3. Add manifest
   4. Shim fixes

Page 32: Understand UAC and make it work for you

How it works in the core: tell Windows to elevate

• Mark an icon for automatic elevation => only works on legacy apps
  • Only for you
  • For all users

Page 33: Understand UAC and make it work for you

How it works in the core: embedded manifest

• requestedExecutionLevel
  • asInvoker => use the current security token
  • highestAvailable => give the highest available token
  • requireAdministrator => app requires an admin token, and if it does not exist, don't run

Page 34: Understand UAC and make it work for you

How it works in the core: tell Windows to elevate

• Use a manifest file => this is the best way, as it's a 1|0 situation
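To make the embedded/external manifest slides concrete, here is an added PowerShell example (not from the deck) that writes an external manifest beside an executable with the chosen requestedExecutionLevel and reads the level back out of any manifest. The manifest XML is the standard Windows application manifest format; MyTool.exe is a hypothetical path.

```powershell
# Added example, not from the slides: create an external manifest with the chosen
# requestedExecutionLevel, and read the level back (for example to audit a deployment).
function New-ExternalManifest {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string]$Level = 'asInvoker',
        [switch]$UiAccess   # only honoured for signed code in a secure location (see slide 36)
    )
    $ui   = if ($UiAccess) { 'true' } else { 'false' }
    $name = [IO.Path]::GetFileNameWithoutExtension($ExePath)
    $xml = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="$name" type="win32" />
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="$ui" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    # External manifest naming convention: <exe name>.manifest next to the exe.
    $path = "$ExePath.manifest"
    Set-Content -Path $path -Value $xml -Encoding UTF8
    return $path
}

function Get-ManifestExecutionLevel {
    param([Parameter(Mandatory)][string]$ManifestPath)
    [xml]$doc = Get-Content -Path $ManifestPath -Raw
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('v3', 'urn:schemas-microsoft-com:asm.v3')
    $node = $doc.SelectSingleNode('//v3:requestedExecutionLevel', $ns)
    # No requestedExecutionLevel => Windows treats the app as legacy (installer
    # detection / virtualization apply), which is the situation the slides warn about.
    if (-not $node) { return [pscustomobject]@{ Level = '(none: legacy app)'; UiAccess = 'false' } }
    [pscustomobject]@{ Level = $node.level; UiAccess = $node.uiAccess }
}

# Usage on a hypothetical tool in the temp directory.
$exe      = Join-Path $env:TEMP 'MyTool.exe'
$manifest = New-ExternalManifest -ExePath $exe -Level requireAdministrator
Get-ManifestExecutionLevel -ManifestPath $manifest
```

An embedded manifest takes precedence over an external one, so an external file only changes behaviour for executables that carry no manifest resource.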

Page 35: Understand UAC and make it work for you

DEMO

Manifest internal and external

Page 36: Understand UAC and make it work for you

How it works in the core: interact with the secure desktop

To interact with the secure desktop you must adhere to three prerequisites:
1. Manifest entry uiAccess="true"
2. Code must be signed by Microsoft
3. Code must be put in a secure location:
   • \Windows\System32\*
   • \Program Files\*
   • \Program Files (x86)\*

Page 37: Understand UAC and make it work for you


DEMO

Secure desktop does not pause the processes

Page 38: Understand UAC and make it work for you

How it works in the core: consent UIs

4 different levels of BEWARE

• RED => program is signed by a publisher you blocked via GPO
• TEAL => digitally signed by Microsoft
• GRAY => digitally signed by a 3rd party
• ORANGE => other situations

* The consent UI times out after 2 minutes
* The dialogs are also linked to IE bars

Page 39: Understand UAC and make it work for you

4. How to make it work for you

Page 40: Understand UAC and make it work for you

How to make it work for you

1. Staging OU
2. GPOs => manipulating UAC
3. Use RunAs / ShellRunAs
   1. Computer => all computers
      1. Create folder
      2. Copy file
   2. User => target group Local_admins
4. Elevate.exe + Start++.exe => command-line elevation
5. Elevate cmd here
6. Keep an elevated prompt => cmd /T:1F
7. Automate a scheduled task
8. Compatibility toolkit

Page 41: Understand UAC and make it work for you

Control UAC via GPO / security options

Policy => What it does

Admin Approval Mode for the built-in Administrator account
=> The local Administrator is disabled by default, but if you enable the user, make him comply with UAC.

Allow UIAccess applications to prompt for elevation without using the secure desktop
=> Applications like Remote Assistance: when enabled, local users who need help will need to know an admin password. Disable if you use Vista speech recognition.

Behavior of the elevation prompt for administrators in Admin Approval Mode
=> Do you want to be re-prompted for credentials, or just approve?

Behavior of the elevation prompt for standard users
=> Set to deny if you want normal users to get an access denied instead of a credential prompt.

Detect application installations and prompt for elevation
=> Not required when using SMS or GPSI, but needed when you want local people to be able to install apps whose names start with setu, instl, update.

Only elevate executables that are signed and validated
=> You can control what is trusted by populating the computer's trusted root store.

Only elevate UIAccess applications that are installed in secure locations
=> UIAccess apps must run out of \Program Files\, \Windows\System32\ or \Program Files (x86)\.

Run all administrators in Admin Approval Mode
=> If disabled, turns off UAC totally.

Switch to the secure desktop when prompting for elevation
=> Secure desktop vs interactive desktop.

Virtualize file and registry write failures to per-user locations
=> Determines how file redirection reacts.
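The policies in the table above land in the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. As an added example (not part of the deck), this PowerShell function reads those values, maps them back to the policy names and prompt behaviours, and flags the combinations a defender would treat as weakened UAC. The value names are the real ones Windows uses; the sample hashtable is constructed.

```powershell
# Added example, not from the slides: audit the UAC security options via their
# registry values and flag weak settings. Pass -Values to check captured data.
function Test-UacPolicy {
    param([hashtable]$Values)   # optional: value name => data (defaults to the local registry)
    if (-not $Values) {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $Values = @{}
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) { $Values[$p.Name] = $p.Value }
    }
    # "Behavior of the elevation prompt for administrators in Admin Approval Mode"
    $adminPrompt = @{ 0 = 'elevate without prompting'; 1 = 'prompt for credentials on secure desktop';
                      2 = 'prompt for consent on secure desktop'; 3 = 'prompt for credentials';
                      4 = 'prompt for consent'; 5 = 'prompt for consent for non-Windows binaries' }
    # "Behavior of the elevation prompt for standard users"
    $userPrompt  = @{ 0 = 'automatically deny'; 1 = 'prompt for credentials on secure desktop';
                      3 = 'prompt for credentials' }
    # Windows 7 defaults apply when a value is absent.
    $lua  = if ($Values.ContainsKey('EnableLUA'))                  { $Values['EnableLUA'] }                  else { 1 }
    $cpba = if ($Values.ContainsKey('ConsentPromptBehaviorAdmin')) { $Values['ConsentPromptBehaviorAdmin'] } else { 5 }
    $cpbu = if ($Values.ContainsKey('ConsentPromptBehaviorUser'))  { $Values['ConsentPromptBehaviorUser'] }  else { 3 }
    $sd   = if ($Values.ContainsKey('PromptOnSecureDesktop'))      { $Values['PromptOnSecureDesktop'] }      else { 1 }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($lua -eq 0)  { $findings.Add('EnableLUA=0: Admin Approval Mode off, UAC is turned off totally') }
    if ($cpba -eq 0) { $findings.Add('ConsentPromptBehaviorAdmin=0: administrators elevate silently') }
    if ($sd -eq 0)   { $findings.Add('PromptOnSecureDesktop=0: consent UI shown on the interactive desktop') }
    if ($Values['EnableUIADesktopToggle'] -eq 1) { $findings.Add('EnableUIADesktopToggle=1: UIAccess apps may prompt off the secure desktop') }
    if ($Values['EnableSecureUIAPaths'] -eq 0)   { $findings.Add('EnableSecureUIAPaths=0: UIAccess apps allowed outside secure locations') }

    [pscustomobject]@{
        AdminApprovalMode           = [bool]$lua
        AdminPromptBehavior         = $adminPrompt[[int]$cpba]
        StandardUserPromptBehavior  = $userPrompt[[int]$cpbu]
        SecureDesktop               = [bool]$sd
        InstallerDetection          = [bool]$Values['EnableInstallerDetection']
        ValidateAdminCodeSignatures = [bool]$Values['ValidateAdminCodeSignatures']
        Findings                    = $findings.ToArray()
    }
}

# Constructed sample of a weakened configuration (not read from a real host).
$weak = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 0;
           PromptOnSecureDesktop = 0; EnableInstallerDetection = 1; EnableSecureUIAPaths = 1 }
Test-UacPolicy -Values $weak | Format-List
```

Run Test-UacPolicy with no arguments on a domain-joined client to confirm the GPO from the staging OU actually produced the intended "auto confirm" or "block" setting.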

Page 42: Understand UAC and make it work for you

DEMO

Run as different user….

Page 43: Understand UAC and make it work for you

DEMO

Elevate from command prompt

Page 44: Understand UAC and make it work for you

DEMO

Elevate command prompt here

Page 45: Understand UAC and make it work for you

DEMO

C:\Windows\System32\schtasks.exe /run /tn "CMD without UAC"

Privileged cmd prompt + elevation without a prompt

Page 46: Understand UAC and make it work for you

DEMO

Fixup / Shim: Program Compatibility Toolkit

Page 47: Understand UAC and make it work for you

How to make it work for you: two problems

- SMB access => when accessing an SMB share using a local admin (non-domain) account, you will be using the filtered token
- Remote Assistance => the secure desktop does not prompt on the remote session, only on the local system

Page 48: Understand UAC and make it work for you

How to make it work for you: configure elevation logging

Success / failure auditing of process tracking & privilege tracking:
- ID 4688 => what process was created
- ID 4696 => elevated credential (a primary token was assigned to a process)

* We cannot see who initiated the elevation

Fields to correlate: Target Process ID, New Process ID
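As an added example (not from the deck) of working with the 4688 auditing above: each "A new process has been created" event carries a Token Elevation Type field, so elevated process creations can be picked out and paired with the subject account and the process IDs the slide lists. The two events are constructed samples; without -EventXml the function reads the local Security log.

```powershell
# Added example, not from the slides: classify Security event 4688 by its
# TokenElevationType (%%1936 default, %%1937 full/elevated, %%1938 limited/filtered).
function Get-ElevatedProcessCreations {
    param([string[]]$EventXml)   # optional: captured or constructed 4688 event XML
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 200 |
                    ForEach-Object { $_.ToXml() }
    }
    $types = @{ '%%1936' = 'Default (no split token)'; '%%1937' = 'Full (elevated)'; '%%1938' = 'Limited (filtered)' }
    foreach ($text in $EventXml) {
        [xml]$e = $text
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        $tet = $data['TokenElevationType']
        [pscustomobject]@{
            Time          = $e.Event.System.TimeCreated.SystemTime
            Subject       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            NewProcess    = $data['NewProcessName']
            NewProcessId  = $data['NewProcessId']
            ElevationType = if ($tet -and $types.ContainsKey($tet)) { $types[$tet] } else { 'n/a' }
            Elevated      = ($tet -eq '%%1937')
        }
    }
}

# Constructed sample events (minimal 4688 XML, not captured from a real host).
$ev1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID>
<TimeCreated SystemTime="2016-02-23T10:00:00Z"/></System><EventData>
<Data Name="SubjectUserName">Tom</Data><Data Name="SubjectDomainName">CLIENT01</Data>
<Data Name="NewProcessId">0x1a4</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="TokenElevationType">%%1937</Data></EventData></Event>
'@
$ev2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID>
<TimeCreated SystemTime="2016-02-23T10:01:00Z"/></System><EventData>
<Data Name="SubjectUserName">Karel</Data><Data Name="SubjectDomainName">CLIENT01</Data>
<Data Name="NewProcessId">0x2b0</Data><Data Name="NewProcessName">C:\Windows\System32\calc.exe</Data>
<Data Name="TokenElevationType">%%1938</Data></EventData></Event>
'@
Get-ElevatedProcessCreations -EventXml @($ev1, $ev2) | Where-Object Elevated | Format-Table -AutoSize
```

Only the cmd.exe line is reported as elevated; the "Automate a scheduled task" trick from the demo shows up here as a full-token process whose subject is the task's account.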

Page 49: Understand UAC and make it work for you

Thank you

Tom Decaluwé, [email protected]

www.it-talks.be