Best Practices for User Account Control (UAC) in Windows Vista 蔡孟儒 (Raymond) Consultant Microsoft Technology Center


Page 1: Best Practices for User Account Control (UAC) in Windows Vistadownload.microsoft.com/download/8/6/3/86375d9e-1263-4ba0... · 2018-10-15 · Microsoft, Windows, Windows Vista and other

Best Practices for User Account Control (UAC) in Windows Vista

蔡孟儒 (Raymond)

Consultant

Microsoft Technology Center

Page 2

Session Objectives

User Account Control (UAC) Overview

The new Shield paradigm

Running application in UAC environment

Coding in UAC environment

Summary

Microsoft

Confidential


Page 4

Why User Account Control?

Most user accounts have Administrator privileges.

Code running without Administrator privileges is safer for the system.

Enterprises realize significant TCO reductions when running with managed systems.

Enterprises migrating to software that runs as Standard User


Page 5


Windows Vista UAC goals

All users run as Standard User by default

Filtered token created during logon

Only specially marked apps get the unfiltered token

Explicit consent required for elevation

Predictable shell elevation paths

High application compatibility

Data Redirection

Enabling legacy apps to run as standard user

Installer Detection

Page 6

UAC Architecture

[Diagram: Admin logon for the user "Abby" produces a split token: a "Standard User" token and an Admin token. Standard User Rights, exercised by the user process with Standard User Privilege, include Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, etc. Administrative Rights require the Admin token (Admin Privilege).]


Page 7

DEMO: Standard User Rights vs. Administrative Rights
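An added example (not part of the deck) of what the demo shows from the inside: it inspects the token the current PowerShell process holds, so you can see whether you are running with the filtered "Standard User" token or the full Admin token. It assumes Windows Vista or later with UAC enabled and uses whoami.exe, which ships with Windows.

```powershell
# Added example, not from the deck: inspect the token of the current PowerShell process.
# Assumes Windows Vista or later with UAC on; whoami.exe ships with Windows.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # whoami /groups lists every group SID in the token, including the integrity
    # label (S-1-16-*) and whether a group is present "for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.Type -eq 'Label' }

    [pscustomobject]@{
        User               = $identity.Name
        # True only when Administrators is an *enabled* group in the active token,
        # i.e. the process holds the full admin token. The filtered token fails this test.
        IsElevated         = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # Administrators is still listed in the filtered token, but marked deny-only:
        # the SID can be used to deny access, never to grant it.
        AdminGroupDenyOnly = [bool]($admins -and $admins.Attributes -match 'deny only')
        IntegrityLevel     = if ($label) { $label.'Group Name' } else { 'unknown' }
        IntegrityLevelSid  = if ($label) { $label.SID } else { 'unknown' }
    }
}

$state = Get-UacTokenState
$state | Format-List

if ($state.IsElevated) {
    'Full admin token: this process is elevated.'
} elseif ($state.AdminGroupDenyOnly) {
    'Administrator logged on, but this process holds the filtered "Standard User" token.'
} else {
    'Standard user logon: there is no admin token to elevate to.'
}
```

Run it once from a normal PowerShell window and once from a "Run as administrator" window to see the same user with two different tokens, which is exactly why a running process cannot be elevated in place.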

Page 8


Data Redirection for Legacy Apps

Legacy apps write to admin locations

HKLM\Software

%SystemDrive%\Program Files

%WinDir%\System32

Redirection removes need for elevation

Writes to HKLM go to HKCU redirected store

Writes to system directories redirected to per-user store

Copy-on-write

This is a crutch for legacy applications.

Page 9

Redirection

Files, registry keys are redirected when written to privileged areas

This is not a feature!

Only a mitigation for UAC, WRP

Redirection is per user

[Diagram, built up over slides 9 to 13: APP A writes to HKLM and the write is redirected to HKCU. Later builds add APP B and APP C, each with READ/WRITE arrows.]

Page 14

DEMO: Data Redirection
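An added example (not part of the deck) for auditing the crutch described above: it lists what the current user's legacy apps have had silently redirected into the per-user store and whether the per-user file copy now differs from the machine-wide original. It assumes Windows PowerShell 5.1 (for Get-FileHash) and the default virtualization setting; the store locations (%LOCALAPPDATA%\VirtualStore and HKCU\Software\Classes\VirtualStore\MACHINE) are the ones Windows uses, not something the slides name.

```powershell
# Added example, not from the deck: list what the current user's legacy apps have had
# redirected into the per-user store, and whether each per-user file copy now differs
# from the machine-wide original. Assumes Windows PowerShell 5.1 and default virtualization.
function Get-VirtualizedWrites {
    # Failed writes under %ProgramFiles% and %WinDir% land here, mirroring the real path.
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $fileStore) {
        Get-ChildItem $fileStore -Recurse -File | ForEach-Object {
            $relative = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            $real     = Join-Path $env:SystemDrive $relative      # the path the app thinks it wrote
            $realHash = if (Test-Path $real) { (Get-FileHash $real).Hash } else { $null }
            [pscustomobject]@{
                Kind     = 'File'
                Virtual  = $_.FullName
                Real     = $real
                # Copy-on-write: this user reads the shadow copy, every other user reads $real.
                Diverged = ($realHash -ne (Get-FileHash $_.FullName).Hash)
            }
        }
    }

    # Failed writes to HKLM\Software land under this per-user key, again mirroring the path.
    $regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    if (Test-Path $regStore) {
        $prefix = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\'
        Get-ChildItem $regStore -Recurse | ForEach-Object {
            [pscustomobject]@{
                Kind     = 'Registry'
                Virtual  = $_.Name
                Real     = 'HKEY_LOCAL_MACHINE\' + $_.Name.Substring($prefix.Length)
                Diverged = ($_.ValueCount -gt 0)   # shadow key holds values this user sees first
            }
        }
    }
}

Get-VirtualizedWrites | Sort-Object Kind, Real | Format-Table -AutoSize
```

Every row is an application that still writes to an admin location and is being carried by redirection; those are the ones to fix (or manifest) before moving to 64-bit Windows, where the FAQ slide notes redirection is not available.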

Page 15

Session Objectives

User Account Control (UAC) Overview

The new Shield paradigm

Running application in UAC environment

Coding in UAC environment

Summary and future direction


Page 16


UX: The Shield

Goal is to make your application simple & predictable

Attached to controls which, if clicked, will require elevation as the next step

Has only one state (i.e. no hover, disabled, etc.)

Does not remember elevated state

Not an unlock operation

Page 17


Shield UI Examples

Page 18


Elevation Prompts

Page 19


Consent UI

[Screenshots of the elevation prompt for an OS application, an unsigned application and a signed application.]


Page 21


How to Run Code Elevated

Mark application as requiring Administrator privileges using manifest

Heuristic Installer detection

Application Compatibility shims

Compatibility Tab on Program Properties

Right-click Run as administrator

Page 22

Sample Manifest

MyAdminApp.exe.manifest

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="MyAdminApp" type="win32"/>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Page 23

RequestedExecutionLevels

Level = asInvoker

Launch with the same token as the parent process

Level = highestAvailable

Launch with the highest token this user possesses

Level = requireAdministrator

Highest token of the user, provided the user is a member of the Administrators group

Page 24

Marking managed code

Manifest can be added after the .exe is built

Use the tool mt.exe, part of the Windows SDK

Steps:

Create the manifest file

Use mt.exe to embed the manifest:

mt.exe -manifest yourapp.manifest -outputresource:yourapp.exe;#1

Page 25

DEMO: Manifest, Compatibility Tab
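An added example (not part of the deck) that ties slides 22 to 24 together: it writes the sample manifest with a chosen requestedExecutionLevel, embeds it with the mt.exe command shown above, and reads back the level any executable carries, which is the check to run before shipping. It assumes mt.exe from the Windows SDK is on PATH; MyAdminApp.exe is a placeholder name.

```powershell
# Added example, not from the deck. Assumes mt.exe (Windows SDK) is on PATH;
# MyAdminApp.exe is a placeholder for your own executable.
function New-UacManifest {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string]$Level = 'asInvoker'    # least privilege unless the app really needs more
    )
    $xml = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="$Name" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    # UTF-8 without BOM, matching the encoding declared in the XML prolog.
    [IO.File]::WriteAllText($Path, $xml, (New-Object Text.UTF8Encoding $false))
}

function Add-UacManifest {
    param([Parameter(Mandatory)][string]$Exe, [Parameter(Mandatory)][string]$Manifest)
    # Resource ID #1 is where the loader looks for an executable's manifest.
    & mt.exe -nologo -manifest $Manifest "-outputresource:$Exe;#1"
    if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }
}

function Get-UacExecutionLevel {
    param([Parameter(Mandatory)][string]$Exe)
    # The embedded manifest is stored as plain XML text, so a scan of the image finds it.
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Exe))
    if ($text -match '<requestedExecutionLevel[^>]*\blevel="(\w+)"') { $Matches[1] }
    else { 'none (unmanifested: subject to installer detection and redirection)' }
}

New-UacManifest -Path .\MyAdminApp.exe.manifest -Name MyAdminApp -Level requireAdministrator
Add-UacManifest  -Exe .\MyAdminApp.exe -Manifest .\MyAdminApp.exe.manifest
Get-UacExecutionLevel -Exe .\MyAdminApp.exe
```

Get-UacExecutionLevel also works on third-party binaries, which makes it a quick way to audit which executables in a deployment will prompt on launch and which run asInvoker.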


Page 27

UAC Architecture


Page 28


UX Goals: Simple & Predictable

1st Choice: Make application Standard user only

2nd Choice: Clearly identify Administrative tasks

Ensure Standard users can be fully productive

Identify tasks that need elevation with a “shield”

Page 29


Shield Implementation APIs

Page 30


Separation of Admin Code

Cannot elevate a running process

Communication: Two Design Patterns

Service Broker Model: RPC; globally mapped shared memory

Side by Side Processes: RPC; named pipes; global or locally mapped shared memory

Creation of an Administrator COM object to perform the elevated task: CoCreateInstanceAsAdmin
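An added example (not part of the deck) of the "side by side processes" pattern over a named pipe: because a running process cannot be elevated, the privileged step runs in a second, elevated instance of the same script, and the standard-user side asks for it over the pipe. The pipe name and the two operations are hypothetical; it assumes Windows PowerShell 5.1 (.NET Framework pipe classes) and that the code is saved as a .ps1 file.

```powershell
# Added example, not from the deck: side-by-side processes talking over a named pipe.
# Pipe name and operations are hypothetical. Assumes Windows PowerShell 5.1 and that
# this code is saved as a .ps1 file (it relaunches itself elevated).
param([ValidateSet('Client', 'Server')][string]$Role = 'Client')

$PipeName = 'UacDemoBroker'
# Allow-list: the elevated side exposes named operations only, never arbitrary commands.
$Operations = @{
    'integrity' = { (whoami /groups | Select-String 'Mandatory Level').Line.Trim() }
    'is-admin'  = { ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
}

if ($Role -eq 'Server') {
    # Elevated side. ACL the pipe to the launching user's SID so that no other local
    # account can use this elevated process as a privilege-escalation path.
    $user = [Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl  = New-Object IO.Pipes.PipeSecurity
    $acl.AddAccessRule((New-Object IO.Pipes.PipeAccessRule($user, 'ReadWrite', 'Allow')))
    $pipe = New-Object IO.Pipes.NamedPipeServerStream($PipeName, 'InOut', 1, 'Byte', 'None', 4096, 4096, $acl)
    $pipe.WaitForConnection()
    $reader = New-Object IO.StreamReader($pipe)
    $writer = New-Object IO.StreamWriter($pipe); $writer.AutoFlush = $true
    $request = $reader.ReadLine()
    if ($Operations.ContainsKey($request)) { $writer.WriteLine("$(& $Operations[$request])") }
    else { $writer.WriteLine("rejected: unknown operation '$request'") }
    $pipe.Dispose()
    exit
}

# Standard-user side: launch the elevated helper (this is what raises the consent prompt) ...
Start-Process powershell.exe -Verb RunAs -ArgumentList '-NoProfile', '-File', "`"$PSCommandPath`"", '-Role', 'Server'
# ... then ask it for exactly one allow-listed operation.
$client = New-Object IO.Pipes.NamedPipeClientStream('.', $PipeName, 'InOut')
$client.Connect(60000)                      # wait for the user to answer the prompt
$writer = New-Object IO.StreamWriter($client); $writer.AutoFlush = $true
$reader = New-Object IO.StreamReader($client)
$writer.WriteLine('is-admin')
"Elevated helper answered: $($reader.ReadLine())"
$client.Dispose()
```

The ACL and the allow-list are the part to review: without them, any local process could connect and drive the elevated helper, and the broker would undo the separation it was meant to provide.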

Page 31

Coding for UAC in a nutshell

Design code to not require any Administrative privileges whenever possible.

Per-machine settings during install

Place Per-Machine (Shared) data into %ALLUSERSPROFILE%

Place Per-Machine registry setting in HKLM

Per-user settings at first run

Place per-user data into %LOCALAPPDATA%

Place per-user registry settings in HKCU

Store user-shared data in Users\Public

Page 32

Coding for UAC in a nutshell

Examples of what not to do:

Do not perform admin configuration at first run

Do your admin operations during setup

Do not rely on explicit Admin checks for Standard User applications

Page 33

Summary

Page 34


Application Impact Summary

Works on Windows XP as Standard User? It will just work on Windows Vista.

Fails on Windows XP as Standard User? Mitigated by Redirection; mitigated by App Compat Shim via ACT.

Simple app with Admin dependencies

Admin app on Windows XP? Needs to be marked!

Web apps need special attention due to Protected Mode IE.

Use the Standard User Analyzer to fix your app. Tool location: http://www.microsoft.com/windows/appcompatibility/default.mspx

Page 35


Process Isolation

Administrative and Standard User applications share the same desktop

Security challenges

Cross-process Window messages

DLL injection and create remote thread

Process Isolation mechanisms

Integrity level for processes

“Lower” cannot interfere with “Higher”

Page 36

DEMO: User Interface Privilege Isolation (UIPI)

Page 37


More Information on UAC

UAC Blog: http://blogs.msdn.com/uac

Deck from PDC2005: http://commnet.microsoftpdc.com/content/downloads.aspx

General Security Info: http://msdn.microsoft.com/windowsvista/security/

Getting Started with UAC: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx

UAP Developer Guidelines: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

UAC Question on Update: http://forums.microsoft.com/msdn/showpost.aspx?postid=111453&siteid=1

Aaron's Blog: "Not running as administrator" http://blogs.msdn.com/Aaron_Margosis

Page 38


FAQ

If I mark my app as "admin", can I skip the elevation consent dialog? – No

Can you modify the privilege of a running application? – No

Will UAC elevate whenever a privileged API is used? – No, the entire process is either elevated or not

How long does the elevated process last? Can it time out? – Life of the process

Can I enable which users will use UAC? – Currently this is a per-machine setting

Does UAC apply to all processes and services? – Interactive processes only

What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles%

Won't Redirection de-motivate developers to fix their code? – Yes, it is a short-term mitigation, not in 64-bit

What happens when installer detection fails? – The app runs as non-admin

Will UAC be going down-level? – No

Page 39

Q&A

Page 40

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 41

User Control Policies

Admin Approval Mode for the built-in Administrator account

Default: Not Defined

Behavior of the elevation prompt for administrators in Admin Approval Mode

Default: Prompt for consent

Behavior of the elevation prompt for standard users:

Default: Prompt for credentials

Detect application installations and prompt for elevation

Default: Enabled


Page 42

User Control Policies (cont.)

Only elevate executables that are signed and trusted

Default: Disabled

Run all administrators in Admin Approval Mode

Default: Enabled

Switch to the secure desktop when prompting for elevation

Default: Enabled

Virtualize file and registry write failures to per-user locations
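An added example (not part of the deck) that compares a machine's effective UAC policy with the defaults listed on these two slides. The registry value names under Policies\System are the ones the policies map to (they are not named on the slides); reading HKLM needs no elevation. The default for the last policy is not given on the slide and is assumed to be Enabled, the OS default.

```powershell
# Added example, not from the deck: compare effective UAC policy with the slide defaults.
# Value names are the registry values the policies map to; reading them needs no elevation.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$OnOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }

# Registry value -> policy name on the slide, slide default, and decoding of the DWORD.
$UacPolicies = @(
    @{ Value = 'FilterAdministratorToken';    Default = 0; Decode = $OnOff
       Name  = 'Admin Approval Mode for the built-in Administrator account' }
    @{ Value = 'ConsentPromptBehaviorAdmin';  Default = 2
       Name  = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Decode = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent' } }
    @{ Value = 'ConsentPromptBehaviorUser';   Default = 1
       Name  = 'Behavior of the elevation prompt for standard users'
       Decode = @{ 0 = 'Automatically deny elevation requests'; 1 = 'Prompt for credentials' } }
    @{ Value = 'EnableInstallerDetection';    Default = 1; Decode = $OnOff
       Name  = 'Detect application installations and prompt for elevation' }
    @{ Value = 'ValidateAdminCodeSignatures'; Default = 0; Decode = $OnOff
       Name  = 'Only elevate executables that are signed and trusted' }
    @{ Value = 'EnableLUA';                   Default = 1; Decode = $OnOff
       Name  = 'Run all administrators in Admin Approval Mode' }
    @{ Value = 'PromptOnSecureDesktop';       Default = 1; Decode = $OnOff
       Name  = 'Switch to the secure desktop when prompting for elevation' }
    @{ Value = 'EnableVirtualization';        Default = 1; Decode = $OnOff   # default assumed; the slide gives none
       Name  = 'Virtualize file and registry write failures to per-user locations' }
)

# Values that leave UAC materially weaker than the defaults above.
$WeakValues = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }

function Get-UacPolicyReport {
    $current = Get-ItemProperty -Path $UacPolicyKey
    foreach ($p in $UacPolicies) {
        $raw = $current.($p.Value)
        if ($null -eq $raw) { $raw = $p.Default }   # value absent: the OS applies the default
        $decoded = $p.Decode[[int]$raw]
        [pscustomobject]@{
            Policy         = $p.Name
            Setting        = if ($decoded) { $decoded } else { "raw value $raw" }
            MatchesDefault = ($raw -eq $p.Default)
            Weakened       = $WeakValues.ContainsKey($p.Value) -and ($raw -eq $WeakValues[$p.Value])
        }
    }
}

Get-UacPolicyReport | Format-Table -AutoSize -Wrap
```

On Windows 7 and later the administrator prompt default is value 5 (prompt only for non-Windows binaries), which the table reports as a raw value because the slide predates it; a Weakened row of True is the one that warrants a follow-up.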
