wcl310 raiders of the elevated token
Post on 21-May-2015
991 Views
Preview:
DESCRIPTION
TRANSCRIPT
Raiders of the Elevated Token: Understanding User Account Control and Session Isolation (repeats on May 19 at 1pm)
Raymond P.L. Comvalius MCT, MVPIndependent IT Infrastructure SpecialistThe Netherlands
WCL310
Introducing Raymond Comvalius
Independent Consultant, Trainer, and AuthorMVP: Expert Windows IT ProBlog: www.xpworld.comTwitter: @xpworldEditor for bink.nuwww.books4brains.comwww.mvp-press.com
Agenda
User Account ControlWhat is UAC?Configuring User Account ControlIntegrity LevelsFile & Registry VirtualizationHow to Control Elevation
Session 0 IsolationService ID
Disabled by Default in Windows 7 and Vista
Most Secure – Best Choice for IT
Windows 7 and Vista - Default
XP Default
Windows User Types
The AdministratorThe account named ‘administrator’
An AdministratorYour name with administrator privileges
Protected AdministratorAKA: ‘Administrator in Admin Approval Mode’
Standard UserYour name without administrator privileges
Standardizing the User Token
User-SID
Local/Builtin Group SIDs
Domain Group SIDs
Mandatory Label
Rights/Privileges
Create a token objectAct as part of the operating system Take ownership of files and other objects Load and unload device driversBack up files and directoriesRestore files and directoriesImpersonate a client after authentication Modify an object labelDebug programs
AdministratorsBackup OperatorsPower UsersNetwork Configuration Operators
Group Policy Creator OwnersSchema AdminsEnterprise AdminsDenied RODC Password Replication Group
demo
Examining the Access Token
Consent UI
The ‘face’ of UACWarns you for a User State change (AKA new token creation)Secure Desktop
Screen mode like pressing Ctrl-Alt-DelCreates screenshot of the desktop (programs keep running in the background)Keeps scripts etc. from pressing keys or clicking the mouse
Configuring UAC in the Control Panel
From the Control PanelAlways notifyDefaultDo not dim the displayNever notify
With Group PolicyMore granular controls
Configuring UAC in Group Policy
Behaviour for Standard UsersDeny AccessPrompt for Credentials
Admin Approval Mode for the built-in Administrator accountFor Administrators in Admin Approval Mode
Prompt for ConsentPrompt for CredentialsElevate without prompting
Not same as disable UAC!
demo
Configuring UAC
UIAccess Applications
Software alternatives for the mouse and keyboardFor example Remote Assistance
User Interface Accessibility integrity levelWindows always checks signature on UIAccess ApplicationsUIAccess applications must be installed in secure locationsOptionally these applications can disable the secure desktop (used with Remote Assistance)
Remote Assistance and the Secure Desktop
for non-administrative users
Integrity Levels
Mandatory Access ControlLevels are part of the ACLs and TokensLower level object has limited access to higher level objectsUsed to protect the OS and for Internet Explorer Protected Mode
System High Medium(Default)
Low
Services Administrators Standard Users
IE Protected Mode
Standardizing the User Token
User-SID
Local/Builtin Group SIDs
Domain Group SIDs
Mandatory Label
Rights/Privileges
Integrity level: High (Elevated Token)
Integrity level: Medium
IE protected mode
Only with User Account Control enablediexplore.exe runs with Low Integrity LevelUser Interface Privilege Isolation (UIPI)
Internet Explorer 8
Internet Explorer 9
IE Broker mechanismiexplore.exe
Protected-mode Broker Object
UI frame Favorites Bar Command Bar
iexplore.exe (tab process 1)
Browser Helper Objects
Toolbar Extensions
ActiveX Controls
Tab 1 Tab n
iexplore.exe (tab process n)
Browser Helper Objects
Toolbar Extensions
ActiveX Controls
Tab 1 Tab n
Low Integrity LevelProtected Mode = On
Medium Integrity LevelProtected Mode = Off
Internet/Intranet
Trusted S
ites
demo
Integrity Levels
File Virtualization
File Virtualization is a compatibility featureThe following folders and subfolders are virtualized:
%WinDir% \Program Files \Program Files (x86)
Virtual Store:%UserProfile%\AppData\Local\VirtualStore
Troubleshooting file virtualizationEvent Log: UAC-FileVirtualization
Disabling file virtualization
Registry Virtualization
Virtualizes most locations under HKLM\SoftwareKeys that are not virtualized:
HKLM\Software\Microsoft\WindowsHKLM\Software\Microsoft\Windows NT\HKLM\Software\Classes
Per user location: HKCU\Software\Classes\VirtualStoreFlag on a registry key defines if it can be virtualized
“Reg flags HKLM\Software” shows flags for HKLM\Software
Registry Virtualization is NOT logged in the EventLog
demo
File & Registry Virtualization
What defines a UAC state change
Executables that are part of the Windows OSFile NameManifestCompatibility SettingsShims
UAC for the Windows OS
Default no warning when elevating Windows OS programsExcept for:
CMD.exeRegedit.exe
What’s in a name?
Evaluation of the file name determines need for elevationSetupInstalUpdate
Disable this feature in Group Policy when needed
UAC and Manifests
Configure the need for elevation per file:asInvokerhighestAvailablerequireAdministrator
External or InternalUse mt.exe from the SDK to inject a manifestUse SigCheck.exe from SysInternals to view the manifest
demo
File names and manifests
UAC and compatibility settings
Configure the shortcutRequireAdministratorRunAsInvoker
Create a ShimNeed the Application Compatibility Toolkit Compatibility AdministratorCompatibility ModesCompatibility Fixes
demo
Compatibility Settings
Does this look familiar?
Session 0 isolation
Services run in session 0Before Vista, session 0 belonged to the consoleUsers logon to session 1 and higherIf a service interacts in session 0 you see this message
demo
Session 0 isolation
Why is this?
Services SID
A service can be a security entityWindows uses TrustedInstaller (Windows Installer Service)Only TrustedInstaller has Full Control accessTrustedInstaller = “NT Service\TrustedInstaller”TrustedInstaller installs:
Windows Service PacksHotfixesOperating System UpgradesPatches and installations by Windows Update
demo
TrustedInstaller
Yes you can!
User Account Control is no black magicUAC makes Internet Explorer a safer browserAnalyze your applicationsGet to know the tools
Whoami.exeicacls.exeSysInternalsApplication Compatibility Toolkit (ACT)Windows SDK
Related Content
WCL312: Sysinternals Primer: Autoruns, Disk2vhd, ProcDump, BgInfo and AccessChkWCL402: Troubleshooting Application Compatibility Issues with Windows 7
Find Me At The Springboard booth
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
www.microsoft.com/teched
Sessions On-Demand & Community Microsoft Certification & Training Resources
Resources for IT Professionals Resources for Developers
www.microsoft.com/learning
http://microsoft.com/technet http://microsoft.com/msdn
Learning
http://northamerica.msteched.com
Connect. Share. Discuss.
Complete an evaluation on CommNet and enter to win!
Scan the Tag to evaluate this session now on myTech•Ed Mobile
top related