WCL310: Raiders of the Elevated Token: Understanding User Account Control and Session Isolation
(repeats on May 19 at 1pm)
Raymond P.L. Comvalius, MCT, MVP
Independent IT Infrastructure Specialist, The Netherlands
Introducing Raymond Comvalius
- Independent Consultant, Trainer, and Author
- MVP: Expert Windows IT Pro
- Blog: www.xpworld.com
- Twitter: @xpworld
- Editor for bink.nu
- www.books4brains.com
- www.mvp-press.com
Agenda
- User Account Control
  - What is UAC?
  - Configuring User Account Control
  - Integrity Levels
  - File & Registry Virtualization
  - How to Control Elevation
- Session 0 Isolation
- Service ID
Windows User Types
- The Administrator: the account named 'Administrator'. Disabled by default in Windows 7 and Vista.
- An Administrator: your own account with administrator privileges, always running with the full token. The XP default.
- Protected Administrator, AKA 'Administrator in Admin Approval Mode': your own account with administrator privileges, but running with a filtered token until you elevate. The Windows 7 and Vista default.
- Standard User: your own account without administrator privileges. Most secure; the best choice for IT.
Standardizing the User Token
An access token carries:
- User SID
- Local/Builtin group SIDs
- Domain group SIDs
- Mandatory label (integrity level)
- Rights/privileges

When a member of Administrators logs on with UAC enabled, Windows derives a second, filtered token and uses that for the desktop and for every program started from it. The filtered token has these privileges removed:
- Create a token object (SeCreateTokenPrivilege)
- Act as part of the operating system (SeTcbPrivilege)
- Take ownership of files and other objects (SeTakeOwnershipPrivilege)
- Load and unload device drivers (SeLoadDriverPrivilege)
- Back up files and directories (SeBackupPrivilege)
- Restore files and directories (SeRestorePrivilege)
- Impersonate a client after authentication (SeImpersonatePrivilege)
- Modify an object label (SeRelabelPrivilege)
- Debug programs (SeDebugPrivilege)

These group SIDs stay in the filtered token but are marked 'used for deny only': they can still match a Deny ACE, but never an Allow ACE:
- Administrators, Backup Operators, Power Users, Network Configuration Operators
- Group Policy Creator Owners, Schema Admins, Enterprise Admins, Denied RODC Password Replication Group
Demo: Examining the Access Token
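An added example, not part of the session or its demo: a PowerShell function that classifies the current token the way the token slide does, using only whoami.exe, which the closing slide recommends. It relies on the column names and attribute strings that whoami /fo csv prints on Vista and later; nothing else is assumed. Run it once in a normal PowerShell window and once in a window started with 'Run as administrator' to see the filtered and the full token side by side.

```powershell
function Get-TokenSummary {
    # whoami can emit CSV, which ConvertFrom-Csv turns into objects with the
    # columns "Group Name","Type","SID","Attributes" and "Privilege Name","Description","State".
    $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami.exe /priv   /fo csv | ConvertFrom-Csv

    # The integrity level is carried as a group whose Type is "Label".
    $label = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'

    # BUILTIN\Administrators is S-1-5-32-544. In a filtered token the SID is still
    # present, but with the attribute "Group used for deny only".
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $adminsDenyOnly = [bool]($admins -and ($admins.Attributes -match 'deny only'))

    # Privileges UAC strips from the filtered token (see the token slide). whoami /priv
    # lists enabled and disabled privileges alike, so a missing name means "not in the token".
    $strippedByUac = 'SeCreateTokenPrivilege', 'SeTcbPrivilege', 'SeTakeOwnershipPrivilege',
                     'SeLoadDriverPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
                     'SeImpersonatePrivilege', 'SeRelabelPrivilege', 'SeDebugPrivilege'
    $present = @($privs | Where-Object { $strippedByUac -contains $_.'Privilege Name' } |
                 ForEach-Object { $_.'Privilege Name' })

    $kind = if (-not $admins)      { 'Standard user' }
            elseif ($adminsDenyOnly) { 'Protected Administrator (filtered token)' }
            else                     { 'Administrator (full token)' }

    [pscustomobject]@{
        IntegrityLabel       = $label
        InAdministrators     = [bool]$admins
        AdministratorsDenyOnly = $adminsDenyOnly
        ElevatedPrivileges   = $present
        TokenKind            = $kind
    }
}

Get-TokenSummary | Format-List
```

A Protected Administrator's normal window reports the Medium label, Administrators present but deny-only, and an empty ElevatedPrivileges list; the elevated window reports High, Administrators usable, and the full list. A process that reports High with Administrators usable is the one the consent UI was asking about.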
Consent UI
- The 'face' of UAC: it warns you of a user state change, i.e. that a process is about to be started with the full (elevated) token instead of the filtered one
Secure Desktop
- A separate desktop, like the one you get when pressing Ctrl-Alt-Del
- Windows takes a screenshot of the user desktop and dims it behind the prompt (programs on the user desktop keep running in the background)
- Processes on the user desktop cannot send keystrokes or mouse clicks to the prompt, so a script or a piece of malware cannot click 'Yes' for you
Configuring UAC in the Control Panel
From the Control Panel (the notification slider):
- Always notify
- Default (notify only when programs try to make changes to the computer)
- Do not dim the display
- Never notify
With Group Policy:
- More granular controls
Configuring UAC in Group Policy
Behaviour of the elevation prompt for standard users:
- Deny access (automatically deny elevation requests)
- Prompt for credentials
Admin Approval Mode for the built-in Administrator account (off by default, which is why 'The Administrator' always gets the full token)
Behaviour of the elevation prompt for administrators in Admin Approval Mode:
- Prompt for consent
- Prompt for credentials
- Elevate without prompting
'Elevate without prompting' is not the same as disabling UAC: the token is still split, programs still start with the filtered token, and virtualization and IE Protected Mode keep working; only the consent dialog is skipped, so any process can get the full token without the user noticing.
Demo: Configuring UAC
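The Group Policy settings above are stored as values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following script is an added example (not from the session) that decodes the current values and shows the weak setting beside the corrected one; the value names and their meanings are the documented ones for Windows Vista and 7, and the script assumes Windows PowerShell 3 or later. Changing the values needs an elevated shell and takes effect at the next logon (EnableLUA needs a reboot).

```powershell
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: the prompt for administrators in Admin Approval Mode
$adminBehaviour = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
# ConsentPromptBehaviorUser: the prompt for standard users
$userBehaviour = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $uacKey
    # A missing value means "not configured"; never let it fall through to 0 (= elevate silently).
    $decode = {
        param($table, $value)
        if ($null -eq $value)                  { 'not set' }
        elseif ($table.ContainsKey([int]$value)) { $table[[int]$value] }
        else                                    { "unknown ($value)" }
    }
    [pscustomobject]@{
        UacEnabled                    = $p.EnableLUA                    # 0 here is what 'Never notify' ends up as
        AdminPromptBehaviour          = & $decode $adminBehaviour $p.ConsentPromptBehaviorAdmin
        StandardUserPromptBehaviour   = & $decode $userBehaviour  $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop         = $p.PromptOnSecureDesktop
        BuiltinAdminInApprovalMode    = $p.FilterAdministratorToken
        FileAndRegistryVirtualization = $p.EnableVirtualization
        InstallerDetection            = $p.EnableInstallerDetection
        UIAccessOnlyFromSecurePaths   = $p.EnableSecureUIAPaths
    }
}

Get-UacPolicy | Format-List

# Weak: the consent dialog is skipped, every elevation request succeeds silently.
# Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 0
# Corrected: prompt for consent on the secure desktop (the 'Always notify' slider position).
# Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2
# Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1
```

The slider positions map onto these values: 'Always notify' is ConsentPromptBehaviorAdmin 2 with PromptOnSecureDesktop 1, the default is 5 with 1, 'Do not dim' is 5 with 0, and 'Never notify' is 0 with 0 and EnableLUA 0 after the reboot, which is why the slide warns that the policy 'Elevate without prompting' (0 with EnableLUA still 1) is not the same thing.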
UIAccess Applications
- Software alternatives for the mouse and keyboard, for example Remote Assistance or an on-screen keyboard
- They run at the special UIAccess integrity level, just above Medium, so UIPI lets them drive the windows of other applications
- Windows always checks the Authenticode signature of a UIAccess application
- UIAccess applications must be installed in a secure location (\Program Files, \Program Files (x86) or \Windows\System32); the application asks for the level with uiAccess="true" in its manifest
- Optionally these applications may be allowed to interact with the secure desktop (a Group Policy setting, used with Remote Assistance)
Remote Assistance and the Secure Desktop for non-administrative users
Integrity Levels
- Mandatory Access Control: the level is part of the object's ACL (the mandatory label in its SACL) and of the token
- The default policy is no-write-up: a lower-level process may read a higher-level object, but cannot write to, delete or relabel it, however permissive the DACL is
- Used to protect the OS and for Internet Explorer Protected Mode

| Level            | Typical holder                                                  |
|------------------|-----------------------------------------------------------------|
| System           | Services                                                        |
| High             | Administrators (the elevated token)                             |
| Medium (default) | Standard users, the filtered token, and every object without a label |
| Low              | IE Protected Mode                                               |
Standardizing the User Token (continued)
Both tokens of a Protected Administrator carry the user SID, the local/builtin group SIDs, the domain group SIDs, a mandatory label and rights/privileges; besides the privileges and deny-only groups, the mandatory label differs:
- Integrity level High: the elevated token
- Integrity level Medium: the filtered token
IE Protected Mode
- Only available with User Account Control enabled
- iexplore.exe (in IE8 and later, the tab processes) runs at the Low integrity level
- User Interface Privilege Isolation (UIPI) stops the Low-integrity process from sending window messages to higher-integrity windows
- Screenshots: the Protected Mode indicator in Internet Explorer 8 and Internet Explorer 9
IE Broker mechanism (diagram)
- iexplore.exe frame process (Medium integrity): UI frame, Favorites bar, Command bar, and the Protected-mode Broker object
- iexplore.exe tab process 1 ... tab process n: Browser Helper Objects, Toolbar extensions, ActiveX controls, Tab 1 ... Tab n
- Internet/Intranet zones: tab process at Low integrity level, Protected Mode = On
- Trusted Sites zone: tab process at Medium integrity level, Protected Mode = Off
- Anything a Low-integrity tab has to write outside its Low-labeled locations (a download, a saved file, a registry change) goes through the broker, which runs at Medium and asks the user first
Demo: Integrity Levels
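An added example, not part of the session demo, that makes no-write-up visible with icacls.exe, one of the tools the closing slide recommends. Run it from a normal (Medium) PowerShell window as a Protected Administrator; the folder paths and file name are choices of this example, and the elevated steps go through Start-Process -Verb RunAs, so you will see the consent UI from the earlier slide.

```powershell
# Run from an UNELEVATED PowerShell window as a Protected Administrator.
$dir = Join-Path $env:PUBLIC 'il-demo'     # example path; any folder your DACL lets you write to will do
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Raising a label above your own level needs a higher-integrity caller, so label the
#    folder High from an elevated icacls (this is where the consent UI appears).
Start-Process -FilePath icacls.exe -ArgumentList "`"$dir`" /setintegritylevel High" -Verb RunAs -Wait

# 2. The DACL is untouched and still grants this account Full Control; icacls now also
#    shows a "Mandatory Label\High Mandatory Level:(NW)" entry (NW = no write up).
icacls.exe $dir

# 3. A Medium-integrity process cannot write up into a High object, whatever the DACL says.
try {
    New-Item -ItemType File -Path (Join-Path $dir 'from-medium.txt') -ErrorAction Stop | Out-Null
    'Write succeeded: this shell is not Medium integrity (check whoami /groups)'
} catch {
    "Write denied by the mandatory label: $($_.Exception.Message)"
}

# 4. Reading up is still allowed: the default policy is no-write-up, not no-read-up.
Get-ChildItem -Path $dir | Out-Null
'Read succeeded'

# 5. Lowering a label on your own object needs no privilege. This is what browsers do with a
#    download folder so that a Low-integrity tab process can save files into it.
$lowDir = Join-Path $env:PUBLIC 'il-demo-low'
New-Item -ItemType Directory -Path $lowDir -Force | Out-Null
icacls.exe $lowDir /setintegritylevel Low
icacls.exe $lowDir

# Clean up. Deleting the High folder is a write, so it needs the elevated token again.
Start-Process -FilePath cmd.exe -ArgumentList "/c rmdir /s /q `"$dir`"" -Verb RunAs -Wait
Remove-Item -Path $lowDir -Recurse -Force
```

The point of step 3 is the caveat practitioners trip over: an 'Access is denied' on an object whose DACL clearly allows you is usually the label, not the DACL, and icacls shows both in one listing.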
File Virtualization
- File virtualization is a compatibility feature: when a 32-bit interactive process without a manifest, running at Medium integrity, fails to write to a protected location, the write is silently redirected to a per-user copy
- The following folders and their subfolders are virtualized:
  - %WinDir%
  - \Program Files
  - \Program Files (x86)
- Files with executable extensions (.exe, .dll, .sys, .bat, .cmd, .vbs and similar) are never virtualized
- Virtual Store: %UserProfile%\AppData\Local\VirtualStore
- Troubleshooting file virtualization: the event log Microsoft-Windows-UAC-FileVirtualization/Operational
- Disabling file virtualization: give the application a manifest (any requestedExecutionLevel switches virtualization off for that executable), or switch it off machine-wide with the Group Policy setting 'User Account Control: Virtualize file and registry write failures to per-user locations'
Registry Virtualization
- Virtualizes most locations under HKLM\Software. Keys that are not virtualized:
  - HKLM\Software\Microsoft\Windows
  - HKLM\Software\Microsoft\Windows NT
  - HKLM\Software\Classes
- Per-user location: HKCU\Software\Classes\VirtualStore (that is HKEY_USERS\<SID>_Classes\VirtualStore, stored in the user's UsrClass.dat)
- A flag on each registry key (REG_KEY_DONT_VIRTUALIZE) defines whether it can be virtualized; DONT_SILENT_FAIL and RECURSE_FLAG go with it
- 'reg flags HKLM\Software QUERY' shows the flags for HKLM\Software; 'reg flags <key> SET DONT_VIRTUALIZE' changes them
- Registry virtualization is NOT logged in the event log, so a setting that 'only works for administrators' is usually the only symptom
Demo: File & Registry Virtualization
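An added diagnostic script, not part of the session's demo: it queries the virtualization flags of the registry keys named on the slides with reg.exe flags, lists what has already been redirected into the two virtual stores for the current user, and pulls the file virtualization events (there are none for the registry, as the slide says). The key names are the ones from the slides; HKLM\Software\Contoso stands in for a vendor's own key and is a hypothetical.

```powershell
# Which keys are exempt? "REG_KEY_DONT_VIRTUALIZE: SET" means a failed write stays a failure
# instead of being redirected to the per-user store.
foreach ($key in 'HKLM\Software',
                 'HKLM\Software\Microsoft\Windows',
                 'HKLM\Software\Microsoft\Windows NT',
                 'HKLM\Software\Classes') {
    reg.exe flags $key QUERY
}

# What has been redirected so far for this user? Anything listed here is an application that
# believes it wrote to Program Files, %WinDir% or HKLM\Software and actually did not.
function Get-VirtualStoreContents {
    $files = Get-ChildItem -Path "$env:LOCALAPPDATA\VirtualStore" -Recurse -File -ErrorAction SilentlyContinue |
             Select-Object FullName, Length, LastWriteTime
    $keys  = Get-ChildItem -Path 'HKCU:\Software\Classes\VirtualStore' -Recurse -ErrorAction SilentlyContinue |
             Select-Object Name
    [pscustomobject]@{ Files = @($files); RegistryKeys = @($keys) }
}
$store = Get-VirtualStoreContents
"$($store.Files.Count) virtualized files, $($store.RegistryKeys.Count) virtualized registry keys"
$store.Files        | Format-Table -AutoSize
$store.RegistryKeys | Format-Table -AutoSize

# File virtualization is logged; registry virtualization is not, which is why the list above
# is the only place to look for it.
Get-WinEvent -LogName 'Microsoft-Windows-UAC-FileVirtualization/Operational' -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Opting an application's own key out while you test it (run elevated). DONT_SILENT_FAIL makes a
# denied write fail instead of silently handing back a read-only handle, so the application
# notices that it is misbehaving instead of appearing to work for administrators only.
# reg.exe flags 'HKLM\Software\Contoso' SET DONT_VIRTUALIZE DONT_SILENT_FAIL RECURSE_FLAG
```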
What defines a UAC state change
Whether starting an executable triggers elevation (a new process with the full token) is decided from:
- Whether the executable is part of the Windows OS (auto-elevation)
- File name (installer detection)
- Manifest (requestedExecutionLevel)
- Compatibility settings (the RunAsAdministrator / RunAsInvoker layers)
- Shims (Application Compatibility Toolkit)
UAC for the Windows OS
- With the Windows 7 default setting there is no consent prompt when elevating Windows OS programs: they auto-elevate
- Auto-elevation only applies to executables that are signed by Microsoft, live in a secure location (such as \Windows\System32) and carry autoElevate=true in their manifest
- Exceptions that always prompt, because they are not marked autoElevate:
  - CMD.exe
  - Regedit.exe
What's in a name?
- Installer detection: for a 32-bit executable without a manifest, the file name (and strings in its version resource) determines the need for elevation. These substrings in the name trigger it:
  - Setup
  - Instal (which matches Install, Installer and Installation)
  - Update
- Disable this feature with the Group Policy setting 'User Account Control: Detect application installations and prompt for elevation' when needed
UAC and Manifests
- Configure the need for elevation per file with requestedExecutionLevel:
  - asInvoker: run with the caller's token, never prompt
  - highestAvailable: prompt an administrator for the full token, run a standard user unelevated
  - requireAdministrator: always demand the full token (prompt, or fail for a standard user when the policy is 'deny access')
- External (app.exe.manifest next to the file) or internal (embedded as the RT_MANIFEST resource)
- Use mt.exe from the SDK to inject a manifest (this invalidates an existing Authenticode signature, so sign the file afterwards)
- Use SigCheck.exe -m from SysInternals to view the manifest
Demo: File names and manifests
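An added example, not from the slides or the session demo, covering the three preceding slides at once: a manifest that asks for asInvoker, the mt.exe and sigcheck commands the slides name, and a small function that applies the same rules Windows applies (Windows binary with autoElevate, installer-name heuristic, external manifest, embedded manifest with requestedExecutionLevel) to any executable. app.exe and the tool locations are assumptions of this example; the manifest schema and the mt.exe/sigcheck switches are the real ones. The function reads embedded manifests by searching the file for the XML text, which works because RT_MANIFEST resources are stored as plain UTF-8; it is a triage aid, not a PE parser.

```powershell
# 1. The manifest. asInvoker tells UAC never to prompt for this file and, as a side effect,
#    switches off file and registry virtualization for it.
$manifestXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- level: asInvoker | highestAvailable | requireAdministrator -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@
$exe          = '.\app.exe'          # assumed target executable
$manifestPath = "$exe.manifest"      # as an external manifest this name is all that is needed
Set-Content -Path $manifestPath -Value $manifestXml -Encoding Ascii

# 2. Embed it (mt.exe, Windows SDK) and read it back (sigcheck, Sysinternals).
#    Embedding rewrites the file, so re-sign it afterwards.
& mt.exe -manifest $manifestPath "-outputresource:$exe;#1"
& sigcheck.exe -m $exe

# 3. The same rules applied to any executable.
function Get-ElevationRequest {
    param([Parameter(Mandatory)][string]$Path)
    $name = [IO.Path]::GetFileName($Path)
    $text = [Text.Encoding]::UTF8.GetString([IO.File]::ReadAllBytes($Path))
    $m    = [regex]::Match($text, '<assembly[\s\S]*?</assembly>')
    $level = ''; $ui = ''; $auto = ''
    if ($m.Success) {
        $level = [regex]::Match($m.Value, 'requestedExecutionLevel[^>]*\blevel="([^"]+)"').Groups[1].Value
        $ui    = [regex]::Match($m.Value, 'requestedExecutionLevel[^>]*\buiAccess="([^"]+)"').Groups[1].Value
        $auto  = [regex]::Match($m.Value, '<autoElevate>\s*(true|false)\s*</autoElevate>').Groups[1].Value
    }
    # Installer detection only applies to executables that carry no requestedExecutionLevel.
    $installerName = [bool]($name -match 'setup|instal|update')
    [pscustomobject]@{
        File               = $name
        ExternalManifest   = Test-Path -LiteralPath "$Path.manifest"
        EmbeddedManifest   = $m.Success
        RequestedLevel     = if ($level) { $level } else { 'none' }
        UIAccess           = $ui
        AutoElevate        = $auto
        InstallerNameMatch = $installerName
        PromptsForAdmin    = ($level -eq 'requireAdministrator') -or ($level -eq 'highestAvailable') -or
                             (-not $level -and $installerName)
    }
}

# cmd.exe carries an asInvoker manifest without autoElevate, which is why 'Run as administrator'
# on it prompts; eventvwr.exe is marked autoElevate and elevates silently under the default policy.
Get-ElevationRequest -Path "$env:SystemRoot\System32\cmd.exe"
Get-ElevationRequest -Path "$env:SystemRoot\System32\eventvwr.exe"
Get-ElevationRequest -Path $exe
```

Auto-elevation is the one rule the function cannot fully check: besides the autoElevate element, Windows requires a Microsoft signature and a secure location, so treat AutoElevate = true on a file outside \Windows as something to look at, not as something that will work.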
UAC and compatibility settings
- Configure the shortcut or the executable (Properties, Compatibility tab): RunAsAdministrator or RunAsInvoker. These are stored per user (or for all users) as compatibility layers in the registry. RunAsInvoker suppresses the prompt but grants no rights: an application that really needs them fails later instead of at launch
- Create a shim: needs the Application Compatibility Toolkit
  - Compatibility Administrator
  - Compatibility Modes
  - Compatibility Fixes (for example the RunAsInvoker fix)
Demo: Compatibility Settings
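An added example, not part of the session demo: what the Compatibility tab actually writes to the registry, done by hand, plus the one-launch variant through the __COMPAT_LAYER environment variable. The registry key and the RUNASINVOKER/RUNASADMIN layer names are the real ones (Windows 7; later versions prefix the data with "~ "); the application path is a hypothetical.

```powershell
# Per-user layers; the same key under HKLM:\ applies to all users of the machine.
$layers = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$app    = 'C:\Tools\Legacy\LegacySetup.exe'    # hypothetical: its name trips installer detection

function Set-CompatLayer {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('RUNASINVOKER', 'RUNASADMIN')][string]$Layer
    )
    if (-not (Test-Path -Path $layers)) { New-Item -Path $layers -Force | Out-Null }
    # Value name = full path of the executable, data = space-separated layer names.
    Set-ItemProperty -Path $layers -Name $Path -Value $Layer
}

function Get-CompatLayer {
    param([Parameter(Mandatory)][string]$Path)
    (Get-ItemProperty -Path $layers -ErrorAction SilentlyContinue).$Path
}

# Persistent: from now on UAC starts this file with the caller's token and never prompts,
# even though its name matches the installer heuristic.
Set-CompatLayer -Path $app -Layer 'RUNASINVOKER'
Get-CompatLayer -Path $app

# One-off: the same layer for a single launch. Child processes inherit the variable,
# so remove it again afterwards.
$env:__COMPAT_LAYER = 'RunAsInvoker'
Start-Process -FilePath $app -Wait
Remove-Item -Path Env:\__COMPAT_LAYER

# Undo the persistent setting.
Remove-ItemProperty -Path $layers -Name $app -ErrorAction SilentlyContinue
```

RunAsInvoker is a genuine fix for an installer-named program that only writes to the user's profile, and a trap for one that really does need administrator rights: it suppresses the prompt and the requireAdministrator manifest alike, so the program starts, runs with the filtered token, and fails at its first protected write.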
Does this look familiar? (the Interactive Services Detection dialog: 'A program running on this computer is trying to display a message')
Session 0 isolation
- Services run in session 0
- Before Vista, session 0 also belonged to the console user, so a service could put windows on the user's desktop, and anything on that desktop could send messages back to the service (the 'shatter attack' against highly privileged services)
- Since Vista, users log on to session 1 and higher; session 0 has no interactive desktop
- If a service tries to interact with the desktop in session 0, you see the Interactive Services Detection message instead
Demo: Session 0 isolation
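An added example, not from the session demo: list the services that ask for an interactive desktop (each of them can raise the Interactive Services Detection dialog), and show which session every process on the machine actually lives in. It uses only Win32_Service and Get-Process; MyLegacyService in the last line is a hypothetical service name.

```powershell
# Services started with the "interact with desktop" type. Each of these is a candidate
# for the Interactive Services Detection dialog as soon as it shows a window.
function Get-InteractiveServices {
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.DesktopInteract } |
        Select-Object Name, DisplayName, ProcessId, StartMode, State, PathName
}

# Where does every process live? Services and the system sit in session 0; the first
# interactive logon gets session 1, further logons (RDP, Fast User Switching) 2, 3, ...
function Get-SessionMap {
    Get-Process |
        Group-Object -Property SessionId |
        Sort-Object { [int]$_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                SessionId = [int]$_.Name
                Processes = $_.Count
                Examples  = (($_.Group | Select-Object -First 6 -ExpandProperty ProcessName) -join ', ')
            }
        }
}

Get-InteractiveServices | Format-Table -AutoSize
Get-SessionMap          | Format-Table -AutoSize
"This shell runs in session $((Get-Process -Id $PID).SessionId)"

# Fix at the service level (run elevated): drop the 'interact' type so the service no longer
# asks for a desktop it cannot have. The space after 'type=' is required by sc.exe.
# sc.exe config MyLegacyService type= own
```

The real fix is in the service itself: a service that needs to talk to the logged-on user should do so over RPC, a named pipe or WTSSendMessage, never by creating windows, and it should not run as LocalSystem with an interactive desktop just to show a dialog.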
Why is this?
Service SIDs
- A service can be a security principal of its own: Windows derives a SID (S-1-5-80-...) from the service name, and with 'sc sidtype <service> unrestricted' that SID is added to the service's token, so ACLs can grant access to one service instead of to LocalSystem as a whole
- Windows itself uses this for TrustedInstaller (the Windows Modules Installer service; Windows Installer is a different service, msiserver)
- Only TrustedInstaller has Full Control on the protected OS files and registry keys; Administrators have read and execute and must take ownership first to change anything
- TrustedInstaller = "NT SERVICE\TrustedInstaller"
- TrustedInstaller installs:
  - Windows Service Packs
  - Hotfixes
  - Operating System Upgrades
  - Patches and installations by Windows Update
Demo: TrustedInstaller
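An added example, not from the session: computing a service SID from the service name the way Windows does, checking the result against sc showsid, resolving it back to its NT SERVICE account, and then looking at who holds ownership and Full Control on a protected system binary. The algorithm (SHA-1 over the upper-cased UTF-16LE service name, split into five little-endian DWORDs under S-1-5-80) is the documented one; notepad.exe is just a convenient protected file.

```powershell
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Service SID = S-1-5-80-<d1>-<d2>-<d3>-<d4>-<d5>, where d1..d5 are the five little-endian
    # DWORDs of SHA-1(upper-case service name encoded as UTF-16LE).
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = $sha1.ComputeHash($bytes)
    $subAuthorities = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subAuthorities -join '-')
}

# Cross-check against the OS. Use sc.exe explicitly: in PowerShell, sc alone is Set-Content.
$computed = Get-ServiceSid -ServiceName 'TrustedInstaller'
$reported = (sc.exe showsid TrustedInstaller | Select-String -Pattern 'SERVICE SID:').Line.Split(':')[1].Trim()
"computed  : $computed"
"sc showsid: $reported"
"match     : $($computed -eq $reported)"

# Resolve the SID back to its account name (the NT SERVICE\<name> form the slide shows).
$sid = New-Object System.Security.Principal.SecurityIdentifier($computed)
$sid.Translate([System.Security.Principal.NTAccount]).Value

# Who may change a protected OS binary? Owner and Full Control belong to the service SID,
# so even an elevated administrator has to take ownership before editing the DACL.
$acl = Get-Acl -Path "$env:SystemRoot\System32\notepad.exe"
"owner: $($acl.Owner)"
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
```

Because the SID is a pure function of the name, a service SID never needs to be stored anywhere and is the same on every machine; that is what makes "NT SERVICE\TrustedInstaller" usable in ACLs on a freshly installed system. The same function also tells you in advance which SID a third-party service will get once you switch it to sidtype unrestricted.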
Yes you can!
- User Account Control is no black magic
- UAC makes Internet Explorer a safer browser
- Analyze your applications
- Get to know the tools:
  - whoami.exe
  - icacls.exe
  - SysInternals
  - Application Compatibility Toolkit (ACT)
  - Windows SDK
Related Content
- WCL312: Sysinternals Primer: Autoruns, Disk2vhd, ProcDump, BgInfo and AccessChk
- WCL402: Troubleshooting Application Compatibility Issues with Windows 7
Find me at the Springboard booth