Non-Admin and the World of Tomorrow (presented by Robert Hensing, Microsoft Secure Windows Initiative)

Post on 20-Dec-2015


TRANSCRIPT

Page 1: Microsoft Confidential Non-Admin and the World of Tomorrow Presented by: Robert Hensing Microsoft Secure Windows Initiative

Microsoft Confidential

Non-Admin and the World of Tomorrow

Presented by: Robert Hensing, Microsoft Secure Windows Initiative

Page 2

Copyright Microsoft Corp. 2004

Agenda

Houston – we admit we have a problem!

Great! So what is the problem exactly?

How we got here . . .

Why running as non-admin is important

When you come to a fork in the road – take it!

Two paths to non-admin righteousness – which is right for you?

Demonstrations (time permitting)

Elevating up

Dropping down

Page 3

The problem

90% of all people do not need to run with Administrative privileges on Windows (give or take)

Running as administrator grants software excessive privileges & permissions that allow it to do VBT™

Dangerous Admin-only permissions (examples)

Writing to HKCR (Spyware / Adware invoked as COM objects)

Writing to HKLM (Malware can create services that auto-start regardless of who logs in)

Writing to %WINDIR% & %PROGRAMFILES% (malware hidden with system files)

Page 4

The problem . . .

Dangerous Admin-only privileges (examples)

Debug programs (SeDebugPrivilege): Allows malware to write to other processes' memory (think rootkits)

Back up files and directories (SeBackupPrivilege / SeRestorePrivilege): Allows malware to bypass NTFS permissions to read and write files

Load and unload device drivers (SeLoadDriverPrivilege): Allows malware to easily load code into the kernel (rootkits)

Manage auditing and security log (SeSecurityPrivilege): Allows malware to clear the event logs and erase evidence

Take ownership of files or other objects (SeTakeOwnershipPrivilege): Allows malware to take ownership of, and so gain access to, files you own and have ACL'd properly

SeImpersonatePrivilege: Don't have enough privileges? Impersonate the system account!

Page 5

The problem . . .

This is Internet Explorer as a non-admin account

Page 6

The problem . . .

This is Internet Explorer on drugs (admin)

Any questions?

Page 7

How we got here

For decades consumer versions of Windows had a flat permissions model

Windows XP was the first mass-marketed consumer OS based on the NT kernel

Remember Windows 2000 Professional and NT 4.0 Workstation were lower volume and were targeted primarily at corporate users.

Historically the core focus of consumer versions of Windows was application and backwards compatibility – NOT security.

Most applications had been developed with the flat permissions model

Apps could write anything anywhere anytime

This encouraged bad behaviors

Page 8

Why running as non-admin is so important

It's about risk avoidance and attack surface reduction

Malware running as Administrator can modify the operating system and affect all users of a PC

Recovery often involves re-installing the OS

Malware running as a limited user account can impact a user's profile and may only affect that user.

Clean-up and recovery is often much easier, if the malware runs at all!

Page 9

Why running as non-admin is so important

The simple fact is most, if not all, of today's top malware will fail to run properly if run from a regular user account.

Don't believe me?

[email protected]@mm (worm name mangled in extraction)

Copies itself to %system%

Oops – users can't write there

Modifies HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Oops – users can't write there

Creates a new service

Oops – users can't do that

Tries to block access to dozens of security and AV sites

Oops – users can't modify hosts files

Attempts to kill a bunch of processes running as SYSTEM

Oops – users can't kill processes not running as them.
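The following PowerShell script is an added example and is not part of the deck. It audits the logon token of whoever runs it against exactly the admin-only privileges (slide 4) and write locations (slides 3 and 9) that the preceding slides list, so a defender can see which of the worm's steps above would succeed under that token. It assumes only whoami.exe and the .NET registry and file classes; the probe file name is constructed here and the probe file is removed again.

```powershell
# Added example, not from the deck: audit what the current logon token could do
# if malware ran inside it, using the admin-only privileges and write locations
# listed on the preceding slides. Read-only, apart from one zero-byte probe file
# that is created and deleted again in %WINDIR% and %ProgramFiles%.

# Privileges the slides single out as dangerous when a process holds them.
$DangerousPrivileges = @(
    'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeLoadDriverPrivilege', 'SeSecurityPrivilege',
    'SeTakeOwnershipPrivilege', 'SeImpersonatePrivilege'
)

function Get-DangerousPrivilegeReport {
    # whoami /priv lists every privilege in the token, whether or not it is
    # currently enabled. "Disabled" is not "absent": any code running in the
    # process can enable a privilege that is present in the token.
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($name in $DangerousPrivileges) {
        $row = $rows | Where-Object { $_.'Privilege Name' -eq $name }
        [pscustomobject]@{
            Privilege = $name
            InToken   = [bool]$row
            State     = if ($row) { $row.State } else { 'absent' }
        }
    }
}

function Test-RegistryKeyWritable([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey) {
    # Opening the key for write access makes the kernel perform the real access
    # check, but nothing is written. A denied open throws (SecurityException).
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }
        $key.Dispose()
        return $true
    } catch {
        return $false
    }
}

function Test-DirectoryWritable([string]$Path) {
    # Creates a uniquely named (constructed) empty probe file and removes it.
    $probe = Join-Path $Path ('nonadmin-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-FileWritable([string]$Path) {
    # FileMode.Open with FileAccess.Write triggers the access check without
    # truncating or changing the file (used for the hosts file below).
    try {
        [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Write,
                        [IO.FileShare]::ReadWrite).Dispose()
        return $true
    } catch {
        return $false
    }
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"Token: $($identity.Name)   Administrators group active: $isAdmin"
"`nDangerous privileges (from the slides) in this token:"
Get-DangerousPrivilegeReport | Format-Table -AutoSize

"Admin-only write locations from the slides:"
$hosts = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
@(
    [pscustomobject]@{ Location = 'HKCR\CLSID (COM registrations)'
                       Writable = Test-RegistryKeyWritable ([Microsoft.Win32.Registry]::ClassesRoot) 'CLSID' }
    [pscustomobject]@{ Location = 'HKLM\...\CurrentVersion\Run'
                       Writable = Test-RegistryKeyWritable ([Microsoft.Win32.Registry]::LocalMachine) 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    [pscustomobject]@{ Location = "%WINDIR% ($env:WINDIR)";             Writable = Test-DirectoryWritable $env:WINDIR }
    [pscustomobject]@{ Location = "%ProgramFiles% ($env:ProgramFiles)"; Writable = Test-DirectoryWritable $env:ProgramFiles }
    [pscustomobject]@{ Location = "hosts file ($hosts)";                Writable = Test-FileWritable $hosts }
) | Format-Table -AutoSize
```

Run it once from a regular user logon and once from an administrator logon and compare the two reports: the second shows every privilege present (most of them merely Disabled, which is all malware needs) and every location writable. On a system with UAC, an administrator's non-elevated session already carries the filtered token, so the report only shows the full admin picture when run from an elevated prompt.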

Page 10

When you come to a fork in the road . . . Take it!

- Yogi Berra

Page 11

Two approaches to reducing privilege

In Windows there are two ways to run applications with reduced privileges.

1. Login at the regular user privilege level. Temporarily elevate the privilege level of specific applications as needed.

2. Login at the administrator privilege level. Decrease the privilege level of specific applications as needed.

Page 12

Login at the regular user privilege level

Modus Operandi

Login as a regular user

Use Runas.exe or similar tools to elevate permissions of known good applications to administrator level as needed.

Pros

Fails closed (i.e. new / unknown apps run as user by default)

Supported and tested configuration by the product group (sort of).

Cons

Application compatibility

Hundreds if not thousands of applications fail to run, sometimes in spectacular fashion with no warnings or meaningful errors.

Runas.exe doesn't work with everything (various system level adjustments like date/time, power settings, RAS/VPN connectoids, specific types of applications)

Also requires that the user know an admin password!

Can require some non-trivial OS re-configuring and/or scripting to implement seamlessly

Page 13

How I roll at home . . .

I login as a regular user for day to day tasks at home (e-mail, web surfing, watching shows (Media Center), video editing*, photo-sharing)

I login as an administrative account only to update and install software.

I use Fast User Switching and my biometric keyboard.

My pinkies are my administrator account

My index fingers are my regular user account

My middle finger is my wife's account (sssshhhh!!!)

Page 14

Login at the administrator privilege level

Modus Operandi

Login with an account that is a member of Administrators

Create undocumented registry settings or use tools making use of obscure APIs to reduce the privilege level of dangerous / known-bad applications down to that of a regular user by having the OS modify the process's token.

Pros

It just works – all applications except the ones you choose continue to run with admin rights

Some users may encounter fewer problems like this

Decreased help desk costs?

May require less application compatibility testing

Only target applications identified as high-risk and test running those applications at the regular user level.

Cons

Fails open (i.e. new applications default to running as admin)

Assumes it is possible for you to know what your dangerous / high-risk apps are

Officially NOT supported and the APIs used will change in future versions of Windows.

Page 15

How I roll at work . . .

My work and home environments are completely different with different needs.

At home I only ever use 3 maybe 4 applications and Microsoft Update patches them for me once a month.

At work I frequently have the need to install and remove applications, stop and start services, re-configure my system settings etc.

I feel that I have a fairly good grasp of what my high-risk applications and their associated threats are.

As a result I run as admin on my work laptop and desktop to avoid typical non-admin headaches and drop the rights of high-risk apps.

I run Internet Explorer, MSN Messenger, Office Communicator and all Office applications at the regular user privilege level using Software Restriction Policies.

Page 16

Resources for Elevating Privileges to Admin

Aaron Margosis Non-Admin Weblog: http://blogs.msdn.com/Aaron_Margosis/

MakeMeAdmin.cmd script: Creates an elevated command shell running with administrator rights.

Combine with PrivBar for IE: Allows you to see what privilege level IE is running at.

Non-Admin Wiki: http://nonadmin.editme.com

Page 17

Logging in at the regular user privilege level and elevating up.

Demonstration

Run Internet Explorer as Administrator to install updates

Page 18

Resources for Decreasing Privileges to Regular User

Michael Howard's blog: http://blogs.msdn.com/michael_howard/default.aspx

DropMyRights: http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp

SetSAFER: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01182005.asp

3rd party OSS RunAsAdmin Explorer Shim: http://sourceforge.net/projects/runasadmin

Replaces your shell entry in the registry with a shim

It then uses SAFER to start the real shell with reduced rights

Adds an icon to the TaskBar to allow starting specified programs as administrator without having to type in your credentials again.
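The deck describes, on slides 14, 15 and 18, running chosen high-risk applications at the regular user level from an administrator logon by having the OS hand the process a reduced token through SAFER / Software Restriction Policies. As an added example, not code from the deck and not Microsoft's own DropMyRights or SetSAFER, the PowerShell below creates local SRP path rules at the "Basic User" level for a list of applications. It assumes the SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (a numbered level subkey, then Paths, then one GUID-named key per rule); the application paths at the bottom are constructed placeholders.

```powershell
# Added example, not from the deck and not Microsoft's code: create local
# Software Restriction Policies (SAFER) path rules so that chosen applications
# start at the "Basic User" level, i.e. with a regular-user token, even when
# launched from an administrator logon. Run from an administrator session.
# Assumed registry layout: HKLM\...\Safer\CodeIdentifiers\<level>\Paths\{guid}.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level ids; the subkey names are their decimal values.
$Levels = @{
    Disallowed   = 0x00000   # subkey "0"
    BasicUser    = 0x20000   # subkey "131072": strips admin groups and privileges
    Unrestricted = 0x40000   # subkey "262144"
}

function Enable-SaferPolicy {
    # Turn SRP on for all users including administrators (PolicyScope 0).
    # DefaultLevel is only created if absent, and then as Unrestricted: this is
    # the "fails open" approach the slides describe, where everything except the
    # applications given explicit rules keeps running with admin rights.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    $existing = Get-ItemProperty -Path $SaferRoot -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $SaferRoot -Name DefaultLevel -PropertyType DWord -Value $Levels.Unrestricted | Out-Null
    }
    New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $SaferRoot -Name PolicyScope        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,   # may contain environment variables and wildcards
        [ValidateSet('Disallowed', 'BasicUser', 'Unrestricted')] [string] $Level = 'BasicUser',
        [string] $Description = 'Run at the regular user privilege level'
    )
    $ruleKey = Join-Path $SaferRoot ('{0}\Paths\{1}' -f $Levels[$Level], [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $ruleKey
}

function Get-SaferPathRules {
    # List the rules in place, mapping each level id back to its name.
    foreach ($level in $Levels.GetEnumerator()) {
        $paths = Join-Path $SaferRoot "$($level.Value)\Paths"
        if (Test-Path $paths) {
            Get-ChildItem -Path $paths | ForEach-Object {
                [pscustomobject]@{ Level = $level.Key; Path = $_.GetValue('ItemData'); Rule = $_.PSChildName }
            }
        }
    }
}

Enable-SaferPolicy
# Constructed application paths; adjust to what is installed.
$highRiskApps = @(
    '%ProgramFiles%\Internet Explorer\iexplore.exe',
    '%ProgramFiles%\Microsoft Office\*\WINWORD.EXE'
)
foreach ($app in $highRiskApps) { Add-SaferPathRule -Path $app -Level BasicUser | Out-Null }
Get-SaferPathRules | Format-Table -AutoSize
```

The rules apply to processes created after they are written. To see the effect, add a temporary Basic User rule for cmd.exe, open a fresh prompt and run `whoami /groups /priv`: the Administrators group is listed as used for deny only and the privileges from slide 4 are gone, which is what PrivBar shows for IE. Because DefaultLevel stays Unrestricted, anything without a rule still runs as admin, which is the fail-open trade-off slide 14 lists as the main con. SRP is marked deprecated in recent Windows releases, in line with the deck's own warning that this mechanism is unsupported and subject to change.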

Page 19

Logging in at the administrator privilege level and dropping down.

Demonstration

Run Internet Explorer as a regular user to prevent software installation

Run Internet Explorer as admin to install updates

Page 20

Final thoughts . . .

Is reducing the rights of dangerous applications or my logon session as a whole the answer to all my malware problems?

No, but it's a great start!

There are still architectural security issues that can be exploited between processes within the same non-admin logon session that still need to be addressed.

There is still plenty of bad that can be done by malware running without admin rights – if suddenly tomorrow the world were non-admin the malware would change and adapt.

We truly understand the security threat environment facing our customers.

Hundreds of passionate employees are aggressively pushing the non-admin boundaries and applying sustained thinking in this area each day!

We are definitely committed to tackling and solving this problem.