User Account Control: How to Make a Good UAC Application
Peter R. Woods
Senior Program Manager
Microsoft Corporation
Session Objectives
Session objective(s):
Microsoft Windows User Account Control overview
The new Shield paradigm
Writing code in a UAC environment
Windows Vista Logo program
Debugging
Services
Summary & future direction
Why User Account Control?
Most user accounts have Administrator privileges.
Code running without Administrator privileges is safer for the system.
Enterprises realize significant TCO reductions when running with managed systems.
Enterprises are migrating to software that runs as Standard User.
User Account Control
All users run as Standard User by default
Filtered token created during logon
Only specially marked apps get the unfiltered token
Explicit consent required for elevation
Predictable elevation points
High application compatibility
Data redirection
Enabling legacy apps to run as standard user
Installer Detection
UAC Architecture
[Diagram: Abby's admin logon produces a split token: a "Standard User" filtered token carrying Standard User rights, and an Admin token carrying Administrative rights.]

UAC Architecture
[Diagram: the "Standard User" filtered token backs Abby's user processes, which run with Standard User rights only:]
• Change Time Zone
• Run Standard User compliant applications
• Install Fonts
• Install Printers
• Run MSN Messenger

UAC Architecture
[Diagram: the Admin token is used only after the elevation dialog; each elevated task runs in its own admin process with Administrative rights:]
• Admin Process: Install Application
• Admin Process: Configure IIS
• Admin Process: Change Time
Process Isolation
Administrative and Standard User applications share the same desktop
Security challenges:
Cross-process Window messages
DLL injection and create remote thread
Process Isolation mechanisms:
Integrity level for processes
"Lower" cannot interfere with "Higher"
Standard User Token
Privileges typically in Standard User token:
Bypass traverse checking (SeChangeNotify)
Shut down the system (SeShutdown)
Increase Working Set Size (SeIncreaseWorkingSet)
Remove computer from docking station (SeUndock)
Change Time Zone (SeChangeTimeZone)
New in Vista:
All other privileges removed.
Privileged RIDs set to DENY_ONLY
E.g. Administrators, Enterprise Admins, Policy Admins, Power Users, etc.
Token Sample - Admin

User SID
---------------------------
Account = Abby   SID = S-1-5-21-1805867774-1466862479-406111094-1000   Domain = LH-X937PF8H3FFT

Group SIDs
---------------------------
Account = None   SID = S-1-5-21-1805867774-1466862479-406111094-513   Domain = LH-X937PF8H3FFT
    Attribute: SE_GROUP_MANDATORY
    Attribute: SE_GROUP_ENABLED_BY_DEFAULT
    Attribute: SE_GROUP_ENABLED
---------------------------
Account = Everyone   SID = S-1-1-0   Domain =
    Attribute: SE_GROUP_MANDATORY
    Attribute: SE_GROUP_ENABLED_BY_DEFAULT
    Attribute: SE_GROUP_ENABLED
---------------------------
Account = Administrators   SID = S-1-5-32-544   Domain = BUILTIN
    Attribute: SE_GROUP_MANDATORY
    Attribute: SE_GROUP_ENABLED_BY_DEFAULT
    Attribute: SE_GROUP_ENABLED
    Attribute: SE_GROUP_OWNER
---------------------------
Account = INTERACTIVE   SID = S-1-5-4   Domain = NT AUTHORITY
    Attribute: SE_GROUP_MANDATORY
    Attribute: SE_GROUP_ENABLED_BY_DEFAULT
    Attribute: SE_GROUP_ENABLED
...
---------------------------
Account = High Mandatory Level   SID = S-1-16-12288   Domain = Mandatory Label
---------------------------

Restricted SIDs

Privileges
Privilege: SeIncreaseQuotaPrivilege (Disabled)
Privilege: SeSecurityPrivilege (Disabled)
Privilege: SeTakeOwnershipPrivilege (Disabled)
Privilege: SeLoadDriverPrivilege (Disabled)
Privilege: SeSystemProfilePrivilege (Disabled)
Privilege: SeSystemtimePrivilege (Disabled)
Privilege: SeProfileSingleProcessPrivilege (Disabled)
Privilege: SeIncreaseBasePriorityPrivilege (Disabled)
Privilege: SeCreatePagefilePrivilege (Disabled)
Privilege: SeBackupPrivilege (Disabled)
Privilege: SeRestorePrivilege (Disabled)
Privilege: SeShutdownPrivilege (Disabled)
Privilege: SeDebugPrivilege (Disabled)
Privilege: SeSystemEnvironmentPrivilege (Disabled)
Privilege: SeChangeNotifyPrivilege (Enabled)
Privilege: SeRemoteShutdownPrivilege (Disabled)
Privilege: SeUndockPrivilege (Disabled)
Privilege: SeManageVolumePrivilege (Disabled)
Privilege: SeImpersonatePrivilege (Enabled)
Privilege: SeCreateGlobalPrivilege (Enabled)
Privilege: SeIncreaseWorkingSetPrivilege (Disabled)
Privilege: SeTimeZonePrivilege (Disabled)
Privilege: SeCreateSymbolicLinkPrivilege (Disabled)
Token Sample - Filtered

User SID
---------------------------
Account = Abby   SID = S-1-5-21-1805867774-1466862479-406111094-1000   Domain = LH-X937PF8H3FFT

Group SIDs
---------------------------
Account = None   SID = S-1-5-21-1805867774-1466862479-406111094-513   Domain = LH-X937PF8H3FFT
    Attribute: SE_GROUP_MANDATORY
    Attribute: SE_GROUP_ENABLED_BY_DEFAULT
    Attribute: SE_GROUP_ENABLED
---------------------------
Account = Administrators   SID = S-1-5-32-544   Domain = BUILTIN
    Attribute: SE_GROUP_USE_FOR_DENY_ONLY
---------------------------
Account = Users   SID = S-1-5-32-545   Domain = BUILTIN
    Attribute: SE_GROUP_MANDATORY
    Attribute: SE_GROUP_ENABLED_BY_DEFAULT
    Attribute: SE_GROUP_ENABLED
---------------------------
...
Account = INTERACTIVE   SID = S-1-5-4   Domain = NT AUTHORITY
    Attribute: SE_GROUP_MANDATORY
    Attribute: SE_GROUP_ENABLED_BY_DEFAULT
    Attribute: SE_GROUP_ENABLED
---------------------------
Account = Medium Mandatory Level   SID = S-1-16-8192   Domain = Mandatory Label
---------------------------

Restricted SIDs

Privileges
Privilege: SeShutdownPrivilege (Disabled)
Privilege: SeChangeNotifyPrivilege (Enabled)
Privilege: SeUndockPrivilege (Disabled)
Privilege: SeIncreaseWorkingSetPrivilege (Disabled)
Privilege: SeTimeZonePrivilege (Disabled)
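The two dumps differ in exactly the ways the Standard User Token slide lists. The C++ model below, added here and not part of the slides, applies those rules (privileged group RIDs become SE_GROUP_USE_FOR_DENY_ONLY, every privilege outside the five standard-user privileges is removed, High integrity becomes Medium) to a token constructed from the Admin dump above and reproduces the Filtered dump. The structures, helper names and the privileged-SID list are this example's own assumptions, not the Windows LSA implementation; S-1-5-32-547 (Power Users) and RID 519 (Enterprise Admins) are well-known Windows SIDs that do not appear on the slide.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Model of a token (constructed for this example; not the real TOKEN_* structures).
struct Group {
    std::string sid;
    bool denyOnly;   // SE_GROUP_USE_FOR_DENY_ONLY: usable only to match deny ACEs
};

struct Token {
    std::string userSid;
    std::vector<Group> groups;
    std::set<std::string> privileges;   // privilege names held (enabled or disabled)
    std::string integritySid;           // S-1-16-12288 = High, S-1-16-8192 = Medium
};

// Privileged group SIDs/RIDs the slide names (list kept short for the example).
static const std::set<std::string> kPrivilegedSids = {
    "S-1-5-32-544",   // BUILTIN\Administrators
    "S-1-5-32-547",   // BUILTIN\Power Users
};
static const std::set<std::string> kPrivilegedDomainRids = {
    "519",            // <domain>\Enterprise Admins
};

// The five privileges a standard-user token keeps (from the Filtered dump).
static const std::set<std::string> kStandardUserPrivileges = {
    "SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeIncreaseWorkingSetPrivilege",
    "SeUndockPrivilege", "SeTimeZonePrivilege",
};

bool IsPrivilegedSid(const std::string& sid) {
    if (kPrivilegedSids.count(sid)) return true;
    // Domain group: S-1-5-21-<domain>-<rid>; compare the trailing RID.
    if (sid.rfind("S-1-5-21-", 0) != 0) return false;
    size_t dash = sid.rfind('-');
    return dash != std::string::npos && kPrivilegedDomainRids.count(sid.substr(dash + 1)) > 0;
}

// Produce the filtered token Vista builds at logon for a split-token administrator.
Token FilterToken(const Token& full) {
    Token f;
    f.userSid = full.userSid;
    for (Group g : full.groups) {
        if (IsPrivilegedSid(g.sid)) g.denyOnly = true;   // RID stays, but only for DENY ACEs
        f.groups.push_back(g);
    }
    for (const std::string& p : full.privileges)
        if (kStandardUserPrivileges.count(p)) f.privileges.insert(p);   // everything else removed
    f.integritySid = (full.integritySid == "S-1-16-12288") ? "S-1-16-8192" : full.integritySid;
    return f;
}

// True when the token can use `sid` to be granted access (present and not deny-only).
bool HasUsableGroup(const Token& t, const std::string& sid) {
    for (const Group& g : t.groups)
        if (g.sid == sid) return !g.denyOnly;
    return false;
}

// Abby's full token, constructed from the "Token Sample - Admin" dump above.
Token SampleAdminToken() {
    Token t;
    t.userSid = "S-1-5-21-1805867774-1466862479-406111094-1000";
    t.groups = {
        {"S-1-5-21-1805867774-1466862479-406111094-513", false},   // None
        {"S-1-1-0", false},        // Everyone
        {"S-1-5-32-544", false},   // BUILTIN\Administrators
        {"S-1-5-32-545", false},   // BUILTIN\Users
        {"S-1-5-4", false},        // NT AUTHORITY\INTERACTIVE
    };
    t.privileges = {
        "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
        "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
        "SeProfileSingleProcessPrivilege", "SeIncreaseBasePriorityPrivilege",
        "SeCreatePagefilePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
        "SeShutdownPrivilege", "SeDebugPrivilege", "SeSystemEnvironmentPrivilege",
        "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege",
        "SeManageVolumePrivilege", "SeImpersonatePrivilege", "SeCreateGlobalPrivilege",
        "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege", "SeCreateSymbolicLinkPrivilege",
    };
    t.integritySid = "S-1-16-12288";   // High Mandatory Level
    return t;
}

int main() {
    Token f = FilterToken(SampleAdminToken());
    std::printf("integrity %s, %zu privileges, Administrators usable: %s\n",
                f.integritySid.c_str(), f.privileges.size(),
                HasUsableGroup(f, "S-1-5-32-544") ? "yes" : "no");
    return 0;
}
```

The deny-only rule is why an explicit "am I in Administrators?" check against the filtered token's group list still matches: the SID is present, it just cannot grant anything. That is the trap behind the later advice not to rely on explicit Admin checks in Standard User applications.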
User Experience (UX)
The Security Shield Icon
The Security Shield
Goal is to make your application simple & predictable
Attached to controls which, if clicked, will require elevation as the next step
Has only one state (i.e. no hover, disabled etc.)
Does not remember elevated state
Not an unlock operation
Security Shield UI Examples
Consent UI
OS Application
Unsigned Application
Signed Application
Credential UI
User Experience Guidelines
Rules for shield and elevation
MSDN and Windows Vista website:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
http://msdn.microsoft.com/library/?url=/library/en-us/UxGuide/UXGuide/Home.asp?frame=true
www.microsoft.com/windowsvista
New documents are being added. Check under 'What's new' heading
Coding for UAC in a nutshell
Design code to not require any Administrative privileges whenever possible.
Per-machine settings during install:
Place per-machine (shared) data into %ALLUSERSPROFILE%
Place per-machine registry settings in HKLM
Per-user settings at first run:
Store per-user data in user profile
Place per-user data into %LOCALAPPDATA%
Place per-user registry settings in HKCU
Store user shared data in Users\Public
Take advantage of the Windows Vista Logo program!
Coding for UAC in a nutshell
Examples of what not to do:
Avoid self-updating code.
Major Application Compatibility issue
Do not perform admin configuration at first run.
Do not rely on explicit Admin checks for Standard User applications
Applications that require Administrator privileges
Administrative applications can be marked to identify them to the O/S:
Mark application as requiring Administrator privileges using embedded manifest.
Installer detection
Application Compatibility shims
Compatibility Tab on Program Properties
Right-click Run as administrator
Applications that require Administrator privileges
Mixed use applications:
Application is bifurcated into non-administrative and administrative sections… Application launches as Standard user
Within UI, clearly identify Administrative tasks
Ensure Standard users can be fully productive
Identify tasks that need elevation with a "shield"
Elevated tasks launch in separate process:
Separately marked executable
Elevated COM object
Object should request confirmation
Command line tools should run AsInvoker…
Separation of Admin Code
Cannot elevate a running process
Communication: Two Design Patterns
Service Broker Model:
IPC
Globally mapped shared memory
Side by Side Processes:
IPC
Named pipes
Global or locally mapped shared memory
RequestedExecutionLevels
Level = asInvoker: Launch with the same token as the parent process
Level = highestAvailable: Launch with the highest token this user possesses
Level = requireAdministrator: Highest token of the User, provided User is a member of Administrators group
Sample Manifest
MyAdminApp.exe.manifest

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="MyAdminApp" type="win32"/>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
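To show what the three RequestedExecutionLevels mean in practice, here is an added C++ example (not from the slides, and not Windows' own loader logic) that pulls the level and uiAccess attributes out of a manifest such as the one above and then models the launch decision the previous slide describes: which token the new process gets and whether the user is prompted. The parser is deliberately minimal (one element, quote-aware attribute scan) and the ResolveLaunch rules are this example's reading of the slide; the Credential UI outcome for a non-administrator launching a requireAdministrator app is an assumption based on the Credential UI slide.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>

// The MyAdminApp.exe.manifest from the slide, embedded as sample input.
static const char* kSampleManifest = R"(<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyAdminApp" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>)";

struct ManifestInfo {
    std::string level;      // asInvoker | highestAvailable | requireAdministrator
    bool uiAccess = false;  // uiAccess="true" marks an assistive-technology app
};

// Value of attribute `name` inside the text of one XML element, or "" if absent.
// Requires a whole attribute name followed by '=' and a quoted value.
static std::string GetAttr(const std::string& element, const std::string& name) {
    size_t pos = 0;
    while ((pos = element.find(name, pos)) != std::string::npos) {
        size_t eq = pos + name.size();
        bool wordStart = pos == 0 || element[pos - 1] == ' ' || element[pos - 1] == '\t' ||
                         element[pos - 1] == '\n';
        if (wordStart && eq + 1 < element.size() && element[eq] == '=') {
            char q = element[eq + 1];
            if (q == '"' || q == '\'') {
                size_t end = element.find(q, eq + 2);
                if (end != std::string::npos) return element.substr(eq + 2, end - eq - 2);
            }
        }
        pos = eq;
    }
    return "";
}

// Extract the requestedExecutionLevel element; reject missing or unknown levels.
ManifestInfo ParseManifest(const std::string& xml) {
    size_t start = xml.find("<requestedExecutionLevel");
    if (start == std::string::npos) throw std::runtime_error("no requestedExecutionLevel element");
    size_t end = xml.find('>', start);
    if (end == std::string::npos) throw std::runtime_error("unterminated requestedExecutionLevel");
    std::string element = xml.substr(start, end - start);
    ManifestInfo info;
    info.level = GetAttr(element, "level");
    if (info.level != "asInvoker" && info.level != "highestAvailable" &&
        info.level != "requireAdministrator")
        throw std::runtime_error("unknown level: " + info.level);
    info.uiAccess = GetAttr(element, "uiAccess") == "true";
    return info;
}

struct LaunchDecision {
    std::string token;             // "parent", "standard" or "full"
    bool consentPrompt = false;    // Consent UI shown to a split-token administrator
    bool credentialPrompt = false; // Credential UI shown so an administrator can authorize
};

// Model of the launch behaviour on the RequestedExecutionLevels slide.
// userIsAdmin: logged-on user is a member of Administrators (has a split token).
// parentElevated: the launching process already runs with the full token.
LaunchDecision ResolveLaunch(const std::string& level, bool userIsAdmin, bool parentElevated) {
    LaunchDecision d;
    if (level == "asInvoker") {               // same token as the parent, never a prompt
        d.token = "parent";
    } else if (level == "highestAvailable") { // highest token this user possesses
        if (!userIsAdmin) { d.token = "standard"; return d; }   // nothing higher: no prompt
        d.token = "full";
        d.consentPrompt = !parentElevated;
    } else if (level == "requireAdministrator") {
        d.token = "full";
        if (userIsAdmin) d.consentPrompt = !parentElevated;
        else d.credentialPrompt = true;       // assumption: Credential UI for a non-admin
    } else {
        throw std::invalid_argument("unknown level: " + level);
    }
    return d;
}

int main() {
    ManifestInfo m = ParseManifest(kSampleManifest);
    LaunchDecision d = ResolveLaunch(m.level, true, false);
    std::printf("level=%s uiAccess=%d -> token=%s consent=%d\n",
                m.level.c_str(), m.uiAccess, d.token.c_str(), d.consentPrompt);
    return 0;
}
```

Note what the model makes explicit: an unmanifested or asInvoker process can never raise its own token, which is why the Separation of Admin Code slide says a running process cannot be elevated and the admin work must live in a separately marked executable or COM object.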
Admin Application Marking
Manifest marking in VS 2005 for C/C++
Manifest marking in VS 2005
Shield UI Examples
… Add a Shield glyph to my UI

#include <shellapi.h>

HICON hiconShield;

// if you want the small icon
{
    SHSTOCKICONINFO sii = {};
    sii.cbSize = sizeof(sii);
    SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_SMALLICON, &sii);
    hiconShield = sii.hIcon;   // release with DestroyIcon() when done
}

// if you want the large icon
{
    SHSTOCKICONINFO sii = {};
    sii.cbSize = sizeof(sii);
    SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_LARGEICON, &sii);
    hiconShield = sii.hIcon;
}

// if you want an icon at a custom size: ask only for the icon's location,
// then extract it yourself (the slide elides the remaining ExtractIconEx arguments)
{
    SHSTOCKICONINFO sii = {};
    sii.cbSize = sizeof(sii);
    SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICONLOCATION, &sii);
    hiconShield = ExtractIconEx(sii. ...);
}
Security Shield UI Examples
The standard button control (PUSHBUTTON, DEFPUSHBUTTON) has been enhanced to allow you to add an icon along with the displayed text, without requiring the BS_ICON or BS_BITMAP styles to be set. To show the shield icon, you can call the following macro (defined in commctrl.h):

Button_SetElevationRequiredState(hwndButton, fRequired);

Where hwndButton is the HWND of the button and fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield.

A Windows Message can also be used to enable the shield on a button:

lresult = SendMessage(hwndButton, BCM_SETSHIELD, 0, fRequired);

Where hwndButton is the HWND of the button and fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield.
Coding samples
Use ShellExecute() rather than CreateProcess() when launching other applications.
CreateProcess() will return an error if elevation is required
ShellExecute() sends to the Application Information Service (AIS) for elevated launch.

retHandle = ShellExecute(NULL, L"open", L"\\Program Files\\MyApp\\MyAdminApp.exe", NULL, NULL, SW_SHOWNORMAL);
Coding samples
Runas verb to ShellExecuteEx()
Allows caller to request elevation of normally unelevated apps.
Pass 'runas' as the lpVerb in the SHELLEXECUTEINFO structure:

(structure pointer)->lpVerb = L"runas";
Coding samples
Launching an elevated COM object
Accomplished using elevation moniker
Object class must be registered as being 'elevatable':
    HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}\Elevation
        Enabled    REG_DWORD    1
Object class must have 'friendly name' assigned:
    HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}
        "LocalizedString"    REG_EXPAND_SZ    "@%ProgramFiles%\YourApp\YourElevatedComObject.dll,-101"
Object has string name defined in DLL string table:
    STRINGTABLE
    LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
    {
        101, "Your Elevated Com Object"
    }
Object elevation is requested at launch time
Coding samples
Elevation moniker in action
Example:

#include <windows.h>
#include <objbase.h>
#include <strsafe.h>

// Creates an elevated instance of the COM class rclsid through the
// "Elevation:Administrator!new:{CLSID}" moniker. hwnd owns the consent dialog.
HRESULT CreateElevatedComObject(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void ** ppv)
{
    BIND_OPTS3 bo;
    WCHAR wszCLSID[50];
    WCHAR wszMonikerName[300];

    StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID)/sizeof(wszCLSID[0]));
    HRESULT hr = StringCchPrintf(wszMonikerName,
                                 sizeof(wszMonikerName)/sizeof(wszMonikerName[0]),
                                 L"Elevation:Administrator!new:%s", wszCLSID);
    if (FAILED(hr))
        return hr;

    memset(&bo, 0, sizeof(bo));
    bo.cbStruct = sizeof(bo);
    bo.hwnd = hwnd;                          // parent window for the consent UI
    bo.dwClassContext = CLSCTX_LOCAL_SERVER; // the elevated object runs in its own process
    return CoGetObject(wszMonikerName, &bo, riid, ppv);
}
Windows Vista Logo Program & UAC
Builds upon existing Windows XP Logo Program
Enhancements around running as standard user
Use Install bootstrap model if launching software directly from installation process
App must contain requestedExecutionLevel in an embedded manifest to define run level
Authenticode sign installation package and all binaries
Debugging Administrative Apps
Launch copy of Visual Studio 2005 elevated:
Start->All Programs->Microsoft Visual Studio 2005->(right click on) Microsoft Visual Studio 2005
Select Run as Administrator
Debug your program
Process Isolation & Assistive Technology
Mechanism exists to mark Accessibility applications
Accessibility apps (Assistive Technology) need to drive UI at higher levels.
Accessibility apps have a manifest requestedExecutionLevel statement of:

<requestedPrivileges>
  <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
</requestedPrivileges>

• Assistive Technology applications must be Authenticode signed and trusted or they will fail to launch.
Debugging Assistive Technology (AT) Apps
Defined as apps with manifest tag: uiAccess=true
AT apps must be Authenticode signed (root in trusted root store)
Launch your AT app from Windows Explorer
Launch copy of Visual Studio 2005 Remote Debugger (msvsmon.exe) from within your app using ShellExecute().
On the remote debugger, select Tools->Options
Click No Authentication (native only) and Allow any user to debug
Debugging Assistive Technology (AT) Apps
On Visual Studio 2005:
Select Debug->Attach to process
Under Transport, select Remote (Native only with no authentication)
Under Qualifier, enter the local machine name
Select the process to debug (your app) and click Attach
Debugging AT Apps
Marking managed code
No obvious way to do this in VS UI for managed code
Manifest can be added after .exe is built
Use tool MT.exe, part of the Windows SDK (add in link)
Steps:
Create manifest file
Use mt.exe to embed manifest:

mt.exe -manifest yourapp.manifest -outputresource:yourapp.exe;#1

Works for all languages: C/C++, C#, J#, and VB
Guides for Services
Don't create interactive services
No UI from services on the user desktop
Use RPC, sockets, named pipes, or COM to communicate
Use reduced privileged account: Local Service or Network Service, if possible
User prompted to shift to special session 0 viewer for interactive services
'Going the other way' – from high to medium
No direct method
Use a bootstrap EXE and launch the elevated EXE/MSI from there.
Create/register a COM server marked to run as Interactive User and use it from your
Less desirable since it leaves the COM server around for anybody else to use later on
Register a WMI.Job (formerly scheduled task) that runs as the interactive user.
Data Redirection for Legacy Apps
Some legacy apps write to admin locations:
HKLM\Software
%SystemDrive%\Program Files etc.
Redirection removes need for elevation:
Writes to HKLM go to HKU redirected store
HKU->(user SID)_Classes->VirtualStore
Writes to system directories redirected to per-user store
(%localappdata%\VirtualStore)
Copy-on-write
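The following C++ model, added here and not part of the slides, shows where a legacy application's writes actually land under redirection and why the copy-on-write behaviour lets the app keep working without elevation. It also encodes the caveat a practitioner needs: redirection applies only to legacy (unmanifested) applications, so an app that declares a requestedExecutionLevel gets a plain access-denied on the same write. The protected directories follow the slide; the expanded %LOCALAPPDATA% path, the MACHINE\SOFTWARE sub-key under the registry VirtualStore and the in-memory file-system class are this example's own assumptions, with Abby's SID taken from the token dumps above.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Case-insensitive prefix test: Windows paths and registry keys ignore case.
static bool StartsWithCI(const std::string& s, const std::string& prefix) {
    if (s.size() < prefix.size()) return false;
    return std::equal(prefix.begin(), prefix.end(), s.begin(), [](char a, char b) {
        return std::tolower(static_cast<unsigned char>(a)) ==
               std::tolower(static_cast<unsigned char>(b));
    });
}

// Protected locations from the slide, with %SystemDrive%, %LOCALAPPDATA% and the
// user SID expanded for Abby (values assumed for this example).
static const std::vector<std::string> kProtectedDirs = {"C:\\Program Files\\", "C:\\Windows\\"};
static const std::string kVirtualStore = "C:\\Users\\Abby\\AppData\\Local\\VirtualStore\\";
static const std::string kHklmSoftware = "HKLM\\Software\\";
static const std::string kRegVirtualStore =
    "HKU\\S-1-5-21-1805867774-1466862479-406111094-1000_Classes\\VirtualStore\\MACHINE\\SOFTWARE\\";

// Where a legacy write to `path` is redirected, or "" if the path is not virtualized.
std::string RedirectFilePath(const std::string& path) {
    for (const std::string& dir : kProtectedDirs)
        if (StartsWithCI(path, dir)) return kVirtualStore + path.substr(3);   // strip "C:\"
    return "";
}

// Same for HKLM\Software: the write lands under the user's VirtualStore key.
std::string RedirectRegistryKey(const std::string& key) {
    if (StartsWithCI(key, kHklmSoftware)) return kRegVirtualStore + key.substr(kHklmSoftware.size());
    return "";
}

// Copy-on-write model of the file system as a standard-user process sees it.
class VirtualizedFs {
public:
    std::map<std::string, std::string> real;    // machine-wide files (read-only to standard users)
    std::map<std::string, std::string> store;   // this user's VirtualStore copies

    // virtualized == false models a manifested (non-legacy) app: no redirection, so a
    // write into a protected location fails with access denied (returns false).
    bool Write(const std::string& path, const std::string& data, bool virtualized) {
        std::string target = RedirectFilePath(path);
        if (target.empty()) { real[path] = data; return true; }   // unprotected location
        if (!virtualized) return false;
        store[target] = data;   // the machine-wide original is left untouched
        return true;
    }

    // Reads prefer the per-user copy, so the app sees its own earlier writes.
    std::string Read(const std::string& path) const {
        std::string target = RedirectFilePath(path);
        if (!target.empty()) {
            auto it = store.find(target);
            if (it != store.end()) return it->second;
        }
        auto it = real.find(path);
        return it == real.end() ? "" : it->second;
    }
};

int main() {
    VirtualizedFs fs;
    const std::string ini = "C:\\Program Files\\MyApp\\settings.ini";
    fs.real[ini] = "installed=1";
    fs.Write(ini, "installed=1\nlastuser=Abby", true);
    std::printf("app reads: %s\nstored at: %s\n", fs.Read(ini).c_str(), RedirectFilePath(ini).c_str());
    return 0;
}
```

For a defender the VirtualStore locations are worth knowing in their own right: a legacy application's "per-machine" settings are in fact per-user copies there, and an inventory of a machine's real Program Files tree or HKLM\Software will not show what each user's copy of the app is actually reading.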
Developer Impact Summary
Windows XP Logo'd for Standard User? It will just work on Windows Vista
Fails on Windows XP as Standard User? Use the SUA Analyzer tool to look for Admin dependencies
Admin app on Windows XP? Needs to be marked as requireAdministrator
Web apps need special attention due to Protected Mode IE
Developer Impact Summary
Installation Best Practices:
Use MSI 3.1 for Install and Update
Alternate to MSI 3.1 – call Update.exe marked as admin to do the update
Be careful with Self Updating Code
ClickOnce is a great deployment technology for Standard User apps
Future UAC Direction
Continue Isolation of Admin code on Standard User Desktop
Integrate Application IDs into OS for Standard User code
Integrate Software Restriction Policies into AppIDs
Tighten down power of Setup applications
Metadata in Manifests
Rollout of Windows Vista Logo program to help ISVs write compliant code.
Work with Developers to reduce dependence on Data Redirection
Resources
General Security Information: http://msdn.microsoft.com/windowsvista/security/
Getting Started with UAC: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
UA Developer Guidelines: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
http://msdn.microsoft.com/library/?url=/library/en-us/UxGuide/UXGuide/Home.asp?frame=true
UAC Blog: http://blogs.msdn.com/uac
UAC Question on Update: http://forums.microsoft.com/msdn/showpost.aspx?postid=111453&siteid=1
Tools
Standard User Analyzer (SUA)
Intended to predict whether an application would work correctly as standard user
Identifies API calls that would fail if attempted by a user
Identifies all Access requiring elevated privileges
Available for download at the Microsoft Download Center:
http://www.microsoft.com/downloads/details.aspx?FamilyID=df59b474-c0b7-4422-8c70-b0d9d3d2f575&DisplayLang=en
SUA Analyzer
• Enter Target App Name
• Enter parameters
• Check Launch Elevated checkbox
• Click Launch button.
• (On Vista, approve two elevation dialogs)
• Exit notepad
• (On Vista, approve elevation dialog)
• Tool shows interaction that would fail as standard user. In this case, boot.ini is not accessible to standard users.
• Send comments to: [email protected]
FAQ
If I mark my app as "admin", can I skip the elevation consent dialog? – No
Can you modify the privilege of a running application? – No
Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not
How long does the elevated process last? Can it time out? – Life of the process
Can I enable which users will use UAC? – Currently this is a per-machine setting
Does UAC apply to all processes and services? – Interactive processes only
What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, subdirectories of %ProgramFiles%
Won't Redirection de-motivate developers to fix their code? – Yes, it is a short-term mitigation, not in 64-bit
What happens when installer detection fails? – The app runs as non-admin
Will UAC be going down-level? – No
Other UAC Goodies
Application Compatibility Toolkit (ACT5) Lab in the TLC all week
UAC Chalk Talk – TechEd Theater, Wednesday 2:00-3:15
SEC310 - Account Control: Running Windows Vista with Least Privilege, Wednesday 4:30-5:45, Room 210 ABC
DEV345 - Windows Vista: Targeting Key Native APIs from Managed Code, Friday 9:00 - 10:15, Room 102 AB
Wrap up & Questions
Fill out a session evaluation on CommNet for a chance to win an XBOX 360!
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.