Page 1: Windows Vista: User Account Protection
Securing Your Application with Least Privilege User Account

Steve Hiskey
FUN 406
Lead Program Manager, SBTU - Security Business Technology Unit
Microsoft Corporation

Page 2: Agenda

- LUA == UAP
- Why User Account Protection (UAP)?
- The UAP Approach
- UAP technologies in Windows Vista
- How this affects your applications today
- Writing Vista Logo Compliant Code

Page 3: Why User Account Protection (UAP)?

- Managed Desktops: systematic control over end-user clients to maintain security & productivity
- Gartner: nearly 40% TCO savings per desktop in a managed environment
  - Reduces day-to-day helpdesk calls
  - Increases end-user productivity/uptime
- Security holes increase Windows client TCO (14 October 2004)

Page 4: Pain Points

- Productivity is lost when my machine is compromised
  - Malware, without my knowledge, can modify Windows when run with elevated privileges
  - Enterprise users running with elevated privileges can compromise the corporation
- We have to relax security to run Line of Business (LoB) applications
  - LoB applications require elevated privileges to run
  - System security must be relaxed to run the LoB application
  - It is costly to re-evaluate the required security settings for each application with every OS release
- Common OS configuration tasks require elevated privilege
  - Simple scenarios like VPN don't work
  - Standard Users are not able to manage configuration changes that affect only their account

Page 5: Windows Vista UAP Goals

- All users run as Standard User by default, even when you log on as admin!
- Common user tasks redesigned to work for Standard User
- High application compatibility
- Administrators use full privilege only for administrative tasks or applications
- User provides explicit consent before using elevated privilege

Page 6: The UAP Approach

- Improving productivity by granting permissions only when needed
  - Allows Standard Users to perform key tasks without impacting system-wide settings
  - Helps to insulate the system files and data from malicious or deceptive code
  - Limits potential damage to my data by using Protected Mode IE
- All apps run as Standard User unless specifically marked
- Process isolation of Admin apps and higher-risk applications
- Enabling Parental Control scenarios

Page 7: Impact on ISV Applications

- High application compatibility for legacy applications
  - Auto-fix legacy compatibility via Data Redirection
- All users run as Standard User by default
  - Applications will run as Standard User by default – start testing now!
- Use full privilege only for administrative tasks or applications
  - Elevation consent required for admin tasks!

Page 8: High Application Compatibility for Legacy Applications

- Legacy apps write to admin locations
  - HKLM\Software
  - %SystemDrive%\Program Files
  - %SystemRoot%
- Redirection allows legacy apps to run as Standard User
  - Writes to HKLM go to a redirected HKCU store
  - Writes to system directories are redirected to a per-user store, copy-on-write
- … you can still write Admin code
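To make the redirection behaviour on this slide concrete, here is a small model of it. This is an added example, not Microsoft's code: a legacy app that writes to HKLM\Software, %ProgramFiles% or %SystemRoot% as a Standard User has the write diverted to a per-user store, later reads see the per-user copy, and the real system copy is untouched (copy-on-write). It also reflects two limits stated in the Q&A at the end of the deck: redirection is absent on 64-bit and UAP applies to interactive processes only. The store paths, user name and file contents are constructed for the example and are not the product's real locations.

```python
"""Model of UAP data redirection for legacy applications (added example).

Protected location -> per-user store it is redirected to.  The store paths
are constructed for this example, not the product's real locations.
"""
PROTECTED = {
    r"HKLM\Software":    r"HKCU\Software\VirtualStore",
    r"C:\Program Files": r"C:\Users\alice\AppData\Local\VirtualStore\Program Files",
    r"C:\Windows":       r"C:\Users\alice\AppData\Local\VirtualStore\Windows",
}


def redirect_target(path):
    """Return the per-user path a Standard User write to `path` is sent to,
    or None when the path is not one of the protected locations."""
    for prefix, store in PROTECTED.items():
        if path.lower().startswith(prefix.lower() + "\\"):
            return store + path[len(prefix):]
    return None


class VirtualizedStore:
    """The real store plus a per-user overlay populated on first write."""

    def __init__(self, *, is_64bit=False, interactive=True):
        self.system = {}   # written by an admin (setup) or to user-writable paths
        self.overlay = {}  # per-user copies created by redirected writes
        # Slide 22 Q&A: no redirection on 64-bit; interactive processes only.
        self.enabled = interactive and not is_64bit

    def write(self, path, data, *, as_admin=False):
        """Write as admin (real store) or as Standard User (redirected)."""
        target = redirect_target(path)
        if as_admin or target is None:
            self.system[path] = data      # admin, or a user-writable location
            return path
        if not self.enabled:
            raise PermissionError("access denied: " + path)
        self.overlay[target] = data       # diverted; the real copy is untouched
        return target

    def exists(self, path):
        target = redirect_target(path)
        return (self.enabled and target in self.overlay) or path in self.system

    def read(self, path):
        """Reads prefer the per-user copy once one exists."""
        target = redirect_target(path)
        if self.enabled and target in self.overlay:
            return self.overlay[target]
        return self.system[path]

    def append(self, path, data):
        """Standard User append: the copy-on-write step made explicit.
        The current contents (real or per-user) are copied into the
        per-user store together with the new data."""
        current = self.read(path) if self.exists(path) else ""
        return self.write(path, current + data)


if __name__ == "__main__":
    ini = r"C:\Program Files\LegacyApp\settings.ini"   # constructed path
    store = VirtualizedStore()
    store.write(ini, "color=blue\n", as_admin=True)     # installed by setup
    print("write went to:", store.append(ini, "sound=off\n"))
    print("app sees:", repr(store.read(ini)))
    print("system copy:", repr(store.system[ini]))
```

Running it shows the per-user copy holding both lines while the copy under Program Files still holds only what setup wrote, which is exactly why the FAQ calls redirection a short-term mitigation: a second user, or the same app on 64-bit Windows, does not see those changes.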

Page 9: Impact on ISV Applications (demo)

Darren Canavor
Program Manager, SBTU - Security Business Technology Unit
Microsoft Corporation

Page 10: Admin Applications vs Running Elevated

- By default apps run as Standard User unless:
  - Application Manifest requests Admin
  - Identification in App Compat database
  - Heuristic installer detection
- "Shield" concept for UI "in place" elevation
  - Clicking on the item will immediately produce the elevation prompt
- Run Elevated…
  - Right mouse click menu option
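The three conditions on this slide (manifest, App Compat database, installer heuristic) decide whether a process starts as Standard User or goes through elevation consent. The following is an added example, not Microsoft's code, that walks through that decision in order. The manifest element it reads, requestedExecutionLevel with the values asInvoker, highestAvailable and requireAdministrator, is the one from the manifest schema Windows Vista shipped with; the compat database entry and the installer name heuristic are simplified, constructed stand-ins for the real mechanisms.

```python
"""Added example: how UAP decides between Standard User and elevation."""
import xml.etree.ElementTree as ET

ASM_V3 = "urn:schemas-microsoft-com:asm.v3"

# Constructed stand-in for the application compatibility database.
COMPAT_DB = {"oldadmintool.exe": "RunAsAdmin"}

# Constructed stand-in for the installer heuristic: file names that look
# like installers when no manifest says otherwise.
INSTALLER_WORDS = ("setup", "install", "update")


def manifest_execution_level(manifest_xml):
    """Return the requestedExecutionLevel 'level' attribute, or None when
    the manifest has none (a legacy app without a trustInfo section)."""
    root = ET.fromstring(manifest_xml)
    node = root.find(f".//{{{ASM_V3}}}requestedExecutionLevel")
    return node.get("level") if node is not None else None


def looks_like_installer(exe_name):
    stem = exe_name.lower().rsplit(".", 1)[0]
    return any(word in stem for word in INSTALLER_WORDS)


def launch_decision(exe_name, manifest_xml=None, user_is_admin=True):
    """Classify how the process would be started.

    Returns ('standard', reason) for a Standard User launch with no prompt,
    or ('elevate', reason) when the app is marked admin and the user gets
    the consent dialog first.  Per the Q&A on slide 22, marking an app as
    admin never skips that dialog.  The reason names the rule that fired.
    """
    level = manifest_execution_level(manifest_xml) if manifest_xml else None
    if level == "requireAdministrator":
        return "elevate", "manifest"
    if level == "highestAvailable":
        return ("elevate" if user_is_admin else "standard"), "manifest"
    if level == "asInvoker":
        # An explicit asInvoker manifest opts out of the heuristics below.
        return "standard", "manifest"
    if exe_name.lower() in COMPAT_DB:
        return "elevate", "compat-db"
    if looks_like_installer(exe_name):
        return "elevate", "installer-heuristic"
    return "standard", "default"


# Constructed sample manifests.
ADMIN_MANIFEST = f"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="{ASM_V3}">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

STANDARD_MANIFEST = ADMIN_MANIFEST.replace("requireAdministrator", "asInvoker")


if __name__ == "__main__":
    for exe, manifest in [("app.exe", ADMIN_MANIFEST),
                          ("setup.exe", STANDARD_MANIFEST),
                          ("setup.exe", None),
                          ("OldAdminTool.exe", None),
                          ("notepad.exe", None)]:
        print(exe, "manifest" if manifest else "no manifest", "->",
              launch_decision(exe, manifest))
```

The useful point for testing an application is the ordering: an explicit manifest wins, so a Standard User installer named setup.exe only escapes the installer heuristic when it carries an asInvoker manifest, and an unmanifested legacy tool is at the mercy of the compat database and the heuristic.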

Page 11: UAP User Experience Goals: Simple and Predictable

- Designing a great UAP User Experience
  - First choice: make the application Standard User only
  - Second choice: clearly identify Administrative tasks
    - Identify tasks that need elevation with a "shield"
    - Ensure Standard Users can be fully productive
- UAP User Experience "Rules of the Road"
  - Use the common Shield graphic
  - Use design practices to separate Administrative tasks
  - Use the provided API to show the Elevation Dialog and run Elevated objects / processes

Page 12: Elements of UAP User Experience

- The Shield indicates tasks requiring immediate elevation
  - Has only one state. If it is shown, it will always be active.
  - Does not remember elevated state. In a wizard, if you navigate back and forth, every time you hit the Shield, you elevate.

[Figures: the Shield; the Elevation Dialog for a signed application]

Page 13: Admin Application Marking (demo)

Darren Canavor
Program Manager, SBTU - Security Business Technology Unit
Microsoft Corporation

Page 14: Process isolation of Admin apps and higher-risk applications

- Administrative and Standard User applications share the same desktop
- Primary threats
  - Cross-process window messages (Shatter)
  - DLL injection and create remote thread
- Process isolation mechanisms
  - Integrity level for processes
  - UI privilege isolation
- "Lower" can no longer attack "Higher"

Page 15: Summary: Impact on ISV Apps

- Windows XP Logo'd for Standard User? It will just work on Vista
- Fails on Windows XP as Standard User
  - Mitigated by Redirection
  - Mitigated by App Compat Shim "IsAdmin()?"
  - Simple app with Admin dependencies
- Admin app on Windows XP? Needs to be marked!
- Web apps need special attention due to Protected Mode IE
- Use the LUA Predictor to fix your app now!

Page 16: Using the LUA Predictor (demo)

Darren Canavor
Program Manager, SBTU - Security Business Technology Unit
Microsoft Corporation

Page 17: Logo Application - Configuration

Best Practices
- Your app's per-user setup is performed at first run
- Place per-user data into %LOCALAPPDATA%
  - Roaming data into %APPDATA%
- Place per-machine (shared) data into %ALLUSERSPROFILE%

Examples of what not to do:
- Do not perform admin configuration at first run. Do your admin operations during setup
- Do not perform explicit Admin checks for Standard User applications

UAP and Code Access Security (CAS) can be used together for defense in depth
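The configuration practices on this slide, as an added example that is not Microsoft's code: per-user setup runs at first launch and writes only under the user's profile (%LOCALAPPDATA% for local data, %APPDATA% for roaming data), per-machine data under %ALLUSERSPROFILE% is created by setup in the admin context, and the first-run code never checks whether the user is an administrator. The env dict stands in for the real process environment so the example runs on any host, and the application name, file names and contents are constructed.

```python
"""Added example: per-user vs per-machine data placement under UAP."""
import pathlib
import tempfile

APP = "ContosoNotes"   # constructed application name

# Data scope -> environment variable that locates it.
SCOPES = {
    "local":   "LOCALAPPDATA",     # per-user, stays on this machine (cache, logs)
    "roaming": "APPDATA",          # per-user, follows a roaming profile (settings)
    "machine": "ALLUSERSPROFILE",  # shared by every user; written by setup only
}


def data_dir(scope, env):
    """Resolve the directory for a data scope from the environment."""
    var = SCOPES[scope]
    if var not in env:
        raise KeyError(f"{var} is not set")
    return pathlib.Path(env[var]) / APP


def first_run_setup(env):
    """Per-user initialisation, done the first time the user launches the app.
    It touches only the user's own profile and does not check for admin
    rights: a Standard User must succeed here.  Returns what it created."""
    created = []
    for scope in ("local", "roaming"):
        d = data_dir(scope, env)
        if not d.exists():
            d.mkdir(parents=True)
            created.append(scope)
    settings = data_dir("roaming", env) / "settings.ini"
    if not settings.exists():
        settings.write_text("[ui]\ntheme=default\n")
        created.append("settings")
    return created


def first_run_setup_wrong(env, user_is_admin):
    """The anti-pattern the slide warns against: an explicit admin check in
    a Standard User application.  It refuses work the user could do."""
    if not user_is_admin:
        raise PermissionError("this application must be run by an administrator")
    return first_run_setup(env)


def machine_setup(env):
    """Per-machine work belongs in the installer (admin context), not at
    first run.  Here it creates the shared directory with default content."""
    d = data_dir("machine", env)
    d.mkdir(parents=True, exist_ok=True)
    (d / "templates.txt").write_text("blank\nletter\n")
    return d


def demo():
    """Run setup once and the app twice against a throwaway profile tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        env = {  # constructed stand-in for the user's environment
            "LOCALAPPDATA":    str(root / "Users" / "alice" / "AppData" / "Local"),
            "APPDATA":         str(root / "Users" / "alice" / "AppData" / "Roaming"),
            "ALLUSERSPROFILE": str(root / "ProgramData"),
        }
        machine_setup(env)                 # what setup does, once, elevated
        first = first_run_setup(env)       # what the app does on first launch
        second = first_run_setup(env)      # idempotent on the next launch
        return {
            "first_run": first,
            "second_run": second,
            "settings": (data_dir("roaming", env) / "settings.ini").read_text(),
            "shared_exists": (data_dir("machine", env) / "templates.txt").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Keeping the two halves in separate functions is the point: everything in machine_setup needs the elevated installer, everything in first_run_setup must work for a Standard User, and nothing in the latter ever asks who the user is.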

Page 18: Logo Application Install

Best Practices
- Use MSI 3.1 for install and update
  - Alternative to MSI 3.1: call an Update.exe marked as admin to do the update
- Self-updating code – DON'T DO IT
  - This is our LARGEST App Compat problem
  - Home consumer user applications

Examples of what not to do:
- Do not assume the user is an administrator
- Run Custom Actions in the right context!

ClickOnce is a great deployment technology for Standard User apps

Page 19: Call to Action

- In Windows Vista Beta 1
  - Toggle UAP settings ON
  - Test your product or component as a Standard User!
- Prepare for Beta 2
  - User Account Protection on by default
  - Review design decisions. Assume the user is a Standard User
  - Continue to test applications, especially older LoB and internal applications

Page 20: Top Takeaways!

1. Windows Vista users will run most applications as Standard User by default
   - Even if they log on as Admin!
2. Write UAP compliant software!
   - We have a whitepaper at the FUNdamentals Lounge
3. Current applications will just run as Standard User on Windows Vista because of new UAP technology

Page 21: More Information

- Hands On Lab – Room 505: test your application against the LUA Predictor to make it UAP compliant – all week
- FUN222 Exploring the Windows Installer (MSI) and ClickOnce Options – Friday, 1:00 PM, Room 406 AB
- UAP Ask the Experts – Wednesday night
- FUNL03 – Protected Mode IE – 12:30 today in 402AB
- FUN210 – Enhancing the Windows Vista Security Platform – Wednesday, 3:15 PM, Room 515
- Come get the UAP Whitepaper from the FUNdamentals Lounge!

Page 22: Top 10 Questions

- If I mark my app as "admin", can I skip the elevation consent dialog? – No
- Can you modify the privilege of a running application? – No
- Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not
- How long does the elevated process last? Can it time out? – Life of the process
- Can I enable which users will use UAP? – Currently this is a per-machine setting
- Does UAP apply to all processes and services? – Interactive processes only
- What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles%
- Won't Redirection de-motivate developers to fix their code? – Yes, it is a short-term mitigation, not in 64-bit
- What happens when installer detection fails? – The app runs as non-admin
- Will UAP be going down-level? – No

Page 23: Questions?

Page 24

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Page 25: Appendix

Page 26: UAP User Experience: Example

[Figure: screenshot]

Page 27: UAP User Experience: Example

[Figure: screenshot]

Page 28: UAP User Experience: Example

[Figure: screenshot]