Transcript Fundamental Changes in teh Vista Application Security
Windows Vista: User Account Protection Securing Your Application with Least Privilege User Account Steve Hiskey FUN 406 Lead Program Manager, SBTU - Security Business Technology Unit Microsoft Corporation
Agenda
LUA == UAP Why User Account Protection (UAP)?
The UAP Approach UAP technologies in Windows Vista How this affects your applications today Writing Vista Logo Compliant Code
Why User Account Protection (UAP)?
Managed Desktops: Systematic control over end user clients to maintain security & productivity Gartner: Nearly 40% TCO Savings per desktop in a managed environment Reduces day-to-day helpdesk calls Increases end-users productivity/uptime Security Holes Increase Windows Client TCO
14 October 2004
Pain Points
Productivity is lost when my machine is compromised Malware, without my knowledge, can modify Windows when run with elevated privileges Enterprise users running elevated privileges can compromise the corporation We have to relax security to run Line of Business (LoB) applications LoB applications require elevated privileges to run System security must be relaxed to run the LoB application It is costly to re-evaluate the required security settings for each application with every OS release Common OS Configuration tasks require elevated privilege Simple scenarios like VPN don’t work Standard Users are not able to manage configuration changes that affect only their account
Windows Vista UAP Goals
All users run as Standard User by default even when you log on as admin!
Common user tasks redesigned to work for Standard User High application compatibility Administrators use full privilege only for administrative tasks or applications User provides explicit consent before using elevated privilege
The UAP Approach
Improving productivity by granting permissions only when needed Allows Standard Users to perform key tasks without impacting system-wide settings Helps to insulate the system files and data from malicious or deceptive code Limit potential damage to my data by using Protected Mode IE All apps run as Standard User unless specifically marked Process isolation of Admin apps and higher risk applications Enabling Parental Control Scenarios
Impact on ISV Applications
High Application Compatibility for Legacy Applications Auto-fix Legacy Compatibility via Data Redirection All users run as Standard User by default Applications will run as Standard User by default – Start testing now!
Use full privilege only for administrative tasks or applications Elevation Consent required for admin tasks!
High Application Compatibility for Legacy Applications
Legacy apps write to admin locations HLKM\Software %SystemDrive%\Program Files %SystemRoot% Redirection allows legacy apps to run as Standard User Writes to HKLM go to HKCU redirected store Writes to system directories redirected to per user store, copy-on-write … you can still write Admin code
Impact on ISV Applications
Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation
Admin Applications vs Running Elevated
By default apps run as Standard User unless: Application Manifest requests Admin Identification in App Compat database Heuristic installer detection “Shield” concept for UI “in place” elevation clicking on the item will immediately
Abby
produce the elevation prompt. Run Elevated… Right mouse click menu option
UAP User Experience Goals: Simple and Predictable
Designing a great UAP User Experience First Choice: Make application Standard user only Second Choice: Clearly identify Administrative tasks Identify tasks that need elevation with a “shield” Ensure Standard users can be fully productive UAP User Experience “Rules of the Road” Use common Shield graphic Use design practices to separate Administrative tasks Use provided API to show Elevation Dialog and run Elevated objects / processes
Elements of UAP User Experience
Shield The Shield indicates tasks requiring
immediate
elevation Has only one state.
If it is shown, it will always be active.
Does not remember elevated state.
In a wizard if you navigate back and forth, every time you hit Shield, you elevate Elevation Dialog For signed application:
Admin Application Marking
Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation
Process isolation of Admin apps and higher risk applications
Administrative and Standard User applications share the same desktop Primary threats Cross-process Window messages (Shatter) DLL injection and create remote thread Process Isolation mechanisms Integrity level for processes UI privilege isolation
“Lower” can no longer attack “Higher”
Summary: Impact on ISV Apps
Windows XP Logo’d for Standard User? It will just work on Vista Fails on Windows XP as Standard User Mitigated by Redirection Mitigated by App Compat Shim “IsAdmin()?” Simple app with Admin dependencies Admin app on Windows XP? Needs to be marked!
Web apps need special attention due to Protected Mode IE Use the LUA Predictor to fix your app now!
Using the LUA Predictor
Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation
Logo Application - Configuration
Best Practices Your app’s per-user setup is performed at first run Place per-user data into %LOCALAPPDATA% Roaming into %APPDATA% Place Per-Machine (Shared) data into %ALLUSERPROFILE% Examples of what not to do: Do not perform admin configuration at first run. Do your admin operations during setup Do not perform explicit Admin checks for Standard User applications UAP and Code Access Security (CAS) can be used together for defense in depth
Logo Application Install
Best Practices Use MSI 3.1 for Install and Update Alternate to MSI3.1 – call Update.exe marked as admin to do the update Self Updating Code – DON’T DO IT This is our LARGEST App Compat problem Home consumer user applications Examples of what not to do: Do not assume the user is an administrator Run Custom Actions in right context!
ClickOnce is a great deployment technology for Standard User apps
Call to Action
In Windows Vista Beta 1 Toggle UAP Settings ON Test your product or component as a Standard User!
Prepare for Beta 2 User Account Protection On by default Review design decisions. Assume the user is a Standard User Continue to test applications, especially older LoB and internal applications
Top Takeaways!
1.
2.
3.
Window Vista users will run most applications as Standard User by default Even if they log on as Admin!
Write UAP compliant software!
We have a whitepaper at the FUNDamentals Lounge Current applications will just run as Standard User on Windows Vista because of new UAP technology
More Information
Hands On Lab – Room 505 Test your application against the LUA Predictor to make it UAP compliant –
all week
FUN222 Exploring the Windows Installer (MSI) and ClickOnce Options Friday, 1:00 PM Room: 406 AB UAP Ask the Experts Wednesday night FUNL03 – Protected Mode IE 12:30 Today in 402AB FUN210 – Enhancing the Windows Vista Security Platform Wednesday, 3:15 PM Room: 515 Come get UAP Whitepaper from FUNdamentals Lounge!
Top 10 Questions
If I mark my app as “admin”, can I skip the elevation consent dialog?
– No
Can you modify the privilege of a running application?
- No
Will LUA elevate whenever a privileged API is used?
– No, the entire process is either elevated or not
How long does the elevated process last? Can it time out?
– Life of the process
Can I enable which users will use UAP?
– Currently this is a per machine setting
Does UAP apply to all processes and services?
– Interactive processes only
What areas of the Registry and File system get redirected?
– HKLM\Software, %SystemRoot%, %ProgramFiles%
Won’t Redirection de-motivate developers to fix their code?
– Yes, it is a short term mitigation, not in 64bit
What happens when installer detection fails?
– The app runs as non-admin
Will UAP be going down-level?
- No
Questions?
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.