Non-Admin and the World of Tomorrow


Non-Admin and the World of Tomorrow
Presented by: Robert Hensing, Microsoft Secure Windows Initiative
Microsoft Confidential
Agenda
Houston – we admit we have a problem!
Great! So what is the problem exactly?
How we got here . . .
Why running as non-admin is important
When you come to a fork in the road – take it!
Two paths to non-admin righteousness – which is right for you?
Demonstrations (time permitting)
Elevating up
Dropping down
Copyright Microsoft Corp. 2004
The problem
90% of all people do not need to run with Administrative privileges on Windows (give or take)
Running as administrator grants software excessive privileges & permissions that allow it to do VBT™
Dangerous Admin-only permissions (examples)
Writing to HKCR (Spyware / Adware invoked as COM objects). Note that HKCR is a merged view: the machine-wide half under HKLM\Software\Classes needs admin rights, while per-user COM registrations under HKCU\Software\Classes stay writable by a regular user.
Writing to HKLM (Malware can create services that auto-start regardless of who logs in)
Writing to %WINDIR% & %PROGRAMFILES% (malware hidden with system files)
The problem . . .
Dangerous Admin-only privileges (examples)
Debug programs (SeDebugPrivilege)
Allows malware to write to other processes' memory (think rootkits)
Back up files and directories (SeBackupPrivilege / SeRestorePrivilege)
Allows malware to bypass NTFS permissions to read + write files
Load and unload device drivers (SeLoadDriverPrivilege)
Allows malware to easily load code into the kernel (rootkits)
Manage auditing and security log (SeSecurityPrivilege)
Allows malware to clear the event logs and erase evidence
Take ownership of files or other objects (SeTakeOwnershipPrivilege)
Allows malware to take ownership of, and thereby regain access to, files you own and have ACL'd properly
SeImpersonatePrivilege
Don't have enough privs? Impersonate the SYSTEM account!
Copyright Microsoft Corp. 2004
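As an added check that is not part of the deck, the following PowerShell function reports which of the privileges listed above the current token actually holds. It relies only on whoami.exe, which ships with Windows; the function name Get-DangerousPrivilegeReport and the list of privileges it checks are mine, taken from the slide.

```powershell
# Added example, not from the original deck: report which of the slide's
# "dangerous" privileges the current token holds, and whether the token is
# an Administrators member.
function Get-DangerousPrivilegeReport {
    # The privileges named on the slide (assumed list, copied from the slide).
    $dangerous = @(
        'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
        'SeLoadDriverPrivilege', 'SeSecurityPrivilege',
        'SeTakeOwnershipPrivilege', 'SeImpersonatePrivilege'
    )

    # whoami /priv lists only privileges present in the token. "Disabled"
    # merely means not yet enabled: the process can turn it on with
    # AdjustTokenPrivileges at any time, so a disabled privilege is still held.
    $present = @{}
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        $present[$_.'Privilege Name'] = $_.State
    }

    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)

    foreach ($p in $dangerous) {
        [pscustomobject]@{
            User      = $id.Name
            IsAdmin   = $isAdmin
            Privilege = $p
            Held      = $present.ContainsKey($p)
            State     = if ($present.ContainsKey($p)) { $present[$p] } else { 'absent' }
        }
    }
}

Get-DangerousPrivilegeReport | Format-Table User, IsAdmin, Privilege, Held, State -AutoSize
```

Run it once from a plain prompt and once from an elevated one. On a system with UAC, the non-elevated prompt of an account that is in Administrators reports IsAdmin False and all seven privileges absent, because the filtered token is, for the purposes of this deck, a regular user token; the elevated prompt shows them held (mostly Disabled, which is enough for malware).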
The problem . . .
This is Internet Explorer as a non-admin account
The problem . . .
This is Internet Explorer on drugs (admin)
Any questions?
How we got here
For decades consumer versions of Windows had a flat permissions model
Windows XP was the first mass-marketed consumer OS based on the NT kernel
Remember Windows 2000 Professional and NT 4.0 Workstation were lower volume and were targeted primarily at corporate users.
Historically the core focus of consumer versions of Windows was application and backwards compatibility – NOT security.
Most applications had been developed with the flat permissions model
Apps could write anything anywhere anytime
This encouraged bad behaviors
Why running as non-admin is so important
It's about risk avoidance and attack surface reduction
Malware running as Administrator can modify the operating system and affect all users of a PC
Recovery often involves re-installing the OS
Malware running as a limited user account can impact a user's profile and may only affect that user.
Clean-up and recovery is often much easier – if the malware runs at all!
Why running as non-admin is so important
The simple fact is most, if not all, of today's top malware will fail to run properly if run from a regular user account.
Don't believe me?
W32.Mytob.IE@mm
Copies itself to %system%
Oops – users can't write there
Modifies HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Oops – users can't write there
Creates a new service
Oops – users can't do that
Tries to block access to dozens of security and AV sites
Oops – users can't modify the hosts file
Attempts to kill a bunch of processes running as SYSTEM
Oops – users can't kill processes not running as them.
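To see the five "Oops" lines for yourself, here is an added PowerShell probe, not part of the deck, that attempts each of the Mytob actions as the current user and reports whether the OS allowed or denied it. Every probe is non-destructive: it opens the target for write (or asks for the relevant access right) and immediately closes the handle, and the only side effect, a zero-byte temp file in System32, is deleted at once if the create succeeds. The function name Test-Action, the Probe.Native wrapper and the choice of winlogon as the SYSTEM process are my assumptions; the Win32 access-right constants are the documented values.

```powershell
# Added example, not from the original deck: probe the five Mytob actions
# as the current user. Run once as a standard user, once elevated.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenSCManager(string machine, string db, uint access);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr h);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Test-Action {
    param([string]$Name, [scriptblock]$Probe)
    try { & $Probe; $result = 'ALLOWED' }
    catch {
        # Unwrap MethodInvocationException so the real Win32/.NET error shows.
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        $result = 'denied ({0}: {1})' -f $e.GetType().Name, $e.Message.Trim()
    }
    '{0,-50} {1}' -f $Name, $result
}

$system32 = [Environment]::GetFolderPath('System')   # %system%
$hosts    = Join-Path $system32 'drivers\etc\hosts'

Test-Action 'Copy itself to %system%' {
    $p = Join-Path $system32 ('probe-{0}.tmp' -f [guid]::NewGuid())
    [IO.File]::Open($p, 'CreateNew', 'Write').Dispose()   # throws if denied
    Remove-Item $p                                         # clean up at once
}
Test-Action 'Modify HKLM\...\CurrentVersion\Run' {
    # Opening the key writable is enough; nothing is written.
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', $true)
    if (-not $k) { throw [UnauthorizedAccessException]::new('open for write failed') }
    $k.Dispose()
}
Test-Action 'Create a new service' {
    $SC_MANAGER_CREATE_SERVICE = 0x0002
    $h = [Probe.Native]::OpenSCManager($null, $null, $SC_MANAGER_CREATE_SERVICE)
    if ($h -eq [IntPtr]::Zero) { throw [ComponentModel.Win32Exception]::new() }
    [void][Probe.Native]::CloseServiceHandle($h)
}
Test-Action 'Modify the hosts file' {
    # FileMode.Open does not truncate; the handle is closed without writing.
    [IO.File]::Open($hosts, 'Open', 'Write').Dispose()
}
Test-Action 'Kill a process running as SYSTEM (winlogon)' {
    # Asking for PROCESS_TERMINATE is the access check that matters;
    # TerminateProcess is never called.
    $PROCESS_TERMINATE = 0x0001
    $target = (Get-Process winlogon | Select-Object -First 1).Id
    $h = [Probe.Native]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$target)
    if ($h -eq [IntPtr]::Zero) { throw [ComponentModel.Win32Exception]::new() }
    [void][Probe.Native]::CloseHandle($h)
}
```

From a standard-user session all five lines come back denied with "Access is denied"; from an elevated administrator session the file, registry, service and hosts probes succeed. On a UAC-era system the non-elevated prompt of an Administrators member also gets five denials, which is exactly the point the slide makes: the token, not the account name, decides what the malware can do.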
When you come to a fork in the road . . . Take it!
- Yogi Berra
Two approaches to reducing privilege
In Windows there are two ways to run applications with reduced privileges.
1. Login at the regular user privilege level; temporarily elevate the privilege level of specific applications as needed
2. Login at the administrator privilege level; decrease the privilege level of specific applications as needed
Login at the regular user privilege level
Modus Operandi
Login as a regular user
Use Runas.exe or similar tools to elevate permissions of known good applications to administrator level as needed.
Pros
Fails closed (i.e. new / unknown apps run as user by default)
Supported and tested configuration by the product group (sort of).
Cons
Application compatibility
Hundreds if not thousands of applications fail to run, sometimes in spectacular fashion with no warnings or meaningful errors.
Runas.exe doesn't work with everything (various system level adjustments like date/time, power settings, RAS/VPN connectoids, specific types of applications)
Also requires that the user know an admin password!
Can require some non-trivial OS re-configuring and/or scripting to implement seamlessly
How I roll at home . . .
I login as a regular user for day to day tasks at home (e-mail, web surfing, watching shows (Media Center), video editing*, photo-sharing)
I login as an administrative account only to update and install software.
I use Fast User Switching and my biometric keyboard.
My pinkies are my administrator account
My index fingers are my regular user account
My middle finger is my wife's account (sssshhhh!!!)
Login at the administrator privilege level
Modus Operandi
Login with an account that is a member of Administrators
Create un-documented registry settings or use tools making use of obscure APIs to reduce the privilege level of dangerous / known-bad applications down to that of a regular user by having the OS modify the process's token.
Pros
It just works – all applications except the ones you choose continue to run with admin rights
Users encounter fewer application-compatibility problems this way
Decreased help desk costs?
May require less application compatibility testing
Only target applications identified as high-risk and test running those applications at the regular user level.
Cons
Fails open (i.e. new applications default to running as admin)
Assumes it is possible for you to know what your dangerous / high-risk apps are
Officially NOT supported and the APIs used will change in future versions of Windows.
How I roll at work . . .
My work and home environments are completely different with different needs.
At home I only ever use 3 maybe 4 applications and Microsoft Update patches them for me once a month.
At work I frequently have the need to install and remove applications, stop and start services, reconfigure my system settings etc.
I feel that I have a fairly good grasp of what my high-risk applications and their associated threats are.
As a result I run as admin on my work laptop and desktop to avoid typical non-admin headaches and drop the rights of high-risk apps.
I run Internet Explorer, MSN Messenger, Office Communicator and all Office applications at the regular user privilege level using Software Restriction Policies.
Resources for Elevating Privileges to Admin
Aaron Margosis Non-Admin Weblog
http://blogs.msdn.com/Aaron_Margosis/
MakeMeAdmin.cmd script
Creates an elevated command shell running with administrator rights.
Combine with PrivBar for IE
Allows you to see what privilege level IE is running at.
Non-Admin Wiki
http://nonadmin.editme.com
Logging in at the regular user privilege level and elevating up.
Demonstration
Run Internet Explorer as Administrator to install updates
Resources for Decreasing Privileges to Regular User
Michael Howard's blog
http://blogs.msdn.com/michael_howard/default.aspx
DropMyRights
http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp
SetSAFER
http://msdn.microsoft.com/library/default.asp?url=/library/enus/dncode/html/secure01182005.asp
3rd party OSS RunAsAdmin Explorer Shim
http://sourceforge.net/projects/runasadmin
Replaces your shell entry in the registry with a shim
It then uses SAFER to start the real shell with reduced rights
Adds an icon to the TaskBar to allow starting specified programs as administrator without having to type in your credentials again.
Logging in at the administrator privilege level and dropping down.
Demonstration
Run Internet Explorer as a regular user to prevent software installation
Run Internet Explorer as admin to install updates
Final thoughts . . .
Is reducing the rights of dangerous applications or my logon session as a whole the answer to all my malware problems?
No, but it's a great start!
There are still architectural security issues that can be exploited between processes within the same non-admin logon session that still need to be addressed.
There is still plenty of bad that can be done by malware running without admin rights – if suddenly tomorrow the world were non-admin the malware would change and adapt.
We truly understand the security threat
environment facing our customers.
Hundreds of passionate employees are aggressively
pushing the non-admin boundaries and applying
sustained thinking in this area each day! 
We are definitely committed to tackling and
solving this problem.