User Account Control: How to Make a Good UAC Application • Peter R. Woods, Senior Program Manager, Microsoft Corporation
Session Objectives • Session Objective(s): • Microsoft Windows User Account Control overview • The new Shield paradigm • Writing code in UAC environment • Windows Vista Logo program • Debugging • Services • Summary & future direction
Why User Account Control? • Most user accounts have Administrator privileges. • Code running without Administrator privileges is safer for the system. • Enterprises realize significant TCO reductions when running with managed systems. • Enterprises migrating to SW that runs as Standard User
User Account Control • All users run as Standard User by default • Filtered token created during logon • Only specially marked apps get the unfiltered token • Explicit consent required for elevation • Predictable elevation points • High application compatibility • Data redirection • Enabling legacy apps to run as standard user • Installer Detection
UAC Architecture (figure): Abby's admin logon produces a split token: the full Admin Token (Administrative Rights) and a filtered "Standard User" token (Standard User Rights).
UAC Architecture (figure): with the filtered "Standard User" token, Abby's user processes can • Change Time Zone • Run Standard User compliant applications • Install Fonts • Install Printers • Run MSN Messenger
UAC Architecture (figure): tasks that need the Admin Token go through the elevation dialog and run in a separate Admin Process • Change Time • Configure IIS • Install Application
Process Isolation • Administrative and Standard User applications share the same desktop • Security challenges • Cross-process Window messages • DLL injection and create remote thread • Process Isolation mechanisms • Integrity level for processes • “Lower” cannot interfere with “Higher”
Standard User Token • Privileges typically in the Standard User (filtered) token: • Bypass traverse checking (SeChangeNotify) • Shut down the system (SeShutdown) • Increase working set size (SeIncreaseWorkingSet) • Remove computer from docking station (SeUndock) • Change time zone (SeTimeZone), new in Windows Vista • All other privileges are removed. • Privileged group RIDs are set to USE_FOR_DENY_ONLY, so they can only ever match a deny ACE • E.g. Administrators, Enterprise Admins, Policy Admins, Power Users, etc.
Token Sample - Admin

  _User SID_
  Account = Abby  SID = S-1-5-21-1805867774-1466862479-406111094-1000  Domain = LH-X937PF8H3FFT

  _Groups SIDs_
  Account = None            SID = S-1-5-21-1805867774-1466862479-406111094-513  Domain = LH-X937PF8H3FFT
      Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = Everyone        SID = S-1-1-0
      Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = Administrators  SID = S-1-5-32-544  Domain = BUILTIN
      Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED, SE_GROUP_OWNER
  Account = INTERACTIVE     SID = S-1-5-4  Domain = NT AUTHORITY
      Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  . . .
  Account = High Mandatory Level  SID = S-1-16-12288  Domain = Mandatory Label

  _Restricted SIDs_
  (none)

  _Privileges_
  SeIncreaseQuotaPrivilege (Disabled)        SeSecurityPrivilege (Disabled)
  SeTakeOwnershipPrivilege (Disabled)        SeLoadDriverPrivilege (Disabled)
  SeSystemProfilePrivilege (Disabled)        SeSystemtimePrivilege (Disabled)
  SeProfileSingleProcessPrivilege (Disabled) SeIncreaseBasePriorityPrivilege (Disabled)
  SeCreatePagefilePrivilege (Disabled)       SeBackupPrivilege (Disabled)
  SeRestorePrivilege (Disabled)              SeShutdownPrivilege (Disabled)
  SeDebugPrivilege (Disabled)                SeSystemEnvironmentPrivilege (Disabled)
  SeChangeNotifyPrivilege (Enabled)          SeRemoteShutdownPrivilege (Disabled)
  SeUndockPrivilege (Disabled)               SeManageVolumePrivilege (Disabled)
  SeImpersonatePrivilege (Enabled)           SeCreateGlobalPrivilege (Enabled)
  SeIncreaseWorkingSetPrivilege (Disabled)   SeTimeZonePrivilege (Disabled)
  SeCreateSymbolicLinkPrivilege (Disabled)
Token Sample - Filtered

  _User SID_
  Account = Abby  SID = S-1-5-21-1805867774-1466862479-406111094-1000  Domain = LH-X937PF8H3FFT

  _Groups SIDs_
  Account = None            SID = S-1-5-21-1805867774-1466862479-406111094-513  Domain = LH-X937PF8H3FFT
      Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = Administrators  SID = S-1-5-32-544  Domain = BUILTIN
      Attributes: SE_GROUP_USE_FOR_DENY_ONLY
  Account = Users           SID = S-1-5-32-545  Domain = BUILTIN
      Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  . . .
  Account = INTERACTIVE     SID = S-1-5-4  Domain = NT AUTHORITY
      Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = Medium Mandatory Level  SID = S-1-16-8192  Domain = Mandatory Label

  _Restricted SIDs_
  (none)

  _Privileges_
  SeShutdownPrivilege (Disabled)             SeChangeNotifyPrivilege (Enabled)
  SeUndockPrivilege (Disabled)               SeIncreaseWorkingSetPrivilege (Disabled)
  SeTimeZonePrivilege (Disabled)

Note the two differences that matter: the Administrators group is still in the token but only for deny checks, and the integrity label drops from High (S-1-16-12288) to Medium (S-1-16-8192).
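The two token dumps above come from a token-dumping tool used in the talk. The following is an added example, not code from the deck, that recovers the same facts about the token of the current PowerShell process with built-in tooling only (whoami and .NET): the integrity label SID, whether BUILTIN\Administrators is present as deny-only, the enabled privileges, and what IsInRole answers. It assumes Windows PowerShell 5.1 or later. Run it once from a normal console and once from a console started with "Run as administrator" to see the filtered and the full token side by side.

```powershell
# Added example (not from the original deck): summarise the current token the
# way the "Token Sample" slides do, using whoami and .NET only.

function Get-UacTokenSummary {
    # whoami /groups and /priv expose the same group and privilege view
    # that the token dumps on the slides print.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The integrity level is carried as a "Mandatory Label" group, S-1-16-<level>.
    $label    = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $levelRid = [int]($label.SID -replace '^S-1-16-', '')

    # BUILTIN\Administrators is S-1-5-32-544. In a filtered token it is still
    # listed, but with "Group used for deny only" instead of "Enabled group".
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    # .NET's IsInRole honours deny-only SIDs, so it answers $false for the
    # filtered token even though the user is a member of Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User              = $identity.Name
        IntegrityLevel    = $label.'Group Name'   # e.g. Mandatory Label\Medium Mandatory Level
        IntegrityRid      = $levelRid             # 8192 = Medium, 12288 = High
        AdminsInToken     = [bool]$admins
        AdminsDenyOnly    = [bool]($admins -and ($admins.Attributes -match 'deny only'))
        IsAdministrator   = $isAdmin
        PrivilegeCount    = @($privs).Count       # 5 for the filtered token on the slide
        EnabledPrivileges = @($privs | Where-Object State -eq 'Enabled' | ForEach-Object 'Privilege Name')
    }
}

Get-UacTokenSummary | Format-List
```

For a member of Administrators in a normal console, expect IntegrityRid 8192, AdminsDenyOnly True and IsAdministrator False; in an elevated console, 12288, False and True. Code that "checks for admin" with IsInRole and then refuses to run is exactly the explicit admin check the "Coding for UAC" slides warn against, since it fails for the unelevated half of a split token.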
The Security Shield • Goal is to make your application simple & predictable • Attached to controls which, if clicked, will require elevation as the next step • Has only one state (i.e. no hover, disabled etc.) • Does not remember elevated state • Not an unlock operation
Consent UI (figure): the consent dialog is presented differently for an OS application, a signed application and an unsigned application.
User Experience Guidelines • Rules for shield and elevation • MSDN and Windows Vista website • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp • http://msdn.microsoft.com/library/?url=/library/en-us/UxGuide/UXGuide/Home.asp?frame=true • www.microsoft.com/windowsvista • New documents are being added. • Check under ‘What’s new’ heading
Coding for UAC in a nutshell • Design code so that it needs no Administrative privileges wherever possible. • Per-machine settings are written during install: • Place per-machine (shared) data in %ALLUSERSPROFILE% • Place per-machine registry settings in HKLM • Per-user settings are written at first run: • Store per-user data in the user profile • Place per-user data in %LOCALAPPDATA% • Place per-user registry settings in HKCU • Store data shared between users in %PUBLIC% (Users\Public) • Take advantage of the Windows Vista Logo program!
Coding for UAC in a nutshell • Examples of what not to do: • Avoid self updating code. • Major Application Compatibility issue • Do not perform admin configuration at first run. • Do not rely on explicit Admin checks for Standard User applications
Applications that require Administrator privileges • Administrative applications can be marked to identify them to the O/S • Mark application as requiring Administrator privileges using embedded manifest. • Installer detection • Application Compatibility shims • Compatibility Tab on Program Properties • Right-click Run as administrator
Applications that require Administrator privileges • Mixed use applications: • Application is bifurcated into Non administrative and administrative sections… Application launches as Standard user • Within UI, clearly identify Administrative tasks • Ensure Standard users can be fully productive • Identify tasks that need elevation with a “shield” • Elevated tasks launch in separate process • Separately marked executable • Elevated COM object • Object should request confirmation • Command line tools should run AsInvoker…
Separation of Admin Code • Cannot elevate a running process • Communication: Two Design Patterns • Service Broker Model • IPC • Globally mapped shared memory • Side by Side Processes • IPC • Named pipes • Global or locally mapped shared memory
RequestedExecutionLevels • Level = asInvoker • Launch with the same token as the parent process (no prompt) • Level = highestAvailable • Launch with the highest token this user possesses: an administrator is prompted for consent and gets the full token, a standard user gets their normal token with no prompt • Level = requireAdministrator • Launch only with a full administrator token: a member of Administrators is prompted for consent, any other user is prompted for administrator credentials
Sample Manifest • MyAdminApp.exe.manifest

  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                      name="MyAdminApp" type="win32"/>
    <!-- Identify the application security requirements. -->
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
      <security>
        <requestedPrivileges>
          <requestedExecutionLevel level="requireAdministrator"/>
        </requestedPrivileges>
      </security>
    </trustInfo>
  </assembly>
Shield UI Examples • Add a Shield glyph to my UI

  #include <shellapi.h>   // SHSTOCKICONINFO, SHGetStockIconInfo (Windows Vista and later)

  HICON hiconShield;

  // if you want the small icon
  SHSTOCKICONINFO sii;
  sii.cbSize = sizeof(sii);
  SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_SMALLICON, &sii);
  hiconShield = sii.hIcon;   // caller owns the icon: DestroyIcon() when done

  // if you want the large icon
  SHSTOCKICONINFO sii;
  sii.cbSize = sizeof(sii);
  SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_LARGEICON, &sii);
  hiconShield = sii.hIcon;

  // if you want an icon at a custom size: SHGSI_ICONLOCATION fills sii.szPath
  // and sii.iIcon instead of an HICON; extract the size you need from there
  // (the argument list was elided on the original slide)
  SHSTOCKICONINFO sii;
  sii.cbSize = sizeof(sii);
  SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICONLOCATION, &sii);
  hiconShield = ExtractIconEx(sii. ...);
Security Shield UI Examples • The standard button control (PUSHBUTTON, DEFPUSHBUTTON) has been enhanced to allow you to add an icon along with the displayed text, without requiring the BS_ICON or BS_BITMAP styles to be set. • To show the shield icon, call the following macro (defined in commctrl.h):

  Button_SetElevationRequiredState(hwndButton, fRequired);

  where hwndButton is the HWND of the button and fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield.

• A window message can also be used to enable the shield on a button:

  lresult = SendMessage(hwndButton, BCM_SETSHIELD, 0, fRequired);

  where hwndButton is the HWND of the button and fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield.
Coding samples • Use ShellExecute() rather than CreateProcess() when launching other applications. • CreateProcess() fails with ERROR_ELEVATION_REQUIRED (740) if the target is marked as requiring elevation; it never prompts. • ShellExecute() hands the request to the Application Information Service (AIS), which shows the consent UI and performs the elevated launch.

  HINSTANCE retHandle = ShellExecute(NULL, L"open",
                                     L"\\Program Files\\MyApp\\MyAdminApp.exe",
                                     NULL, NULL, SW_SHOWNORMAL);
  // success is indicated by a value greater than 32
Coding samples • "runas" verb to ShellExecuteEx() • Allows the caller to request elevation of normally unelevated apps. • Pass "runas" as the lpVerb in the SHELLEXECUTEINFO structure:

  SHELLEXECUTEINFOW sei = { sizeof(sei) };
  sei.lpVerb = L"runas";            // ask AIS to launch this image elevated
  sei.lpFile = L"MyApp.exe";        // the normally unelevated app
  sei.nShow  = SW_SHOWNORMAL;
  if (!ShellExecuteExW(&sei)) {
      // GetLastError() == ERROR_CANCELLED (1223) when the user declines the consent dialog
  }
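The two launch paths on the last two slides, as an added example rather than the deck's own code, written in PowerShell because .NET's Process.Start exposes both: with UseShellExecute disabled it is a CreateProcess call and fails with Win32 error 740 for a requireAdministrator image; with UseShellExecute enabled and the runas verb it goes through ShellExecuteEx and AIS, and failing with Win32 error 1223 when the user declines. The helper name and the MyAdminApp.exe path are placeholders.

```powershell
# Added example (not from the original deck): try an unelevated launch first and
# fall back to the "runas" verb only when Windows reports ERROR_ELEVATION_REQUIRED.

function Get-Win32ErrorCode {
    # PowerShell may wrap a .NET method's exception; walk down to the Win32Exception.
    param([System.Management.Automation.ErrorRecord] $ErrorRecord)
    $ex = $ErrorRecord.Exception
    while ($ex -and $ex -isnot [System.ComponentModel.Win32Exception]) { $ex = $ex.InnerException }
    if ($ex) { $ex.NativeErrorCode } else { $null }
}

function Start-MaybeElevated {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Arguments = ''
    )
    $ERROR_ELEVATION_REQUIRED = 740    # CreateProcess: image is marked requireAdministrator
    $ERROR_CANCELLED          = 1223   # ShellExecute: user clicked No/Cancel in the consent UI

    # 1. CreateProcess semantics: same token as this process, no AIS, no prompt.
    $psi = [System.Diagnostics.ProcessStartInfo]::new($Path, $Arguments)
    $psi.UseShellExecute = $false
    try {
        return [System.Diagnostics.Process]::Start($psi)
    }
    catch {
        if ((Get-Win32ErrorCode $_) -ne $ERROR_ELEVATION_REQUIRED) { throw }
    }

    # 2. The image needs elevation (manifest or installer detection): ask AIS
    #    through ShellExecuteEx with the "runas" verb, which shows the consent UI.
    $psi = [System.Diagnostics.ProcessStartInfo]::new($Path, $Arguments)
    $psi.UseShellExecute = $true
    $psi.Verb = 'runas'
    try {
        return [System.Diagnostics.Process]::Start($psi)
    }
    catch {
        if ((Get-Win32ErrorCode $_) -eq $ERROR_CANCELLED) {
            Write-Warning "Elevation was declined by the user; $Path was not started."
            return $null
        }
        throw
    }
}

# Usage (placeholder path, as on the slides):
# $p = Start-MaybeElevated -Path 'C:\Program Files\MyApp\MyAdminApp.exe'
```

Treating 1223 as a normal outcome rather than an error matters: the slides stress that consent is explicit, so a user saying No must leave the application in a usable, unelevated state instead of crashing or retrying the prompt in a loop.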
Coding samples • Launching an elevated COM object • Accomplished using the elevation moniker • The object class must be registered as being "elevatable":

  HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}\Elevation
      Enabled    REG_DWORD    1

• The object class must have a "friendly name" assigned (shown in the consent dialog):

  HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}
      LocalizedString    REG_EXPAND_SZ    "@%ProgramFiles%\YourApp\YourElevatedComObject.dll,-101"

• The object has the string name defined in the DLL string table:

  STRINGTABLE
  LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
  {
      101, "Your Elevated Com Object"
  }

• Object elevation is requested at launch time
Coding samples • Elevation moniker in action • Example:

  #include <windows.h>
  #include <objbase.h>   // CoGetObject, BIND_OPTS3, CLSCTX_LOCAL_SERVER
  #include <strsafe.h>   // StringCchPrintf

  HRESULT CreateElevatedComObject(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void **ppv)
  {
      BIND_OPTS3 bo;
      WCHAR wszCLSID[50];
      WCHAR wszMonikerName[300];

      StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID) / sizeof(wszCLSID[0]));

      // "Elevation:Administrator!new:{CLSID}" asks AIS for a new elevated instance
      HRESULT hr = StringCchPrintf(wszMonikerName,
                                   sizeof(wszMonikerName) / sizeof(wszMonikerName[0]),
                                   L"Elevation:Administrator!new:%s", wszCLSID);
      if (FAILED(hr))
          return hr;

      memset(&bo, 0, sizeof(bo));
      bo.cbStruct       = sizeof(bo);
      bo.hwnd           = hwnd;                 // owner window for the consent dialog
      bo.dwClassContext = CLSCTX_LOCAL_SERVER;  // elevated object runs out of process
      return CoGetObject(wszMonikerName, &bo, riid, ppv);
  }
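The moniker only works against a class registered exactly as the previous slide describes, and every such class on a machine is also something any medium-integrity process can ask AIS to instantiate elevated. The following added example (not the deck's code) enumerates the classes that carry Elevation\Enabled = 1 and resolves their LocalizedString through SHLoadIndirectString, which is what the consent dialog displays. It assumes nothing beyond the registry layout shown on the slide and the shlwapi export; the CLSID in the usage line is the sample one from the deck.

```powershell
# Added example (not from the original deck): audit the COM classes registered
# as elevatable, and check that each one has the friendly name consent.exe needs.

Add-Type -Namespace Uac -Name Native -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int SHLoadIndirectString(string pszSource,
    System.Text.StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);
'@

function Resolve-IndirectString([string] $Source) {
    # Turns "@%ProgramFiles%\YourApp\X.dll,-101" into the string-table text.
    if (-not $Source) { return $null }
    $buf = [System.Text.StringBuilder]::new(1024)
    $hr  = [Uac.Native]::SHLoadIndirectString($Source, $buf, $buf.Capacity, [IntPtr]::Zero)
    if ($hr -eq 0) { $buf.ToString() } else { $Source }   # fall back to the raw value
}

function Get-ElevatableComClass {
    param([string] $Clsid)   # optional: check one class, e.g. '{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}'
    $root = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'
    $keys = if ($Clsid) { Get-Item "$root\$Clsid" -ErrorAction Stop } else { Get-ChildItem $root }

    foreach ($key in $keys) {
        $elev = Get-ItemProperty -Path "$($key.PSPath)\Elevation" -ErrorAction SilentlyContinue
        if (-not $elev -or $elev.Enabled -ne 1) { continue }

        $props  = Get-ItemProperty -Path $key.PSPath
        $server = (Get-ItemProperty "$($key.PSPath)\LocalServer32"  -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) {
            $server = (Get-ItemProperty "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }

        [pscustomobject]@{
            CLSID              = $key.PSChildName
            FriendlyName       = Resolve-IndirectString $props.LocalizedString
            HasLocalizedString = [bool]$props.LocalizedString   # consent UI requires it
            Server             = $server
        }
    }
}

Get-ElevatableComClass | Sort-Object FriendlyName | Format-Table -AutoSize
```

A row with HasLocalizedString False is a registration that will not elevate cleanly; on 64-bit Windows run the same query against HKLM\SOFTWARE\Classes\WOW6432Node\CLSID as well for 32-bit servers.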
Windows Vista Logo Program & UAC Builds upon existing Windows XP Logo Program Enhancements around running as standard user Use Install bootstrap model if launching software directly from installation process App must contain requestedExecutionLevel in an embedded manifest to define run level Authenticode sign installation package and all binaries
Debugging Administrative Apps • Launch copy of Visual Studio 2005 elevated • Start->All Programs->Microsoft Visual Studio 2005->(right click on) Microsoft Visual Studio 2005 • Select Run as Administrator • Debug your program
Process Isolation & Assistive Technology • A mechanism exists to mark Accessibility applications • Accessibility apps (Assistive Technology) need to drive UI running at higher integrity levels. • Accessibility apps carry a manifest requestedExecutionLevel statement of:

  <requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
  </requestedPrivileges>

• Assistive Technology applications must be Authenticode signed with a certificate that chains to a trusted root, and (by default policy) installed under a secure location such as Program Files or Windows\System32, or they will fail to launch.
Debugging Assistive Technology (AT) Apps • Defined as apps with the manifest attribute uiAccess="true" • AT apps must be Authenticode signed (root in the trusted root store) • Launch your AT app from Windows Explorer • Launch a copy of the Visual Studio 2005 Remote Debugger (msvsmon.exe) from within your app using ShellExecute() • On the remote debugger, select Tools->Options • Click "No Authentication (native only)" and "Allow any user to debug"
Debugging Assistive Technology (AT) Apps • On Visual Studio 2005 • Select Debug->attach to process • Under transport, select • Remote (Native only with no authentication) • Under Qualifier, enter the local machine name • Select the process to debug (your app) and click attach
Marking managed code • There is no obvious way to do this in the VS UI for managed code • The manifest can be added after the .exe is built • Use the tool mt.exe, part of the Windows SDK • Steps: • Create the manifest file • Use mt.exe to embed the manifest into resource id 1 of the executable: • mt.exe -manifest yourapp.manifest -outputresource:yourapp.exe;#1 • Works for all languages • C/C++, C#, J#, and VB
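The manifest-embedding step above, as an added example (not from the deck) that also verifies the result: it writes a manifest in the form of the Sample Manifest slide, embeds it with mt.exe, then reads resource 1 back out with mt.exe's -inputresource switch so you can confirm which requestedExecutionLevel actually shipped. It assumes mt.exe from the Windows SDK is on PATH; the function names and the MyAdminApp.exe path are placeholders.

```powershell
# Added example (not from the original deck): embed a requestedExecutionLevel
# manifest into an already-built exe and read it back for verification.

function Set-UacManifest {
    param(
        [Parameter(Mandatory)] [string] $ExePath,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string] $Level = 'asInvoker',
        [switch] $UiAccess     # only for signed assistive-technology apps
    )
    $name         = [IO.Path]::GetFileNameWithoutExtension($ExePath)
    $manifestPath = "$ExePath.manifest"
    $ui           = if ($UiAccess) { 'true' } else { 'false' }

    $text = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="$name" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="$ui"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    # UTF-8 without a byte-order mark, so the XML declaration is the first bytes.
    [IO.File]::WriteAllText($manifestPath, $text, [Text.UTF8Encoding]::new($false))

    # Resource id 1 (RT_MANIFEST) is the slot Windows reads for executables.
    & mt.exe -nologo -manifest $manifestPath "-outputresource:$ExePath;#1"
    if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }
}

function Get-UacManifestLevel {
    param([Parameter(Mandatory)] [string] $ExePath)
    $out = Join-Path $env:TEMP "$([IO.Path]::GetFileName($ExePath)).extracted.manifest"
    & mt.exe -nologo "-inputresource:$ExePath;#1" "-out:$out"
    if ($LASTEXITCODE -ne 0) { return $null }    # no embedded manifest at all
    $xml = [xml](Get-Content -Path $out -Raw)
    $rel = $xml.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel
    [pscustomobject]@{ Level = $rel.level; UiAccess = $rel.uiAccess }
}

# Usage (placeholder exe from the slides):
# Set-UacManifest -ExePath '.\MyAdminApp.exe' -Level requireAdministrator
# Get-UacManifestLevel -ExePath '.\MyAdminApp.exe'     # Level: requireAdministrator
```

Embed the manifest before Authenticode signing: mt.exe rewrites the file, which invalidates any signature already applied, and the Logo slide requires every shipped binary to be signed.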
Guides for Services • Don't create interactive services • No UI from services on the user desktop • Use RPC, sockets, named pipes, or COM to communicate • Use a reduced-privilege account, Local Service or Network Service, if possible • The user is prompted to switch to a special Session 0 viewer for interactive services
"Going the other way": from high to medium • There is no direct method • Use a bootstrap EXE and launch the elevated EXE/MSI from there. • Create/register a COM server marked to run as Interactive User and use it from your • Less desirable since it leaves the COM server around for anybody else to use later on • Register a WMI.Job (formerly scheduled task) that runs as the interactive user.
Data Redirection for Legacy Apps • Some legacy apps write to admin-only locations: • HKLM\Software • %SystemDrive%\Program Files etc. • Redirection (virtualization) removes the need for elevation • Writes to HKLM go to a redirected per-user store under HKU: • HKU\(user SID)_Classes\VirtualStore • Writes to system directories are redirected to a per-user store: • %LOCALAPPDATA%\VirtualStore • Copy-on-write: the first write copies the file into the store, and later reads by that user see the copy
Developer Impact Summary • Windows XP Logo'd for Standard User? • It will just work on Windows Vista • Fails on Windows XP as Standard User? • Use the Standard User Analyzer (SUA) tool to look for admin dependencies • Admin app on Windows XP? • Needs to be marked as requireAdministrator • Web apps need special attention due to Protected Mode IE
Developer Impact Summary • Installation Best Practices • Use MSI 3.1 for Install and Update • Alternate to MSI3.1 – call Update.exe marked as admin to do the update • Be careful with Self Updating Code • ClickOnce is a great deployment technology for Standard User apps
Future UAC Direction • Continue Isolation of Admin code on Standard User Desktop • Integrate Application IDs into OS for Standard User code • Integrate Software Restriction Policies into AppIDs • Tighten down power of Setup applications • Metadata in Manifests • Rollout of Windows Vista Logo program to help ISVs write compliant code. • Work with Developers to reduce dependence on Data Redirection
Tools: Standard User Analyzer (SUA) • Intended to predict whether an application would work correctly as a standard user • Identifies API calls that would fail if attempted by a standard user • Identifies all accesses requiring elevated privileges • Available for download at the Microsoft Download Center: • http://www.microsoft.com/downloads/details.aspx?FamilyID=df59b474-c0b7-4422-8c70-b0d9d3d2f575&DisplayLang=en
SUA Analyzer • 1. Enter the target app name • 2. Enter parameters • 3. Check the "Launch Elevated" checkbox • 4. Click the Launch button (on Vista, approve two elevation dialogs) • 5. Exit the target app (notepad in this demo; on Vista, approve an elevation dialog) • 6. The tool shows interactions that would fail as a standard user. In this case, boot.ini is not accessible to standard users. • Send comments to: luatools@microsoft.com
FAQ • If I mark my app as "admin", can I skip the elevation consent dialog? No. • Can you modify the privilege of a running application? No. • Will LUA elevate whenever a privileged API is used? No, the entire process is either elevated or not. • How long does the elevated process last? Can it time out? For the life of the process. • Can I choose which users will use UAC? Currently this is a per-machine setting. • Does UAC apply to all processes and services? Interactive processes only. • What areas of the registry and file system get redirected? HKLM\Software, %SystemRoot%, subdirectories of %ProgramFiles%. • Won't redirection de-motivate developers to fix their code? Yes, it is a short-term mitigation, and it is not available for 64-bit applications. • What happens when installer detection fails? The app runs as non-admin. • Will UAC be going down-level? No.