Understand UAC and make it work for you. Tom Decaluwé tom@it-talks.be
Overview of the session • What is UAC and why you should love it • What's been / is being done in Windows 7 • How it works in the core • How to make it work for you
What is UAC • The annoying screen that protects LOCAL administrators / power users (from themselves) • Version 1.0 of a least-privilege Windows environment
What is UAC: 3 components • Split tokens • Consent / credential user interface • Secure desktop => the prompt is drawn over an alpha-blended screenshot of the user's desktop, so nothing running on the user's desktop can interact with it
What is UAC: 2 types of users (standard user, administrator in Admin Approval Mode) * Set using group policies. UAC should not be considered a new RunAs or a substitute for it.
OU design / UAC settings via GPO • Clients => UAC auto confirm / UAC block • Servers => UAC auto confirm • Clients being installed => UAC auto confirm • DEMO
Two accounts versus one account with a split token: DEMO
Why you should love it • Normal users => Awareness • Forces users to become more security aware; it looks black and scary, don't soften it into a Teletubby-style interface. • Admin users => More control • It informs you of system-level changes • Forces malware to show itself (it has to ask for elevation) • Lets you control yes/no • Solves the incompatibility issue of software across two accounts • Developers => Mentality change • Forces software vendors to create software that does not need admin privileges
Why you should love it: "Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149" (number of unique applications and tasks creating UAC prompts). A huge reduction in apps that need admin rights.
Why should I care? It's here to stay: Windows Vista, Windows Server 2008, Windows 7
What's the problem / what's being done • Reduce prompts • Make prompts informative • Better control
What's the solution: reduce unneeded prompts. More prompts cause people to click Yes without looking (a reflexive Yes). • Educate software developers to write software according to best practices • Internally at MS, remove unneeded prompts
What's the solution: prompt information. Improved message dialog.
What's the solution: more control. Security versus usability, controllable via GPOs. The Windows 7 levels: • Always notify on every system change (Vista default) • Notify me only when programs try to make changes to my computer (Windows 7 default) • Notify me only when programs try to make changes to my computer, without using the Secure Desktop (turns off the secure desktop) • Never notify.
What’s the solution More control
How it works in the core: the token. When you log on, the logon process (via LSA) builds your token. When you run an exe, a copy of your token is bound to that process to grant the process exactly that amount of access.
How it works in the core: a split / filtered token. For a member of Administrators, the LSA service creates two tokens at logon. Either you need to ask for elevation, or Windows knows you will need elevation. • Standard user (filtered) token: administrative groups marked deny-only; only 5 privileges kept: SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege; Medium integrity level, S-1-16-8192 => hex 2000 • Administrator token (the default token): all groups, all privileges; High integrity level, S-1-16-12288 => hex 3000
whoami /groups => the Administrators group shows up as an explicit deny ("Group used for deny only") on the filtered token • whoami /priv • whoami /fo list /all • DEMO
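To see both halves of the split token from a script rather than reading the whoami output by eye, the following added example (written for this page, not the presenter's demo) runs whoami in CSV mode and summarises the three things the slide calls out: whether the Administrators group is deny-only, which integrity SID the token carries, and how many privileges survived filtering. Function name and output layout are this example's own; the CSV column names are whoami's.

```powershell
# Added example, not part of the original deck: summarise the token of the
# current PowerShell process. Run it once from a normal prompt and once from
# a "Run as administrator" prompt to see the filtered and full halves.
function Get-TokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)

    # IsInRole only counts *enabled* groups, so on the filtered token this is
    # $false even though the account is a member of Administrators.
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami exposes the group attributes that the .NET API hides, including
    # "Group used for deny only" on the filtered token.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

    # The integrity level is a mandatory-label SID in the S-1-16-<RID> family.
    $integritySid = ($groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1).SID
    $integrityRid = [int](($integritySid -split '-')[-1])
    $integrityName = switch ($integrityRid) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { 'Unknown' }
    }

    $privs = @(whoami /priv /fo csv | ConvertFrom-Csv)

    [pscustomobject]@{
        User                = $id.Name
        IsElevated          = $elevated
        AdministratorsAttrs = if ($admins) { $admins.Attributes } else { 'not a member' }
        IntegrityLevel      = '{0} ({1}, hex {2:X})' -f $integrityName, $integritySid, $integrityRid
        PrivilegeCount      = $privs.Count
        Privileges          = ($privs.'Privilege Name' | Sort-Object) -join ', '
    }
}

Get-TokenSummary | Format-List
```

On the filtered token you should see IsElevated false, AdministratorsAttrs containing "Group used for deny only", Medium (S-1-16-8192, hex 2000) and a PrivilegeCount of 5 (the list on the slide); on the full token IsElevated true, High (S-1-16-12288, hex 3000) and the complete privilege set.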
How it works in the core: tokens in Process Explorer. Normal (filtered) token versus admin token.
How it works in the core: process launch. A process started from explorer.exe gets the standard user token by default. A child process also gets the standard user token, unless Windows knows (heuristics) or Windows is told (manifest, "Run as administrator") that the admin token is required; then the consent UI decides whether the child is launched with the admin token.
How it works in the core: Windows knows it needs to elevate • Windows knows it needs elevation • Windows marks the icons (shield overlay) • Heuristic install detection • Manifest
How it works in the core Windows knows it needs to elevate Windows marks the icons
How it works in the core: Windows auto-detects elevation • Vista looks for popular installer strings in the file name: Setup, Instal(l), Update • Vista detects installers built with Wise Installer and InstallShield • Checks for a manifest => a manifest overrules the above * Installer detection only works for 32-bit executables
How it works in the core: Windows knows it needs to elevate • You tell Windows • Right click => Run as administrator • Tag the icon for elevation • Add a manifest • Shim fixes (Application Compatibility Toolkit)
How it works in the core: tell Windows to elevate • Mark an icon for automatic elevation => only works on legacy apps (apps without a manifest) • Only for you • For all users
How it works in the core: embedded manifest, requestedExecutionLevel • asInvoker => use the caller's current token • highestAvailable => give the highest token the user has (the full token for an admin, after a prompt; no prompt and the normal token for a standard user) • requireAdministrator => the app requires an admin token; if the user cannot provide one, it does not run
How it works in the core: tell Windows to elevate • Use a manifest => this is the best way, as it is a 1|0 situation (no guessing by heuristics)
How it works in the core: interact with the secure desktop. To interact with the secure desktop you must meet three prerequisites: • uiAccess="true" in the manifest • Code must be Authenticode-signed with a certificate that chains to a trusted root • Code must be installed in a secure location: \Windows\System32\*, \Program Files\*, \Program Files (x86)\*
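The three slides above describe two things a practitioner wants to check on an arbitrary exe: would Windows guess that it is an installer, and is there a manifest that makes the guess unnecessary? The following is an added example for this page (not the presenter's demo, and not Microsoft's actual detection code, which is not public in full). It reads the PE header to apply the 32-bit-only rule, looks for the documented keywords in the file name and version resource, and honours an external app.exe.manifest if one exists; it then writes such a manifest with a chosen requestedExecutionLevel. Function names are this example's own. Embedded RT_MANIFEST resources are not read here (use mt.exe from the Windows SDK for that), and Windows prefers an embedded manifest over the external file, so the external-file check is only meaningful for unmanifested legacy apps.

```powershell
# Added example, not part of the original deck: approximate the pre-launch
# decision (manifest > 32-bit rule > installer keywords) and write a manifest.
function Get-ExpectedElevation {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path

    # PE header: e_lfanew at 0x3C points at "PE\0\0"; Machine is 4 bytes past it.
    $bytes    = [System.IO.File]::ReadAllBytes($file.FullName)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $is32Bit  = ($machine -eq 0x014C)      # IMAGE_FILE_MACHINE_I386; 0x8664 = AMD64

    # External side-by-side manifest, honoured only when nothing is embedded.
    $level = $null
    $manifestPath = "$($file.FullName).manifest"
    if (Test-Path -LiteralPath $manifestPath) {
        [xml]$m = Get-Content -LiteralPath $manifestPath -Raw
        $node = $m.SelectSingleNode("//*[local-name()='requestedExecutionLevel']")
        if ($node) { $level = $node.GetAttribute('level') }
    }

    # Documented signals: keywords in the file name and version-resource fields.
    $vi = $file.VersionInfo
    $haystack = @($file.Name, $vi.CompanyName, $vi.ProductName, $vi.FileDescription,
                  $vi.OriginalFilename, $vi.InternalName) -join ' '
    $installerHint = $haystack -match '(?i)setup|instal|update'

    if ($level)              { $decision = "manifest says $level (heuristics skipped)" }
    elseif (-not $is32Bit)   { $decision = 'asInvoker (64-bit: installer detection does not apply)' }
    elseif ($installerHint)  { $decision = 'installer detected => elevation prompt' }
    else                     { $decision = 'asInvoker (no signal)' }

    [pscustomobject]@{
        File = $file.Name; Is32Bit = $is32Bit; Manifest = $level
        InstallerKeyword = $installerHint; Decision = $decision
    }
}

# Pin the level so Windows never has to guess. UiAccess only works when the
# exe is signed and sits in one of the secure locations from the slide.
function New-ExecutionLevelManifest {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string]$Level = 'asInvoker',
        [switch]$UiAccess
    )
    $ui = if ($UiAccess) { 'true' } else { 'false' }
    @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="$ui"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@ | Set-Content -LiteralPath "$ExePath.manifest" -Encoding UTF8
}

# Usage: a 32-bit legacy "setup.exe" with no manifest is the classic false positive.
Get-ExpectedElevation -Path "$env:SystemRoot\System32\notepad.exe"
```

For an unmanifested 32-bit tool whose name happens to contain "update" and which does not actually need admin rights, writing an asInvoker manifest next to it (or embedding one with mt.exe) removes the spurious prompt; that is the "1|0 situation" the slide refers to.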
How it works in the core: consent UIs. 4 colour levels of BEWARE • RED => the program is blocked (publisher blocked via GPO) • TEAL => digitally signed by Microsoft • GRAY => digitally signed by a 3rd-party publisher • ORANGE => other situations (unsigned / unknown publisher) * The consent UI times out after 2 minutes * The colours are the same ones used by the IE information bars
How to make it work for you • Staging OU • GPOs => manipulating UAC • Use RunAs / ShellRunAs • Deploy the helper via GPO: Computer => all computers (create folder, copy file); User => target group Local_admins • Elevate.exe + Start++.exe => command-line elevation • Elevate cmd here (explorer context menu) • Keep an elevated prompt recognisable => cmd /T:1F (white on blue) • Automate a scheduled task • Application Compatibility Toolkit
Privileged cmd prompt with no elevation prompt: C:\Windows\System32\schtasks.exe /run /tn "CMD without UAC" DEMO
Application Compatibility Toolkit: fix-up / shim DEMO
How to make it work for you: two problems • SMB access => when you connect to a remote machine with a LOCAL (non-domain) admin account, the network logon gets the filtered token (remote UAC token filtering) • Remote Assistance => secure desktop prompts are not shown in the remote session, only on the local console
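The "CMD without UAC" demo two slides up works because Task Scheduler starts a task marked "run with highest privileges" with the user's full token, without going through consent.exe. The following added example (written for this page; the task name is the slide's, the function names are invented) creates that task once from an elevated prompt, then starts it from a normal filtered-token session. It deliberately defeats the prompt for this one command line, so treat the task like any other standing elevation: anything that can modify /tr later runs as the full token.

```powershell
# Added example, not part of the original deck: the "CMD without UAC" trick.
$TaskName = 'CMD without UAC'

# One-time setup; needs an elevated prompt because /rl highest asks for the full token.
function Register-ElevatedCmdTask {
    # /tr  : cmd with the /T:1F colour trick from the slide, so the elevated window is obvious
    # /rl highest : run with the highest privileges the account has (the full token)
    # /it  : only when the user is logged on, so the window is interactive
    # /sc once /st 00:00 : a trigger that never fires by itself; we start it with /run
    schtasks.exe /create /tn $TaskName /tr 'cmd.exe /T:1F' /sc once /st 00:00 /rl highest /it /f
}

# From a normal (filtered-token) session: no consent prompt, elevated cmd appears.
function Start-ElevatedCmd {
    schtasks.exe /run /tn $TaskName
}

# Before trusting it, confirm who the task runs as and what it runs.
function Show-ElevatedCmdTask {
    schtasks.exe /query /tn $TaskName /v /fo list |
        Select-String -Pattern 'Run As User', 'Task To Run', 'Logon Mode'
}

Show-ElevatedCmdTask
```

Verify with the token check from the split-token slide: cmd started through the task should report High integrity (S-1-16-12288) and the full privilege set, while a cmd started from the same explorer session reports Medium.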
How to make it work for you: configure elevation logging • Success / failure auditing of process tracking (Process Creation) and privilege use • ID 4688 => a new process was created (New Process ID) • ID 4696 => a primary token was assigned to a process (Target Process ID), i.e. the elevated token handed to the new process * We cannot see who initiated the elevation (who clicked Yes), only which account the token belongs to
Thank you www.it-talks.be Tom Decaluwé tom@it-talks.be
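The logging slide pairs 4688 (New Process ID) with 4696 (Target Process ID); the join key is that process id. The following added example for this page (not the presenter's demo) parses event XML and performs that join. The two events embedded below are constructed samples with made-up process ids and user names, not real log records, and the field names are the ones the Security log uses for these event ids. Function names are this example's own.

```powershell
# Added example, not part of the original deck: correlate 4688 with 4696 on the
# process id so you can see which created processes received a primary token.
# Constructed sample events (made-up ids), not real log entries:
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2009-06-01T09:00:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">tom</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ProcessId">0x0f10</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4696</EventID><TimeCreated SystemTime="2009-06-01T09:00:00.100Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">tom</Data>
    <Data Name="TargetUserName">tom</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="TargetProcessId">0x1a2c</Data>
    <Data Name="TargetProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
'@
)

# Turn one event's XML (as returned by EventLogRecord.ToXml()) into an object.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        [xml]$x = $Xml
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            EventId = [int]$x.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
            Time    = [datetime]$x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            Data    = $data
        }
    }
}

# Join 4696 (token assigned) to 4688 (process created) on the process id.
function Get-TokenAssignments {
    param([Parameter(Mandatory)][object[]]$Events)
    $created = @{}
    foreach ($e in $Events | Where-Object { $_.EventId -eq 4688 }) {
        $created[$e.Data.NewProcessId] = $e
    }
    foreach ($e in $Events | Where-Object { $_.EventId -eq 4696 }) {
        $targetPid = $e.Data.TargetProcessId
        $c = $created[$targetPid]
        $creator = if ($c) { $c.Data.SubjectUserName } else { '(no matching 4688)' }
        $parent  = if ($c) { $c.Data.ProcessId } else { $null }
        [pscustomobject]@{
            Time       = $e.Time
            ProcessId  = $targetPid
            Process    = $e.Data.TargetProcessName
            TokenOwner = $e.Data.TargetUserName   # whose token; NOT who clicked Yes
            AssignedBy = $e.Data.ProcessName
            CreatedBy  = $creator
            ParentPid  = $parent
        }
    }
}

$parsed = $SampleEvents | ConvertFrom-EventXml
Get-TokenAssignments -Events $parsed | Format-Table -AutoSize
```

Against a live machine, enable the subcategory first (auditpol /set /subcategory:"Process Creation" /success:enable) and feed real records in with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4696} piped through ForEach-Object { $_.ToXml() } and ConvertFrom-EventXml. As the slide says, neither event records who answered the consent prompt; the TokenOwner column is the account whose token was used, which is the same account either way.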