Understand UAC and make it work for you.
  1. Understand UAC and make it work for you. Tom Decaluwé tom@it-talks.be

  2. Overview of the session
  • What is UAC and why you should love it
  • What's been / is being done in Windows 7
  • How it works in the core
  • How to make it work for you

  3. 1. What is UAC and why you should love it

  4. What is UAC: the annoying screen that protects LOCAL administrators / power users. Version 1.0 of the least-privilege Windows environment.

  5. What is UAC: 3 components
  • Split tokens
  • Consent / credential user interface
  • Secure desktop => the dimmed background is an alpha-blended screenshot of your desktop

  6. What is UAC: 3 devices, 2 types of users (standard user / administrator) * set using group policies. UAC should not be considered a substitute for, or a new, RunAs.

  7. What is UAC: the need for two user accounts

  8. OU design / UAC settings via GPO
  • Clients => UAC auto-confirm / UAC block
  • Servers => UAC auto-confirm
  • Clients being installed => UAC auto-confirm
  DEMO

  9. Two accounts <> DEMO

  10. Why you should love it
  • Normal users => awareness. It forces users to become more security aware; it looks black and scary, so don't make it a Teletubby-style soft interface.
  • Admin users => more control. It informs you of system-level changes, forces malware to show itself, lets you control yes/no, and solves the incompatibility issue of software across two accounts.
  • Developers => mentality change. It forces software vendors to create software that runs without admin privileges.

  11. Why you should love it: “Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149” (number of unique applications and tasks creating UAC prompts). A huge reduction of apps that need admin rights.

  12. Why should I care? It's here to stay: Windows Vista, Windows Server 2008, Windows 7.

  13. Why you should love it: RunAs compared to UAC

  14. 2. What's been / is being done in Windows 7

  15. What's the problem / what's being done: reduce prompts, make prompts informative, give better control.

  16. What's the solution: reduce unneeded prompts. More prompts cause people to click Yes without looking (the reflexive Yes).
  • Educate software developers to write software according to best practices
  • Internally at MS, remove unneeded prompts

  17. What's the solution: prompt information. Improved message dialog.

  18. What's the solution: more control. Security vs. usability * controllable via GPOs:
  • Always notify on every system change (Vista default)
  • (Windows 7 default) Notify me only when programs try to make changes to my computer
  • Notify me only when programs try to make changes to my computer, without using the Secure Desktop (turns off the secure desktop)
  • Never notify

  19. What's the solution: more control

  20. 3. How it works in the core

  21. How it works in the core: the token when you log on. The logon process creates your token; when you run an exe, your token is copied to that process, and that copy determines how much access the process gets.

  22. How it works in the core: a split token / filtered token. The logon process asks the LSA service for a token; for a member of Administrators, LSA builds two. Either you need to ask for elevation, or Windows knows you will need elevation.
  • Standard user token (filtered): admin groups are marked deny-only; 5 privileges (SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege); Medium integrity level, S-1-16-8192 => hex 0x2000
  • Administrator token (default token): all groups; all privileges; High integrity level, S-1-16-12288 => hex 0x3000

  23. whoami /groups => shows the explicit deny (“Group used for deny only”) on the admin groups; whoami /priv; whoami /fo list /all. DEMO
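The split token from slide 22 is easy to see in code. The following PowerShell is an added example, not part of the presentation: it parses the CSV output of the same whoami commands and combines it with the .NET WindowsIdentity class. Run it once in a normal PowerShell window and once in an elevated one (Run as administrator) to see the filtered token next to the full admin token. It assumes Windows Vista or later and PowerShell 2.0 or later; nothing else.

```powershell
# Added example: summarise the access token of the current PowerShell process.
# Compare the output of a normal window with that of an elevated window.

function Get-TokenSummary {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami /groups lists the integrity label (SID S-1-16-*) and the deny-only
    # admin groups as ordinary rows; the CSV form is easy to parse.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    $denyOnly = @($groups | Where-Object { $_.Attributes -match 'deny only' })
    $label    = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    [pscustomobject]@{
        User           = $id.Name
        # IsInRole is evaluated against the token in use: $false on the filtered
        # token even though the account is a member of Administrators.
        IsAdminToken   = $principal.IsInRole($adminRole)
        IntegrityLevel = $label.'Group Name'   # e.g. Mandatory Label\Medium Mandatory Level
        IntegritySid   = $label.SID            # S-1-16-8192 (medium) or S-1-16-12288 (high)
        DenyOnlyGroups = @($denyOnly | ForEach-Object { $_.'Group Name' }) -join '; '
        PrivilegeCount = @($privs).Count       # 5 on a Windows 7 filtered token
        Privileges     = @($privs | ForEach-Object { $_.'Privilege Name' }) -join ', '
    }
}

Get-TokenSummary | Format-List
```

The IsAdminToken line is the one that bites scripts: checking "is this user an administrator" with IsInRole returns false in a non-elevated session, because the question is answered against the filtered token, not against the account's group membership.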

  24. How it works in the core: tokens in Process Explorer (normal token vs. admin token)

  25. How it works in the core: process launch. A process is started from explorer.exe; by default it gets the standard user token. The child process gets the admin user token only when Windows knows (heuristics, manifest) or Windows is told (run as administrator) that it needs one.

  26. How it works in the core: the Application Information service (appinfo), the service that starts the elevated process on your behalf after consent.

  27. How it works in the core: Windows knows it needs to elevate
  • Windows knows it needs elevation
  • Windows marks the icons (shield overlay)
  • Heuristic install detection
  • Manifest

  28. How it works in the core: Windows knows it needs to elevate, and marks the icons with the shield.

  29. How it works in the core: Windows auto-detects elevation (installer detection)
  • Vista looks for popular install strings in the file name: Setup, Install, Update
  • Vista detects installers built with Wise Installer and InstallShield
  • Checks for the manifest => a manifest overrules the above
  * only works for 32-bit installers

  30. calc.exe renamed to setup.exe (the file name alone triggers installer detection) DEMO

  31. How it works in the core: Windows knows it needs to elevate because you tell it
  • Right click => Run as administrator
  • Tag the icon for elevation (Compatibility tab)
  • Add a manifest
  • Shim fixes (Application Compatibility Toolkit)

  32. How it works in the core: tell Windows to elevate. Mark an icon for automatic elevation (Compatibility tab => “Run this program as an administrator”) => only works on legacy apps without a manifest; either only for you or for all users.

  33. How it works in the core: embedded manifest, requestedExecutionLevel
  • asInvoker => use the current security token (never prompts)
  • highestAvailable => give the highest token available to this user: an admin is prompted and gets the full token, a standard user runs with the standard token without a prompt
  • requireAdministrator => the app requires an admin token: an admin is prompted for consent, a standard user for admin credentials, and without that token the app does not run

  34. How it works in the core: tell Windows to elevate. Use a manifest => this is the best way, since it is a 1|0 statement instead of a heuristic.

  35. Manifest: internal (embedded as a resource) and external (app.exe.manifest next to the exe) DEMO
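To make slides 33 to 35 concrete, here is an added PowerShell example (not code from the presentation) that writes a manifest with the requestedExecutionLevel of your choice, embeds it in an executable with mt.exe, and reads it back. It assumes mt.exe from the Windows SDK is on the PATH (for example in a Visual Studio command prompt) and uses a hypothetical C:\Tools\MyTool.exe as the target; replace it with a binary you are allowed to modify.

```powershell
# Added example: build, embed and read back a UAC manifest.
# Assumptions: mt.exe (Windows SDK) is on PATH; C:\Tools\MyTool.exe is hypothetical.

function New-UacManifest {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string] $Level = 'asInvoker',
        [switch] $UiAccess   # only honoured when signed and in a secure location (slide 36)
    )
    $ui = if ($UiAccess) { 'true' } else { 'false' }
    $xml = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="$ui"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    Set-Content -Path $Path -Value $xml -Encoding UTF8
    return $Path
}

function Set-EmbeddedManifest {
    param([string] $Exe, [string] $Manifest)
    # Resource ID 1 is the application manifest. Embedding rewrites the file, so
    # do this BEFORE Authenticode-signing the binary or the signature breaks.
    & mt.exe -nologo -manifest $Manifest "-outputresource:$Exe;#1"
    if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }
}

function Get-EmbeddedManifest {
    param([string] $Exe)
    $tmp = [IO.Path]::GetTempFileName()
    & mt.exe -nologo "-inputresource:$Exe;#1" "-out:$tmp" | Out-Null
    $result = if ($LASTEXITCODE -eq 0) { [IO.File]::ReadAllText($tmp) } else { $null }  # $null = no manifest
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return $result
}

# Usage (hypothetical paths): mark the tool as requiring an admin token.
$manifest = New-UacManifest -Path "$env:TEMP\MyTool.manifest" -Level requireAdministrator
Set-EmbeddedManifest -Exe 'C:\Tools\MyTool.exe' -Manifest $manifest
(Get-EmbeddedManifest -Exe 'C:\Tools\MyTool.exe') -match 'level="requireAdministrator"'   # True
```

Two things worth knowing when you test this: an embedded manifest wins over an external MyTool.exe.manifest on Vista and later (the external one is only preferred when the PreferExternalManifest value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide is set), and Windows caches manifest information per file, so rename or re-copy the binary if a changed manifest does not seem to take effect.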

  36. How it works in the core: interact with the secure desktop. To interact with the secure desktop you must adhere to three prerequisites:
  • Entry in the manifest: uiAccess="true"
  • Code must be Authenticode-signed with a certificate that chains to a trusted root (it does not have to be signed by Microsoft)
  • Code must be put in a secure location: \Windows\System32\*, \Program Files\*, \Program Files (x86)\*

  37. The secure desktop does not pause the other processes DEMO

  38. How it works in the core: consent UIs, 4 different levels of BEWARE
  • RED => program is signed by a publisher you blocked via GPO
  • TEAL => digitally signed by Microsoft (Windows component)
  • GRAY => digitally signed by a 3rd party
  • ORANGE => other situations (unsigned / unknown publisher)
  * The consent UI times out after 2 minutes
  * The colour scheme is the same one Internet Explorer uses in its security bars

  39. 4. How to make it work for you

  40. How to make it work for you
  • Staging OU
  • GPOs => manipulating UAC
  • RunAs / ShellRunAs
  • Computer => all computers: create folder, copy file
  • User => target group Local_admins
  • Elevate.exe + Start++.exe => command-line elevation
  • Elevate cmd here
  • Make an elevated prompt recognisable => cmd /T:1F (colour)
  • Automate via a scheduled task
  • Application Compatibility Toolkit

  41. Control UAC via GPO / security options
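The four notification levels of slide 18 and the GPO security options of slide 41 both end up as values under the same registry key. The PowerShell below is an added example, not from the presentation: it reads those values and maps them back to the Windows 7 slider positions, so you can verify what a GPO actually delivered to a machine. It assumes the standard policy key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; values a policy never set come back empty.

```powershell
# Added example: audit the effective UAC configuration of this machine.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSettings {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                     = $p.EnableLUA                     # 0 = UAC off entirely (needs reboot)
        ConsentPromptBehaviorAdmin    = $p.ConsentPromptBehaviorAdmin    # 0 elevate silently, 2 always consent, 5 consent for non-Windows binaries
        ConsentPromptBehaviorUser     = $p.ConsentPromptBehaviorUser     # 0 auto deny, 1 credentials on secure desktop, 3 credentials
        PromptOnSecureDesktop         = $p.PromptOnSecureDesktop         # 1 = dim the screen (secure desktop)
        EnableInstallerDetection      = $p.EnableInstallerDetection      # the heuristic from slide 29
        LocalAccountTokenFilterPolicy = $p.LocalAccountTokenFilterPolicy # 1 = full token over the network (slide 47)
    }
}

function Get-UacSliderLevel {
    param($Settings = (Get-UacSettings))
    if ($Settings.EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    # The slider only ever writes these two values; anything else is a custom GPO.
    $key = "$($Settings.ConsentPromptBehaviorAdmin)/$($Settings.PromptOnSecureDesktop)"
    switch ($key) {
        '2/1'   { 'Always notify (Vista behaviour)' }
        '5/1'   { 'Default: notify only when programs try to make changes' }
        '5/0'   { 'Notify only for programs, without the secure desktop' }
        '0/0'   { 'Never notify (on some builds this position also clears EnableLUA after a reboot)' }
        default { "Custom policy: ConsentPromptBehaviorAdmin=$($Settings.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($Settings.PromptOnSecureDesktop)" }
    }
}

Get-UacSettings | Format-List
Get-UacSliderLevel
```

Reading the key is allowed for a standard user, so this runs fine with the filtered token; writing it (which is what the GPO does) needs the admin token.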

  42. Run as different user…. DEMO

  43. Elevate from command prompt DEMO

  44. Elevate command prompt here DEMO

  45. Privileged cmd prompt without a UAC prompt: C:\Windows\System32\schtasks.exe /run /tn "CMD without UAC" DEMO
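Slide 45 only shows the /run half of the trick. The following added PowerShell (not from the presentation) creates the task it relies on, checks that it really carries the highest run level, and then starts it. It uses the same task name as the slide and assumes schtasks.exe as shipped with Windows 7 or later; the one-time registration must be done from an elevated prompt.

```powershell
# Added example: register and use a scheduled task that starts an elevated cmd
# without a consent dialog. Task name taken from slide 45.
$TaskName = 'CMD without UAC'

function Register-ElevatedCmdTask {
    # /rl HIGHEST requests the full admin token; /sc once /st is required syntax
    # for a task that is only ever started by hand. Without /ru the task runs as the
    # current user, interactively, so the console window is visible.
    & schtasks.exe /create /tn $TaskName /tr 'cmd.exe /T:1F' /sc once /st 00:00 /rl highest /f
    if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed ($LASTEXITCODE); run this from an elevated prompt" }
}

function Test-ElevatedCmdTask {
    # The stored definition must say HighestAvailable, otherwise cmd is started
    # with the filtered token and the trick silently stops working.
    $xml = [xml]((& schtasks.exe /query /tn $TaskName /xml) -join "`n")
    return ($xml.Task.Principals.Principal.RunLevel -eq 'HighestAvailable')
}

function Start-ElevatedCmd {
    # This is the command from slide 45; it works from a non-elevated prompt.
    & schtasks.exe /run /tn $TaskName
    return ($LASTEXITCODE -eq 0)
}

Register-ElevatedCmdTask
Test-ElevatedCmdTask   # True
Start-ElevatedCmd      # opens the blue-on-white elevated cmd
```

Be clear about what this does to the machine: from now on anything running with your filtered token, including malware, can get a full admin token by running schtasks /run /tn "CMD without UAC". It removes the prompt, but it also removes the protection the prompt gives; keep it for lab and staging machines.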

  46. Application Compatibility Toolkit: fix-up / shim DEMO

  47. How to make it work for you: two problems
  • SMB access => when accessing an SMB share using a local admin (non-domain) account you will be using the filtered token (remote UAC; controlled by the LocalAccountTokenFilterPolicy registry value)
  • Remote Assistance => secure desktops don't prompt in the remote session, only on the local system

  48. How to make it work for you: configure elevation logging
  • Success / failure auditing of process tracking & privilege tracking
  • ID 4688 => what process was created (new process ID, creator process ID)
  • ID 4696 => a primary token was assigned to the process (the elevated token)
  * We cannot see who initiated the elevation
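The logging from slide 48 is more useful than the slide suggests on Windows 7 and later, because event 4688 there carries a Token Elevation Type field (%%1936 default token, %%1937 full elevated token, %%1938 limited filtered token). The PowerShell below is an added example, not from the presentation: it switches on the audit subcategory and pulls the elevated process creations out of the Security log. It assumes Windows 7 / Server 2008 R2 or later and an elevated PowerShell, since reading the Security log needs the admin token.

```powershell
# Added example: enable process-creation auditing and list elevated process starts.

function Enable-ProcessCreationAuditing {
    # Same setting as GPO: Advanced Audit Policy > Detailed Tracking > Audit Process Creation
    & auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable
    return ($LASTEXITCODE -eq 0)
}

function Get-ElevatedProcessCreations {
    param(
        [int] $MaxEvents = 500,
        [ValidateSet('Full', 'Limited', 'Default', 'All')] [string] $ElevationType = 'Full'
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # The event's <EventData> holds named <Data> elements; turn them into a table.
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            $elev = switch ($d.TokenElevationType) {
                '%%1936' { 'Default' }
                '%%1937' { 'Full' }
                '%%1938' { 'Limited' }
                default  { [string]$d.TokenElevationType }
            }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                NewProcess    = $d.NewProcessName
                NewProcessId  = $d.NewProcessId
                CreatorPid    = $d.ProcessId     # creator process ID
                ElevationType = $elev
            }
        } |
        Where-Object { $ElevationType -eq 'All' -or $_.ElevationType -eq $ElevationType }
}

Enable-ProcessCreationAuditing
Get-ElevatedProcessCreations | Format-Table -AutoSize
```

This confirms the slide's last point from the data itself: for a UAC-elevated start, CreatorPid points at the svchost hosting the Application Information service, not at the explorer.exe or console the user clicked in, so the log tells you that an elevation happened and which binary got the full token, but not which user action triggered it.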

  49. Thank you. www.it-talks.be Tom Decaluwé tom@it-talks.be
