1 / 20

Non-Admin and the World of Tomorrow

Non-Admin and the World of Tomorrow. Presented by: Robert Hensing Microsoft Secure Windows Initiative. Agenda. Houston – we admit we have a problem! Great! So what is the problem exactly? How we got here . . . Why running as non-admin is important

kylar
Download Presentation

Non-Admin and the World of Tomorrow

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Non-Admin and the World of Tomorrow Presented by: Robert Hensing Microsoft Secure Windows Initiative

  2. Agenda • Houston – we admit we have a problem! • Great! So what is the problem exactly? • How we got here . . . • Why running as non-admin is important • When you come to a fork in the road – take it! • Two paths to non-admin righteousness – which is right for you? • Demonstrations (time permitting) • Elevating up • Dropping down

  3. The problem • 90% of all people do not need to run with Administrative privileges on Windows (give or take) • Running as administrator grants software excessive privileges & permissions that allow it to do VBT™ • Dangerous Admin-only permissions (examples) • Writing to HKCR (Spyware / Adware invoked as COM objects) • Writing to HKLM (Malware can create services that auto-start regardless of who logs in) • Writing to %WINDIR% & %PROGRAMFILES% (malware hidden with system files)

  4. The problem . . . • Dangerous Admin-only privileges (examples) • Debug programs (SeDebugPrivilege) • Allows malware to write to other processes memory (think rootkits) • Backup up files and directories (SeBackup/RestorePrivilege) • Allows malware to bypass NTFS permissions to read + write files • Load and unload device drivers (SeLoadDriverPrivilege) • Allows malware to easily load code into the kernel (rootkits) • Manage auditing and security log (SeSecurityPrivilege) • Allows malware to clear the event logs and erase evidence • Take ownership of files or other objects (SeTake0wnershipPrivilege) • Allows malware to more easily own access to files you own and have ACL’d properly • SeImpersonatePrivilege • Don’t have enough priv’s? Impersonate the system account!

  5. The problem . . . • This is Internet Explorer as a non-admin account

  6. The problem . . . • This is Internet Explorer on drugs (admin) • Any questions?

  7. How we got here • For decades consumer versions of Windows had a flat permissions model • Window XP was the first mass-marketed consumer OS based on the NT kernel • Remember Windows 2000 Professional and NT 4.0 Workstation were lower volume and were targeted primarily at corporate users. • Historically the core focus of consumer versions of Windows was application and backwards compatibility – NOT security. • Most applications had been developed with the flat permissions model • Apps could write anything anywhere anytime • This encouraged bad behaviors

  8. Why running as non-admin is so important • It’s about risk avoidance and attack surface reduction • Malware running as Administrator can modify the operating system and affect all users of a PC • Recovery often involves re-installing the OS • Malware running as a limited user account can impact a users profile and may only affect that user. • Clean-up and recovery is often much easier if the malware runs at all!

  9. Why running as non-admin is so important • The simple fact is most, if not all, of today’s top malware will fail to run properly, if run from a regular user account. • Don’t believe me? • W32.Mytob.IE@mm • Copies itself to %system% • Oops – users can’t write there • Modifies HKLM\Software\Microsoft\Windows\CurrentVersion\Run • Oops – users can’t write there • Creates a new service • Oops – users can’t do that • Tries to block access to dozens of security and AV sites • Oops – users can’t modify hosts files • Attempts to kill a bunch of processes running as SYSTEM • Oops – users can’t kill processes not running as them.

  10. When you come to a fork in the road . . . Take it! - Yogi Berra

  11. Two approaches to reducing privilege • In Windows there are two ways to run applications with reduced privileges. • Login at the regular user privilege levelTemporarily elevate the privilege level of specific applications as needed • Login at the administrator privilege levelDecrease the privilege level of specific applications as needed

  12. Login at the regular user privilege level • Modus Operandi • Login as a regular user • Use Runas.exe or similar tools to elevate permissions of known good applications to administrator level as needed. • Pro’s • Fails closed (i.e. new / unknown apps run as user by default) • Supported and tested configuration by the product group (sort of). • Con’s • Application compatibility • Hundreds if not thousands of applications fail to run, sometimes in spectacular fashion with no warnings or meaningful errors. • Runas.exe doesn’t work with everything (various system level adjustments like date/time, power settings, RAS/VPN connectoids, specific types of applications) • Also requires that the user know an admin password! • Can require some non-trivial OS re-configuring and/or scripting to implement seamlessly

  13. How I roll at home . . . • I login as a regular user for day to day tasks at home (e-mail, web surfing, watching shows (Media Center), video editing*, photo-sharing) • I login as an administrative account only to update and install software. • I use Fast User Switching and my biometric keyboard. • My pinky’s are my administrator account • My index fingers are my regular user account • My middle finger is my wife’s account (sssshhhh!!!)

  14. Login at the administrator privilege level • Modus Operandi • Login with an account that is a member of Administrators • Create un-documented registry settings or use tools making use of obscure API’s to reduce the privilege level of dangerous / known-bad applications down to that of a regular user by having the OS modify the processes token. • Pro’s • It just works – all applications except ones you choose continue run with admin rights • Some users may encounter fewer problems like this • Decreased help desk costs? • May require less application compatibility testing • Only target applications identified as high-risk and test running those applications at the regular user level. • Con’s • Fails open (i.e. new applications default to running as admin) • Assumes it is possible for you to know what your dangerous / high-risk apps are • Officially NOT supported and the API’s used will change in future versions of Windows.

  15. How I roll at work . . . • My work and home environments are completely different with different needs. • At home I only ever use 3 maybe 4 applications and Microsoft Update patches them for me once a month. • At work I frequently have the need to install and remove applications, stop and start services, re-configure my system settings etc. • I feel that I have a fairly good grasp of what my high-risk applications and their associated threats are.  • As a result I run as admin on my work laptop and desktop to avoid typical non-admin headaches and drop the rights of high-risk apps. • I run Internet Explorer, MSN Messenger, Office Communicator and all Office applications at the regular user privilege level using Software Restriction Policies.

  16. Resources for Elevating Privileges to Admin • Aaron Margosis Non-Admin Webloghttp://blogs.msdn.com/Aaron_Margosis/ • MakeMeAdmin.cmd script • Creates an elevated command shell running with administrator rights. • Combine with PrivBar for IE • Allows you to see what privilege level IE is running at. • Non-Admin Wikihttp://nonadmin.editme.com

  17. Logging in at the regular user privilege level and elevating up. Demonstration Run Internet Explorer as Administrator to install updates

  18. Resources for Decreasing Privileges to Regular User • Michael Howard’s bloghttp://blogs.msdn.com/michael_howard/default.aspx • DropMyRightshttp://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp • SetSAFERhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01182005.asp • 3rd party OSS RunAsAdmin Explorer Shimhttp://sourceforge.net/projects/runasadmin • Replaces your shell entry in the registry with a shim • It then uses SAFER to start the real shell with reduced rights • Adds icon to the TaskBar to allow starting specified programs as administrator without having to type in your credentials again.

  19. Logging in at the administrator privilege level and dropping down. Demonstration Run Internet Explorer as a regular user to prevent software installation Run Internet Explorer as admin to isntall updates

  20. Final thoughts . . . • Is reducing the rights of dangerous applications or my logon session as a whole the answer to all my malware problems? • No, but it’s a great start! • There are still architectural security issues that can be exploited between processes within the same non-admin logon session that still need to be addressed. • There is still plenty of bad that can be done by malware running without admin rights – if suddenly tomorrow the world were non-admin the malware would change and adapt. • We truly understand the security threat environment facing our customers. • Hundreds of passionate employees are aggressively pushing the non-admin boundaries and applying sustained thinking in this area each day!  • We are definitely committed to tackling and solving this problem.

More Related