280 likes | 483 Views
Windows Vista: User Account Protection Securing Your Application with Least Privilege User Account. Steve Hiskey FUN 406 Lead Program Manager, SBTU - Security Business Technology Unit Microsoft Corporation. Agenda. LUA == UAP Why User Account Protection (UAP)? The UAP Approach
E N D
Windows Vista: User Account ProtectionSecuring Your Application with Least Privilege User Account Steve Hiskey FUN 406 Lead Program Manager, SBTU - Security Business Technology Unit Microsoft Corporation
Agenda • LUA == UAP • Why User Account Protection (UAP)? • The UAP Approach • UAP technologies in Windows Vista • How this affects your applications today • Writing Vista Logo Compliant Code
Why User Account Protection (UAP)? Managed Desktops: Systematic control over end-user clients to maintain security & productivity Gartner: Nearly 40% TCO Savings per desktop in a managed environment Reduces day-to-day helpdesk calls Increases end-users productivity/uptime Security Holes Increase Windows Client TCO 14 October 2004
Pain Points • Productivity is lost when my machine is compromised • Malware, without my knowledge, can modify Windows when run with elevated privileges • Enterprise users running elevated privileges can compromise the corporation • We have to relax security to run Line of Business (LoB) applications • LoB applications require elevated privileges to run • System security must be relaxed to run the LoB application • It is costly to re-evaluate the required security settings for each application with every OS release • Common OS Configuration tasks require elevated privilege • Simple scenarios like VPN don’t work • Standard Users are not able to manage configuration changes that affect only their account
Windows Vista UAP Goals • All users run as Standard User by default even when you log on as admin! • Common user tasks redesigned to work for Standard User • High application compatibility • Administrators use full privilege only for administrative tasks or applications • User provides explicit consent before using elevated privilege
The UAP Approach • Improving productivity by granting permissions only when needed • Allows Standard Users to perform key tasks without impacting system-wide settings • Helps to insulate the system files and data from malicious or deceptive code • Limit potential damage to my data by using Protected Mode IE • All apps run as Standard User unless specifically marked • Process isolation of Admin apps and higher risk applications • Enabling Parental Control Scenarios
Impact on ISV Applications • High Application Compatibility for Legacy Applications • Auto-fix Legacy Compatibility via Data Redirection • All users run as Standard User by default • Applications will run as Standard User by default – Start testing now! • Use full privilege only for administrative tasks or applications • Elevation Consent required for admin tasks!
High Application Compatibility for Legacy Applications • Legacy apps write to admin locations • HLKM\Software • %SystemDrive%\Program Files • %SystemRoot% • Redirection allows legacy apps to run as Standard User • Writes to HKLM go to HKCU redirected store • Writes to system directories redirected to per-user store, copy-on-write • … you can still write Admin code
Impact on ISV Applications Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation
Abby Admin Applications vs Running Elevated • By default apps run as Standard User unless: • Application Manifest requests Admin • Identification in App Compat database • Heuristic installer detection • “Shield” concept for UI “in place” elevation • clicking on the item will immediately produce the elevation prompt. • Run Elevated… • Right mouse click menu option
UAP User Experience Goals: Simple and Predictable • Designing a great UAP User Experience • First Choice: Make application Standard user only • Second Choice: Clearly identify Administrative tasks • Identify tasks that need elevation with a “shield” • Ensure Standard users can be fully productive • UAP User Experience “Rules of the Road” • Use common Shield graphic • Use design practices to separate Administrative tasks • Use provided API to show Elevation Dialog and run Elevated objects / processes
Shield Elements of UAP User Experience • The Shield indicates tasks requiring immediate elevation • Has only one state. • If it is shown, it will always be active. • Does not remember elevated state. • In a wizard if you navigate back and forth, every time you hit Shield, you elevate Elevation Dialog For signed application:
Admin Application Marking Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation
Process isolation of Admin apps and higher risk applications • Administrative and Standard User applications share the same desktop • Primary threats • Cross-process Window messages (Shatter) • DLL injection and create remote thread • Process Isolation mechanisms • Integrity level for processes • UI privilege isolation • “Lower” can no longer attack “Higher”
Summary: Impact on ISV Apps • Windows XP Logo’d for Standard User? • It will just work on Vista • Fails on Windows XP as Standard User • Mitigated by Redirection • Mitigated by App Compat Shim “IsAdmin()?” • Simple app with Admin dependencies • Admin app on Windows XP? Needs to be marked! • Web apps need special attention due to Protected Mode IE • Use the LUA Predictor to fix your app now!
Using the LUA Predictor Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation
Logo Application - Configuration • Best Practices • Your app’s per-user setup is performed at first run • Place per-user data into %LOCALAPPDATA% • Roaming into %APPDATA% • Place Per-Machine (Shared) data into %ALLUSERPROFILE% • Examples of what not to do: • Do not perform admin configuration at first run. Do your admin operations during setup • Do not perform explicit Admin checks for Standard User applications • UAP and Code Access Security (CAS) can be used together for defense in depth
Logo Application Install • Best Practices • Use MSI 3.1 for Install and Update • Alternate to MSI3.1 – call Update.exe marked as admin to do the update • Self Updating Code – DON’T DO IT • This is our LARGEST App Compat problem Home consumer user applications • Examples of what not to do: • Do not assume the user is an administrator • Run Custom Actions in right context! • ClickOnce is a great deployment technology for Standard User apps
Call to Action • In Windows Vista Beta 1 • Toggle UAP Settings ON • Test your product or componentas a Standard User! • Prepare for Beta 2 • User Account Protection On by default • Review design decisions. Assume the user is a Standard User • Continue to test applications, especially older LoB and internal applications
Top Takeaways! • Window Vista users will run most applications as Standard User by default • Even if they log on as Admin! • Write UAP compliant software! • We have a whitepaper at the FUNDamentals Lounge • Current applications will just run as Standard User on Windows Vista because of new UAP technology
More Information • Hands On Lab – Room 505 • Test your application against the LUA Predictor to make it UAP compliant – all week • FUN222 Exploring the Windows Installer (MSI) and ClickOnce Options • Friday, 1:00 PM Room: 406 AB • UAP Ask the Experts • Wednesday night • FUNL03 – Protected Mode IE • 12:30 Today in 402AB • FUN210 – Enhancing the Windows Vista Security Platform • Wednesday, 3:15 PM Room: 515 • Come get UAP Whitepaper from FUNdamentals Lounge!
Top 10 Questions • If I mark my app as “admin”, can I skip the elevation consent dialog? – No • Can you modify the privilege of a running application? - No • Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not • How long does the elevated process last? Can it time out? – Life of the process • Can I enable which users will use UAP? – Currently this is a per machine setting • Does UAP apply to all processes and services? – Interactive processes only • What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles% • Won’t Redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64bit • What happens when installer detection fails? – The app runs as non-admin • Will UAP be going down-level? - No
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.