1 / 28

Windows Vista: User Account Protection Securing Your Application with Least Privilege User Account

Windows Vista: User Account Protection Securing Your Application with Least Privilege User Account. Steve Hiskey FUN 406 Lead Program Manager, SBTU - Security Business Technology Unit Microsoft Corporation. Agenda. LUA == UAP Why User Account Protection (UAP)? The UAP Approach

marisa
Download Presentation

Windows Vista: User Account Protection Securing Your Application with Least Privilege User Account

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Windows Vista: User Account ProtectionSecuring Your Application with Least Privilege User Account Steve Hiskey FUN 406 Lead Program Manager, SBTU - Security Business Technology Unit Microsoft Corporation

  2. Agenda • LUA == UAP • Why User Account Protection (UAP)? • The UAP Approach • UAP technologies in Windows Vista • How this affects your applications today • Writing Vista Logo Compliant Code

  3. Why User Account Protection (UAP)? Managed Desktops: Systematic control over end-user clients to maintain security & productivity Gartner: Nearly 40% TCO Savings per desktop in a managed environment Reduces day-to-day helpdesk calls Increases end-users productivity/uptime Security Holes Increase Windows Client TCO 14 October 2004

  4. Pain Points • Productivity is lost when my machine is compromised • Malware, without my knowledge, can modify Windows when run with elevated privileges • Enterprise users running elevated privileges can compromise the corporation • We have to relax security to run Line of Business (LoB) applications • LoB applications require elevated privileges to run • System security must be relaxed to run the LoB application • It is costly to re-evaluate the required security settings for each application with every OS release • Common OS Configuration tasks require elevated privilege • Simple scenarios like VPN don’t work • Standard Users are not able to manage configuration changes that affect only their account

  5. Windows Vista UAP Goals • All users run as Standard User by default even when you log on as admin! • Common user tasks redesigned to work for Standard User • High application compatibility • Administrators use full privilege only for administrative tasks or applications • User provides explicit consent before using elevated privilege

  6. The UAP Approach • Improving productivity by granting permissions only when needed • Allows Standard Users to perform key tasks without impacting system-wide settings • Helps to insulate the system files and data from malicious or deceptive code • Limit potential damage to my data by using Protected Mode IE • All apps run as Standard User unless specifically marked • Process isolation of Admin apps and higher risk applications • Enabling Parental Control Scenarios

  7. Impact on ISV Applications • High Application Compatibility for Legacy Applications • Auto-fix Legacy Compatibility via Data Redirection • All users run as Standard User by default • Applications will run as Standard User by default – Start testing now! • Use full privilege only for administrative tasks or applications • Elevation Consent required for admin tasks!

  8. High Application Compatibility for Legacy Applications • Legacy apps write to admin locations • HLKM\Software • %SystemDrive%\Program Files • %SystemRoot% • Redirection allows legacy apps to run as Standard User • Writes to HKLM go to HKCU redirected store • Writes to system directories redirected to per-user store, copy-on-write • … you can still write Admin code

  9. Impact on ISV Applications Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation

  10. Abby Admin Applications vs Running Elevated • By default apps run as Standard User unless: • Application Manifest requests Admin • Identification in App Compat database • Heuristic installer detection • “Shield” concept for UI “in place” elevation • clicking on the item will immediately produce the elevation prompt. • Run Elevated… • Right mouse click menu option

  11. UAP User Experience Goals: Simple and Predictable • Designing a great UAP User Experience • First Choice: Make application Standard user only • Second Choice: Clearly identify Administrative tasks • Identify tasks that need elevation with a “shield” • Ensure Standard users can be fully productive • UAP User Experience “Rules of the Road” • Use common Shield graphic • Use design practices to separate Administrative tasks • Use provided API to show Elevation Dialog and run Elevated objects / processes

  12. Shield Elements of UAP User Experience • The Shield indicates tasks requiring immediate elevation • Has only one state. • If it is shown, it will always be active. • Does not remember elevated state. • In a wizard if you navigate back and forth, every time you hit Shield, you elevate Elevation Dialog For signed application:

  13. Admin Application Marking Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation

  14. Process isolation of Admin apps and higher risk applications • Administrative and Standard User applications share the same desktop • Primary threats • Cross-process Window messages (Shatter) • DLL injection and create remote thread • Process Isolation mechanisms • Integrity level for processes • UI privilege isolation • “Lower” can no longer attack “Higher”

  15. Summary: Impact on ISV Apps • Windows XP Logo’d for Standard User? • It will just work on Vista • Fails on Windows XP as Standard User • Mitigated by Redirection • Mitigated by App Compat Shim “IsAdmin()?” • Simple app with Admin dependencies • Admin app on Windows XP? Needs to be marked! • Web apps need special attention due to Protected Mode IE • Use the LUA Predictor to fix your app now!

  16. Using the LUA Predictor Darren Canavor Program Manager SBTU - Security Business Technology Unit Microsoft Corporation

  17. Logo Application - Configuration • Best Practices • Your app’s per-user setup is performed at first run • Place per-user data into %LOCALAPPDATA% • Roaming into %APPDATA% • Place Per-Machine (Shared) data into %ALLUSERPROFILE% • Examples of what not to do: • Do not perform admin configuration at first run. Do your admin operations during setup • Do not perform explicit Admin checks for Standard User applications • UAP and Code Access Security (CAS) can be used together for defense in depth

  18. Logo Application Install • Best Practices • Use MSI 3.1 for Install and Update • Alternate to MSI3.1 – call Update.exe marked as admin to do the update • Self Updating Code – DON’T DO IT • This is our LARGEST App Compat problem Home consumer user applications • Examples of what not to do: • Do not assume the user is an administrator • Run Custom Actions in right context! • ClickOnce is a great deployment technology for Standard User apps

  19. Call to Action • In Windows Vista Beta 1 • Toggle UAP Settings ON • Test your product or componentas a Standard User! • Prepare for Beta 2 • User Account Protection On by default • Review design decisions. Assume the user is a Standard User • Continue to test applications, especially older LoB and internal applications

  20. Top Takeaways! • Window Vista users will run most applications as Standard User by default • Even if they log on as Admin! • Write UAP compliant software! • We have a whitepaper at the FUNDamentals Lounge • Current applications will just run as Standard User on Windows Vista because of new UAP technology

  21. More Information • Hands On Lab – Room 505 • Test your application against the LUA Predictor to make it UAP compliant – all week • FUN222 Exploring the Windows Installer (MSI) and ClickOnce Options • Friday, 1:00 PM Room: 406 AB • UAP Ask the Experts • Wednesday night • FUNL03 – Protected Mode IE • 12:30 Today in 402AB • FUN210 – Enhancing the Windows Vista Security Platform • Wednesday, 3:15 PM Room: 515 • Come get UAP Whitepaper from FUNdamentals Lounge!

  22. Top 10 Questions • If I mark my app as “admin”, can I skip the elevation consent dialog? – No • Can you modify the privilege of a running application? - No • Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not • How long does the elevated process last? Can it time out? – Life of the process • Can I enable which users will use UAP? – Currently this is a per machine setting • Does UAP apply to all processes and services? – Interactive processes only • What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles% • Won’t Redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64bit • What happens when installer detection fails? – The app runs as non-admin • Will UAP be going down-level? - No

  23. Questions?

  24. © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

  25. appendix

  26. UAP User Experience: Example

  27. UAP User Experience: Example

  28. UAP User Experience: Example

More Related