User Account Control: How to Make a Good UAC Application Peter R. Woods Senior Program Manager Microsoft Corporation.


1 User Account Control: How to Make a Good UAC Application
Peter R. Woods, Senior Program Manager, Microsoft Corporation

2 Session Objectives
- Microsoft Windows User Account Control overview
- The new Shield paradigm
- Writing code in a UAC environment
- Windows Vista Logo program
- Debugging
- Services
- Summary and future direction

3 Why User Account Control?
- Most user accounts have Administrator privileges.
- Code running without Administrator privileges is safer for the system.
- Enterprises realize significant TCO reductions when running with managed systems.
- Enterprises are migrating to software that runs as Standard User.

4 User Account Control
- All users run as Standard User by default
  - Filtered token created during logon
  - Only specially marked apps get the unfiltered token
- Explicit consent required for elevation
  - Predictable elevation points
- High application compatibility
  - Data redirection: enabling legacy apps to run as standard user
  - Installer detection

5 UAC Architecture (diagram)
- Admin logon for the user Abby produces a split token:
  - Filtered token: Standard User rights
  - Admin token: Administrative rights

6 UAC Architecture (diagram)
- Abby's filtered token runs user processes with Standard User rights, for example:
  - Change time zone
  - Run Standard User compliant applications
  - Install fonts
  - Install printers
  - Run MSN Messenger

7 UAC Architecture (diagram)
- Abby's admin token, with Administrative rights, is used only after the elevation dialog, each time in a separate admin process, for example:
  - Install application
  - Configure IIS
  - Change time

8 Process Isolation
- Administrative and Standard User applications share the same desktop
- Security challenges
  - Cross-process window messages
  - DLL injection and CreateRemoteThread
- Process isolation mechanisms
  - Integrity level for processes
  - Lower cannot interfere with Higher

9 Standard User Token
- Privileges typically in the Standard User token:
  - Bypass traverse checking (SeChangeNotify)
  - Shut down the system (SeShutdown)
  - Increase working set size (SeIncreaseWorkingSet)
  - Remove computer from docking station (SeUndock)
  - Change time zone (SeChangeTimeZone), new in Vista
- All other privileges removed.
- Privileged RIDs set to DENY_ONLY, e.g. Administrators, Enterprise Admins, Policy Admins, Power Users, etc.

10 Token Sample - Admin
User SID:
  Account = Abby, SID = S, Domain = LH-X937PF8H3FFT
Group SIDs:
  Account = None, SID = S, Domain = LH-X937PF8H3FFT
    Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = Everyone, SID = S, Domain = (none)
    Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = Administrators, SID = S, Domain = BUILTIN
    Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED, SE_GROUP_OWNER
  Account = INTERACTIVE, SID = S, Domain = NT AUTHORITY
    Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = High Mandatory Level, SID = S, Domain = Mandatory Label
Restricted SIDs: (none)
Privileges:
  SeIncreaseQuotaPrivilege (Disabled)
  SeSecurityPrivilege (Disabled)
  SeTakeOwnershipPrivilege (Disabled)
  SeLoadDriverPrivilege (Disabled)
  SeSystemProfilePrivilege (Disabled)
  SeSystemtimePrivilege (Disabled)
  SeProfileSingleProcessPrivilege (Disabled)
  SeIncreaseBasePriorityPrivilege (Disabled)
  SeCreatePagefilePrivilege (Disabled)
  SeBackupPrivilege (Disabled)
  SeRestorePrivilege (Disabled)
  SeShutdownPrivilege (Disabled)
  SeDebugPrivilege (Disabled)
  SeSystemEnvironmentPrivilege (Disabled)
  SeChangeNotifyPrivilege (Enabled)
  SeRemoteShutdownPrivilege (Disabled)
  SeUndockPrivilege (Disabled)
  SeManageVolumePrivilege (Disabled)
  SeImpersonatePrivilege (Enabled)
  SeCreateGlobalPrivilege (Enabled)
  SeIncreaseWorkingSetPrivilege (Disabled)
  SeTimeZonePrivilege (Disabled)
  SeCreateSymbolicLinkPrivilege (Disabled)

11 Token Sample - Filtered
User SID:
  Account = Abby, SID = S, Domain = LH-X937PF8H3FFT
Group SIDs:
  Account = None, SID = S, Domain = LH-X937PF8H3FFT
    Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = Administrators, SID = S, Domain = BUILTIN
    Attributes: SE_GROUP_USE_FOR_DENY_ONLY
  Account = Users, SID = S, Domain = BUILTIN
    Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = INTERACTIVE, SID = S, Domain = NT AUTHORITY
    Attributes: SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
  Account = Medium Mandatory Level, SID = S, Domain = Mandatory Label
Restricted SIDs: (none)
Privileges:
  SeShutdownPrivilege (Disabled)
  SeChangeNotifyPrivilege (Enabled)
  SeUndockPrivilege (Disabled)
  SeIncreaseWorkingSetPrivilege (Disabled)
  SeTimeZonePrivilege (Disabled)
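The two token dumps on slides 10 and 11 are the before and after of the logon-time filtering that slide 9 describes. The following Python model is an added illustration, not code from the presentation or from Windows: it applies the three transformations the slides name (privileged group SIDs become DENY_ONLY, every privilege outside the Standard User set is dropped, the integrity label goes from High to Medium) to a constructed stand-in for Abby's full admin token, and shows why a deny-only SID cannot grant access during an access check. The SID strings for "None" and the user are placeholders; the well-known SIDs for Everyone, Administrators and INTERACTIVE are real.

```python
"""Model of UAC logon-time token filtering (slides 9-11). Added example."""
from dataclasses import dataclass, replace

# Groups slide 9 lists as examples of privileged RIDs that become DENY_ONLY.
PRIVILEGED_GROUPS = {"Administrators", "Enterprise Admins", "Policy Admins", "Power Users"}

# The privileges slide 9 says typically remain in the Standard User token
# (spelled as they appear in the slide 11 dump).
STANDARD_USER_PRIVILEGES = {
    "SeChangeNotifyPrivilege",        # bypass traverse checking
    "SeShutdownPrivilege",            # shut down the system
    "SeIncreaseWorkingSetPrivilege",  # increase working set size
    "SeUndockPrivilege",              # remove computer from docking station
    "SeTimeZonePrivilege",            # change time zone (new in Vista)
}

ENABLED = frozenset({"SE_GROUP_MANDATORY", "SE_GROUP_ENABLED_BY_DEFAULT", "SE_GROUP_ENABLED"})


@dataclass(frozen=True)
class Group:
    name: str
    sid: str               # SIDs below are constructed placeholders unless well known
    attributes: frozenset  # SE_GROUP_* flags, as in the slide dumps


@dataclass
class Token:
    user: str
    groups: list
    privileges: dict       # privilege name -> enabled?
    integrity: str


# Constructed stand-in for the slide 10 dump of Abby's full admin token.
ABBY_ADMIN = Token(
    user="Abby",
    groups=[
        Group("None", "S-1-5-21-PLACEHOLDER-513", ENABLED),
        Group("Everyone", "S-1-1-0", ENABLED),
        Group("Administrators", "S-1-5-32-544", ENABLED | frozenset({"SE_GROUP_OWNER"})),
        Group("INTERACTIVE", "S-1-5-4", ENABLED),
    ],
    privileges={
        "SeDebugPrivilege": False, "SeBackupPrivilege": False, "SeRestorePrivilege": False,
        "SeTakeOwnershipPrivilege": False, "SeLoadDriverPrivilege": False,
        "SeImpersonatePrivilege": True, "SeCreateGlobalPrivilege": True,
        "SeChangeNotifyPrivilege": True, "SeShutdownPrivilege": False,
        "SeUndockPrivilege": False, "SeIncreaseWorkingSetPrivilege": False,
        "SeTimeZonePrivilege": False,
    },
    integrity="High Mandatory Level",
)


def filter_token(full):
    """Derive the filtered (Standard User) token the way slides 9 and 11 describe."""
    groups = []
    for g in full.groups:
        if g.name in PRIVILEGED_GROUPS:
            # The SID stays in the token but only for deny ACEs: it can block
            # access, never grant it.
            groups.append(replace(g, attributes=frozenset({"SE_GROUP_USE_FOR_DENY_ONLY"})))
        else:
            groups.append(g)
    privileges = {n: on for n, on in full.privileges.items() if n in STANDARD_USER_PRIVILEGES}
    return Token(full.user, groups, privileges, "Medium Mandatory Level")


def grants_group(token, name):
    """Access-check view of a group SID: only an enabled, non-deny-only SID grants."""
    for g in token.groups:
        if g.name == name:
            return ("SE_GROUP_ENABLED" in g.attributes
                    and "SE_GROUP_USE_FOR_DENY_ONLY" not in g.attributes)
    return False


def is_elevated(token):
    """A process is elevated when its token still grants via Administrators."""
    return grants_group(token, "Administrators")


if __name__ == "__main__":
    filtered = filter_token(ABBY_ADMIN)
    print("full token elevated:    ", is_elevated(ABBY_ADMIN))
    print("filtered token elevated:", is_elevated(filtered))
    print("filtered privileges:    ", sorted(filtered.privileges))
```

Note what the model does not do: it never upgrades a filtered token back to the full one. That matches slide 22 and the FAQ (a running process cannot be elevated), and is the reason elevated work has to start in a new process.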

12 User Experience (UX): The Security Shield Icon

13 The Security Shield
- Goal is to make your application simple and predictable
- Attached to controls which, if clicked, will require elevation as the next step
- Has only one state (i.e. no hover, disabled, etc.)
- Does not remember elevated state
- Not an unlock operation

14 Security Shield UI Examples

15 Consent UI (three variants of the dialog)
- OS application
- Unsigned application
- Signed application

16 Credential UI

17 User Experience Guidelines
- Rules for shield and elevation
- MSDN and Windows Vista website:
  - us/dnlong/html/AccProtVista.asp
  - us/UxGuide/UXGuide/Home.asp?frame=true
- New documents are being added. Check under the "What's new" heading.

18 Coding for UAC in a nutshell
- Design code to not require any Administrative privileges whenever possible.
- Per-machine settings during install
  - Place per-machine (shared) data into %ALLUSERSPROFILE%
  - Place per-machine registry settings in HKLM
- Per-user settings at first run
  - Store per-user data in the user profile
  - Place per-user data into %LOCALAPPDATA%
  - Place per-user registry settings in HKCU
  - Store user-shared data in Users\Public
- Take advantage of the Windows Vista Logo program!

19 Coding for UAC in a nutshell
- Examples of what not to do:
  - Avoid self-updating code: a major application compatibility issue
  - Do not perform admin configuration at first run.
  - Do not rely on explicit Admin checks for Standard User applications

20 Applications that require Administrator privileges
- Administrative applications can be marked to identify them to the OS:
  - Mark the application as requiring Administrator privileges using an embedded manifest
  - Installer detection
  - Application Compatibility shims
  - Compatibility tab on Program Properties
  - Right-click, Run as administrator

21 Applications that require Administrator privileges
- Mixed-use applications: the application is bifurcated into non-administrative and administrative sections
  - Application launches as Standard User
  - Within the UI, clearly identify administrative tasks
  - Ensure Standard Users can be fully productive
  - Identify tasks that need elevation with a shield
  - Elevated tasks launch in a separate process
    - Separately marked executable
    - Elevated COM object
    - The object should request confirmation
  - Command line tools should run asInvoker

22 Separation of Admin Code
- Cannot elevate a running process
- Communication: two design patterns
  - Service Broker model
    - IPC
    - Globally mapped shared memory
  - Side-by-side processes
    - IPC: named pipes
    - Global or locally mapped shared memory

23 RequestedExecutionLevels
- level = asInvoker: launch with the same token as the parent process
- level = highestAvailable: launch with the highest token this user possesses
- level = requireAdministrator: the highest token of the user, provided the user is a member of the Administrators group

24 Sample Manifest: MyAdminApp.exe.manifest
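The manifest XML itself is not in the transcript, so the Python below is an added example, not the slides' MyAdminApp.exe.manifest: it embeds a constructed manifest in the documented trustInfo schema, extracts the requestedExecutionLevel marking, and models the launch rule for each of slide 23's three levels together with the uiAccess signing requirement stated later under Assistive Technology (uiAccess="true" only launches when the binary is Authenticode signed and trusted). The decision function is a model of the rules as the slides state them, not the Windows implementation; the "prompt" values distinguish the Consent UI (slide 15, user is an administrator) from the Credential UI (slide 16, user is not).

```python
"""requestedExecutionLevel parsing and launch-decision model. Added example."""
import xml.etree.ElementTree as ET

VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

# Constructed manifest in the standard trustInfo schema (not the slide's file).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def parse_requested_execution_level(manifest_xml):
    """Return (level, uiAccess) from a manifest, or None when it carries no marking.

    Matches the element by local name so either the asm.v2 or asm.v3 namespace works.
    """
    root = ET.fromstring(manifest_xml)
    for node in root.iter():
        if node.tag.endswith("}requestedExecutionLevel") or node.tag == "requestedExecutionLevel":
            level = node.get("level")
            if level not in VALID_LEVELS:
                raise ValueError("unknown requestedExecutionLevel %r" % level)
            return level, node.get("uiAccess", "false").lower() == "true"
    return None   # unmarked binary: behaves as asInvoker and is subject to installer detection


def launch_decision(level, ui_access, user_is_admin, parent_elevated, signed_and_trusted):
    """Model which token the new process receives and which prompt, if any, appears.

    token  : "filtered" (Standard User) or "admin"
    prompt : None, "consent" (user is in Administrators) or "credential" (user is not)
    """
    if ui_access and not signed_and_trusted:
        return {"launch": False, "token": None, "prompt": None,
                "reason": "uiAccess=true requires a trusted Authenticode signature"}
    if level in (None, "asInvoker"):
        # Same token as the parent: an elevated parent yields an elevated child.
        token, prompt = ("admin" if parent_elevated else "filtered"), None
    elif level == "highestAvailable":
        if parent_elevated:
            token, prompt = "admin", None
        elif user_is_admin:
            token, prompt = "admin", "consent"
        else:
            token, prompt = "filtered", None      # standard users get no prompt at all
    elif level == "requireAdministrator":
        if parent_elevated:
            token, prompt = "admin", None
        elif user_is_admin:
            token, prompt = "admin", "consent"
        else:
            token, prompt = "admin", "credential"  # an administrator's credentials are needed
    else:
        raise ValueError("unknown level %r" % level)
    return {"launch": True, "token": token, "prompt": prompt, "reason": None}


if __name__ == "__main__":
    level, ui_access = parse_requested_execution_level(SAMPLE_MANIFEST)
    for admin in (True, False):
        print(level, "admin user" if admin else "standard user",
              launch_decision(level, ui_access, admin, False, True))
```

The model makes two of the slides' points concrete: highestAvailable is the level that silently gives a standard user a standard token (no prompt, no failure), and asInvoker is the only level under which a parent's elevation is inherited, which is why slide 21 wants command line tools marked that way.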

25 Admin Application Marking

26 Manifest marking in VS 2005 for c/c++

27 Manifest marking in VS 2005

28 Shield UI Examples: add a Shield glyph to my UI

    #include <windows.h>
    #include <shellapi.h>   // SHSTOCKICONINFO and SHGetStockIconInfo (Windows Vista and later)

    HICON hiconShield = NULL;
    SHSTOCKICONINFO sii;

    // if you want the small icon
    ZeroMemory(&sii, sizeof(sii));
    sii.cbSize = sizeof(sii);
    if (SUCCEEDED(SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_SMALLICON, &sii)))
        hiconShield = sii.hIcon;      // caller owns the handle: DestroyIcon() when done

    // if you want the large icon
    ZeroMemory(&sii, sizeof(sii));
    sii.cbSize = sizeof(sii);
    if (SUCCEEDED(SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_LARGEICON, &sii)))
        hiconShield = sii.hIcon;

    // if you want an icon at a custom size: ask only for the location, then extract it yourself
    ZeroMemory(&sii, sizeof(sii));
    sii.cbSize = sizeof(sii);
    if (SUCCEEDED(SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICONLOCATION, &sii)))
    {
        HICON hiconLarge = NULL, hiconSmall = NULL;
        // sii.szPath / sii.iIcon identify the resource; the slide elided these arguments
        ExtractIconEx(sii.szPath, sii.iIcon, &hiconLarge, &hiconSmall, 1);
        hiconShield = hiconLarge;
    }

29 Security Shield UI Examples
- The standard button control (PUSHBUTTON, DEFPUSHBUTTON) has been enhanced to allow you to add an icon along with the displayed text, without requiring the BS_ICON or BS_BITMAP styles to be set.
- To show the shield icon, you can call the following macro (defined in commctrl.h):

    Button_SetElevationRequiredState(hwndButton, fRequired);

  where hwndButton is the HWND of the button and fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield.
- A window message can also be used to enable the shield on a button:

    lresult = SendMessage(hwndButton, BCM_SETSHIELD, 0, fRequired);

  where hwndButton is the HWND of the button and fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield.

30 Coding samples
- Use ShellExecute() rather than CreateProcess() when launching other applications.
  - CreateProcess() returns an error (ERROR_ELEVATION_REQUIRED) if elevation is required
  - ShellExecute() sends the request to the Application Information Service (AIS) for elevated launch

    HINSTANCE retHandle = ShellExecute(NULL,                                         // no owner window
                                       L"open",                                      // verb
                                       L"\\Program Files\\MyApp\\MyAdminApp.exe",   // marked requireAdministrator
                                       NULL,                                         // no parameters
                                       NULL,                                         // default directory
                                       SW_SHOWNORMAL);

31 Coding samples
- runas verb to ShellExecuteEx()
  - Allows the caller to request elevation of normally unelevated apps
  - Pass "runas" as the lpVerb in the SHELLEXECUTEINFO structure:

    SHELLEXECUTEINFO sei = { sizeof(sei) };    // cbSize must be set
    sei.lpVerb = L"runas";                      // request elevation for this launch
    sei.lpFile = L"\\Program Files\\MyApp\\MyAdminApp.exe";
    sei.nShow  = SW_SHOWNORMAL;
    if (!ShellExecuteEx(&sei)) { /* user declined or launch failed: see GetLastError() */ }

32 Coding samples: launching an elevated COM object
- Accomplished using the elevation moniker
- The object class must be registered as elevatable:

    HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}\Elevation
        Enabled  REG_DWORD  1

- The object class must have a friendly name assigned:

    HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}
        LocalizedString  (indirect string pointing at the DLL string table entry below)

- The object has its string name defined in the DLL string table:

    STRINGTABLE
    LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
    {
        101, "Your Elevated COM Object"
    }

- Object elevation is requested at launch time

33 Coding samples: elevation moniker in action

    #include <windows.h>
    #include <objbase.h>    // CoGetObject, BIND_OPTS3, CLSCTX_LOCAL_SERVER
    #include <strsafe.h>    // StringCchPrintf

    // Creates an elevated instance of rclsid through the COM elevation moniker.
    HRESULT CreateElevatedComObject(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void **ppv)
    {
        BIND_OPTS3 bo;
        WCHAR wszCLSID[50];
        WCHAR wszMonikerName[300];

        StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID) / sizeof(wszCLSID[0]));
        HRESULT hr = StringCchPrintf(wszMonikerName,
                                     sizeof(wszMonikerName) / sizeof(wszMonikerName[0]),
                                     L"Elevation:Administrator!new:%s", wszCLSID);
        if (FAILED(hr))
            return hr;

        memset(&bo, 0, sizeof(bo));
        bo.cbStruct = sizeof(bo);
        bo.hwnd = hwnd;                          // parent window for the consent/credential dialog
        bo.dwClassContext = CLSCTX_LOCAL_SERVER; // elevation needs an out-of-process server
        return CoGetObject(wszMonikerName, &bo, riid, ppv);
    }

34 Windows Vista Logo Program and UAC
- Builds upon the existing Windows XP Logo Program
- Enhancements around running as standard user
- Use the install bootstrap model if launching software directly from the installation process
- The app must contain requestedExecutionLevel in an embedded manifest to define its run level
- Authenticode sign the installation package and all binaries

35 Debugging Administrative Apps
- Launch a copy of Visual Studio 2005 elevated:
  - Start, All Programs, Microsoft Visual Studio 2005, right-click Microsoft Visual Studio 2005
  - Select Run as Administrator
- Debug your program

36 Process Isolation and Assistive Technology
- A mechanism exists to mark Accessibility applications
- Accessibility apps (Assistive Technology) need to drive UI at higher integrity levels
- Accessibility apps have a manifest requestedExecutionLevel statement of uiAccess="true"
- Assistive Technology applications must be Authenticode signed and trusted or they will fail to launch

37 Debugging Assistive Technology (AT) Apps
- Defined as apps with the manifest tag uiAccess=true
- AT apps must be Authenticode signed (root in the trusted root store)
- Launch your AT app from Windows Explorer
- Launch a copy of the Visual Studio 2005 Remote Debugger (msvsmon.exe) from within your app using ShellExecute()
- On the remote debugger, select Tools, Options
- Click No Authentication (native only) and Allow any user to debug

38 Debugging Assistive Technology (AT) Apps
- In Visual Studio 2005, select Debug, Attach to Process
- Under Transport, select Remote (Native only with no authentication)
- Under Qualifier, enter the local machine name
- Select the process to debug (your app) and click Attach

39 Debugging AT Apps

40 Marking managed code
- No obvious way to do this in the VS UI for managed code
- The manifest can be added after the .exe is built
- Use the tool MT.exe, part of the Windows SDK (add in link)
- Steps:
  - Create the manifest file
  - Use mt.exe to embed the manifest:

    mt.exe -manifest yourapp.manifest -outputresource:yourapp.exe;#1

- Works for all languages: C/C++, C#, J# and VB

41 Guides for Services
- Don't create interactive services
  - No UI from services on the user desktop
  - Use RPC, sockets, named pipes, or COM to communicate
- Use a reduced-privilege account, Local Service or Network Service, if possible
- The user is prompted to shift to the special session 0 viewer for interactive services

42 Going the other way: from high to medium
- No direct method
- Use a bootstrap EXE and launch the elevated EXE/MSI from there.
- Create/register a COM server marked to run as Interactive User and use it from your
  - Less desirable, since it leaves the COM server around for anybody else to use later on
- Register a WMI.Job (formerly scheduled task) that runs as the interactive user.

43 Data Redirection for Legacy Apps
- Some legacy apps write to admin locations
  - HKLM\Software
  - %SystemDrive%\Program Files
  - etc.
- Redirection removes the need for elevation
  - Writes to HKLM go to a redirected store under HKU: HKU\(user SID)_Classes\VirtualStore
  - Writes to system directories are redirected to a per-user store (%localappdata%\VirtualStore)
  - Copy-on-write
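To make the copy-on-write behaviour concrete, here is an added Python model of the redirection slide 43 and the FAQ describe; it is not code from the presentation and not the Windows implementation. It maps writes under %ProgramFiles%, %SystemRoot% and HKLM\Software to the per-user VirtualStore locations the slide names, shadows later reads with the private copy, and applies the FAQ's exclusions: a process that is elevated, carries a requestedExecutionLevel manifest, or is 64-bit is never virtualized (an elevated one writes the real location, the other two simply get access denied). All paths, the user SID and %LOCALAPPDATA% are constructed values.

```python
"""Model of UAC file and registry virtualization for legacy apps. Added example."""
import ntpath

PROTECTED_DIRS = [r"C:\Program Files", r"C:\Windows"]   # %ProgramFiles% and %SystemRoot%
LOCAL_APPDATA = r"C:\Users\Abby\AppData\Local"           # constructed %LOCALAPPDATA%
USER_SID = "S-1-5-21-0-0-0-1001"                          # constructed placeholder SID


def redirect_file(path):
    """Per-user VirtualStore path for a protected directory write, else None."""
    lowered = path.lower()
    for root in PROTECTED_DIRS:
        if lowered.startswith(root.lower() + "\\"):
            relative = path[len(root) + 1:]
            # e.g. C:\Program Files\X\y.ini -> %LOCALAPPDATA%\VirtualStore\Program Files\X\y.ini
            return ntpath.join(LOCAL_APPDATA, "VirtualStore", ntpath.basename(root), relative)
    return None


def redirect_key(key):
    """Per-user VirtualStore key for an HKLM\\Software write, else None."""
    prefix = "HKLM\\Software\\"
    if key.lower().startswith(prefix.lower()):
        return "HKU\\%s_Classes\\VirtualStore\\Machine\\Software\\%s" % (USER_SID, key[len(prefix):])
    return None


class LegacyProcess:
    """A process's view of the system store plus its own VirtualStore copies."""

    def __init__(self, has_manifest, elevated, is_64bit, system):
        self.elevated = elevated
        # Virtualization is a compatibility shim for unmarked 32-bit standard-user code only.
        self.virtualized = not (has_manifest or elevated or is_64bit)
        self.system = system   # shared machine-wide store: location -> contents
        self.store = {}        # this user's VirtualStore: redirected location -> contents

    def write(self, location, data):
        """Return where the data actually landed; raise PermissionError when denied."""
        target = redirect_file(location) or redirect_key(location)
        if target is None or self.elevated:
            self.system[location] = data        # unprotected location, or real admin write
            return location
        if self.virtualized:
            self.store[target] = data           # copy-on-write into the user's VirtualStore
            return target
        raise PermissionError("access denied: %s (process is not virtualized)" % location)

    def read(self, location):
        """The private copy, if one exists, shadows the system copy for this process."""
        target = redirect_file(location) or redirect_key(location)
        if self.virtualized and target in self.store:
            return self.store[target]
        return self.system.get(location)


def write_is_denied(proc, location):
    try:
        proc.write(location, "probe")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    system = {r"C:\Program Files\LegacyApp\settings.ini": "color=blue"}
    legacy = LegacyProcess(has_manifest=False, elevated=False, is_64bit=False, system=system)
    print("write landed at:", legacy.write(r"C:\Program Files\LegacyApp\settings.ini", "color=red"))
    print("legacy reads:   ", legacy.read(r"C:\Program Files\LegacyApp\settings.ini"))
    print("system still:   ", system[r"C:\Program Files\LegacyApp\settings.ini"])
```

The shadowing rule is what makes redirection a short-term mitigation rather than a fix: the same path means different data to a virtualized process and to every other process on the machine, so a marked or 64-bit build of the same application will not see the settings the legacy build wrote.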

44 Developer Impact Summary
- Windows XP Logo'd for Standard User? It will just work on Windows Vista.
- Fails on Windows XP as Standard User? Use the SUA Analyzer tool to look for Admin dependencies.
- Admin app on Windows XP? Needs to be marked as requireAdministrator.
- Web apps need special attention due to Protected Mode IE.

45 Developer Impact Summary: Installation Best Practices
- Use MSI 3.1 for install and update
- Alternative to MSI 3.1: call an Update.exe marked as admin to do the update
- Be careful with self-updating code
- ClickOnce is a great deployment technology for Standard User apps

46 Future UAC Direction
- Continue isolation of Admin code on the Standard User desktop
- Integrate Application IDs into the OS for Standard User code
  - Integrate Software Restriction Policies into AppIDs
- Tighten down the power of Setup applications
  - Metadata in manifests
- Rollout of the Windows Vista Logo program to help ISVs write compliant code
- Work with developers to reduce dependence on Data Redirection

47 Resources
- General Security Information
- Getting Started with UAC:
- UA Developer Guidelines:
- UAC Blog:
- UAC Question on Update:

48 Tools
- Standard User Analyzer (SUA)
  - Intended to predict whether an application would work correctly as standard user
  - Identifies API calls that would fail if attempted by a standard user
  - Identifies all accesses requiring elevated privileges
- Available for download at the Microsoft Download Center: milyID=df59b474-c0b c70- b0d9d3d2f575&DisplayLang=en

49 SUA Analyzer
- Enter the target app name
- Enter parameters
- Check the Launch Elevated checkbox
- Click the Launch button (on Vista, approve two elevation dialogs)
- Exit Notepad (on Vista, approve the elevation dialog)
- The tool shows interactions that would fail as standard user. In this case, boot.ini is not accessible to standard users.
- Send comments to: om

50 FAQ
- If I mark my app as admin, can I skip the elevation consent dialog? No.
- Can you modify the privilege of a running application? No.
- Will LUA elevate whenever a privileged API is used? No, the entire process is either elevated or not.
- How long does the elevated process last? Can it time out? Life of the process.
- Can I enable which users will use UAC? Currently this is a per-machine setting.
- Does UAC apply to all processes and services? Interactive processes only.
- What areas of the Registry and file system get redirected? HKLM\Software, %SystemRoot%, subdirectories of %ProgramFiles%.
- Won't redirection de-motivate developers to fix their code? Yes, it is a short-term mitigation, not in 64-bit.
- What happens when installer detection fails? The app runs as non-admin.
- Will UAC be going down-level? No.

51 Other UAC Goodies
- Application Compatibility Toolkit (ACT5) lab in the TLC all week
- UAC Chalk Talk: TechEd Theater, Wednesday 2:00-3:15
- SEC310 - Account Control: Running Windows Vista with Least Privilege, Wednesday 4:30-5:45, Room 210 ABC
- DEV345 - Windows Vista: Targeting Key Native APIs from Managed Code, Friday 9: :15, Room 102 AB

52 Wrap up and Questions

53 Fill out a session evaluation on CommNet for a chance to Win an XBOX 360!

54 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

