Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Blog:

Published byAngelina French Modified over 8 years ago

Similar presentations

Presentation on theme: "Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Blog:"— Presentation transcript:

1 Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Email: stephen.lamb@microsoft.comstephen.lamb@microsoft.com Blog: http://blogs.technet.com/steve_lambhttp://blogs.technet.com/steve_lamb

2 Agenda Least Privilege for Admins – How to elevate only as needed Least Privilege for Users – Addressing LUA bugs

3 Managed Desktop Challenges Today Increased IT spending required to support users, maintain existing desktops, and prevent downtime Employees lose productivity by inadvertently changing system configurations Security threats increase the IT management burden; breaches can hobble critical systems and data

4 Gartner: Nearly 40% TCO Savings per desktop in a managed environment 1 Managed Desktops: Systematic control over end- user clients to maintain security & productivity Reducing the desktop attack surface Reduces day-to-day helpdesk calls Increases end-users productivity/uptime 1 Security Holes Increase Windows Client TCO, Gartner 2005. Managed Desktop What’s the Value?

5 Definitions Non-Admin – “Power Users” is not non-Admin! – Typically: “Users”, “Domain Users” LUA – Limited User Account – Least-privileged User Account LUA Bugs User Account Protection (Windows Vista)

6 Principle of Least Privilege Most computer use does not require admin privilege But, typical usage: “Max Privilege” Most malware expects “Max Privilege”

7 Admin Can, LUA Can’t: Install kernel-mode rootkits Install system-level keyloggers (including capturing passwords entered into the Ctrl-Alt-Del logon dialog) Install ActiveX controls, including IE and Explorer extensions (common with spyware and adware) Install and start services Stop existing services (such as the firewall) Access data belonging to other users Cause code to run whenever anybody else logs on Replace OS and other program files with Trojan horses Access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts Disable/uninstall anti-virus Create and modify user accounts Reset passwords Modify the “HOSTS” file and other system configuration settings Cover its tracks in the event log Render your machine unbootable …

8 For Developers Why develop as a non-admin? – Better software – Catch LUA bugs sooner – Cheaper development costs – Market advantage – Safer security practices

9 The Twin Challenge on Windows XP For Sysadmins and Developers How to run with least privilege and elevate only as needed? For regular users: How to always run with least privilege when so many apps (and sometimes Windows) requires more?

10 How to Elevate as Needed Fast User Switching – Windows XP Home – Windows XP Professional – If not joined to a domain – fixed in Windows Vista! – Logon sessions isolated from each other Suggestion for home users: – One LUA for each person, Guest optional – One admin account – No passwords!

11 Fast User Switching Demo

12 RunAs Start a program as a different user – Same desktop Command line or graphical dialog Programs inherit security context from “parent” – Start CMD as admin – Launch apps from admin CMD – Those apps also run as admin

13 RunAs Dialog Right-click context menu – Apps, shortcuts – Common Console (.msc) Shift+right-click for: – Control Panel applets (.cpl) – “Special Microsoft Windows Installer links”

14 RunAs Dialog Make “RunAs” the default for a shortcut Shortcut  Properties, Advanced Properties

15 RunAs Command Line E.g., runas /u:Administrator cmd.exe

16 RunAs – Visual Differentiation Set privileged console windows apart visually cmd.exe /t:fc /k cd c:\ && title ***** Admin console *****

17 RunAs – Visual Differentiation Background bitmap for IE and Explorer Set it with TweakUI

18 PrivBar Running IE as admin: … as Power User: … as “User”: … with “Protect my computer”:

19 RunAs Demo

20 When RunAs Doesn’t Work Some apps reuse existing instances – Windows Explorer – Microsoft Office Word Some apps get started through the shell – ShellExecute[Ex] – DDE Current version of WindowsUpdate!  – And Microsoft Update! 

21 RunAs and Explorer Two viable options: 1. Use Internet Explorer, or 2. Set the flag that lets Windows Explorer run multiple instances “The flag…” – “Launch folder windows in a separate process” Caveats about this setting

22 RunAs and Explorer Demo

23 Issues Using Local Admin Account No access to domain resources Different profile settings Some apps assume that the installer is the user Per-user Policy settings Power Options applet Resolution? MakeMeAdmin

24 MakeMeAdmin Temporary elevation of your current account Result: CMD running with your normal account but with admin privileges Apps started from it inherit context Posted on my blog

25 MakeMeAdmin Demo

26 Dealing with Legacy Apps with LUA Bugs App works only with admin privileges The easy fix: Add the user to the local Admins group!

27 Dealing with Legacy 1. Fix the LUA Bugs Make the developers fix their bugs! Preferred option Don’t continue to create “legacy”

28 Dealing with Legacy 2. Hiding LUA Bugs LUA modes in the Application Compatibility Toolkit Shims to redirect registry and file access But: XP’s shims don’t work.  (Windows Vista’s will work better…)

29 Dealing with Legacy 3. Remediating LUA Bugs Loosen ACLs Only on app-specific resources! – %ProgramFiles%\MyApp\MyDataFolder – HKLM\SOFTWARE\MyApp\Settings Not on OS resources! – %windir%, %windir%\System32 – HKLM\SOFTWARE\Microsoft\Windows Use a granular, surgical approach – Least additional privilege Deployment options

30 Dealing with Legacy 3a. Remediating LUA Bugs – HKCR to HKCU Writing to HKCR is usually a LUA bug HKCR is a merged view of – HKLM\SOFTWARE\Classes – HKCU\SOFTWARE\Classes Write to HKCR goes to HKCU if key already exists there So: Pre-create keys under HKCU

31 Dealing with Legacy 4. Running one app as admin Run the app with admin privileges. Some options: – RunAs / MakeMeAdmin: requires giving the user the admin password – DesktopStandard PolicyMaker Application Security – “RunAsAdmin” by Valery Pryamikov Highest risk

32 The Limits of LUA Value? Two (incorrect) extremes – Silver bullet – “Not the answer” What it protects against today What it doesn’t protect against today What happens when everyone is LUA?

33 LUA doesn’t protect against… Anything you can do to yourself Weak admin passwords Attacks on services Phishing Stupidity Capturing RunAs credentials – fixed in Windows Vista!

34 When everyone is LUA… Attackers will adjust Elevation of privilege becomes more interesting

35 Non-Admin Blog The easiest way to run as non-admin (Fast User Switching) "RunAs" basic (and intermediate) topics RunAs with Explorer MakeMeAdmin – temporary admin for your Limited User account PrivBar – An IE/Explorer toolbar to show current privilege level Running restricted – What does the "protect my computer" option mean? Remembering Calculator and Character Map Settings Managing Power Options as a non-administrator Ctrl-C doesn't work in RUNAS or MakeMeAdmin command shells Changing the system date, time and/or time zone How to allow users to manage file and print shares without granting other advanced privileges (More coming!) http://blogs.msdn.com/aaron_margosis

36 Resources Non-Admin Wiki: http://nonadmin.editme.comhttp://nonadmin.editme.com Non-Admin blog: http://blogs.msdn.com/aaron_margosishttp://blogs.msdn.com/aaron_margosis DesktopStandard PolicyMaker Application Security: http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx RunAsAdmin: http://www.harper.no/valery/CategoryView,category,RunAsAdmin.aspxhttp://www.harper.no/valery/CategoryView,category,RunAsAdmin.aspx Technet Webcast http://msevents.microsoft.com/cui/eventdetail.aspx?eventID=1032274954 http://msevents.microsoft.com/cui/eventdetail.aspx?eventID=1032274954 “Browsing the Web and Reading E-mail Safely as an Administrator” Part 1: http://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asp Part 2: http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asphttp://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asphttp://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspxhttp://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx SysInternals tools: http://www.sysinternals.comhttp://www.sysinternals.com

37 Community Resources http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) http://www.microsoft.com/communities/mvp Newsgroups Converse online with Microsoft Newsgroups, including Worldwide http://communities2.microsoft.com/communities /newsgroups/en-us/default.aspx http://communities2.microsoft.com/communities /newsgroups/en-us/default.aspx User Groups - Meet and learn with your peers http://www.microsoft.com/communities/usergroups /default.mspx http://www.microsoft.com/communities/usergroups /default.mspx

38 Running with Least Privileges in Windows Vista

39 What do we call this technology? Flexible Account Control Technologies Least User-privileges Access (LUA) Least User Account (LUA) User Account Protection (UAP) User Account Control (UAC) For the purposes of this talk we will refer to this technology as: User Account Control

40 Desktop Lockdown Enables I.T. to take back control of desktop management Gives standard users the “Just Enough Privilege” on desktops Reduces lost productivity and downtime Available as part of Windows Vista Protecting Against Security Threats User Account Control Greater Confidence and Control Reduces OS attack surface from malware, root kits, and shatter attacks Isolates admin processes to helps prevent compromise by malware Framework for Developing Least-Privilege Applications Provides safe, stable model for software applications to execute tasks without exposing the system to malware Ensures logo-compliant applications will run properly in Windows Vista. Also includes virtualization feature for legacy applications.

41 Administrator Approval Mode Allows admins to operate with standard privileges for common tasks Prompts when admin mode is necessary Application Manifest defines permission levels Administrator Approval Mode Allows admins to operate with standard privileges for common tasks Prompts when admin mode is necessary Application Manifest defines permission levels User Experience Ability to perform common tasks as a Standard User, (e.g. Time-Zone changes) Installation of printers and device drivers just works VPN, wireless, and remote access just work User Experience Ability to perform common tasks as a Standard User, (e.g. Time-Zone changes) Installation of printers and device drivers just works VPN, wireless, and remote access just work Application Compatibility Protects System files from rogue applications Protects Registry from Corruption Application Compatibility Protects System files from rogue applications Protects Registry from Corruption User Account Control Features

42 Firewall settings are locked down (grayed out) User clicks button to unlock settings Admin is prompted to approve process or supply credentials User Account Control: User Experience

43 UAP Architecture Standard User Rights Administrative Rights Admin logon User Privilege Admin Privilege User Process Change Time ZoneChange Time Zone Run IT Approved ApplicationsRun IT Approved Applications Install FontsInstall Fonts Install PrintersInstall Printers Run MSN MessengerRun MSN Messenger Etc.Etc. Admin Process Install Application Admin Process Configure IIS Admin Process Change Time Standard User Mode Split Token Admin Privileges Admin Privilege User Privilege Admin Privilege Abby Token Administrator Approval Mode Mode

44 User Account Control in Windows Vista Demo

45 How do I deploy Software? Group Policy Software Installation Package Applications in to MSI Publish or Advertise through GPOs System Management Server Create deployment packages in SMS Updating Applications Use MSI 3.1 Patching Infrastructure Initial MSI will include certificates to allowed elevated patching

46 Apps write to admin locations HLKM\Software %SystemDrive%\Program Files %SystemRoot% Windows Vista Redirection This is a temporary solution Use the LUA Predictor Application Compatibility Administrator by Accident Redirection allows legacy apps to run as Standard User Writes to HKLM go to HKCU redirected store Writes to system directories redirected to per-user store, copy-on-write

47 Application Compatibility LUA Predictor Guidance provided for developing compliant UI, file, registry, and deployment functionality Predictor AppVerifier tool tests applications for compliance App Verifier Toolkit Plug in Show all Files, Registry Keys, and Admin APIs that need Admin privilege Available Today!

48 Check out new whitepapers and guidance on Microsoft.com Beta 2 – Check out new features Encourage Developers to Test their applications for compatibility & become logo compliant Getting Ready for Windows Vista

49 All users run as Standard User by default even when you log on as admin! Administrators use full privilege only for administrative tasks or applications User provides explicit consent before using elevated privilege High application compatibility Windows Vista Goal Windows Vista provides a more secure and reliable foundation which brings a new level of confidence in your PC Summary User Account Control Goals

50 Provides Developers with: AppCompat – assurance that their applications will run properly Reduced support costs Improved application security Helps enterprises to: Establish increased protection against malware Control access to administrative functions Increase user productivity Simply and safely elevate privileges for administrative tasks Summary User Account Control Goals (Con’t)

51 Resources Information about the Logo Program: https://partner.microsoft.com/global/winlogo/ ISV/Developer guidelines on MSDN: http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en- us/dnlong/html/AccProtVista.asp IT Deployment doc using AppCompat runlevel Shims: http://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx UAP Getting started Doc (targeted to Beta-1): http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx

52 Top 10 Questions 1. If I mark my app as “admin”, can I skip the elevation consent dialog? – No 2. Can you modify the privilege of a running application? - No 3. Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not 4. How long does the elevated process last? – Life of the process 5. Can I enable which users will use UAC? – Currently this is a per machine setting 6. Does UAP apply to all processes and services? – Interactive processes only 7. What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles% 8. Won’t Redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64bit 9. What happens when installer detection fails? – The app runs as non-admin 10. Will UAC be going down-level? - No

53 Community Resources – http://www.microsoft.com/communities/default.mspx http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) – http://www.microsoft.com/communities/mvp http://www.microsoft.com/communities/mvp Newsgroups – Converse online with Microsoft Newsgroups, including Worldwide – http://communities2.microsoft.com/communities /newsgroups/en-us/default.aspx http://communities2.microsoft.com/communities /newsgroups/en-us/default.aspx User Groups - Meet and learn with your peers – http://www.microsoft.com/communities/usergroups /default.mspx http://www.microsoft.com/communities/usergroups /default.mspx

54 Thanks to Aaron Margosis for providing some of the content for this presentation deck

Download ppt "Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Blog:"

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
Where Developers Matter Vista Enable Your Applications Fredrik Haglund, Regional Developer Evangelist

Where Developers Matter Vista Enable Your Applications Fredrik Haglund, Regional Developer Evangelist
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Windows Vista Security model and vulnerabilities.

Windows Vista Security model and vulnerabilities.
©2006 Microsoft Corporation. All rights reserved. Application Compatibility in Windows Vista and the Application Compatibility Toolkit Micheal Sciacqua.

©2006 Microsoft Corporation. All rights reserved. Application Compatibility in Windows Vista and the Application Compatibility Toolkit Micheal Sciacqua.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
11.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

11.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 5: User Environment and Multiple Languages.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 5: User Environment and Multiple Languages.
File sharing. Connect the two win 7 systems with LAN card Open the network.

File sharing. Connect the two win 7 systems with LAN card Open the network.
© 2012 Lathrop & Gage LLP ILTA SOS Webinar: Remove Administrator Rights and Secure a Law Firm’s Greatest Asset- Its Reputation Sean M. Power Chief Information.

© 2012 Lathrop & Gage LLP ILTA SOS Webinar: Remove Administrator Rights and Secure a Law Firm’s Greatest Asset- Its Reputation Sean M. Power Chief Information.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Guide to MCSE 70-290, Enhanced 1 Activity 10-1: Restarting Windows Server 2003 Objective: to restart Windows Server 2003 Start  Shut Down  Restart Configure.

Guide to MCSE , Enhanced 1 Activity 10-1: Restarting Windows Server 2003 Objective: to restart Windows Server 2003 Start  Shut Down  Restart Configure.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Similar presentations

Ads by Google