Windows Vista Application Compatibility 101
Heinrich Gantenbein, Senior Consultant, Application Experience SWAT
4/21/ :35 AM
Session Objectives
- You will gain knowledge about known Windows Vista application compatibility issues
- You will learn best practices for troubleshooting some of the more common known Windows Vista application compatibility issues
What We Will Cover Today
- Program Compatibility Assistant
- AppHelp messages
- In-depth look at the most common issues: OS version, User Account Control (UAC), Windows Resource Protection (WRP), Internet Explorer Protected Mode
- A brief look at some less common issues
Program Compatibility Assistant
Install failures, application failures, excluding applications
Program Compatibility Assistant
- Program Compatibility Assistant (PCA) is a new, client-only feature
- PCA automatically detects and mitigates some known application compatibility issues
- If PCA detects a compatibility issue in a program, it notifies the user and offers to apply solutions that could resolve the issue
PCA: Detecting Install Failure
- Monitors a program detected as an installer by Windows Vista and checks whether the program registers an entry in Add or Remove Programs (ARP)
- If no entry is created in ARP, PCA concludes that setup did not complete successfully
PCA: Detecting Install Failure (cont.)
- PCA relies on the User Account Control (UAC) feature in Windows Vista to know whether a program is an installer
- UAC includes installer detection and makes sure detected setup programs run elevated (as administrator)
- This includes getting administrative credentials or confirmation from the user before launching the program
PCA: Install Failure Typical Error Message
(screenshot of the installer's error message)
PCA: Install Failure (cont.)
PCA detects this failure scenario and displays a user interface similar to the one shown (screenshot).
PCA: Install Failure Actions
- 'Reinstall using recommended settings': applies the Windows XP compatibility mode and restarts the program
- 'The program installed correctly': in some cases PCA comes up for a setup program that completed correctly but did not create an entry in ARP; in those cases users can use this option
- 'Cancel': PCA does nothing
PCA: Install Failure Fix Under the Hood
- The compatibility mode is applied by creating a value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers: value name = full path of the EXE, string data = WINXPSP2 (the compatibility mode)
- The fix is effective for all users (because it lives in HKLM)
- When an executable behaves differently from one machine to the next, check this key (and its HKCU counterpart) for a layer that PCA or a user applied earlier
PCA: Detecting Application Failure
- Problem scenario: a child process launch fails because the child needs to run elevated
- Detection mechanism: CreateProcess API instrumentation
- Solution: applies the ElevateCreateProcess compatibility fix automatically, because confidence in the detection is high
Detecting Application Failure (cont.)
(screenshot of the PCA dialog)
PCA: Application Failure Fix Under the Hood
- The compatibility mode is applied by creating a value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers: value name = full path of the EXE, string data = ElevateCreateProcess
- The fix is effective only for the current user (because it lives in HKCU)
Excluding Programs from PCA
- PCA is intended to detect issues with programs designed for previous versions of Windows
- To exclude a program from PCA, include an application manifest with a requested run level (administrator or limited user) for UAC
- This applies to both installers and regular programs
Excluding Programs from PCA (cont.)
- A group policy setting is provided to disable PCA for all programs if required. The policy is named 'Turn Off Program Compatibility Assistant' and is found under Administrative Templates > Windows Components > Application Compatibility in the group policy editor (gpedit.msc)
- Useful during application development, to keep tests from succeeding by accident because PCA silently applied a fix
Application Help Messages
Application Help Messages
- The system contains a list of programs known to have compatibility issues; the list is stored in the system application compatibility database
- The messages are known as Application Help (AppHelp) messages
- Messages must be approved by the ISV to be included
AppHelp: Hard Block
If the program is known to be incompatible and allowing it to run may severely impact the system (for example, a stop error or a system that cannot boot after the install), a blocking message is displayed (screenshot).
AppHelp: Soft Block
This type of warning message is used for programs that have known compatibility issues whose impact on the system is not severe (screenshot).
AppHelp: Check for Solutions
Typically the response is one of three types:
- Pointing the user to an update from the software vendor for that program
- Pointing the user to a software vendor website for more information
- Pointing the user to a Microsoft Knowledge Base article for more information
Common Issues
- OS version
- User Account Control
- Windows Resource Protection
- Internet Explorer Protected Mode
Operating System Version
- The internal version number of Windows Vista is 6.0; the GetVersion function returns this version number
- Symptoms: applications that check the OS version get a higher version number than they expect
- Application installers may refuse to install the app, and apps may refuse to start
- Applications may warn users and otherwise continue to function properly
OS Version: Mitigation
- For apps and installers that check the OS version, a compatibility mode is provided in Windows Vista
- Users can right-click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the Compatibility tab; this applies multiple shims, including WinXPSP2VersionLie
- Better: apply only the WinXPSP2VersionLie shim
- In many cases the application then works the same way it did on Windows XP and no changes to the application are needed
Version Problem and Mitigation
(diagram)
Demo: Versioning
- Double-click AppCompatDemo.exe
- Select the test "Version tested unnecessarily"
- Click Execute
Demo: Versioning (cont.)
- Right-click AppCompatDemo.exe and select Properties
- Select the Compatibility tab
- Select "Run this program in compatibility mode for" and choose "Windows XP (Service Pack 2)"
Demo: Versioning (cont.)
- Double-click AppCompatDemo.exe
- Select the test "Version tested unnecessarily"
- Click Execute (the application now sees version 5.1)
OS Version: Fixes
- Applications should not perform version checks for equality (== 5.1)
- If you need a specific feature, check whether the feature is available (for example, whether the API export exists) rather than inferring it from the version
- If you need Windows XP, check for Windows XP or later (>= 5.1), comparing major and minor numbers as numbers, not as strings
- Exceptions occur when there is a very specific business or legal need for a version check, such as a regulatory body that requires you to certify your application for each operating system version
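The following Python is an added illustration, not code from the presentation. It models the version-check styles just discussed (equality, string comparison, "or later", feature presence) and what the WinXPSP2VersionLie shim does to each; the version tuples and strings are constructed here rather than read from a real GetVersion call, and the export names in the feature check are made up for the example.

```python
"""Version-check patterns from the slides, modelled in Python.

Added example, not from the presentation. Versions are (major, minor) tuples
as GetVersion would report them: Windows XP = 5.1, Windows Vista = 6.0.
"""

WINDOWS_XP = (5, 1)
WINDOWS_VISTA = (6, 0)


def parse_version(text):
    """Turn a dotted version string such as '6.0.6000' into a (major, minor) tuple."""
    major, minor = text.split(".")[:2]
    return int(major), int(minor)


def equality_check(version):
    """Anti-pattern from the slides: 'is this exactly Windows XP?'.
    Breaks on every later OS, which is what the version lie has to paper over."""
    return version == WINDOWS_XP


def string_compare_check(version_text):
    """Second anti-pattern: comparing version strings lexicographically.
    Looks right for '6.0' but fails for a two-digit major such as '10.0'."""
    return version_text >= "5.1"


def at_least_check(version, minimum=WINDOWS_XP):
    """Recommended: 'Windows XP or later', comparing (major, minor) as numbers."""
    return tuple(version) >= tuple(minimum)


def feature_check(exports, function_name):
    """Recommended when a feature, not an OS, is what the code needs: ask whether
    the API is present (GetProcAddress on Windows; modelled here as a set of
    constructed export names)."""
    return function_name in exports


def win_xp_sp2_version_lie(real_version):
    """Model of the WinXPSP2VersionLie shim: whatever the OS really is, the
    shimmed application is told it is running on Windows XP SP2 (5.1)."""
    del real_version  # the real value is deliberately hidden from the application
    return WINDOWS_XP


def run_under_layer(check, real_version, layer=None):
    """Run a version check the way an application would, with or without the
    WinXPSP2VersionLie layer applied to it (layer=win_xp_sp2_version_lie)."""
    seen = layer(real_version) if layer else real_version
    return check(seen)


if __name__ == "__main__":
    # The equality check fails on Vista and passes once the version lie is
    # applied; the 'or later' check needs no shim at all.
    print("equality on Vista:", run_under_layer(equality_check, WINDOWS_VISTA))
    print("equality on Vista + lie:",
          run_under_layer(equality_check, WINDOWS_VISTA, win_xp_sp2_version_lie))
    print("at-least on Vista:", run_under_layer(at_least_check, WINDOWS_VISTA))
    print("string compare '10.0':", string_compare_check("10.0"))
```

The point of run_under_layer is that a compatibility layer does not fix the application; it changes what the application is allowed to see, which is why an equality check that "works" under the layer will break again as soon as the layer entry is removed from the AppCompatFlags key.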
Common Issues: User Account Control
Why: User Account Control
- The OS is at risk from malware when the user runs as Administrator
- Ease with which malware can self-install
- Privilege elevation through security holes in software
- The extent of damage caused by malware is potentially greater
- Accidental damage caused by the user
How: User Account Control
- With Windows Vista, all users run as Standard User by default, including members of the Administrators group
- Only true for interactive logons; services continue to run as before in Windows XP
- Two tokens are created at logon (split token):
- Standard User token: the Administrators group SID is marked Deny Only (it can still be used to deny access, but not to grant it); runs at medium integrity level (IL); most privileges removed (e.g. SeDebugPrivilege)
- Administrator token: the Administrators group SID has all rights assigned; runs at high integrity level; all privileges are present
How: User Account Control (cont.)
- The Standard User token is used until explicit consent is given, then the Administrator token is used (Consent UI)
- Supporting feature: unnecessary administrator checks (present in XP) have been removed. Example: changing the time zone
UAC Split Token
(diagram)
Demo: UAC Split Token
- Double-click AppCompatDemo.exe
- Select "Administrator Test"
- Click Execute
Demo: UAC Split Token (cont.)
- Right-click the shortcut for AppCompatDemo.exe and select "Run as administrator"
- Note: this prompt is your consent to run at the elevated level. If you are not an administrator you are given the chance to enter administrator credentials
Demo: UAC Split Token (cont.)
- Select the test "Administrator Test"
- Click Execute
UAC: Automatic Mitigations
- PCA automates mitigation of some UAC compatibility issues
- UAC detects installers and automatically elevates them to administrator
- Heuristics such as the string "Setup" (and similar words such as "install" or "update") in the file name or the version resource strings
- Application compatibility shims in the system database
UAC: Automatic Mitigations (cont.)
- Virtualization redirects privileged file writes to C:\Users\%username%\AppData\Local\VirtualStore for C:\Program Files, C:\ProgramData and C:\Windows
- Redirects registry writes under HKLM\Software to HKCU\Software\Classes\VirtualStore\MACHINE
UAC: Automatic Mitigations (cont.)
- Virtualization (cont.): redirection is "sticky"; once a virtual copy exists, reads are served from it
- Deleting all virtual copies removes the stickiness
- Elevated processes are not affected
- Executables with a manifest do not participate
- Side effects: multiple virtualized copies (one per user, plus the real file seen by all elevated processes), so users and administrators can see different data in what looks like the same file
Redirection of Privileged File Access
(diagram)
Demo: Redirection of Privileged File Access
- Create the directory C:\Program Files\AppCompatDemo
- Double-click AppCompatDemo.exe
- Select the test "UAC: file access to C:\Program Files\AppCompatDemo\UacTest.exe"
- Click Execute
Demo: Redirection of Privileged File Access (cont.)
Open Explorer and browse to C:\Program Files\AppCompatDemo; the file does not exist there.
Demo: Redirection of Privileged File Access (cont.)
Browse to C:\Users\%username%\AppData\Local\VirtualStore\Program Files\AppCompatDemo; the file is here.
Demo: Redirection of Privileged File Access - Part 2
- Start the application again by right-clicking it and selecting "Run as administrator"
- Select the test "UAC: file access to C:\Program Files\AppCompatDemo\UacTest.exe"
- Click Execute
Demo: Redirection of Privileged File Access - Part 2 (cont.)
Open a new Explorer window and browse to C:\Program Files\AppCompatDemo; the file exists. Think about why this occurs: an elevated process is not virtualized, so its write lands in the real directory, and the copy in the VirtualStore written by the non-elevated run is now a second, separate file.
UAC: Generic Symptoms
- Explicit access-rights error message
- Event Log contains security or application messages indicating security problems
- Application crashes or fails to install
- Application fails to update via its automatic updater
- Application fails to remember saved settings
- Symptoms vary widely and are difficult to diagnose
Investigation Steps and Tools
- Determine whether the application was designed to run as administrator
- Run as administrator: does it work?
- Check the redirection locations: C:\Users\%username%\AppData\Local\VirtualStore and HKCU\Software\Classes\VirtualStore\MACHINE
- Event Log
- Regmon for failed registry access, Filemon for failed file access (both since merged into Process Monitor)
Investigation Steps and Tools (cont.)
- Application compatibility specific tools: UAC Compatibility Evaluator in ACT 5.0 (enterprises), Standard User Analyzer (SUA), LUA Buglight
- Debuggers (if all else fails): Visual Studio, Debugging Tools for Windows (e.g. WinDbg)
Failure to Work Unless Run Elevated
Demo: Failure to Run Elevated
- Switch to the demo app
- Select "UAC: file access to C:\UacTest.txt"
- Click Execute; it fails (no redirection, because the root of the system drive is not one of the virtualized locations)
- Click OK
- Quit the application
Demo: Failure to Run Elevated (cont.)
- Start the application elevated
- Select "UAC: file access to C:\UacTest.txt"
- Click Execute; it succeeds
Event Log
Demo: Event Log
- Open Event Viewer and expand Windows Logs
- Select the first log listed under Windows Logs
- Find and double-click the entry from the latest failed UAC test; this should be the most recent entry
Demo: Event Log (cont.)
Show the Details tab
Demo: Event Log (cont.)
- Scroll down and find the UAC demo failure text data
- Switch to the friendly view
Regmon and Filemon
Demo: Regmon and Filemon
(screenshots)
UAC: Mitigation
- Right-click the executable and select "Run as administrator" (elevated)
- Set Properties > Compatibility tab > "Run this program as an administrator"
- Use an application manifest to specify the desired run level
- All applications should have one; it removes the application compatibility overhead (shims, PCA, virtualization) at run time
- Internal manifest (compiled into the application) or external manifest (added as a separate file)
Properties Compatibility Tab
(screenshot)
Demo: Properties Compatibility Tab
- Open the properties of an executable
- Select the Compatibility tab and discuss its contents
UAC Manifest File
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="Win32" processorArchitecture="*" version=" " name="AppCompatDemo.exe"/>
  <description>Vista Application Compatibility Class Demo</description>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <ms_asmv2:requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>
Possible Execution Levels
- requireAdministrator: the application runs only for administrators and requires that it be launched with the full token of an administrator (consent prompt for an administrator, credential prompt for a standard user)
- asInvoker: the application runs with the same token as the parent process (never prompts)
- highestAvailable: the application runs with the highest privileges the current user can obtain (prompts a member of Administrators for the full token; a standard user gets no prompt and runs as invoker)
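As an added example (not the deck's code), here is a small Python checker that pulls requestedExecutionLevel and uiAccess out of a manifest like the one on the previous slide and says whether UAC will prompt for a given user. The sample manifests are constructed for the example (the slide's manifest with an assumed version of 1.0.0.0, and a manifest with no trustInfo at all); both the asm.v2 prefix used on the slide and the asm.v3 namespace most newer manifests use are handled.

```python
"""Inspect the UAC section of a Win32 application manifest.

Added example, not from the presentation. Handles the asm.v2 trustInfo used
on the slide as well as the asm.v3 form most newer manifests use.
"""
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
TRUSTINFO_NAMESPACES = (
    "urn:schemas-microsoft-com:asm.v2",
    "urn:schemas-microsoft-com:asm.v3",
)
VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

# Constructed sample: the slide's manifest with an assumed version of 1.0.0.0.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="Win32" processorArchitecture="*" version="1.0.0.0"
                    name="AppCompatDemo.exe"/>
  <description>Vista Application Compatibility Class Demo</description>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <ms_asmv2:requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>
"""

# Constructed sample: no trustInfo at all, i.e. a "legacy" application as far
# as UAC is concerned (PCA, shims and virtualization all still apply to it).
LEGACY_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="Win32" processorArchitecture="*" version="1.0.0.0"
                    name="OldApp.exe"/>
</assembly>
"""


def requested_execution_level(manifest_xml):
    """Return (level, uiAccess) from the manifest, or (None, False) when it has
    no requestedExecutionLevel element in either trustInfo namespace."""
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    if root.tag != "{%s}assembly" % ASM_V1:
        raise ValueError("not an asm.v1 application manifest")
    for ns in TRUSTINFO_NAMESPACES:
        path = "/".join("{%s}%s" % (ns, tag) for tag in
                        ("trustInfo", "security", "requestedPrivileges",
                         "requestedExecutionLevel"))
        node = root.find(path)
        if node is None:
            continue
        level = node.get("level")
        if level not in VALID_LEVELS:
            raise ValueError("unknown requestedExecutionLevel %r" % level)
        return level, node.get("uiAccess", "false").lower() == "true"
    return None, False


def uac_prompts(level, user_is_admin):
    """Will launching an executable with this level raise a consent or
    credential prompt?

    requireAdministrator: always (credentials when the user is not an admin).
    highestAvailable:     only for a member of Administrators (split token).
    asInvoker, or None for no manifest: never; the app keeps the caller's
    token (for an unmanifested file, UAC's installer detection may still
    decide to elevate, which is exactly what a manifest switches off)."""
    if level == "requireAdministrator":
        return True
    if level == "highestAvailable":
        return user_is_admin
    return False
```

A practitioner typically runs this over a manifest extracted with a resource editor (or the external <app_name>.exe.manifest file) before deciding whether an application needs to be repackaged; a result of (None, False) is the case where PCA and virtualization are still in play.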
UAC External Manifest
- Create a manifest file named <app_name>.exe.manifest and put it in the same directory as the EXE
- Ignored if the application has an internal manifest, and many applications have one
UAC External Manifest
(screenshot)
Demo: External Manifest
- Run AppCompatDemo.exe; it does not run elevated
- Rename the file AppCompatDemo.exe.manifestIgnored to AppCompatDemo.exe.manifest
- Edit AppCompatDemo.exe.manifest with Notepad and show its content; talk about requestedExecutionLevel
- Run AppCompatDemo.exe; it now runs elevated
UAC Internal Manifest
- Build the manifest into the application binary
- Disables PCA, shims and virtualization
- Preferred method for all new applications
- To learn more check the following resources:
UAC: Installer Fails (1)
- Symptoms: no UAC prompt; the installer fails
- Cause: the installer is not detected because of a non-standard name, and therefore is not elevated
- Fixes: rename it to setup.exe, or mark the executable to run elevated (manifest)
Rename Custom Installer
Demo: Rename Custom Installer
Start the badly named setup application AppCompatBitDepositor.exe. Click Quit.
Demo: Rename Custom Installer (cont.)
- Rename AppCompatBitDepositor.exe to Setup.exe
- Start Setup.exe; it is auto-detected as an installer that needs to run elevated
- Click Allow in the elevation prompt
- Click OK, then Close
UAC: Installer Fails (2)
- Symptom: an MSI with a deferred custom action runs elevated, but the custom action fails
- Cause: the MSI contains a deferred custom action that impersonates the installing user (ActionType=1025, i.e. the in-script flag without msidbCustomActionTypeNoImpersonate); under UAC the impersonated user token is the filtered, non-elevated one
- Fixes: redesign the custom action to run without impersonation (ActionType=3073, which adds msidbCustomActionTypeNoImpersonate so the action runs in the system context); edit the MSI to change the ActionType to 3073; or run the installer from an elevated command prompt
Change Action Type in MSI Using Orca
Demo: Changing Action Type in MSI Using Orca
- Start > All Programs > Orca
- Click Allow on the UAC consent UI
- Select File > Open
Demo: Changing Action Type in MSI Using Orca (cont.)
- Navigate to Communicator3073.msi and click Open
- Select CustomAction in the Tables pane
- Find the offending action with Type 1025 and double-click the number
- Replace it with the correct type, 3073
- Select File > Save As and type a new file name. Done
UAC: Installer Fails (3)
- Symptom: a self-extracting EXE or custom wrapper runs elevated and executes a script, but the script fails
- Cause: the UAC prompt occurs for the self-extracting EXE or custom wrapper, but the elevated privileges are not transferred to the script
- Fixes: redesign to use an MSI, or run from an elevated command prompt
UAC: Integrated Updater Fails
- Symptoms: the update fails when an application with an integrated updater tries to update itself; various manifestations: silent failure, error message, crash, etc.
- Cause: the application is not running elevated and was not designed to prompt for elevation
- Fixes: redesign by separating the privileged functions into a separate EXE, and use the shield icon on the UI element that launches it; use alternate deployment technologies (ClickOnce, MSI patching); run the whole application elevated (not recommended, since that puts every feature, not just the updater, at high integrity)
Setting up a Security Shield
- Send the BCM_SETSHIELD message to a button control using SendMessage (requires the version 6 common controls, i.e. a comctl32 v6 dependency in the manifest)
- Fails for owner-drawn buttons: get the icon and render it in the owner-draw handler: HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD);
- Unmanaged code (C++): the SendMessage call can be invoked more easily using the Button_SetElevationRequiredState macro
- Managed code (C#, VB.NET): use P/Invoke
Proper Design for Elevation UI
(screenshot)
Demo: Proper Design for Elevation UI
- Start Task Manager and click the Processes tab
- Show the "Show processes from all users" button and its shield icon
- Click "Show processes from all users" and click Continue on the elevation prompt
- Tell the audience about the closing of the standard Task Manager and the opening of an elevated one (the privileged function runs in a separate, elevated process rather than elevating the existing one)
UAC: Separate Updater Fails
- Symptoms: the update fails when an application with a separate updater tries to update itself; various manifestations: silent failure, error message, crash, etc.
- Cause: the separate updater is not detected as an installer and therefore is not elevated
- Fixes: mark the updater to run elevated; use alternate deployment technologies (ClickOnce, MSI patching)
UAC: Application Fails (1)
- Symptoms: many, from minor feature misbehavior to spectacular crashes
- Cause: the application attempts a privileged operation; access is denied because it is not running elevated
- Mitigations and fixes: redesign to work with least-privileged resources; eliminate the need for privilege completely (least privilege); separate administrative functions from regular operations
UAC: Application Fails (1) (cont.)
- Mitigations and fixes (cont.): apply a redirection shim (e.g. RedirectFiles, RedirectRegistry)
- Change the ACL of selected files and registry keys, as a deployment-time mitigation using scripting or group policy. Warning: perform a full security review first, since a relaxed ACL lets any user, or malware running as that user, modify what the application trusts
- Mark the application to run elevated: a good solution if the application has only administrative tasks (e.g. Event Viewer); a bad solution for mixed usage
ACL Relaxing
Demo: ACL Relaxing
- Create the directory C:\Program Files\AppCompatDemoAcl
- Right-click it and select Properties, then the Security tab
- Select Edit, then click Continue
- Select "Users (<machinename>\Users)" and check Modify
- Click OK twice
Demo: ACL Relaxing (cont.)
- Start AppCompatDemo.exe
- Select "UAC: file access to C:\Program Files\AppCompatDemoAcl\UacTest.txt"
Demo: ACL Relaxing (cont.)
- Click Execute, then OK
- Open Explorer and browse to C:\Program Files\AppCompatDemoAcl; here is the file (not redirected)
ACL Relaxing Script
- Enterprises will use a script to relax ACLs. Warning: perform a full security review first
- Deploy with standard enterprise deployment
- XCACLS script helper: XCACLS <dirname> /G <domain>\<username>:M
- Package it in a .cmd file
- Download and documents
Common Issues: Windows Resource Protection
Why: Windows Resource Protection
- Core operating system files and registry keys could be overwritten with older versions or malicious code, causing serious stability and security issues
- Windows Resource Protection (WRP) is designed to protect those objects from being overwritten
- Increases system stability, predictability and reliability
How: Windows Resource Protection
- Updates to protected resources are restricted to the OS trusted installer (the TrustedInstaller service account used by Windows Update and servicing)
- Affects specific files, folders and registry keys: the majority of core OS modules (EXE and DLL), the majority of core OS HKCR registry keys, and folders used exclusively by OS resources (e.g. some of the inetpub folders)
WRP: Application Fails
- Symptoms: the application does not install or fails to work properly; similar to the symptoms of UAC issues, but UAC mitigations do not help; generally only affects installers
- Cause: the application tries to modify or delete a protected resource
WRP: Mitigations and Fixes
- Automatic mitigation: Access Denied return codes are suppressed if the application is detected as a legacy installer (no manifest); the write appears to succeed, but the protected file is left untouched
- Manual mitigation: apply the WRPMitigation shim, or rename the custom installer to setup.exe to trigger the automatic mitigation
- Fixes: use the Microsoft-provided redistributable packages designed specifically for Windows Vista; never redistribute system files; redesign apps that use protected system resources
WRP in Action
Demo: WRP in Action
- "Run as administrator" AppCompatDemo.exe
- Select "WRP: overwrite file C:\Windows\System32\append.exe"
- Click Execute; the operation fails despite running as administrator. This is WRP in action
Demo: WRP in Action (cont.)
- Rename the resulting duplicate to Setup.exe and start Setup.exe
- Select "WRP: overwrite file C:\Windows\System32\append.exe"
- Click Execute; the operation reports success. This is the WRP mitigation in action
Demo: WRP in Action (cont.)
Browse to the file and notice that its timestamp and size have not changed: the mitigation only suppressed the error; the protected file was not overwritten.
Common Issues: Internet Explorer Protected Mode
Why: IE7 Protected Mode
- Helps protect users from attack by running the IE process with greatly restricted privileges
- Significantly reduces the ability of an attacker to write, alter or destroy data on the user's machine or to install malicious code
- Helps protect the user from malicious code installing itself without authorization
How: IE7 Protected Mode
- On Windows Vista, Internet Explorer 7 runs in Protected Mode (IEPM) for non-trusted zones (the installation default)
- IE runs separate process instances for different protection modes, so a memory-corruption exploit in a low-rights instance cannot directly affect a higher-trust instance
- This separation is required by the mechanisms IEPM is built on: Mandatory Integrity Control (MIC) and User Interface Privilege Isolation (UIPI)
How: IE7 Protected Mode (cont.)
- Integrity levels (IL) for IE7: IEPM runs at low IL, unprotected IE at medium IL
- Low-integrity processes (such as IEPM) can only write to folders, files and registry keys that carry a low-integrity mandatory label: the Temporary Internet Files, History, Cookies and Favorites folders and the Windows temporary files folders
Integrity Levels Explained
- Windows Vista implements Mandatory Integrity Control (MIC)
- Processes run at one of four integrity levels: system processes at System IL; applications that require administrative privileges (elevated) at High IL; standard applications at Medium IL; restricted apps at Low IL
Integrity Levels Explained (cont.)
- Securable objects (files, processes, window stations, message queues) carry a mandatory label that sets the minimum IL a process needs in order to modify them; the default policy is "no write up", so a lower-IL process can usually still read a higher-IL file or key, it just cannot write to it
- Low IL: all processes can write to this object
- Medium IL: only medium-IL and higher processes can write to this object
- High IL: only high- and system-IL processes can write to this object
- System IL: only system-IL processes can write to this object
- Default IL: objects that do not carry a label are treated as Medium IL
User Interface Privilege Isolation (UIPI)
- UIPI uses MIC's integrity levels to restrict the sending of window messages
- Applications cannot send messages to other applications running at a higher integrity level (this is what blocks "shatter" style attacks that drive a privileged window through messages)
- Where the compatibility impact is high, lower-IL applications can be manifested (uiAccess="true") to opt out of UIPI; this should only be used for UI accessibility applications, and such an application must be signed and installed in a secure location such as Program Files
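The integrity-level rules on the last three slides and the UIPI rule above are small enough to write down as code. The following Python is an added example, not from the presentation: it models no-write-up for files and keys, no-read-up for process objects, the UIPI message check with the uiAccess opt-out, and the IE7 Protected Mode symptom that a low-IL write to Documents fails while a write to a low-labelled folder succeeds. The IL numbers are the RIDs of the real mandatory-label SIDs; the folder list and the paths in the scenario are constructed.

```python
"""Mandatory Integrity Control (MIC) and UIPI rules from the slides, as code.

Added example, not from the presentation. The IL numbers are the RIDs of the
real mandatory-label SIDs (S-1-16-4096 Low up to S-1-16-16384 System); the
folder list and scenarios are constructed for illustration.
"""
from enum import IntEnum


class IL(IntEnum):
    LOW = 0x1000      # restricted apps, e.g. IE7 in Protected Mode
    MEDIUM = 0x2000   # standard user processes; also the label of unlabelled objects
    HIGH = 0x3000     # elevated (administrator token) processes
    SYSTEM = 0x4000   # system processes


def object_label(label=None):
    """Objects that carry no mandatory label are treated as Medium IL."""
    return IL.MEDIUM if label is None else label


def can_write(process_il, label=None):
    """Default MIC policy is No-Write-Up: a process may modify an object only
    if its IL is at least the object's label."""
    return process_il >= object_label(label)


def can_read(process_il, label=None, is_process_object=False):
    """Files and registry keys stay readable from below (No-Read-Up is not set
    on them); process objects do carry No-Read-Up, so a low-IL process cannot
    open a higher-IL process, which keeps an exploited IE instance away from
    the rest of the session."""
    if is_process_object:
        return process_il >= object_label(label)
    return True


def can_send_window_message(sender_il, receiver_il, sender_ui_access=False):
    """UIPI: window messages never flow to a higher-IL window, unless the
    sender is a manifested uiAccess (accessibility) application, which opts out."""
    return sender_ui_access or sender_il >= receiver_il


# Constructed list of the folders the slides say carry a low-integrity label.
LOW_LABELLED_FOLDERS = ("Temporary Internet Files", "History", "Cookies",
                        "Favorites", "Temp")


def ie_protected_mode_can_write(path):
    """The symptom on the IE7 PM slides: an ActiveX control in Protected Mode
    (Low IL) can write into the low-labelled folders but not, say, Documents."""
    label = IL.LOW if any(f in path for f in LOW_LABELLED_FOLDERS) else None
    return can_write(IL.LOW, label)


if __name__ == "__main__":
    print("IE PM -> Documents:",
          ie_protected_mode_can_write(r"C:\Users\alice\Documents\x.txt"))
    print("IE PM -> Temp:",
          ie_protected_mode_can_write(r"C:\Users\alice\AppData\Local\Temp\Low\x.txt"))
    print("Low -> High window message:", can_send_window_message(IL.LOW, IL.HIGH))
```

Note that the model checks only the mandatory label; the discretionary ACL is evaluated after the integrity check and can still deny an access the label allows.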
UIPI In Action
(diagram: High IL, Administrator; Medium IL, Standard User; Low IL, IE7 Protected Mode)
IE7 PM: Symptoms
- Attempts by ActiveX controls to modify medium- and higher-IL objects fail, e.g. writing to the user's Documents folder
- ActiveX controls fail to install
IE7 PM: Automatic Mitigation
- Redirects writes to medium-integrity files, such as the Documents folder, to %userprofile%\Local Settings\Temporary Internet Files\Virtualized
- Redirects writes to the HKCU registry hive to HKCU\Software\Microsoft\Internet Explorer\InternetRegistry
IE7 PM: Automatic Mitigation (cont.)
- Two higher-privilege broker processes allow Internet Explorer and its extensions to perform elevated operations
- The user privilege broker (ieuser.exe) provides a set of functions that let the user save files outside the low-integrity areas
- The administrator privilege broker (ieinstal.exe) allows Internet Explorer to install ActiveX controls
IE Compatibility Architecture
(diagram: Internet Explorer 7 in Protected Mode at Low IL; a compatibility layer with virtualized files and registry keys for low-rights writes; the ieuser.exe user broker at Medium IL where user rights are required; the ieinstal.exe admin broker at High IL where administrative rights are required; all enforced by the integrity mechanism)
IE7 PM: Manual Mitigation
- Add the site to Trusted sites; Protected Mode is not enabled for the Trusted sites zone. Caveat: everything that site serves then runs at medium IL with the user's full rights, so only do this for sites you control
- Use the new ActiveX Installer Service (AXIS) for enterprise deployments
Motivation for the ActiveX Installer Service
- ActiveX controls are installed per machine and require administrator privileges for installation
- This creates a challenge for deploying ActiveX controls across an enterprise running Standard User desktops
- The ActiveX Installer Service (AXIS) is a new solution to address this issue
AXIS: How It Works
- IE7 parses a page that requires an ActiveX control
- If the user is a Standard User, the ActiveX Installer Service is called
- The ActiveX Installer Service looks up the Allowed Installation Sites list deployed via Group Policy
- If the host URL is within policy, the control is downloaded by the service
- If the control meets the signing criteria, it is installed as the LocalSystem account; the site list and the signing requirements are therefore the only controls over what gets installed as SYSTEM, so keep both tight
AXIS: Enabling the Service
- The ActiveX Installer Service is an optional component that must be enabled
- Deploy through SMS, or run cmd.exe as Administrator and then run: ocsetup.exe AxInstallService
- Or: Control Panel > Programs > Turn Windows features on or off
AXIS: Configuring the Policy
- The policy is configured using an Administrative Template in Group Policy
- Run gpedit.msc and navigate to Computer Configuration > Administrative Templates > Windows Components > ActiveX Installer Service
- Enter the host URL and the policy
AXIS: Configuring the Policy (cont.)
- The policy consists of the host URL and the install policy settings
- Host URL: must specify the protocol, http or https (preferred)
- Install policy: 4 comma-separated values
- 1. Trusted signature behavior: 1 is the best value
- 2. Signed controls behavior: 1 is the best value
- 3. Unsigned controls behavior: 1 is the best value for compatibility; 0 (disallowed, the default) is the safer choice, since an unsigned control gives you no way to verify who produced it
- 4. HTTPS connection flags: 0 is the best value
AXIS: Host URL Install Policy Values
The install policy consists of 4 comma-separated values:
- 1. Trusted signature behavior: Silent (2* or 1) or Disallowed (0)
- 2. Signed controls behavior: Silent (2), Prompt (1*) or Disallowed (0)
- 3. Unsigned controls behavior: Prompt (1) or Disallowed (0*)
- 4. HTTPS connection flags: a bitmask of the following values; 0* means all connection checks must pass
- 0x Ignore unknown CA
- 0x Ignore invalid CN
- 0x Ignore invalid certificate date
- 0x Ignore wrong certificate usage
* means the default setting if no policy is specified for the host URL.
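Since a mistyped policy value ends with a control installed as LocalSystem, it is worth validating the "a,b,c,d" string before it goes into Group Policy. The following Python is an added example, not code from the presentation or from the ActiveX Installer Service: it parses a host URL and install policy against the value ranges listed above, rejects anything outside them, and audits the result against the recommended 1,1,1,0 and the starred defaults. The HTTPS flag bit values are an assumption (the slide's hex constants did not survive extraction; the WinInet SECURITY_FLAG_IGNORE_* values that the policy reuses are used here), and the host names are made up.

```python
"""Parse and audit an ActiveX Installer Service host-URL install policy.

Added example, not from the presentation. The flag bit values below are an
assumption: the slide's hex constants did not survive extraction, so the
WinInet SECURITY_FLAG_IGNORE_* values, which the AXIS policy reuses, are used.
"""
from urllib.parse import urlsplit

HTTPS_FLAGS = {  # assumed values, see module docstring
    0x0100: "ignore unknown CA",
    0x1000: "ignore invalid CN",
    0x2000: "ignore invalid certificate date",
    0x0200: "ignore wrong certificate usage",
}
# Defaults from the slide when no policy exists for a host (the starred values).
DEFAULT_POLICY = "2,1,0,0"

ALLOWED = {
    "trusted_signature": (0, 1, 2),   # 0 disallowed, 1 silent, 2 silent (default)
    "signed": (0, 1, 2),              # 0 disallowed, 1 prompt (default), 2 silent
    "unsigned": (0, 1),               # 0 disallowed (default), 1 prompt
}


def parse_policy(host_url, policy_text=DEFAULT_POLICY):
    """Validate a host URL and its 'a,b,c,d' policy string; return a dict.
    Raises ValueError for anything the slide's value tables do not allow."""
    parts = urlsplit(host_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("host URL must start with http:// or https://")
    fields = [f.strip() for f in policy_text.split(",")]
    if len(fields) != 4:
        raise ValueError("install policy needs exactly 4 comma-separated values")
    trusted, signed, unsigned, flags = (int(f, 0) for f in fields)  # int(x, 0): 0x.. ok
    policy = {"host": host_url, "scheme": parts.scheme,
              "trusted_signature": trusted, "signed": signed, "unsigned": unsigned}
    for name, allowed in ALLOWED.items():
        if policy[name] not in allowed:
            raise ValueError("%s must be one of %s" % (name, allowed))
    unknown = flags & ~sum(HTTPS_FLAGS)
    if unknown:
        raise ValueError("unknown HTTPS flag bits 0x%x" % unknown)
    policy["https_flags"] = [HTTPS_FLAGS[bit] for bit in sorted(HTTPS_FLAGS) if flags & bit]
    return policy


def is_valid_policy(host_url, policy_text):
    """True if parse_policy accepts the pair; handy for checking GPO input."""
    try:
        parse_policy(host_url, policy_text)
        return True
    except ValueError:
        return False


def audit_policy(policy):
    """Findings where the policy lets a control be installed as LocalSystem with
    weaker checks than the recommended 1,1,1,0 or the starred defaults."""
    findings = []
    if policy["scheme"] != "https":
        findings.append("host is http: the control is fetched without TLS")
    if policy["https_flags"]:
        findings.append("TLS checks disabled: " + ", ".join(policy["https_flags"]))
    if policy["signed"] == 2:
        findings.append("signed controls install silently, no user prompt")
    if policy["unsigned"] != 0:
        findings.append("unsigned controls can be installed (prompt only)")
    return findings


if __name__ == "__main__":
    # Constructed hosts: the demo's 1,1,1,0 beside a deliberately weak policy.
    for host, text in (("https://intranet.example.com", "1,1,1,0"),
                       ("http://intranet.example.com", "2,2,1,0x1100")):
        print(host, text, audit_policy(parse_policy(host, text)))
```

Run over the list exported from the GPO, the audit turns "ignore unknown CA on an http host" into a finding instead of a silent install; the flag names in the output are only as good as the assumed bit values, so confirm them against the policy template before relying on that part.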
121
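The value ranges above are easy to get wrong when an install-policy string is typed into the Group Policy editor by hand, and a nonzero fourth field quietly switches off certificate checks for every control fetched from that Host URL. The following C program is an added example, not code from this deck or from Windows: it parses a policy string into its four fields, rejects malformed or out-of-range input, and reports which settings loosen the policy (unsigned controls permitted, signed controls installed silently, HTTPS checks relaxed). The function names, the struct, and the sample strings are all constructed for the example; the specific flag bit values are not reproduced because the slide does not show them.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical checker for an AXIS install-policy string ("1,1,1,0" on the
 * slides). Added example: it only encodes the value ranges the slides list. */

typedef struct {
    int  trusted_sig;   /* field 1: 0 disallowed, 1 or 2 silent */
    int  signed_ctl;    /* field 2: 0 disallowed, 1 prompt, 2 silent */
    int  unsigned_ctl;  /* field 3: 0 disallowed, 1 prompt */
    long https_flags;   /* field 4: bitmask; 0 means every HTTPS check must pass */
} axis_policy;

/* Findings returned by axis_policy_weaknesses(), as a bitmask. */
enum {
    AXIS_WARN_UNSIGNED_ALLOWED = 1,  /* unsigned controls may be installed after a prompt */
    AXIS_WARN_SIGNED_SILENT    = 2,  /* signed controls install with no prompt at all */
    AXIS_WARN_HTTPS_RELAXED    = 4   /* at least one certificate check is skipped */
};

/* Parse one field as decimal or 0x-prefixed hex; reject trailing junk. */
static int parse_field(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 0);
    if (errno != 0 || end == s) return -1;
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return -1;
    *out = v;
    return 0;
}

/* Parse "t,s,u,h" into *p. Returns 0 on success, -1 if the string does not
 * have exactly four numeric fields or a field is outside its documented range. */
int axis_parse_policy(const char *text, axis_policy *p)
{
    long v[4];
    const char *cur = text;
    for (int i = 0; i < 4; i++) {
        char field[32];
        const char *comma = strchr(cur, ',');
        size_t len = comma ? (size_t)(comma - cur) : strlen(cur);
        if (len == 0 || len >= sizeof field) return -1;
        memcpy(field, cur, len);
        field[len] = '\0';
        if (parse_field(field, &v[i]) != 0) return -1;
        if (i < 3) {
            if (comma == NULL) return -1;   /* fewer than four fields */
            cur = comma + 1;
        } else if (comma != NULL) {
            return -1;                      /* more than four fields */
        }
    }
    if (v[0] < 0 || v[0] > 2) return -1;
    if (v[1] < 0 || v[1] > 2) return -1;
    if (v[2] < 0 || v[2] > 1) return -1;
    if (v[3] < 0) return -1;
    p->trusted_sig  = (int)v[0];
    p->signed_ctl   = (int)v[1];
    p->unsigned_ctl = (int)v[2];
    p->https_flags  = v[3];
    return 0;
}

/* Report which settings loosen the policy relative to the strictest choice. */
int axis_policy_weaknesses(const axis_policy *p)
{
    int warn = 0;
    if (p->unsigned_ctl == 1) warn |= AXIS_WARN_UNSIGNED_ALLOWED;
    if (p->signed_ctl == 2)   warn |= AXIS_WARN_SIGNED_SILENT;
    if (p->https_flags != 0)  warn |= AXIS_WARN_HTTPS_RELAXED;
    return warn;
}

int main(void)
{
    /* Constructed sample strings; "0x1" stands for any nonzero HTTPS bitmask. */
    const char *samples[] = { "1,1,1,0", "1,1,0,0", "2,2,1,0x1", "1,1,3,0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        axis_policy p;
        if (axis_parse_policy(samples[i], &p) != 0) {
            printf("%-10s malformed or out of range\n", samples[i]);
            continue;
        }
        int w = axis_policy_weaknesses(&p);
        printf("%-10s %s%s%s%s\n", samples[i], w ? "" : "strict",
               (w & AXIS_WARN_UNSIGNED_ALLOWED) ? "unsigned-allowed " : "",
               (w & AXIS_WARN_SIGNED_SILENT)    ? "signed-silent " : "",
               (w & AXIS_WARN_HTTPS_RELAXED)    ? "https-relaxed" : "");
    }
    return 0;
}
```

Run over the strings exported from a Group Policy report, this flags every Host URL whose fourth field is nonzero, which is the setting most worth reviewing: it applies to all controls downloaded from that site, signed or not.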
AXIS: Other Information
Auditing:
- Several events are created by the ActiveX Installer Service
- Currently only success and failure are reported when the service is called
For more information about centrally managing ActiveX controls, see the following article: default.asp?url=/workshop/delivery/download/overview/implementation.asp
ActiveX Installer Service (screenshot)
Demo: AXIS
1. Open gpedit.msc (run as administrator)
2. Navigate to Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\ActiveX Installation Service
3. Select Approved Installation Sites for ActiveX Controls
4. Click Properties
Demo: AXIS (cont.)
1. Change the setting to "Enabled"
2. Click "Show" to edit the URL list
3. Click "Apply"
4. Paste the Host URL into the first box
5. Type "1,1,1,0" into the second box
6. Click OK, OK and OK to close
Less Common Issues
- Session 0 Isolation
- Critical Section Code Changes
- Painting Behavior
- Networking: IPv6
- My Documents Location
Sessions in Windows XP/2003
- Windows XP creates Session 0 with an interactive window station for services and user mode drivers
- The first user logging in is added to Session 0, and user applications run in this session as well
[Diagram: Session 0, Window Station 0, Desktop 0, containing both the services' windows and the first user's windows]
Sessions in Windows Vista
- Creates Session 0 for services and user mode drivers
- Creates Session 1 for the first user logging in; applications run in Session 1
- Interaction between the Session 0 and Session 1 desktops via Windows messages is prohibited
[Diagram: Session 0 holds the services and user mode drivers; Session 1, Window Station 1, Desktop 1 holds the user's windows]
Why: Session 0 Isolation
- Running services and user applications together in Session 0 is a security risk
- Potential exploitation by sending window messages between services and applications
- Malicious agents looking for a means to elevate their own privilege level can target services
- Running services and user applications in separate sessions prevents such attacks
- User mode drivers and services that already work with multiple users in Windows XP (Fast User Switching) will work in most cases
Session 0: Compatibility Impact
- A service and a user application that use window message functions (e.g. SendMessage, PostMessage) to communicate will silently fail
- A service and a user application that use local objects to communicate will silently fail
- A service that uses a UI to interact with the user will display the UI on a special desktop which is inaccessible
Session 0: Automatic Mitigation
Symptom: UI displayed by a service is not visible
Mitigation: Windows Vista allows the user to interact with the Session 0 UI on a special desktop
- Detects that the UI is not being displayed
- Prompts the user to choose whether to display the message now or later
- Switches the display to a special desktop where the UI is visible
Session 0 - Service UI (screenshot)
Demo: Session 0 - Service UI
1. Set Windows XP compatibility for "WindowsVistaReadiness.exe"
2. Start "WindowsVistaReadiness.exe"
3. Click "Service UI"
Demo: Session 0 - Service UI (cont.)
1. Click "Show me the message"
2. Various messages will display
Session 0: Fixes
Problem: Service and user application communicate using window message functions or local objects
Solution: Redesign the application and service to use client/server mechanisms, e.g. remote procedure call (RPC) or named pipes
Session 0: Fixes (cont.)
Problem: Service displays a UI to interact with the user
Solution:
- Redesign the service to no longer interact directly with the user
- Use the WTSSendMessage function to create a simple message box on the user's desktop (not recommended)
Critical Section Code Changes
Why: Changed to increase security and robustness
How: Earlier versions of Windows automatically initialized Critical Sections; Windows Vista does not
Symptoms: Programs that relied on this on-demand initialization fail with an access violation
Mitigation: Apply the shim "EnterUninitializedCriticalSection"
Fix: Rewrite the code to initialize the Critical Section explicitly before first use
Critical Section Changes (screenshot)
Demo: Critical Section
1. Start "CriticalSection.exe"
2. Click "Locks Bug"
3. Click "OK"
4. Click "Cancel"
Painting Behavior
Why: To improve the user experience
How: All top-level windows are rendered to an off-screen bitmap; the Desktop Window Manager combines the images to draw the desktop
Impact: Some applications will render incorrectly
Mitigation: Disable desktop composition, either by applying the shim "DisableDWM" or via Properties > Compatibility tab > Disable desktop composition
Fix: Redesign the application so that it does not assume it is rendering directly to the screen
Disabling Desktop Composition (screenshot)
Demo: Disabling Desktop Composition
1. Right click "AppCompatDemo.exe"
2. Select Properties
3. Select the Compatibility tab
4. Check "Disable desktop composition"
5. Run the application and observe how Aero Glass disappears
6. Exit the application and observe how Aero Glass is back
IPv6
- The TCP/IP stack in Windows Vista has IPv6 enabled by default
- IPv6 traffic will be sent by the Windows Vista stack regardless of whether the network supports IPv6 or not (e.g. router solicitation and neighbor discovery messages are generated by default)
- Single stack and API for IPv4 and IPv6
- Applications using the IPv4-specific API will fail
IPv6: Fix

Before:

    StartClient(PCSTR HostName, USHORT Port)
    {
        ClientSocket = socket(AF_INET, ...);
        HostEntry = gethostbyname(HostName);
        A.sin_addr = *(HostEntry->h_addr);
        A.sin_port = htons(Port);
        connect(ClientSocket, &A, ...);
    }

After:

    StartClient(PCSTR HostName, USHORT Port)
    {
        ClientSocket = socket(AF_INET6, ...);
        setsockopt(ClientSocket, IPPROTO_IPV6, IPV6_V6ONLY, ...);
        WSAConnectByName(ClientSocket, HostName, Port, ...);
    }

Turning IPV6_V6ONLY off on the AF_INET6 socket makes it a dual-stack socket, and WSAConnectByName resolves the name and connects over whichever address family the host offers, so the same code path serves IPv4-only and IPv6-enabled networks.
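The "before" code above fails on an IPv6 name or address because gethostbyname and the AF_INET socket only understand IPv4. The program below is an added example, not the deck's code: it shows the protocol-independent client pattern using getaddrinfo, which exists on both Winsock and POSIX, instead of the slide's Windows-specific WSAConnectByName. resolve_family is a constructed helper that resolves an address literal under a chosen family so the difference between the IPv4-only and the family-agnostic path can be demonstrated offline; start_client is the constructed dual-stack replacement for the slide's StartClient, trying every address the resolver returns until one connects. The sample addresses 127.0.0.1 and ::1 are constructed inputs.

```c
#ifndef _WIN32
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
typedef SOCKET sock_t;
#define CLOSESOCK closesocket
#define BAD_SOCK INVALID_SOCKET
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
typedef int sock_t;
#define CLOSESOCK close
#define BAD_SOCK (-1)
#endif

/* Added example (hypothetical helper): resolve `host` restricted to `family`
 * (AF_INET, AF_INET6 or AF_UNSPEC) and return the address family of the first
 * result, or -1 if resolution fails. AI_NUMERICHOST limits this to address
 * literals so the demonstration runs without DNS. With AF_INET this behaves
 * like the slide's gethostbyname path: an IPv6 literal cannot be resolved. */
int resolve_family(const char *host, int family)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family   = family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags    = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    int got = res->ai_family;
    freeaddrinfo(res);
    return got;
}

/* Constructed dual-stack StartClient: ask for any family, then try each
 * address in turn and return the first socket that connects (or BAD_SOCK).
 * The socket is created per address, so no IPv4-only assumption is baked in. */
sock_t start_client(const char *host, const char *port)
{
    struct addrinfo hints, *res = NULL, *ai;
    sock_t s = BAD_SOCK;
    memset(&hints, 0, sizeof hints);
    hints.ai_family   = AF_UNSPEC;     /* accept IPv4 and IPv6 answers */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return BAD_SOCK;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s == BAD_SOCK) continue;
        if (connect(s, ai->ai_addr, ai->ai_addrlen) == 0) break;
        CLOSESOCK(s);
        s = BAD_SOCK;
    }
    freeaddrinfo(res);
    return s;
}

int main(int argc, char **argv)
{
#ifdef _WIN32
    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);
#endif
    /* Constructed sample literals: one IPv4, one IPv6. */
    const char *hosts[] = { "127.0.0.1", "::1" };
    for (int i = 0; i < 2; i++)
        printf("%-10s AF_INET-only: %s   AF_UNSPEC: %s\n", hosts[i],
               resolve_family(hosts[i], AF_INET) == -1 ? "fails" : "ok",
               resolve_family(hosts[i], AF_UNSPEC) == -1 ? "fails" : "ok");
    /* Optional: ./a.out <host> <port> attempts a real dual-stack connect. */
    if (argc == 3) {
        sock_t s = start_client(argv[1], argv[2]);
        printf("connect to %s:%s %s\n", argv[1], argv[2],
               s == BAD_SOCK ? "failed" : "succeeded");
        if (s != BAD_SOCK) CLOSESOCK(s);
    }
    return 0;
}
```

The check worth automating when auditing a code base is the one the AF_INET-only path demonstrates: any call site that still uses gethostbyname, sockaddr_in or a hard-coded AF_INET will be unable to reach a host that only answers over IPv6, and on a Windows Vista client that traffic is generated by default.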
My Documents Location
- The My Documents location and structure have changed to provide a better user experience
- User data is now stored in the \users\%username%\ folder structure
- Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure
- Apps that use the SHGetFolderPath function to obtain the folder path dynamically are OK
- Never hard-code absolute paths (AppVerifier includes a test for this)
My Documents: Automatic Mitigation
Directory junction (symbolic link):
- Provides backward compatibility for hard-coded paths, e.g. 'Documents and Settings' pointing to Users
- DENY_READ set for 'Everyone': the junction cannot be enumerated; only a full path can be accessed, e.g. 'Documents and Settings\%username%\My Documents\foo.doc'
- Prevents the folders from being backed up twice
My Documents (screenshot)
Demo: My Documents
1. Run "AppCompatDemo.exe"
2. Select "My Documents: file access to C:\Documents and Settings\%username%\My Documents\MyDocumentsRedirectionTest.txt"
3. Click Execute
Demo: My Documents (cont.)
1. Open Documents
2. Click in the title bar
3. Show the file and explain the actual path: C:\Users\%username%\Documents
Demo: My Documents (cont.)
1. Open Computer and navigate to C:\
2. Select Tools > Folder Options > View tab
3. Select "Show hidden files and folders"
4. Uncheck "Hide protected operating system files (Recommended)"
5. Click OK
Demo: My Documents (cont.)
1. Highlight the "Documents and Settings" shortcut
2. Double-click "Documents and Settings": the names are only valid in fully qualified paths
3. Click OK
Demo: My Documents (cont.)
1. Navigate to "C:\Users\%username%"
2. Show "My Documents"
3. All old names are handled in this manner
Low Impact
- Windows Vista 64-Bit
- Deprecated APIs
- Help Center Deprecated
64-bit Support
- The 64-bit version of Windows Vista can run all 32-bit applications with the help of the WOW64 emulator
- 32-bit user mode drivers will work on the 64-bit version of Windows Vista
- 16-bit applications, 16-bit installers, and 32-bit kernel mode drivers are not supported
64-bit Support (cont.)
- All 64-bit drivers have to be digitally signed for Windows Vista
- Unsigned drivers are not supported and cannot be installed on 64-bit Windows Vista
- The digital signature check is done both during installation and at driver load time
Deprecated Components
The following components from earlier Windows releases will not be present in Windows Vista:
- Kernel mode printer driver support
- Microsoft FrontPage server extensions
- Services for Macintosh
- D3DRM
- Web Publishing Wizard
- NetDDE (optional in XP)
- GINA
Help and Support
- Previous versions of Windows included support for WinHelp files (.HLP)
- Not included in Windows Vista
- A download providing WinHelp support will be available after Vista ships
- CHM is preferred
Wrap-up
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.