Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Blog:


Agenda Least Privilege for Admins – How to elevate only as needed Least Privilege for Users – Addressing LUA bugs

Managed Desktop Challenges Today Increased IT spending required to support users, maintain existing desktops, and prevent downtime Employees lose productivity by inadvertently changing system configurations Security threats increase the IT management burden; breaches can hobble critical systems and data

Managed Desktop: What’s the Value? Gartner: Nearly 40% TCO savings per desktop in a managed environment [1]. Managed Desktops: systematic control over end-user clients to maintain security & productivity. Reducing the desktop attack surface; reduces day-to-day helpdesk calls; increases end-user productivity/uptime. [1] Security Holes Increase Windows Client TCO, Gartner

Definitions Non-Admin – “Power Users” is not non-Admin! – Typically: “Users”, “Domain Users” LUA – Limited User Account – Least-privileged User Account LUA Bugs User Account Protection (Windows Vista)

Principle of Least Privilege Most computer use does not require admin privilege But, typical usage: “Max Privilege” Most malware expects “Max Privilege”

Admin Can, LUA Can’t:
– Install kernel-mode rootkits
– Install system-level keyloggers (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
– Install ActiveX controls, including IE and Explorer extensions (common with spyware and adware)
– Install and start services
– Stop existing services (such as the firewall)
– Access data belonging to other users
– Cause code to run whenever anybody else logs on
– Replace OS and other program files with Trojan horses
– Access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
– Disable/uninstall anti-virus
– Create and modify user accounts
– Reset passwords
– Modify the “HOSTS” file and other system configuration settings
– Cover its tracks in the event log
– Render your machine unbootable
– …

For Developers Why develop as a non-admin? – Better software – Catch LUA bugs sooner – Cheaper development costs – Market advantage – Safer security practices

The Twin Challenge on Windows XP. For sysadmins and developers: How to run with least privilege and elevate only as needed? For regular users: How to always run with least privilege when so many apps (and sometimes Windows) require more?

How to Elevate as Needed Fast User Switching – Windows XP Home – Windows XP Professional – If not joined to a domain – fixed in Windows Vista! – Logon sessions isolated from each other Suggestion for home users: – One LUA for each person, Guest optional – One admin account – No passwords!

Fast User Switching Demo

RunAs Start a program as a different user – Same desktop Command line or graphical dialog Programs inherit security context from “parent” – Start CMD as admin – Launch apps from admin CMD – Those apps also run as admin

RunAs Dialog Right-click context menu – Apps, shortcuts – Common Console (.msc) Shift+right-click for: – Control Panel applets (.cpl) – “Special Microsoft Windows Installer links”

RunAs Dialog Make “RunAs” the default for a shortcut: Shortcut → Properties, Advanced Properties

RunAs Command Line E.g., runas /u:Administrator cmd.exe

RunAs – Visual Differentiation Set privileged console windows apart visually cmd.exe /t:fc /k cd c:\ && title ***** Admin console *****

RunAs – Visual Differentiation Background bitmap for IE and Explorer Set it with TweakUI

PrivBar Running IE as admin: … as Power User: … as “User”: … with “Protect my computer”:

RunAs Demo

When RunAs Doesn’t Work Some apps reuse existing instances – Windows Explorer – Microsoft Office Word Some apps get started through the shell – ShellExecute[Ex] – DDE Current version of WindowsUpdate! – And Microsoft Update!

RunAs and Explorer Two viable options: 1. Use Internet Explorer, or 2. Set the flag that lets Windows Explorer run multiple instances “The flag…” – “Launch folder windows in a separate process” Caveats about this setting

RunAs and Explorer Demo

Issues Using Local Admin Account No access to domain resources Different profile settings Some apps assume that the installer is the user Per-user Policy settings Power Options applet Resolution? MakeMeAdmin

MakeMeAdmin Temporary elevation of your current account Result: CMD running with your normal account but with admin privileges Apps started from it inherit context Posted on my blog

MakeMeAdmin Demo

Dealing with Legacy Apps with LUA Bugs App works only with admin privileges The easy fix: Add the user to the local Admins group!

Dealing with Legacy 1. Fix the LUA Bugs Make the developers fix their bugs! Preferred option Don’t continue to create “legacy”

Dealing with Legacy 2. Hiding LUA Bugs LUA modes in the Application Compatibility Toolkit Shims to redirect registry and file access But: XP’s shims don’t work. (Windows Vista’s will work better…)

Dealing with Legacy 3. Remediating LUA Bugs Loosen ACLs Only on app-specific resources! – %ProgramFiles%\MyApp\MyDataFolder – HKLM\SOFTWARE\MyApp\Settings Not on OS resources! – %windir%, %windir%\System32 – HKLM\SOFTWARE\Microsoft\Windows Use a granular, surgical approach – Least additional privilege Deployment options
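One way to apply the "least additional privilege" rule above, as an added PowerShell example (not from the original deck): it grants the local Users group Modify on one application data folder and write access on one application registry key, and refuses targets that are OS resources. The `MyApp` paths are the slide's placeholders; the function names and the guard rules are assumptions of this example.

```powershell
# Added example, not from the original deck. Run from an elevated prompt.
# Function names and guard rules are this example's assumptions.
$Users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

function Test-UnderPath([string]$Child, [string]$Parent) {
    # True when $Child is $Parent itself or lies somewhere beneath it.
    $c = $Child.TrimEnd('\'); $p = $Parent.TrimEnd('\')
    ($c -ieq $p) -or $c.StartsWith("$p\", [System.StringComparison]::OrdinalIgnoreCase)
}

function Grant-AppFolderWrite {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $osDirs = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    # Not on OS resources: nothing inside %windir%, and no folder that is an
    # OS directory or an ancestor of one (for example the drive root).
    if (Test-UnderPath $full $env:windir) { throw "Refusing '$full': inside %windir%." }
    foreach ($os in $osDirs) {
        if (Test-UnderPath $os $full) { throw "Refusing '$full': it contains '$os'." }
    }
    # Data folders only: where users can modify binaries, any user can replace
    # program files that other users (or admins) will later run.
    $bins = @(Get-ChildItem -LiteralPath $full -Recurse -File |
              Where-Object { '.exe', '.dll', '.sys' -contains $_.Extension })
    if ($bins.Count -gt 0) { throw "Refusing '$full': holds executable code ($($bins[0].Name))." }

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -LiteralPath $full
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $full -AclObject $acl
}

function Grant-AppKeyWrite {
    param([Parameter(Mandatory)][string]$Key)   # e.g. HKLM:\SOFTWARE\MyApp\Settings
    $k   = $Key.TrimEnd('\')
    $rel = $k -replace '^HKLM:\\SOFTWARE\\(WOW6432Node\\)?', ''
    # App-specific means a subkey below a vendor/app key, never the vendor
    # level itself and never the OS-owned branches.
    if ($rel -eq $k -or $rel -notmatch '^[^\\]+\\.+' -or
        $rel -match '^(Microsoft|Classes|Policies)(\\|$)') {
        throw "Refusing '$k': not an app-specific key."
    }
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Users, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $k
    $acl.AddAccessRule($rule)
    Set-Acl -Path $k -AclObject $acl
}

# Constructed usage, with the slide's example resources:
#   Grant-AppFolderWrite "$env:ProgramFiles\MyApp\MyDataFolder"
#   Grant-AppKeyWrite    'HKLM:\SOFTWARE\MyApp\Settings'
#   Grant-AppFolderWrite "$env:windir\System32"    # throws
```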

Dealing with Legacy 3a. Remediating LUA Bugs – HKCR to HKCU Writing to HKCR is usually a LUA bug HKCR is a merged view of – HKLM\SOFTWARE\Classes – HKCU\SOFTWARE\Classes Write to HKCR goes to HKCU if key already exists there So: Pre-create keys under HKCU
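Pre-creating the keys, as an added PowerShell example (not from the original deck): run in the affected user's own logon session, it mirrors one class registration from HKLM\SOFTWARE\Classes into HKCU\SOFTWARE\Classes so that the app's later writes through HKCR land in the per-user hive. The ProgID `MyApp.Document` and the function names are hypothetical; copying the values along with the keys is this example's choice, so the per-user copy is complete on its own rather than an empty key in front of the machine-wide one.

```powershell
# Added example, not from the original deck. No elevation needed: it only
# reads HKLM and writes to the calling user's HKCU.

function Copy-KeyTree([Microsoft.Win32.RegistryKey]$From, [Microsoft.Win32.RegistryKey]$To) {
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($name in $From.GetValueNames()) {
        # Keep anything the user already has; only fill in what is missing.
        if ($To.GetValueNames() -notcontains $name) {
            $raw = $From.GetValue($name, $null, $noExpand)
            $To.SetValue($name, $raw, $From.GetValueKind($name))
        }
    }
    foreach ($sub in $From.GetSubKeyNames()) {
        $s = $From.OpenSubKey($sub)       # read-only handle on the HKLM side
        $d = $To.CreateSubKey($sub)       # opens the key if it already exists
        try { Copy-KeyTree $s $d } finally { $s.Close(); $d.Close() }
    }
}

function Copy-ClassToUserHive {
    param([Parameter(Mandatory)][string]$ClassName)   # a ProgID or ".ext" key name
    $rel = "SOFTWARE\Classes\$ClassName"
    $src = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($rel)
    if ($null -eq $src) { throw "HKLM\$rel does not exist." }
    $dst = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($rel)
    try { Copy-KeyTree $src $dst } finally { $src.Close(); $dst.Close() }
    "HKCU\$rel"    # path of the per-user copy
}

# Constructed usage (hypothetical ProgID):
#   Copy-ClassToUserHive 'MyApp.Document'
```

Run from a RunAs or other admin shell, this would populate the admin account's HKCU instead of the user's, so deploy it through something that executes as the user, such as a logon script.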

Dealing with Legacy 4. Running one app as admin Run the app with admin privileges. Some options: – RunAs / MakeMeAdmin: requires giving the user the admin password – DesktopStandard PolicyMaker Application Security – “RunAsAdmin” by Valery Pryamikov Highest risk

The Limits of LUA Value? Two (incorrect) extremes – Silver bullet – “Not the answer” What it protects against today What it doesn’t protect against today What happens when everyone is LUA?

LUA doesn’t protect against… Anything you can do to yourself Weak admin passwords Attacks on services Phishing Stupidity Capturing RunAs credentials – fixed in Windows Vista!

When everyone is LUA… Attackers will adjust Elevation of privilege becomes more interesting

Non-Admin Blog The easiest way to run as non-admin (Fast User Switching) "RunAs" basic (and intermediate) topics RunAs with Explorer MakeMeAdmin – temporary admin for your Limited User account PrivBar – An IE/Explorer toolbar to show current privilege level Running restricted – What does the "protect my computer" option mean? Remembering Calculator and Character Map Settings Managing Power Options as a non-administrator Ctrl-C doesn't work in RUNAS or MakeMeAdmin command shells Changing the system date, time and/or time zone How to allow users to manage file and print shares without granting other advanced privileges (More coming!)

Resources Non-Admin Wiki: Non-Admin blog: DesktopStandard PolicyMaker Application Security: RunAsAdmin: Technet Webcast “Browsing the Web and Reading Safely as an Administrator” Part 1: Part 2: TweakUI: SysInternals tools:

Community Resources Most Valuable Professional (MVP) Newsgroups: converse online with Microsoft Newsgroups, including Worldwide /newsgroups/en-us/default.aspx User Groups: meet and learn with your peers /default.mspx

Running with Least Privileges in Windows Vista

What do we call this technology? Flexible Account Control Technologies Least User-privileges Access (LUA) Least User Account (LUA) User Account Protection (UAP) User Account Control (UAC) For the purposes of this talk we will refer to this technology as: User Account Control

Desktop Lockdown Enables I.T. to take back control of desktop management Gives standard users the “Just Enough Privilege” on desktops Reduces lost productivity and downtime Available as part of Windows Vista Protecting Against Security Threats User Account Control Greater Confidence and Control Reduces OS attack surface from malware, rootkits, and shatter attacks Isolates admin processes to help prevent compromise by malware Framework for Developing Least-Privilege Applications Provides safe, stable model for software applications to execute tasks without exposing the system to malware Ensures logo-compliant applications will run properly in Windows Vista. Also includes virtualization feature for legacy applications.

User Account Control Features. Administrator Approval Mode: allows admins to operate with standard privileges for common tasks; prompts when admin mode is necessary; Application Manifest defines permission levels. User Experience: ability to perform common tasks as a Standard User (e.g. Time-Zone changes); installation of printers and device drivers just works; VPN, wireless, and remote access just work. Application Compatibility: protects System files from rogue applications; protects Registry from corruption.

Firewall settings are locked down (grayed out) User clicks button to unlock settings Admin is prompted to approve process or supply credentials User Account Control: User Experience

UAP Architecture (diagram). Labels: Standard User Rights; Administrative Rights; Admin logon; Split Token (“Abby” token: User Privilege, Admin Privilege); Standard User Mode; Administrator Approval Mode. User process examples: Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, etc. Admin process examples: Install Application, Configure IIS, Change Time.

User Account Control in Windows Vista Demo

How do I deploy Software? Group Policy Software Installation: Package applications into MSI; Publish or Advertise through GPOs. System Management Server: Create deployment packages in SMS. Updating Applications: Use MSI 3.1 Patching Infrastructure; Initial MSI will include certificates to allow elevated patching

Application Compatibility: Administrator by Accident. Apps write to admin locations: HKLM\Software, %SystemDrive%\Program Files, %SystemRoot%. Windows Vista Redirection: this is a temporary solution; use the LUA Predictor. Redirection allows legacy apps to run as Standard User. Writes to HKLM go to HKCU redirected store. Writes to system directories redirected to per-user store, copy-on-write.
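To see which applications are relying on this redirection, an added PowerShell example (not from the original deck) lists what has been redirected for the current user. It assumes the store locations used by released versions of Windows Vista and later, `%LOCALAPPDATA%\VirtualStore` and `HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE`, which the slides do not name; the function names are this example's own.

```powershell
# Added example, not from the original deck. Read-only; run as the user whose
# redirected writes you want to inventory.

function Get-RedirectedWrite {
    # Files: the store mirrors the layout of the system drive.
    $fileRoot = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path -LiteralPath $fileRoot) {
        Get-ChildItem -LiteralPath $fileRoot -Recurse -File -Force | ForEach-Object {
            $rel = $_.FullName.Substring($fileRoot.Length).TrimStart('\')
            [pscustomobject]@{
                Kind           = 'File'
                IntendedTarget = Join-Path "$env:SystemDrive\" $rel
                RedirectedCopy = $_.FullName
                LastWrite      = $_.LastWriteTime
            }
        }
    }
    # Registry: redirected HKLM\SOFTWARE writes live under the user's Classes key.
    $regRoot = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    $prefix  = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (Test-Path -LiteralPath $regRoot) {
        Get-ChildItem -LiteralPath $regRoot -Recurse |
            Where-Object { $_.ValueCount -gt 0 } | ForEach-Object {
                [pscustomobject]@{
                    Kind           = 'Registry'
                    IntendedTarget = 'HKLM\SOFTWARE' + $_.Name.Substring($prefix.Length)
                    RedirectedCopy = $_.Name
                    LastWrite      = $null
                }
            }
    }
}

function Get-RedirectedWriteSummary {
    # Group by the first three path segments: the application folder
    # (C:\Program Files\App) or the vendor key (HKLM\SOFTWARE\Vendor).
    Get-RedirectedWrite |
        Group-Object { ($_.IntendedTarget -split '\\')[0..2] -join '\' } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed usage:
#   Get-RedirectedWriteSummary
#   Get-RedirectedWrite | Where-Object Kind -eq 'File' | Format-Table -AutoSize
```

Every application that appears in the summary still has LUA bugs that the redirection is hiding, which makes the list a fix-it backlog for the "temporary solution" the slide describes.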

Application Compatibility LUA Predictor Guidance provided for developing compliant UI, file, registry, and deployment functionality Predictor AppVerifier tool tests applications for compliance App Verifier Toolkit Plug in Show all Files, Registry Keys, and Admin APIs that need Admin privilege Available Today!

Check out new whitepapers and guidance on Microsoft.com Beta 2 – Check out new features Encourage Developers to Test their applications for compatibility & become logo compliant Getting Ready for Windows Vista

All users run as Standard User by default even when you log on as admin! Administrators use full privilege only for administrative tasks or applications User provides explicit consent before using elevated privilege High application compatibility Windows Vista Goal Windows Vista provides a more secure and reliable foundation which brings a new level of confidence in your PC Summary User Account Control Goals

Provides Developers with: AppCompat – assurance that their applications will run properly Reduced support costs Improved application security Helps enterprises to: Establish increased protection against malware Control access to administrative functions Increase user productivity Simply and safely elevate privileges for administrative tasks Summary User Account Control Goals (Cont’d)

Resources Information about the Logo Program: ISV/Developer guidelines on MSDN: us/dnlong/html/AccProtVista.asp IT Deployment doc using AppCompat runlevel Shims: UAP Getting started Doc (targeted to Beta-1):

Top 10 Questions
1. If I mark my app as “admin”, can I skip the elevation consent dialog? – No
2. Can you modify the privilege of a running application? – No
3. Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not
4. How long does the elevated process last? – Life of the process
5. Can I enable which users will use UAC? – Currently this is a per machine setting
6. Does UAP apply to all processes and services? – Interactive processes only
7. What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles%
8. Won’t Redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64bit
9. What happens when installer detection fails? – The app runs as non-admin
10. Will UAC be going down-level? – No

Thanks to Aaron Margosis for providing some of the content for this presentation deck