
Tips and Tricks to Running Windows with Least Privilege Steve Riley Enterprise Security Architect Security Business Unit


1 Tips and Tricks to Running Windows with Least Privilege
Steve Riley, Enterprise Security Architect, Security Business Unit
steriley@microsoft.com
blogs.technet.com/steriley
SEC314

2 Agenda
- Why you want to run as Limited User
- How to do it without going nuts

3 Definitions
- Non-Admin
  - “Power Users” is not non-Admin!
  - Typically: “Users”, “Domain Users”
- LUA
  - Limited User Account
  - Least-privileged User Account
- Principle of Least Privilege

4 Admin Can, LUA Can’t:
- Install kernel-mode rootkits
- Install system-level keyloggers (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- Install ActiveX controls, including IE and Explorer extensions (common with spyware and adware)
- Install and start services
- Stop existing services (such as the firewall)
- Access data belonging to other users
- Cause code to run whenever anybody else logs on
- Replace OS and other program files with Trojan horses
- Access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
- Disable/uninstall anti-virus
- Create and modify user accounts
- Reset passwords
- Modify the “HOSTS” file and other system configuration settings
- Cover its tracks in the event log
- Render your machine unbootable
- …

5 User Exposure
- Web browser
- E-mail client
- Instant messaging
- Internet-connected games
- Media players
- All vendors, not just Microsoft

6 “But I Am the Administrator…”
- Admin = sharp scissors
- Run as Limited User for most tasks
- Elevate to admin only as needed
- Most enterprise users should never need elevated privileges

7 For Developers
- Why develop as a non-admin?
  - Better software
  - Catch bugs sooner
  - Cheaper development costs
  - Safer security practices

8 LUA Bugs
- Feature works only as admin
- Cause: developer running as admin! “It works on my machine!”
- Unnecessary expense
- Resolution:
  - Reimplement or even rearchitect, or
  - Require admin privileges to run the product

9 How Much Does This Really Matter?

10 Who Were the “Bad Guys”? MBA candidate???

11 Who Are the “Bad Guys”?
- Organized crime
- Foreign governments
- Unscrupulous businesses
- (Probably) terrorists
- Hackers for hire

12 Money in Malware?
- Zombie network (botnet)
- Spam
- Distributed Denial of Service (extortion)
- Adware ($ per view)
- Identity theft: credit card and banking info
- Corporate espionage
- Political and military espionage

13 “I’m Safe Because …”
- … I keep up to date on patches
- … I keep my anti-virus up to date
- … I use a firewall
- … I use Windows XP SP2
- … I use Microsoft AntiSpyware!
- … I have a strong password
- … I don’t open strange e-mail attachments
- … I am really careful about where I browse
- … I don’t install random software
- … I am very smart / have common sense
- … I have never been infected …

14 Zero-Day Exploits
- Unpatched vulnerabilities
  - Patch is reverse-engineered upon release
  - Public disclosure precedes patch
- Previously unknown vulnerabilities
  - Exploit precedes public disclosure

15 Lesson: Download.Ject
- Zero-day in Internet Explorer
- Exploit delivered via legitimate Web sites
- Not the first time, not the last

16 What is a Rootkit?
- Software that can hide its existence
- Makes the OS lie to you
- Perform activities without detection
- Follows system compromise

17 A Rootkit Can…
- Hide things:
  - Processes
  - Files
  - Registry keys
  - Services
  - Drivers
  - User accounts
  - Ports and network connections
- Modify security tokens
- Hide a back door

18 Invisible to…
- Typical diagnostic programs
  - DIR /A
  - Task Manager
  - PerfMon
  - Resource Kit Tools
  - Process Explorer (SysInternals)
  - Anti-virus
  - Anti-spyware
- Some detection tools beginning to trickle out:
  - Rootkit Revealer from SysInternals
  - Blacklight from F-Secure
- The arms race is underway…

19 Non-admin vs. Rootkit
- Many RK techniques require admin privs
  - Install/load kernel drivers
  - Install services
  - Hook/redirect kernel functions or interrupts
  - Modify kernel data structures
- LUA rootkits
  - Easier to detect
  - Fewer places to hide/auto-start
  - Affect only one user

20 “OK, I’m Convinced. Now What Do I Do?”

21 How to Elevate as Needed
- Fast User Switching
  - Windows XP Home
  - Windows XP Professional, not joined to a domain
  - Logon sessions isolated from each other
- Suggestion for home users:
  - One LUA for each person, Guest optional
  - One admin account
  - No passwords!

22 RunAs
- Start a program as a different user
  - Same desktop
  - Command line or graphical dialog
- Programs inherit security context from “parent”
  - Start CMD as admin
  - Launch apps from there
  - They run as admin

23 RunAs Dialog
- Right-click context menu
  - Apps, shortcuts
  - Common Console (.msc)
- Shift+right-click for:
  - Control Panel applets (.cpl)
  - “Special Microsoft Windows Installer links”

24 RunAs Dialog
- Make “RunAs” the default for a shortcut
  - Shortcut, Properties, Advanced Properties

25 RunAs Command Line
- E.g., runas /u:Administrator cmd.exe

26 RunAs – Visual Differentiation
- Set privileged console windows apart visually
- cmd.exe /t:fc /k cd c:\ && title ***** Admin console *****

27 RunAs – Visual Differentiation
- Background bitmap for IE and Explorer
- Set it with TweakUI

28 PrivBar
- Running IE as admin: …
- … as Power User: …
- … as “User”: …
- … with “Protect my computer”: …

29 PrivBar (cont’d)

30 Adding RunAs for .MSI Files
- Windows Installer files (.msi) have no RunAs
- Add it in Folder Options, or
- Just run it from your admin CMD: C:\Downloads> gpmc.msi

31 When RunAs Doesn’t Work
- Some apps reuse existing instances
  - Windows Explorer
  - Microsoft Office Word
- Some apps get started through the shell
  - ShellExecute[Ex]
  - DDE
  - Current version of WindowsUpdate!

32 RunAs and Explorer
- Two viable options:
  - Use Internet Explorer, or
  - Set the flag that lets Windows Explorer run multiple instances
- Option 2: “Launch folder windows in a separate process”

33 Issues Using Local Admin Account
- No access to domain resources
- Different profile settings
- Some apps assume that the installer is the user
- Per-user Policy settings
- Power Options applet
- Resolution? MakeMeAdmin

34 MakeMeAdmin
- Temporary elevation of your current account
- Result: CMD running with your normal account but with admin privileges
- Apps started from it inherit context
- Posted on Aaron Margosis’s blog
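A MakeMeAdmin-style script showing how the temporary elevation on this slide works, as an added example that is a reconstruction and not Aaron Margosis's published MakeMeAdmin.cmd. It assumes a local account named Administrator, the local Administrators group, and that the Administrator and current-user passwords are typed at the runas prompts.

```batch
@echo off
setlocal
:: Added example of the MakeMeAdmin approach (a reconstruction, not Aaron
:: Margosis's script). Three steps, each prompting for a password:
::   1. as the local Administrator, add the current user to Administrators
::   2. start a new logon for the current user; the fresh token picks up
::      the group, so the CMD it opens is "you, but admin"
::   3. as the local Administrator, remove the current user from the group
:: The CMD from step 2 keeps its admin token after step 3, and programs
:: launched from it inherit that token. No other process of yours changes.

set _Admin_=%COMPUTERNAME%\Administrator
set _Group_=Administrators
set _User_=%USERDOMAIN%\%USERNAME%
set _Prog_=cmd.exe /t:fc /k title ***** Temporary admin: %USERNAME% *****

:: Nothing to do if the account already holds the group: refuse rather than
:: silently removing a permanent membership in step 3.
net localgroup %_Group_% | find /i "%USERNAME%" >nul
if not errorlevel 1 (
    echo %_User_% is already a member of %_Group_%; nothing to elevate.
    goto :end
)

echo Step 1: enter the %_Admin_% password to add %_User_% to %_Group_%.
runas /u:%_Admin_% "net localgroup %_Group_% %_User_% /add"
if errorlevel 1 (
    echo Could not add %_User_% to %_Group_%; no elevated console started.
    goto :end
)

echo Step 2: enter the %_User_% password to start a fresh, elevated logon.
runas /u:%_User_% "%_Prog_%"
:: runas returns as soon as the new console is running, not when it closes,
:: so the membership is removed while the elevated console stays open.

echo Step 3: enter the %_Admin_% password to remove %_User_% from %_Group_%.
runas /u:%_Admin_% "net localgroup %_Group_% %_User_% /delete"
if errorlevel 1 echo WARNING: %_User_% is still in %_Group_%; remove it by hand.

:end
endlocal
```

The distinct background colour and title on the elevated console are the same visual cue the RunAs slides recommend, so it is obvious which window carries the admin token.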

35 Or reduce when you can
- DropMyRights tool by Michael Howard
- If you need to run as admin, at least you can run Outlook as something less!

36 The Limits of LUA
- Value? Two (incorrect) extremes
  - Silver bullet
  - “Not the answer”
- What it protects against today
- What it doesn’t protect against today
- What happens when everyone is LUA?

37 Non-Admin Blog
- The easiest way to run as non-admin (Fast User Switching)
- "RunAs" basic (and intermediate) topics
- RunAs with Explorer
- MakeMeAdmin – temporary admin for your Limited User account
- PrivBar – An IE/Explorer toolbar to show current privilege level
- Running restricted – What does the "protect my computer" option mean?
- Remembering Calculator and Character Map Settings
- Managing Power Options as a non-administrator
- Ctrl-C doesn't work in RUNAS or MakeMeAdmin command shells
- Changing the system date, time and/or time zone
- How to allow users to manage file and print shares without granting other advanced privileges
- (More coming!)
- http://blogs.msdn.com/aaron_margosis

38 Resources
- Non-Admin blog: http://blogs.msdn.com/aaron_margosis
- Non-Admin Wiki: http://nonadmin.editme.com
- “Browsing the Web and Reading E-mail Safely as an Administrator”
  - Part 1: http://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asp
  - Part 2: http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp
- TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
- SysInternals tools: http://www.sysinternals.com

39 Your Feedback is Important!
- We invite you to participate in our online evaluation on CommNet, accessible Friday only
- If you choose to complete the evaluation online, there is no need to complete the paper evaluation


41 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
http://www.awprofessional.com/title/0321336437 promo code: JJSR6437
Steve Riley, steriley@microsoft.com, blogs.technet.com/steriley


