
Best Practices for User Account Control (UAC) in

蔡孟儒 (Raymond), Consultant, Technology Center

Session Objectives

- User Account Control (UAC) Overview
- The new Shield paradigm
- Running applications in a UAC environment
- Coding in a UAC environment
- Summary

Microsoft Confidential

Why User Account Control?

- Most user accounts have Administrator privileges.
- Code running without Administrator privileges is safer for the system.
- Enterprises realize significant TCO reductions when running managed systems.
- Enterprises are migrating to software that runs as Standard User.

Windows Vista UAC Goals

- All users run as Standard User by default
  - A filtered token is created during logon
  - Only specially marked apps get the unfiltered token
- Explicit consent is required for elevation
  - Predictable shell elevation paths
- High application compatibility
  - Data redirection, enabling legacy apps to run as Standard User
  - Installer detection

UAC Architecture

[Diagram: Abby logs on as an administrator in split-token mode and receives two tokens. Standard User token: run IT-approved applications, run MSN Messenger. Admin token: change time, install fonts, install printers, etc. User processes run with the Standard User token; only elevated processes get the admin token.]

DEMO: Standard User Rights vs. Administrative Rights

Data Redirection for Legacy Apps

- Legacy apps write to admin locations: HKLM\Software, %SystemDrive%\, %WinDir%\System32
- Redirection removes the need for elevation
  - Writes to HKLM go to a redirected store under HKCU
  - Writes to system directories go to a per-user store
  - Copy-on-write
- This is a crutch for legacy applications.

Redirection

- Files and registry keys are redirected when written to privileged areas
- This is not a feature! It is only a mitigation for UAC and WRP
- Redirection is per user

[Diagram build: App A, App B and App C each write to HKLM; the writes are redirected to the user's HKCU store.]

DEMO: Data Redirection
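An added example, not from the deck, that lets you inspect what the redirection described above actually did on a machine. It lists the per-user VirtualStore for both the registry and the file system, maps each redirected key back to the HKLM path the legacy app thought it was writing, and shows the caveat that matters when you test from a shell: powershell.exe carries a manifest, so its own HKLM write is refused rather than redirected (virtualization applies only to unmanifested 32-bit interactive processes that are not elevated). Assumptions: Windows Vista or later, PowerShell 3 or later, run as a non-elevated user; the key name ContosoUacDemo is a constructed name for the demonstration.

```powershell
# Added example: inspect UAC file/registry virtualization from PowerShell.
# Not part of the original deck. Assumes Windows Vista+, PowerShell 3+, non-elevated user.

function Get-VirtualizedRegistryWrites {
    # Writes to HKLM\SOFTWARE by an unmanifested 32-bit interactive process land here,
    # in the calling user's own hive, which is why redirected data is per user.
    $store = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path $store)) { return @() }
    $keys = @(Get-Item $store) + @(Get-ChildItem -Path $store -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                VirtualPath = $key.Name
                # The HKLM location the legacy application believed it wrote to.
                RealPath    = $key.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE', 'HKEY_LOCAL_MACHINE'
                Value       = $name
                Data        = $key.GetValue($name)
            }
        }
    }
}

function Get-VirtualizedFileWrites {
    # File writes to %ProgramFiles% and %SystemRoot% are redirected below this folder.
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path $store)) { return @() }
    Get-ChildItem -Path $store -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

function Test-HklmWriteFromThisProcess {
    # Constructed key name for the demonstration; removed again if the write succeeds.
    $key = 'HKLM:\SOFTWARE\ContosoUacDemo'
    try {
        New-Item -Path $key -ErrorAction Stop | Out-Null
        Remove-Item -Path $key -ErrorAction SilentlyContinue
        'Write succeeded: this process holds the full admin token (elevated).'
    } catch {
        # powershell.exe has a manifest, so UAC does not virtualize it: the write is
        # refused outright instead of being silently redirected into HKCU.
        "Write refused ($($_.Exception.GetType().Name)): not elevated and not virtualized."
    }
}

Test-HklmWriteFromThisProcess
Get-VirtualizedRegistryWrites | Format-Table RealPath, Value, Data -AutoSize
Get-VirtualizedFileWrites     | Format-Table FullName, LastWriteTime -AutoSize
```

To reproduce a redirected write, run an unmanifested 32-bit test program (or Task Manager's "Virtualization" column will tell you which running processes have it enabled) and then re-run the two Get-* functions; any entry they return is a place the application must be fixed to write to HKCU or %LOCALAPPDATA% instead, because the same write will fail on 64-bit applications and under the policy that disables virtualization.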

UX: The Shield

- The goal is to make your application simple and predictable
- Attached to controls which, if clicked, will require elevation as the next step
- Has only one state (i.e. no hover, disabled, etc.)
- Does not remember elevated state
- Not an unlock operation

Shield UI Examples

Elevation Prompts

Consent UI

- OS application
- Signed application
- Unsigned application


How to Run Code Elevated

- Mark the application as requiring Administrator privileges using a manifest
- Heuristic installer detection
- Application Compatibility shims
- Compatibility tab on the program's Properties dialog
- Right-click, Run as administrator

Sample Manifest

MyAdminApp.exe.manifest

requestedExecutionLevel values:

- level = asInvoker: launch with the same token as the parent process
- level = highestAvailable: launch with the highest token this user possesses
- level = requireAdministrator: launch with the user's full administrator token, provided the user is a member of the Administrators group (otherwise the user is prompted for administrator credentials)

Marking managed code:

- The manifest can be added after the .exe is built
- Use the tool mt.exe, part of the Windows SDK
- Steps: create the manifest file, then use mt.exe to embed it:
  mt.exe -manifest yourapp.manifest -outputresource:yourapp.exe;

DEMO: Manifest and Compatibility Tab
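The manifest procedure above, as an added worked example in PowerShell; the manifest text and the helper functions are mine, not the deck's. It writes a manifest for the requested execution level, embeds it with mt.exe into resource ID 1 (the RT_MANIFEST ID the loader reads), and extracts it again to verify. Assumptions: mt.exe from the Windows SDK is on the PATH, and MyAdminApp.exe (the file named on the slide) is a hypothetical target in the current directory.

```powershell
# Added example: create and embed a UAC manifest with mt.exe. Not from the original deck.
# Assumes mt.exe (Windows SDK) is on PATH and .\MyAdminApp.exe is a hypothetical target.

function New-UacManifest {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string]$Level = 'asInvoker',
        [bool]$UiAccess = $false    # true only for assistive-technology apps; those must also be signed
    )
    $name = [IO.Path]::GetFileNameWithoutExtension($ExePath)
    $xml = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="$name" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="$($UiAccess.ToString().ToLower())"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    $manifestPath = "$ExePath.manifest"
    # ASCII output avoids a UTF-8 byte-order mark, which older mt.exe builds reject.
    Set-Content -Path $manifestPath -Value $xml -Encoding Ascii
    $manifestPath
}

function Add-ManifestToExe {
    param([Parameter(Mandatory)][string]$ExePath, [Parameter(Mandatory)][string]$ManifestPath)
    # ";#1" selects resource ID 1 of type RT_MANIFEST, the one the loader consults.
    & mt.exe -nologo -manifest $ManifestPath "-outputresource:$ExePath;#1"
    if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }
}

function Get-ManifestFromExe {
    param([Parameter(Mandatory)][string]$ExePath)
    $tmp = [IO.Path]::GetTempFileName()
    & mt.exe -nologo "-inputresource:$ExePath;#1" "-out:$tmp"
    if ($LASTEXITCODE -eq 0) { Get-Content -Path $tmp -Raw }
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

$exe = '.\MyAdminApp.exe'   # hypothetical; the name comes from the slide
$manifest = New-UacManifest -ExePath $exe -Level requireAdministrator
Add-ManifestToExe -ExePath $exe -ManifestPath $manifest
Get-ManifestFromExe -ExePath $exe | Select-String 'requestedExecutionLevel'
```

Two practical points: embed the manifest before Authenticode-signing the binary, because changing the resource section invalidates an existing signature; and an explicit asInvoker manifest is also how you opt a Standard User program whose name looks like an installer (setup, install, update) out of the installer-detection heuristic.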

UAC Architecture

UX Goals: Simple and Predictable

- 1st choice: make the application Standard User only
- 2nd choice: clearly identify administrative tasks
  - Ensure Standard Users can be fully productive
  - Identify tasks that need elevation with a "shield"

Shield Implementation

Separation of Admin Code

- A running process cannot be elevated
- Communication: two design patterns
  - Service broker model: RPC, globally mapped shared memory
  - Side-by-side processes: RPC, named pipes, global or locally mapped shared memory
- Creation of an administrator COM object to perform the elevated task: CoCreateInstanceAsAdmin
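An added example covering the Shield Implementation slide and the side-by-side process pattern above; it is my code, not the deck's. A WinForms window runs as Standard User, its admin button carries the UAC shield (BCM_SETSHIELD sent to a themed native button), and a click starts a separate elevated helper through the shell's "runas" verb, which is the only way the running process can get administrative work done since it cannot elevate itself. Assumptions: Windows Vista or later with PowerShell 3 or later in an STA console; cmd.exe showing the token's mandatory label stands in for a real admin helper, and the form and button names are hypothetical.

```powershell
# Added example: shielded button plus a side-by-side elevated helper. Not from the deck.
# Assumes Windows Vista+, PowerShell 3+ (STA). $HelperExe/$HelperArgs are stand-ins.

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
[System.Windows.Forms.Application]::EnableVisualStyles()   # the shield needs comctl32 v6

$Native = Add-Type -Namespace UacDemo -Name Native -PassThru -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr SendMessage(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);
'@
$BCM_SETSHIELD = 0x160C   # BCM_FIRST (0x1600) + 0x000C

function Set-ButtonShield {
    param([System.Windows.Forms.Button]$Button, [bool]$Show = $true)
    $Button.FlatStyle = 'System'   # only the themed native button draws the shield glyph
    [void]$Native::SendMessage($Button.Handle, $BCM_SETSHIELD, [IntPtr]::Zero, [IntPtr][int]$Show)
}

function Test-ProcessElevated {
    # True only if this process holds the unfiltered admin token (a Standard User app should say False).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-ElevatedHelper {
    param([string]$Path, [string[]]$Arguments)
    # The current process cannot be elevated; 'runas' asks the shell to start a NEW
    # process with the full admin token, which is what raises the consent/credential prompt.
    try {
        $proc = Start-Process -FilePath $Path -ArgumentList $Arguments -Verb RunAs -PassThru -Wait
        $proc.ExitCode
    } catch {
        # Thrown when the user cancels the prompt or policy denies elevation.
        Write-Warning "Elevated helper did not run: $($_.Exception.Message)"
        $null
    }
}

$HelperExe  = "$env:SystemRoot\System32\cmd.exe"                  # stand-in for a real admin helper
$HelperArgs = @('/k', 'whoami /groups | findstr /i mandatory')    # shows "High Mandatory Level" when elevated

$form = New-Object System.Windows.Forms.Form
$form.Text = 'Contoso Sample (runs as Standard User)'
$form.ClientSize = New-Object System.Drawing.Size(380, 110)

$status = New-Object System.Windows.Forms.Label
$status.AutoSize = $true
$status.Location = New-Object System.Drawing.Point(12, 12)
$status.Text = 'This process is elevated: ' + (Test-ProcessElevated)

$btn = New-Object System.Windows.Forms.Button
$btn.Text = 'Run admin task...'
$btn.Location = New-Object System.Drawing.Point(12, 50)
$btn.Size = New-Object System.Drawing.Size(200, 32)
$btn.Add_Click({
    $code = Invoke-ElevatedHelper -Path $HelperExe -Arguments $HelperArgs
    if ($null -ne $code) { $status.Text = "Helper finished with exit code $code" }
})

$form.Controls.AddRange(@($status, $btn))
$form.Add_Shown({ Set-ButtonShield -Button $btn })   # the window handle exists once the form is shown
[void]$form.ShowDialog()
```

Note what the shield does not do: it is purely a visual cue attached to the control, it has no state of its own, and clicking it a second time prompts again, because each click starts a fresh elevated process and nothing in the Standard User window remembers that elevation happened. If you run this script from an elevated shell, the label shows True and the whole window is elevated, which is exactly the design the first-choice UX goal tells you to avoid.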

Coding for UAC in a Nutshell

- Design code to not require any administrative privileges whenever possible.
- Per-machine, during install:
  - Place per-machine (shared) data in %ALLUSERSPROFILE%
  - Place per-machine registry settings in HKLM
- Per-user, at first run:
  - Place per-user data in %LOCALAPPDATA%
  - Place per-user registry settings in HKCU
  - Store data shared between users in Users\Public

Coding for UAC in a Nutshell (cont.)

Examples of what not to do:

- Do not perform admin configuration at first run; do your admin operations during setup
- Do not rely on explicit admin checks for Standard User applications

Summary

Application Impact Summary

- Works on Windows XP as Standard User? It will just work on Windows Vista.
- Fails on Windows XP as Standard User? Mitigated by redirection, or by an App Compat shim via ACT.
- Simple app with admin dependencies, or an admin app on Windows XP? It needs to be marked!
- Web apps need special attention due to Protected Mode IE.
- Use the Standard User Analyzer to fix your app. Tool location: http://www.microsoft.com/windows/appcompatibility/default.mspx

Process Isolation

- Administrative and Standard User applications share the same desktop
- Security challenges: cross-process window messages; DLL injection and CreateRemoteThread
- Process isolation mechanism: an integrity level for each process; "lower" cannot interfere with "higher"
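An added example of the "lower cannot interfere with higher" rule; it is my code, not the deck's. It reads the current token's mandatory label, starts regedit elevated (so its window is High integrity), and posts WM_CLOSE to that window from the Medium-integrity shell. UIPI drops the message: PostMessage returns false and the last Win32 error is ERROR_ACCESS_DENIED (5), and regedit stays open. The same call from an elevated shell succeeds and closes the window. Assumptions: Windows Vista or later, PowerShell 3 or later, run non-elevated; regedit.exe is used only because it is a classic Win32 window available on every Windows version.

```powershell
# Added example: observe UIPI blocking a cross-integrity window message. Not from the deck.
# Assumes Windows Vista+, PowerShell 3+, started from a non-elevated (Medium) console.

$Native = Add-Type -Namespace UipiDemo -Name Native -PassThru -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessage(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);
'@
$WM_CLOSE            = 0x0010
$ERROR_ACCESS_DENIED = 5

function Get-CurrentIntegrityLevel {
    # whoami reports the token's mandatory label as a group whose Type is "Label".
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    ($rows | Where-Object { $_.Type -eq 'Label' }).'Group Name'
}

function Start-ElevatedWindowProcess {
    param([string]$Exe = 'regedit.exe')
    $p = Start-Process -FilePath $Exe -Verb RunAs -PassThru   # consent prompt appears here
    # Poll for the main window; a Medium process may lack the rights to WaitForInputIdle on a High one.
    for ($i = 0; $i -lt 50; $i++) {
        $p = Get-Process -Id $p.Id -ErrorAction Stop
        if ($p.MainWindowHandle -ne [IntPtr]::Zero) { return $p }
        Start-Sleep -Milliseconds 100
    }
    throw "$Exe did not show a main window"
}

function Test-UipiBlocksMessage {
    param([System.Diagnostics.Process]$Target)
    $posted = $Native::PostMessage($Target.MainWindowHandle, $WM_CLOSE, [IntPtr]::Zero, [IntPtr]::Zero)
    $err    = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [pscustomobject]@{
        SenderLabel = Get-CurrentIntegrityLevel
        TargetPid   = $Target.Id
        Posted      = $posted
        LastError   = $err
        BlockedByUipi = (-not $posted) -and ($err -eq $ERROR_ACCESS_DENIED)
    }
}

$target = Start-ElevatedWindowProcess
Test-UipiBlocksMessage -Target $target | Format-List
# Cleanup: terminating a High-integrity process from Medium is itself denied; close the window by hand then.
if (-not $target.HasExited) { Stop-Process -Id $target.Id -ErrorAction SilentlyContinue }
```

The check only proves that the default message filter blocked WM_CLOSE. A privileged application can punch holes in it with ChangeWindowMessageFilter (or, per window, ChangeWindowMessageFilterEx) for messages it wants to receive from lower-integrity senders, which is why any message handler an elevated process opens up this way has to be reviewed as untrusted input.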

DEMO: User Interface Privilege Isolation (UIPI)

More Information on UAC

- UAC Blog: http://blogs.msdn.com/uac
- Deck from PDC2005: http://commnet.microsoftpdc.com/content/downloads.aspx
- General Security Info: http://msdn.microsoft.com/windowsvista/security/
- Getting Started with UAC: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
- UAP Developer Guidelines: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
- UAC Question on Update: http://forums.microsoft.com/msdn/showpost.aspx?postid=111453&siteid=1
- Aaron's Blog, "Not running as administrator": http://blogs.msdn.com/Aaron_Margosis

FAQ

- If I mark my app as "admin", can I skip the elevation consent dialog? No.
- Can you modify the privilege of a running application? No.
- Will UAC elevate whenever a privileged API is used? No; the entire process is either elevated or not.
- How long does the elevated process last? Can it time out? It lasts for the life of the process.
- Can I choose which users UAC applies to? No; currently this is a per-machine setting.
- Does UAC apply to all processes and services? Interactive processes only.
- What areas of the registry and file system get redirected? HKLM\Software, %SystemRoot%, %ProgramFiles%.
- Won't redirection de-motivate developers from fixing their code? Yes; it is a short-term mitigation, and it is not applied to 64-bit applications.
- What happens when installer detection fails? The app runs as non-admin.
- Will UAC be going down-level? No.

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

User Control Policies

- Admin Approval Mode for the built-in Administrator account. Default: Not Defined
- Behavior of the elevation prompt for administrators in Admin Approval Mode. Default: Prompt for consent
- Behavior of the elevation prompt for standard users. Default: Prompt for credentials
- Detect application installations and prompt for elevation. Default: Enabled

User Control Policies (cont.)

- Only elevate executables that are signed and trusted. Default: Disabled
- Run all administrators in Admin Approval Mode. Default: Enabled
- Switch to the secure desktop when prompting for elevation. Default: Enabled
- Virtualize file and registry write failures to per-user locations. Default: Enabled
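An added audit script for the policies listed above; it is my code, not the deck's. Each setting is read from the registry values the Local Security Policy editor writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and compared with the Windows Vista default the deck gives, treating an absent value as "not defined" (the OS default applies). Assumption: the mapping from policy names to value names below is the documented one; the meaning of ConsentPromptBehaviorAdmin/User values 3 and above was added in later Windows versions and is not covered here.

```powershell
# Added example: audit UAC policy values against the Vista defaults in the deck. Not from the deck.
# Assumes Windows Vista+ and PowerShell 3+. Reading HKLM needs no elevation.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Setting (as shown in the policy editor), its registry value name, and the Vista default.
# 0/1 are Disabled/Enabled; ConsentPromptBehaviorAdmin: 0 = no prompt, 1 = credentials, 2 = consent;
# ConsentPromptBehaviorUser: 0 = automatically deny, 1 = prompt for credentials.
$UacPolicies = @(
    @{ Setting = 'Admin Approval Mode for the built-in Administrator account';               Value = 'FilterAdministratorToken';    Default = 0 }
    @{ Setting = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'; Value = 'ConsentPromptBehaviorAdmin'; Default = 2 }
    @{ Setting = 'Behavior of the elevation prompt for standard users';                       Value = 'ConsentPromptBehaviorUser';  Default = 1 }
    @{ Setting = 'Detect application installations and prompt for elevation';                 Value = 'EnableInstallerDetection';   Default = 1 }
    @{ Setting = 'Only elevate executables that are signed and trusted';                      Value = 'ValidateAdminCodeSignatures'; Default = 0 }
    @{ Setting = 'Run all administrators in Admin Approval Mode';                             Value = 'EnableLUA';                  Default = 1 }
    @{ Setting = 'Switch to the secure desktop when prompting for elevation';                 Value = 'PromptOnSecureDesktop';      Default = 1 }
    @{ Setting = 'Virtualize file and registry write failures to per-user locations';         Value = 'EnableVirtualization';       Default = 1 }
)

function Get-UacPolicyState {
    $props = Get-ItemProperty -Path $UacPolicyPath -ErrorAction Stop
    foreach ($p in $UacPolicies) {
        $prop    = $props.PSObject.Properties[$p.Value]
        $current = if ($prop) { [int]$prop.Value } else { $null }   # absent = not defined, OS default applies
        [pscustomobject]@{
            Setting      = $p.Setting
            ValueName    = $p.Value
            Current      = $current
            VistaDefault = $p.Default
            Deviates     = ($null -ne $current) -and ($current -ne $p.Default)
        }
    }
}

function Test-UacEnabled {
    # EnableLUA = 0 switches off Admin Approval Mode, the prompts and virtualization together.
    $lua = (Get-UacPolicyState | Where-Object { $_.ValueName -eq 'EnableLUA' }).Current
    ($null -eq $lua) -or ($lua -ne 0)
}

Get-UacPolicyState | Format-Table Setting, ValueName, Current, VistaDefault, Deviates -AutoSize
if (-not (Test-UacEnabled)) {
    Write-Warning 'EnableLUA is 0: UAC is disabled (effective after the next reboot).'
}
```

Two rows deserve attention when you read the table. ConsentPromptBehaviorAdmin = 0 means administrators are elevated silently, which removes the explicit-consent goal from the first slides entirely; and PromptOnSecureDesktop = 0 leaves the prompt on the interactive desktop, where the UIPI discussion above applies to it like any other window.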
