Best Practices for User Account Control (UAC) in Windows Vista
蔡孟儒 (Raymond), Consultant, Microsoft Technology Center

Session Objectives
• User Account Control (UAC) Overview
• The new Shield paradigm
• Running application in UAC environment
• Coding in UAC environment
• Summary

Microsoft Confidential
Why User Account Control?
• Most user accounts have Administrator privileges.
• Code running without Administrator privileges is safer for the system.
• Enterprises realize significant TCO reductions when running with managed systems.
• Enterprises are migrating to software that runs as Standard User.
Windows Vista UAC goals
• All users run as Standard User by default
  • A filtered token is created during logon
  • Only specially marked apps get the unfiltered token
• Explicit consent required for elevation
  • Predictable shell elevation paths
• High application compatibility
  • Data Redirection: enabling legacy apps to run as standard user
  • Installer Detection
UAC Architecture: Standard User Rights vs. Administrative Rights
[Diagram: split-token logon. An administrator ("Abby") logs on and receives two tokens: a filtered "Standard User" token and an Admin token. User processes run with the Standard User token; only tasks that need Admin privilege run with the Admin token, in the Admin Token Zone. Tasks shown: Change Time, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, etc.]

DEMO: Standard User Rights vs. Administrative Rights

Data Redirection for Legacy Apps
• Legacy apps write to admin locations: HKLM\Software; %SystemDrive%\Program Files; %WinDir%\System32
• Redirection removes the need for elevation
  • Writes to HKLM go to a redirected store under HKCU
  • Writes to system directories are redirected to a per-user store
  • Copy-on-write
• This is a crutch for legacy applications.
Redirection
• Files and registry keys are redirected when written to privileged areas
• This is not a feature! Only a mitigation for UAC, WRP
• Redirection is per user
[Diagram, built up over five slides: APP A writes to HKLM and the write is redirected to HKCU. APP B then reads/writes the same location and is served the redirected HKCU copy. A third app, APP C, is shown reading/writing HKLM directly, without redirection.]

DEMO: Data Redirection
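The following is an added model of the redirection mechanism described on the last two slides; it is example code written for this page, not Microsoft's implementation. It replays the APP A / APP B / APP C build-up on a constructed registry key and shows the per-user and copy-on-write behaviour. The VirtualStore locations (HKCU\Software\Classes\VirtualStore\MACHINE for registry writes, %LOCALAPPDATA%\VirtualStore for file writes) and the exclusion of elevated, 64-bit and manifested processes are known Windows Vista behaviour, not stated on the slides.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Where redirected writes land (known Vista locations, not from the slides).
VIRTUAL_REG_ROOT = r"HKCU\Software\Classes\VirtualStore\MACHINE"
VIRTUAL_FS_ROOT = r"%LOCALAPPDATA%\VirtualStore"

# Protected file-system areas named in the deck, with the folder used under VirtualStore.
PROTECTED_FS = {"%PROGRAMFILES%": "Program Files", "%SYSTEMROOT%": "Windows", "%WINDIR%": "Windows"}


@dataclass
class Process:
    name: str
    user: str
    elevated: bool = False      # running with the full admin token
    is_64bit: bool = False      # virtualization is 32-bit only (see the FAQ)
    has_manifest: bool = False  # a requestedExecutionLevel manifest opts out

    @property
    def virtualized(self) -> bool:
        """Only legacy, non-elevated 32-bit processes get the crutch."""
        return not (self.elevated or self.is_64bit or self.has_manifest)


def redirect(path: str) -> Optional[str]:
    """Per-user VirtualStore location for a protected path, or None if the
    path is not in a protected area (then the write is not redirected)."""
    upper = path.upper()
    if upper.startswith(r"HKLM\SOFTWARE"):
        # HKLM\Software\X -> HKCU\Software\Classes\VirtualStore\MACHINE\Software\X
        return VIRTUAL_REG_ROOT + path[len("HKLM"):]
    for prefix, folder in PROTECTED_FS.items():
        if upper.startswith(prefix):
            # %ProgramFiles%\X -> %LOCALAPPDATA%\VirtualStore\Program Files\X
            return VIRTUAL_FS_ROOT + "\\" + folder + path[len(prefix):]
    return None


@dataclass
class Machine:
    """The real protected locations plus one VirtualStore per user."""
    real: Dict[str, str] = field(default_factory=dict)
    virtual: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def write(self, proc: Process, path: str, value: str) -> str:
        """Returns 'written', 'redirected' or 'denied'."""
        target = redirect(path)
        if target is None or proc.elevated:
            self.real[path] = value                    # unprotected area, or admin token
            return "written"
        if proc.virtualized:
            self.virtual[(proc.user, target)] = value  # copy-on-write, per-user store
            return "redirected"
        return "denied"                                # standard user, no virtualization

    def read(self, proc: Process, path: str) -> Optional[str]:
        """A virtualized reader sees its own user's redirected copy first and
        falls back to the real location; everyone else reads the real location."""
        target = redirect(path)
        if target is not None and proc.virtualized:
            hit = self.virtual.get((proc.user, target))
            if hit is not None:
                return hit
        return self.real.get(path)


def demo() -> Dict[str, Optional[str]]:
    """Replays the slide's APP A / APP B / APP C build-up on a constructed key."""
    key = r"HKLM\Software\LegacyApp\Setting"
    m = Machine(real={key: "installed-default"})
    app_a = Process("APP A", user="abby")
    app_b = Process("APP B", user="abby")
    app_c = Process("APP C", user="abby", elevated=True)
    app_a_as_bob = Process("APP A", user="bob")
    marked = Process("MarkedApp", user="abby", has_manifest=True)
    return {
        "A write": m.write(app_a, key, "changed-by-A"),  # redirected
        "B read": m.read(app_b, key),                     # changed-by-A
        "C read": m.read(app_c, key),                     # installed-default
        "bob read": m.read(app_a_as_bob, key),            # installed-default (per-user store)
        "real": m.real[key],                              # installed-default: HKLM untouched
        "marked write": m.write(marked, key, "x"),        # denied: no crutch for marked apps
    }
```

The "marked write" case is the point of the slide's warning that redirection is not a feature: as soon as an application is marked with a manifest (or built as 64-bit), the same write fails outright, so an application that relies on the redirected store will break the moment it is modernised.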
UX: The Shield
• Goal is to make your application simple & predictable
• Attached to controls which, if clicked, will require elevation as the next step
• Has only one state (i.e. no hover, disabled, etc.)
• Does not remember elevated state
• Not an unlock operation

Shield UI Examples
[Screenshots of shield icons on buttons and links]

Elevation Prompts
[Screenshots of the elevation prompts]

Consent UI
[Screenshots of the consent dialog for an OS application, a signed application and an unsigned application]
How to Run Code Elevated
• Mark the application as requiring Administrator privileges using a manifest
• Heuristic installer detection
• Application Compatibility shims
• Compatibility Tab on Program Properties
• Right-click "Run as administrator"

Sample Manifest: MyAdminApp.exe.manifest
[Slide shows the manifest XML; the requestedExecutionLevel values are:]
• level = asInvoker: launch with the same token as the parent process
• level = highestAvailable: launch with the highest token this user possesses
• level = requireAdministrator: the user's highest token is provided; the user must be a member of the Administrators group

Marking managed code
• A manifest can be added after the .exe is built
• Use the tool mt.exe, part of the Windows SDK
• Steps:
  1. Create the manifest file
  2. Use mt.exe to embed the manifest:
     mt.exe -manifest yourapp.manifest -outputresource:yourapp.exe;#1

DEMO: Manifest, Compatibility Tab
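The slides above describe the manifest levels, heuristic installer detection and the "runs as non-admin" fallback, but not the manifest text itself. The following added example (written for this page, not taken from the deck or the Windows SDK) embeds a constructed manifest of the kind MyAdminApp.exe.manifest would hold, extracts its requestedExecutionLevel, and works out how Vista will launch a 32-bit executable with or without a manifest. The installer-detection keywords ("install", "setup", "update" in the file name) are the documented Vista heuristic, an assumption not stated on the slides.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Launch behaviour of each level, as listed on the "Sample Manifest" slide.
LEVEL_BEHAVIOUR = {
    "asInvoker": "launch with the same token as the parent process",
    "highestAvailable": "launch with the highest token this user possesses",
    "requireAdministrator": "launch with the user's admin token; user must be in Administrators",
}

# File-name keywords used by heuristic installer detection (documented Vista heuristic).
INSTALLER_KEYWORDS = ("install", "setup", "update")

# Constructed sample of what MyAdminApp.exe.manifest would contain.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="MyAdminApp" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def requested_level(manifest_xml: str) -> Optional[str]:
    """requestedExecutionLevel/@level from a manifest, or None if the app is unmarked."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # Match on the local name so asm.v2 and asm.v3 trustInfo namespaces both work.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = elem.get("level")
            if level not in LEVEL_BEHAVIOUR:
                raise ValueError(f"unknown requestedExecutionLevel: {level!r}")
            return level
    return None


def launch_decision(exe_name: str, manifest_xml: Optional[str]) -> Dict[str, object]:
    """How Vista treats a 32-bit exe at launch: the marked level, installer
    detection for unmarked exes, and whether data redirection applies."""
    level = requested_level(manifest_xml) if manifest_xml else None
    if level is not None:
        # Marked apps: the manifest wins; installer heuristics and virtualization are off.
        return {"level": level, "installer_detected": False, "virtualized": False,
                "behaviour": LEVEL_BEHAVIOUR[level]}
    if any(k in exe_name.lower() for k in INSTALLER_KEYWORDS):
        # Heuristic installer detection: launched as if marked requireAdministrator.
        return {"level": "requireAdministrator", "installer_detected": True,
                "virtualized": False, "behaviour": "installer detection prompts for elevation"}
    # Detection did not fire: the app runs as non-admin, with redirection as its crutch.
    return {"level": "asInvoker", "installer_detected": False, "virtualized": True,
            "behaviour": LEVEL_BEHAVIOUR["asInvoker"]}
```

Run over the manifests extracted from a software inventory, requested_level is a quick audit of which applications demand requireAdministrator and therefore prompt on every launch; an application that only needs admin rights during setup should be asInvoker with the admin work moved into its installer.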
UAC Architecture
[Architecture diagram]

UX Goals: Simple & Predictable
• 1st Choice: Make the application Standard User only
• 2nd Choice: Clearly identify Administrative tasks
  • Ensure Standard Users can be fully productive
  • Identify tasks that need elevation with a "shield"

Shield Implementation APIs
[Slide shows the API table]

Separation of Admin Code
• Cannot elevate a running process
• Communication: two design patterns
  • Service Broker model: RPC; globally mapped shared memory
  • Side-by-side processes: RPC; named pipes; global or locally mapped shared memory
• Creation of an Administrator COM object to perform the elevated task: CoCreateInstanceAsAdmin
Coding for UAC in a nutshell
• Design code to not require any Administrative privileges whenever possible.
• Per-machine settings during install
  • Place per-machine (shared) data into %ALLUSERSPROFILE%
  • Place per-machine registry settings in HKLM
• Per-user settings at first run
  • Place per-user data into %LOCALAPPDATA%
  • Place per-user registry settings in HKCU
• Store user-shared data in User\Public

Coding for UAC in a nutshell (cont.)
• Examples of what not to do:
  • Do not perform admin configuration at first run; do your admin operations during setup
  • Do not rely on explicit Admin checks for Standard User applications

Summary: Application Impact
• Works on Windows XP as Standard User? It will just work on Windows Vista.
• Fails on Windows XP as Standard User?
  • Mitigated by Redirection
  • Mitigated by App Compat shim via ACT
• Simple app with Admin dependencies
• Admin app on Windows XP? Needs to be marked!
• Web apps need special attention due to Protected Mode IE
• Use the Standard User Analyzer to fix your app
  • Tool location: http://www.microsoft.com/windows/appcompatibility/default.mspx
Process Isolation
• Administrative and Standard User applications share the same desktop
• Security challenges
  • Cross-process Window messages
  • DLL injection and create remote thread
• Process Isolation mechanisms
  • Integrity level for processes
  • "Lower" cannot interfere with "Higher"
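The following added example (written for this page, not Microsoft's code) models the integrity-level rule from the Process Isolation slide for a shared desktop: a lower-integrity process may not send window messages to, or modify, a higher-integrity one. The mandatory-label SIDs and their level values are the real Vista ones; the desktop snapshot of three processes is constructed. The target-side allow set models the fact that a higher-integrity window can explicitly open individual messages (as ChangeWindowMessageFilter lets it do), which is not on the slide.

```python
from typing import Dict, FrozenSet, List, Tuple

# Mandatory-label SIDs and the integrity level each encodes (real Vista values).
INTEGRITY_LEVELS: Dict[str, Tuple[str, int]] = {
    "S-1-16-4096": ("Low", 0x1000),      # e.g. Protected Mode Internet Explorer
    "S-1-16-8192": ("Medium", 0x2000),   # standard user / filtered admin token
    "S-1-16-12288": ("High", 0x3000),    # elevated (full admin token) process
    "S-1-16-16384": ("System", 0x4000),  # services running as LocalSystem
}


def level_of(label_sid: str) -> int:
    """Numeric integrity level for a mandatory-label SID."""
    try:
        return INTEGRITY_LEVELS[label_sid][1]
    except KeyError:
        raise ValueError(f"not a known mandatory label SID: {label_sid!r}")


def can_send_message(sender_sid: str, target_sid: str, message: str,
                     target_allows: FrozenSet[str] = frozenset()) -> bool:
    """UIPI: window messages flow down or sideways in integrity, never up,
    unless the higher-integrity target explicitly allowed that message."""
    if level_of(sender_sid) >= level_of(target_sid):
        return True
    return message in target_allows


def can_modify(sender_sid: str, target_sid: str) -> bool:
    """No-write-up for process objects: a lower-integrity process gets no
    write access to a higher one, so the slide's DLL injection / remote
    thread challenge is refused even between processes of the same user."""
    return level_of(sender_sid) >= level_of(target_sid)


# Constructed desktop snapshot: three processes of the same logged-on user.
SAMPLE_PROCESSES: Dict[str, str] = {
    "iexplore.exe (Protected Mode)": "S-1-16-4096",
    "notepad.exe": "S-1-16-8192",
    "regedit.exe (elevated)": "S-1-16-12288",
}


def audit_desktop(processes: Dict[str, str], message: str = "WM_SETTEXT") -> List[Tuple[str, str, bool]]:
    """For every ordered pair of processes, whether sender may deliver `message` to target."""
    names = list(processes)
    return [(s, t, can_send_message(processes[s], processes[t], message))
            for s in names for t in names if s != t]


def blocked_pairs(processes: Dict[str, str]) -> List[Tuple[str, str]]:
    """The sender/target pairs UIPI blocks on this desktop."""
    return [(s, t) for s, t, ok in audit_desktop(processes) if not ok]
```

The result is the asymmetry the slide is after: the elevated regedit.exe can drive every window on the desktop, notepad.exe can drive Protected Mode IE but not regedit.exe, and Protected Mode IE can drive neither. A defender reviewing a broker design should check that any message the high-integrity side opens with the allow set is one it validates, since that message becomes reachable from Low.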
DEMO: User Interface Privilege Isolation (UIPI)

More Information on UAC
• UAC Blog: http://blogs.msdn.com/uac
• Deck from PDC2005: http://commnet.microsoftpdc.com/content/downloads.aspx
• General Security Info: http://msdn.microsoft.com/windowsvista/security/
• Getting Started with UAC: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
• UAP Developer Guidelines: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
• UAC Question on Update: http://forums.microsoft.com/msdn/showpost.aspx?postid=111453&siteid=1
• Aaron's Blog, "Not running as administrator": http://blogs.msdn.com/Aaron_Margosis
FAQ
• If I mark my app as "admin", can I skip the elevation consent dialog? No.
• Can you modify the privilege of a running application? No.
• Will UAC elevate whenever a privileged API is used? No, the entire process is either elevated or not.
• How long does the elevated process last? Can it time out? The life of the process.
• Can I choose which users will use UAC? Currently this is a per-machine setting.
• Does UAC apply to all processes and services? Interactive processes only.
• What areas of the Registry and File system get redirected? HKLM\Software, %SystemRoot%, %ProgramFiles%
• Won't Redirection de-motivate developers from fixing their code? Yes; it is a short-term mitigation, and is not present on 64-bit.
• What happens when installer detection fails? The app runs as non-admin.
• Will UAC be going down-level? No.

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

User Control Policies
• Admin Approval Mode for the built-in Administrator account. Default: Not Defined
• Behavior of the elevation prompt for administrators in Admin Approval Mode. Default: Prompt for consent
• Behavior of the elevation prompt for standard users. Default: Prompt for credentials
• Detect application installations and prompt for elevation. Default: Enabled

User Control Policies (cont.)
• Only elevate executables that are signed and trusted. Default: Disabled
• Run all administrators in Admin Approval Mode. Default: Enabled
• Switch to the secure desktop when prompting for elevation. Default: Enabled
• Virtualize file and registry write failures to per-user locations