Raiders of the Elevated Token: Understanding User Account Control and Session Isolation
Raymond P.L. Comvalius, Independent IT Infrastructure Architect, NEXTXPERT
WCL325
About the speaker
Raymond P. L. Comvalius
Consultant, trainer and author
MVP Windows Expert IT Pro
[email protected]
@nextxpert
Agenda
User Account Control
  What is UAC?
  Configuring User Account Control
  Integrity Levels
  File & Registry Virtualization
  How to Control Elevation
Session 0 Isolation
Service SIDs
What is User Account Control?
“The UAC solution is to run most applications with standard user rights…, and encourage software developers to create applications that run with standard user rights. UAC accomplishes this by enabling legacy applications to run with standard user rights, making it convenient for standard users to access administrative rights when they need them.” From: Microsoft TechNet
“UAC is not a security boundary”
Windows User Types
The Administrator: the built-in account named ‘Administrator’
An Administrator: your own account with administrator privileges
Protected Administrator: AKA ‘Administrator in Admin Approval Mode’
Standard User: your own account without administrator privileges
Standardizing the User Token
A token consists of: User SID, Group SIDs, Mandatory Label, Rights/Privileges
When UAC filters the token, the following group SIDs are marked Deny (deny-only):
  Administrators, Backup Operators, Power Users, Network Configuration Operators, Cryptographic Operators, Domain Admins, Schema Admins, Enterprise Admins, Group Policy Creator Owners, Domain Controllers, Enterprise Read-Only Domain Controllers, Account Operators, Print Operators, Server Operators, RAS Servers, Pre-Windows 2000 Compatible Access
Rights/Privileges: all are removed except
  Bypass traverse checking, Shut down the system, Remove computer from docking station, Increase a process working set, Change the time zone
With or without administrative privileges
Analyzing the User Token
Demo
Consent UI
The ‘face’ of UAC
Warns you of a user state change (aka new token creation)
Secure Desktop
  A screen mode like pressing Ctrl-Alt-Del
  Creates a screenshot of the desktop (programs keep running in the background)
  Keeps scripts etc. from pressing keys or clicking the mouse
Configuring UAC in the Control Panel
From the Control Panel: Always notify / Default / Do not dim the display / Never notify
With Group Policy: more granular controls
Configuring UAC in Group Policy
Behavior for Standard Users: Deny Access, Prompt for Credentials
Admin Approval Mode for the built-in Administrator account
Behavior for Administrators in Admin Approval Mode: Prompt for Consent, Prompt for Credentials, Elevate without prompting
Elevate without prompting is not the same as disabling UAC! (the token is still split, only the prompt is skipped)
Configuring UAC
Demo
UIAccess Applications
Software alternatives for the mouse and keyboard, for example Remote Assistance
Run at the User Interface Accessibility integrity level
Windows always checks signatures on UIAccess applications
UIAccess applications must be installed in secure locations
Optionally these applications can disable the secure desktop (used with Remote Assistance)
Remote Assistance and the Secure Desktop for non-administrative users
Integrity Levels
Mandatory Access Control (Mandatory Integrity Control)
Levels are part of ACLs (a mandatory label in the object's SACL) and of tokens
A lower-level process has limited access to higher-level objects: by default it cannot write to them (no-write-up)
Used to protect the OS and for Internet Explorer Protected Mode

Level             Runs at this level
System            Services
High              Administrators (elevated token)
Medium (default)  Standard users
Low               IE Protected Mode
Standardizing the User Token
A token consists of: User SID, Group SIDs, Mandatory Label, Rights/Privileges
Integrity Level: Medium (restricted, i.e. filtered, token)
Integrity Level: High (elevated token)
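The token analysis the demo performs can be approximated offline. The Python below is added here as an illustration and is not part of the deck: it parses a capture of `whoami /groups /fo csv`, decodes the mandatory label (S-1-16-<RID>) into the integrity level named on the slides above, and tells a filtered (Medium) administrator token from an elevated (High) one by whether BUILTIN\Administrators is enabled, present as deny-only, or absent. The capture embedded in the block is constructed; the SIDs and the "Group used for deny only" attribute text are what whoami prints.

```python
"""Classify a Windows logon token from the output of `whoami /groups /fo csv`.

Added example, not from the original deck. The captured output below is
constructed (a protected administrator's filtered, medium-integrity token);
on a real machine feed in the output of `whoami /groups /fo csv`.
"""
import csv
import io

# Integrity RIDs carried in the mandatory label SID S-1-16-<RID>.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x3000: "High",
    0x4000: "System",
}
ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators

# Constructed sample: whoami /groups /fo csv run from a non-elevated
# console window by a member of Administrators (Admin Approval Mode).
SAMPLE_WHOAMI_CSV = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"NT AUTHORITY\\INTERACTIVE","Well-known group","S-1-5-4","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\\Medium Mandatory Level","Label","S-1-16-8192",""
'''


def parse_whoami_groups(text):
    """Return one dict per group row of `whoami /groups /fo csv`."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def integrity_level(rows):
    """Decode the mandatory label row (S-1-16-<RID>) into a level name."""
    for row in rows:
        if row["SID"].startswith("S-1-16-"):
            rid = int(row["SID"].rsplit("-", 1)[1])
            # Intermediate levels (e.g. Medium Plus, 0x2100) map to the step below.
            return INTEGRITY_LEVELS.get(rid & 0xF000, "Unknown")
    return "Unknown"


def classify_token(rows):
    """Name the token type the deck distinguishes.

    'elevated administrator': Administrators enabled (High integrity)
    'filtered administrator': Administrators present but deny-only (Medium)
    'standard user':          no Administrators membership at all
    Returns (kind, integrity level).
    """
    level = integrity_level(rows)
    admin_rows = [r for r in rows if r["SID"] == ADMINISTRATORS_SID]
    if not admin_rows:
        return "standard user", level
    if "deny only" in admin_rows[0]["Attributes"].lower():
        return "filtered administrator", level
    return "elevated administrator", level


if __name__ == "__main__":
    kind, level = classify_token(parse_whoami_groups(SAMPLE_WHOAMI_CSV))
    print(f"token: {kind}, integrity level: {level}")
```

The deny-only check is the important one: a filtered token still lists Administrators, so testing for membership alone (as many installers do) wrongly concludes the process is already elevated.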
IE Protected Mode
Only with User Account Control enabled
iexplore.exe runs with Low Integrity Level
User Interface Privilege Isolation (UIPI)

IE Broker mechanism (Internet Explorer 8, Internet Explorer 9/10):
  iexplore.exe (management process): Medium Integrity Level; hosts the UI Frame, Favorites Bar, Command Bar and the Protected-mode Broker Object
  iexplore.exe (content process), Protected Mode = On: Low Integrity Level; Internet/Intranet zones; hosts Browser Helper Objects, ActiveX Controls, Toolbar Extensions
  iexplore.exe (content process), Protected Mode = Off: Medium Integrity Level; Trusted Sites zone; hosts Browser Helper Objects, ActiveX Controls, Toolbar Extensions
Integrity Levels
Demo
File Virtualization
File Virtualization is a compatibility feature, not a security feature
The following folders and their subfolders are virtualized: %WinDir%, \Program Files, \Program Files (x86)
Virtual Store: %UserProfile%\AppData\Local\VirtualStore
Troubleshooting file virtualization: Event Log UAC-FileVirtualization (Applications and Services Logs\Microsoft\Windows)
Disabling file virtualization: Group Policy ‘User Account Control: Virtualize file and registry write failures to per-user locations’
Registry Virtualization
Virtualizes most locations under HKLM\Software
Keys that are not virtualized: HKLM\Software\Microsoft\Windows, HKLM\Software\Microsoft\Windows NT, HKLM\Software\Classes
Per-user location: HKCU\Software\Classes\VirtualStore
A flag on a registry key defines whether it can be virtualized
“reg flags HKLM\Software QUERY” shows the flags for HKLM\Software
Registry virtualization is NOT logged in the Event Log
File & Registry Virtualization
Demo
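Where a legacy write ends up is predictable from the rules on the two slides above. The Python below is an added example, not the deck's code: given the file path or registry key an application tried to write and a description of the process, it returns the VirtualStore location the write is redirected to, or None when virtualization does not apply (elevated, 64-bit or manifested process, an excluded file extension, a key with REG_KEY_DONT_VIRTUALIZE set, or one of the exempt key trees). The drive letter, the user profile and the extension exclusion set are constructed assumptions.

```python
"""Predict where UAC file and registry virtualization redirects a write.

Added example, not from the deck. Paths and the excluded-extension set are
constructed for illustration; the protected trees, exempt keys and
VirtualStore locations are the ones the deck names. Virtualization applies
only to a 32-bit, non-elevated, interactive process without a
requestedExecutionLevel manifest.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcessContext:
    is_32bit: bool
    is_elevated: bool
    has_manifest: bool
    is_interactive: bool = True

    def virtualization_enabled(self):
        """Only 'legacy' medium-integrity processes are redirected."""
        return (self.is_32bit and not self.is_elevated
                and not self.has_manifest and self.is_interactive)


# Protected trees from the deck, resolved for a constructed machine with
# Windows installed on C:.
PROTECTED_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
LOCAL_APPDATA = r"C:\Users\alice\AppData\Local"          # constructed %LocalAppData%
VIRTUAL_STORE = ntpath.join(LOCAL_APPDATA, "VirtualStore")
# Executable types are never virtualized; the real exclusion list is
# configurable, this subset is illustrative.
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".com"}

VIRTUALIZED_HIVE = r"HKLM\Software"
# Subtrees the deck lists as exempt from registry virtualization.
EXEMPT_KEYS = (r"HKLM\Software\Microsoft\Windows",
               r"HKLM\Software\Microsoft\Windows NT",
               r"HKLM\Software\Classes")
REGISTRY_VIRTUAL_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE"


def _under(path, root):
    """Case-insensitive 'path is root or lies below root' (Windows paths)."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def virtual_file_path(path, ctx):
    """VirtualStore copy a write to `path` lands in, or None when the write is
    not virtualized (it then fails with ACCESS_DENIED instead)."""
    if not ctx.virtualization_enabled():
        return None
    if ntpath.splitext(path)[1].lower() in EXCLUDED_EXTENSIONS:
        return None
    if not any(_under(path, root) for root in PROTECTED_DIRS):
        return None
    _drive, rest = ntpath.splitdrive(path)
    return VIRTUAL_STORE + rest        # ...\VirtualStore\Program Files\App\x.ini


def virtual_registry_key(key, ctx, dont_virtualize_flag=False):
    """Per-user VirtualStore key a write to `key` lands in, or None.

    dont_virtualize_flag mirrors REG_KEY_DONT_VIRTUALIZE as shown by
    `reg flags <key> QUERY`.
    """
    if not ctx.virtualization_enabled() or dont_virtualize_flag:
        return None
    if not _under(key, VIRTUALIZED_HIVE):
        return None
    if any(_under(key, exempt) for exempt in EXEMPT_KEYS):
        return None
    # HKLM\Software\Vendor\App -> HKCU\...\VirtualStore\MACHINE\SOFTWARE\Vendor\App
    return REGISTRY_VIRTUAL_STORE + "\\SOFTWARE" + key[len(VIRTUALIZED_HIVE):]


if __name__ == "__main__":
    legacy = ProcessContext(is_32bit=True, is_elevated=False, has_manifest=False)
    print(virtual_file_path(r"C:\Program Files\App\config.ini", legacy))
    print(virtual_registry_key(r"HKLM\Software\Vendor\App", legacy))
```

When troubleshooting, compare the prediction with the UAC-FileVirtualization event log for files; for registry writes there is no log, so Process Monitor (look for the REPARSE result on the HKLM path) is the tool.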
What defines a UAC state change
Executables that are part of the Windows OS
File names
Manifests
Compatibility settings
Shims
UAC for the Windows OS
At the default setting there is no prompt when elevating Windows OS programs (they auto-elevate), except for cmd.exe and regedit.exe, which still prompt
What’s in a name?
Evaluation of the file name determines the need for elevation (installer detection)
Keywords in the file name: Setup, Instal(l), Update
Disable this feature in Group Policy when needed: ‘User Account Control: Detect application installations and prompt for elevation’
UAC and Manifests
Configure the need for elevation per file with requestedExecutionLevel: asInvoker, highestAvailable, requireAdministrator
External (<name>.exe.manifest next to the file) or internal (embedded resource)
Use mt.exe from the SDK to inject manifests
Use sigcheck.exe from Sysinternals to view manifests (sigcheck -m)
File Names & Manifests
Demo
UAC and Compatibility Settings
Configure the shortcut or executable (Compatibility tab, the __COMPAT_LAYER layer): RequireAdministrator (the RunAsAdmin layer, ‘Run this program as an administrator’), RunAsInvoker
Create a shim: needs the Application Compatibility Toolkit (Compatibility Administrator)
  Compatibility Modes
  Compatibility Fixes
Compatibility Settings
Demo
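The inputs listed on the previous slides (manifest, file name, compatibility setting or shim, Group Policy behaviour) combine into one decision. As an added example, not from the deck, the Python below extracts requestedExecutionLevel from a constructed application manifest, applies the __COMPAT_LAYER override and the installer-detection file-name heuristic, and then maps the resulting level, the user type and the Group Policy prompt behaviours to what the user sees. Auto-elevation of signed Windows binaries is left out of the model.

```python
"""Work out what UAC does when a user launches an executable.

Added example, not from the deck; it encodes the rules the deck lists:
manifest requestedExecutionLevel, installer detection on the file name,
the __COMPAT_LAYER shim layers, and the Group Policy prompt behaviours.
The manifest below is constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

INSTALLER_KEYWORDS = ("setup", "instal", "update")     # substring match, as in the deck
# __COMPAT_LAYER / Compatibility Administrator fixes that override the manifest.
COMPAT_LAYERS = {"RunAsInvoker": "asInvoker",
                 "RunAsHighest": "highestAvailable",
                 "RunAsAdmin": "requireAdministrator"}


def manifest_execution_level(manifest_xml):
    """Return requestedExecutionLevel/@level, or None when the manifest has none."""
    data = manifest_xml.encode() if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    for elem in root.iter():                 # namespace-agnostic match on local name
        if elem.tag.split("}")[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None


def requested_level(file_name, manifest_xml=None, compat_layer=None,
                    is_32bit=True, installer_detection=True):
    """Effective execution level after shim, manifest and installer detection."""
    if compat_layer in COMPAT_LAYERS:        # a shim wins over the manifest
        return COMPAT_LAYERS[compat_layer]
    level = manifest_execution_level(manifest_xml) if manifest_xml else None
    if level:
        return level
    # No manifest: installer detection (32-bit processes only) looks at the name.
    name = file_name.lower()
    if installer_detection and is_32bit and any(k in name for k in INSTALLER_KEYWORDS):
        return "requireAdministrator"
    return "asInvoker"


def uac_outcome(level, user_type, admin_behavior="consent", standard_behavior="credentials"):
    """Map (level, user type, policy) to what the user sees.

    user_type:         'standard' or 'protected_admin' (Admin Approval Mode)
    admin_behavior:    'consent' | 'credentials' | 'silent'   (Group Policy)
    standard_behavior: 'credentials' | 'deny'                 (Group Policy)
    """
    if level == "asInvoker":
        return "runs with the caller's token, no prompt"
    if level == "highestAvailable" and user_type == "standard":
        return "runs with the caller's token, no prompt"    # nothing higher to offer
    # requireAdministrator, or highestAvailable for a protected admin: elevate.
    if user_type == "protected_admin":
        return {"consent": "consent prompt on the secure desktop",
                "credentials": "credential prompt on the secure desktop",
                "silent": "elevated without prompting"}[admin_behavior]
    return {"credentials": "credential prompt for an administrator account",
            "deny": "access denied (no elevation offered)"}[standard_behavior]


if __name__ == "__main__":
    lvl = requested_level("Setup.exe")                      # no manifest: name heuristic
    print(lvl, "->", uac_outcome(lvl, "standard", standard_behavior="deny"))
    lvl = requested_level("app.exe", SAMPLE_MANIFEST, compat_layer="RunAsInvoker")
    print(lvl, "->", uac_outcome(lvl, "protected_admin"))
```

Note the order: a RunAsInvoker shim silences a requireAdministrator manifest, which is exactly how the Compatibility Administrator lets a legacy application run without the prompt once its writes are known to be virtualizable or otherwise harmless.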
Does this look familiar?
Session 0 Isolation
Services run in session 0
Before Windows Vista, the console user also logged on to session 0, alongside the services
Users now log on to session 1 and higher
When a service shows a window in session 0 you see this message (Interactive Services Detection) on Windows 7 and earlier
Session 0 Isolation
Demo
Windows OS File Security
Multiple Layers of Protection:
  Reduce the size of high-risk layers
  Increase the number of layers
  Segment the services
Layers in the diagram: Kernel Drivers, User-mode Drivers, Service 1, Service 2, Service 3, Service …, Service A, Service B
Service SIDs
Services now have their own SIDs: S-1-5-80-<SHA-1 hash of the uppercased logical service name>
ACLs have been set on these SIDs: a resource can be granted to one specific service instead of to everything that runs as LocalSystem, so services are taken out of the shared LocalSystem security context
LocalSystem is no longer “The Master of the Universe”
Who is TrustedInstaller?
“Windows Modules Installer” service in the Services MMC (TrustedInstaller.exe)
“NT SERVICE\TrustedInstaller” in icacls.exe
TrustedInstaller installs: Windows service packs, hotfixes, operating system upgrades, patches and installations by Windows Update
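How a service SID is derived, as an added example that is not part of the deck: S-1-5-80- followed by the SHA-1 hash of the uppercased service name in UTF-16LE, split into five 32-bit little-endian sub-authorities. Run against TrustedInstaller it should reproduce the well-known S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 that icacls displays as NT SERVICE\TrustedInstaller; on Windows, `sc showsid TrustedInstaller` prints the same value.

```python
"""Derive a per-service SID from its logical service name.

Added example, not from the deck. The construction: S-1-5-80- followed by
the SHA-1 hash of the uppercased service name (UTF-16LE), read as five
32-bit little-endian sub-authorities. No Windows API is needed, so the SID
can be computed offline when writing ACLs for a service that does not exist
yet on the machine.
"""
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80-"


def service_sid(service_name):
    """Return the NT SERVICE\\<name> SID as a string."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauths = struct.unpack("<5I", digest)      # 20 bytes -> five DWORDs
    return SERVICE_SID_PREFIX + "-".join(str(x) for x in subauths)


def is_service_sid(sid):
    """True for a well-formed per-service SID (prefix plus five sub-authorities)."""
    parts = sid.split("-")
    return (sid.startswith(SERVICE_SID_PREFIX) and len(parts) == 9
            and all(p.isdigit() for p in parts[4:]))


def icacls_grant(path, service_name, rights="F"):
    """Build the icacls command line that grants `rights` to a service SID.

    icacls accepts the SID with a leading '*' instead of the account name,
    which also works before the service has been registered.
    """
    return f'icacls "{path}" /grant "*{service_sid(service_name)}:({rights})"'


if __name__ == "__main__":
    print(service_sid("TrustedInstaller"))
    print(icacls_grant(r"C:\ProgramData\MyService\state", "MyService", "M"))
```

Granting to the service SID rather than to LocalSystem is the practical consequence of the slide: a compromise of another LocalSystem service does not automatically reach a resource that is ACLed to NT SERVICE\MyService only.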
Concluding
Yes you can!
User Account Control is no rocket science
UAC makes Internet Explorer a safer browser
Analyze your applications
Get to know the tools: whoami.exe, Process Explorer, icacls.exe, Application Compatibility Toolkit
Related Content
WCL301: Case of the Unexplained 2012
WCL402: App Compat for Nerds
www.microsoft.com/springboard
www.nextxpert.com
Find me later at the Technical Learning Center
Track Resources
Resources for Developers: http://msdn.microsoft.com/en-us/windows/apps
Windows 8 is ready for Business: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-8/default.aspx
Microsoft Desktop Optimization Pack: www.microsoft.com/MDOP
Microsoft Desktop Virtualization: www.microsoft.com/dv
Springboard Series: www.microsoft.com/springboard (Explore > Plan > Deliver > Operate > Support) for Windows 7 and Windows 8, MDOP, Desktop Virtualization, Windows Intune, Internet Explorer 8, 9 and 10
Download the Windows 8 Release Preview today: http://windows.microsoft.com/en-US/windows-8/release-preview
Resources
Connect. Share. Discuss.: http://northamerica.msteched.com
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
TechNet: Resources for IT Professionals, http://microsoft.com/technet
MSDN: Resources for Developers, http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.