
User Account Control: How to Make a Good UAC Application

User Account Control: How to Make a Good UAC Application. Peter R. Woods, Senior Program Manager, Microsoft Corporation. Session objectives: Microsoft Windows User Account Control overview; the new Shield paradigm; writing code in the UAC environment.


Presentation Transcript


1. User Account Control: How to Make a Good UAC Application
Peter R. Woods, Senior Program Manager, Microsoft Corporation

2. Session Objectives
• Microsoft Windows User Account Control overview
• The new Shield paradigm
• Writing code in the UAC environment
• Windows Vista Logo program
• Debugging
• Services
• Summary & future direction

3. Why User Account Control?
• Most user accounts have Administrator privileges.
• Code running without Administrator privileges is safer for the system.
• Enterprises realize significant TCO reductions when running with managed systems.
• Enterprises are migrating to software that runs as Standard User.

4. User Account Control
• All users run as Standard User by default
  • Filtered token created during logon
  • Only specially marked apps get the unfiltered token
• Explicit consent required for elevation
  • Predictable elevation points
• High application compatibility
  • Data redirection
  • Enabling legacy apps to run as standard user
  • Installer Detection

5. UAC Architecture: Admin logon
When Abby, an administrator, logs on, her logon creates a split token: the full Admin Token (Administrative Rights) and a filtered "Standard User" token (Standard User Rights).

6. UAC Architecture: Standard User Rights
Abby's user processes run with the filtered "Standard User" token. Examples of what that token allows:
• Change Time Zone
• Run Standard User compliant applications
• Install Fonts
• Install Printers
• Run MSN Messenger

7. UAC Architecture: Administrative Rights
Tasks that need Abby's Admin Token each pass through the elevation dialog and run in a separate Admin Process:
• Change Time
• Configure IIS
• Install Application

8. Process Isolation
• Administrative and Standard User applications share the same desktop
• Security challenges
  • Cross-process Window messages
  • DLL injection and create remote thread
• Process Isolation mechanisms
  • Integrity level for processes
  • "Lower" cannot interfere with "Higher"

9. Standard User Token
Privileges typically in the Standard User token:
• Bypass traverse checking (SeChangeNotify)
• Shut down the system (SeShutdown)
• Increase Working Set Size (SeIncreaseWorkingSet)
• Remove computer from docking station (SeUndock)
• Change Time Zone (SeChangeTimeZone), new in Vista
• All other privileges are removed.
• Privileged RIDs are set to DENY_ONLY, e.g. Administrators, Enterprise Admins, Policy Admins, Power Users, etc.

10. Token Sample - Admin

```text
_User SID_
---------------------------
Account = Abby
SID = S-1-5-21-1805867774-1466862479-406111094-1000
Domain = LH-X937PF8H3FFT

_Groups SIDs_
---------------------------
Account = None
SID = S-1-5-21-1805867774-1466862479-406111094-513
Domain = LH-X937PF8H3FFT
Attribute: SE_GROUP_MANDATORY
Attribute: SE_GROUP_ENABLED_BY_DEFAULT
Attribute: SE_GROUP_ENABLED
---------------------------
Account = Everyone
SID = S-1-1-0
Domain =
Attribute: SE_GROUP_MANDATORY
Attribute: SE_GROUP_ENABLED_BY_DEFAULT
Attribute: SE_GROUP_ENABLED
---------------------------
Account = Administrators
SID = S-1-5-32-544
Domain = BUILTIN
Attribute: SE_GROUP_MANDATORY
Attribute: SE_GROUP_ENABLED_BY_DEFAULT
Attribute: SE_GROUP_ENABLED
Attribute: SE_GROUP_OWNER
---------------------------
Account = INTERACTIVE
SID = S-1-5-4
Domain = NT AUTHORITY
Attribute: SE_GROUP_MANDATORY
Attribute: SE_GROUP_ENABLED_BY_DEFAULT
Attribute: SE_GROUP_ENABLED
. . .
---------------------------
Account = High Mandatory Level
SID = S-1-16-12288
Domain = Mandatory Label
---------------------------

_Restricted SIDs_

_Privileges_
Privilege: SeIncreaseQuotaPrivilege (Disabled)
Privilege: SeSecurityPrivilege (Disabled)
Privilege: SeTakeOwnershipPrivilege (Disabled)
Privilege: SeLoadDriverPrivilege (Disabled)
Privilege: SeSystemProfilePrivilege (Disabled)
Privilege: SeSystemtimePrivilege (Disabled)
Privilege: SeProfileSingleProcessPrivilege (Disabled)
Privilege: SeIncreaseBasePriorityPrivilege (Disabled)
Privilege: SeCreatePagefilePrivilege (Disabled)
Privilege: SeBackupPrivilege (Disabled)
Privilege: SeRestorePrivilege (Disabled)
Privilege: SeShutdownPrivilege (Disabled)
Privilege: SeDebugPrivilege (Disabled)
Privilege: SeSystemEnvironmentPrivilege (Disabled)
Privilege: SeChangeNotifyPrivilege (Enabled)
Privilege: SeRemoteShutdownPrivilege (Disabled)
Privilege: SeUndockPrivilege (Disabled)
Privilege: SeManageVolumePrivilege (Disabled)
Privilege: SeImpersonatePrivilege (Enabled)
Privilege: SeCreateGlobalPrivilege (Enabled)
Privilege: SeIncreaseWorkingSetPrivilege (Disabled)
Privilege: SeTimeZonePrivilege (Disabled)
Privilege: SeCreateSymbolicLinkPrivilege (Disabled)
```

11. Token Sample - Filtered

```text
_User SID_
---------------------------
Account = Abby
SID = S-1-5-21-1805867774-1466862479-406111094-1000
Domain = LH-X937PF8H3FFT

_Groups SIDs_
---------------------------
Account = None
SID = S-1-5-21-1805867774-1466862479-406111094-513
Domain = LH-X937PF8H3FFT
Attribute: SE_GROUP_MANDATORY
Attribute: SE_GROUP_ENABLED_BY_DEFAULT
Attribute: SE_GROUP_ENABLED
---------------------------
Account = Administrators
SID = S-1-5-32-544
Domain = BUILTIN
Attribute: SE_GROUP_USE_FOR_DENY_ONLY
---------------------------
Account = Users
SID = S-1-5-32-545
Domain = BUILTIN
Attribute: SE_GROUP_MANDATORY
Attribute: SE_GROUP_ENABLED_BY_DEFAULT
Attribute: SE_GROUP_ENABLED
---------------------------
. . .
Account = INTERACTIVE
SID = S-1-5-4
Domain = NT AUTHORITY
Attribute: SE_GROUP_MANDATORY
Attribute: SE_GROUP_ENABLED_BY_DEFAULT
Attribute: SE_GROUP_ENABLED
---------------------------
Account = Medium Mandatory Level
SID = S-1-16-8192
Domain = Mandatory Label
---------------------------

_Restricted SIDs_

_Privileges_
Privilege: SeShutdownPrivilege (Disabled)
Privilege: SeChangeNotifyPrivilege (Enabled)
Privilege: SeUndockPrivilege (Disabled)
Privilege: SeIncreaseWorkingSetPrivilege (Disabled)
Privilege: SeTimeZonePrivilege (Disabled)
```
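The filtering that turns the slide-10 token into the slide-11 token, as an added Python model (not from the original deck and not Microsoft's implementation): privileged groups stay in the token but become deny-only, the integrity label drops from High to Medium, and only the five slide-9 privileges survive. The sample token is an abbreviated copy of slide 10 and the privileged-SID list is a constructed subset.

```python
"""Model of the token filtering UAC performs at logon (slides 9-11).
Constructed illustration, not Microsoft's implementation."""
from dataclasses import dataclass, replace

# Privileges a filtered token keeps (slide 9); every other privilege is removed.
KEPT_PRIVILEGES = {"SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege",
                   "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege"}
# Privileged groups that become deny-only (constructed subset of slide 9's list).
PRIVILEGED_BUILTIN_SIDS = {"S-1-5-32-544", "S-1-5-32-547"}  # Administrators, Power Users
PRIVILEGED_DOMAIN_RIDS = {"512", "519"}                     # Domain Admins, Enterprise Admins
HIGH_IL, MEDIUM_IL = "S-1-16-12288", "S-1-16-8192"
ENABLED = frozenset({"SE_GROUP_MANDATORY", "SE_GROUP_ENABLED_BY_DEFAULT", "SE_GROUP_ENABLED"})

@dataclass(frozen=True)
class Group:
    account: str
    sid: str
    attributes: frozenset

@dataclass(frozen=True)
class Token:
    user_sid: str
    groups: tuple
    privileges: dict  # privilege name -> "Enabled" / "Disabled"

def is_privileged_group(sid):
    if sid in PRIVILEGED_BUILTIN_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in PRIVILEGED_DOMAIN_RIDS

def filter_token(token):
    """Derive the 'Standard User' filtered token from the full admin token."""
    groups = []
    for g in token.groups:
        if g.sid == HIGH_IL:                  # integrity label drops to Medium
            groups.append(Group("Medium Mandatory Level", MEDIUM_IL, frozenset()))
        elif is_privileged_group(g.sid):      # group kept, but only to match deny ACEs
            groups.append(replace(g, attributes=frozenset({"SE_GROUP_USE_FOR_DENY_ONLY"})))
        else:
            groups.append(g)
    privileges = {n: s for n, s in token.privileges.items() if n in KEPT_PRIVILEGES}
    return Token(token.user_sid, tuple(groups), privileges)

def deny_only_groups(token):
    return sorted(g.account for g in token.groups if "SE_GROUP_USE_FOR_DENY_ONLY" in g.attributes)

def integrity_sid(token):
    return next(g.sid for g in token.groups if g.sid.startswith("S-1-16-"))

# Abbreviated copy of the slide-10 admin token (entries elided on the slide are omitted).
ADMIN_TOKEN = Token(
    user_sid="S-1-5-21-1805867774-1466862479-406111094-1000",
    groups=(Group("None", "S-1-5-21-1805867774-1466862479-406111094-513", ENABLED),
            Group("Everyone", "S-1-1-0", ENABLED),
            Group("Administrators", "S-1-5-32-544", ENABLED | {"SE_GROUP_OWNER"}),
            Group("INTERACTIVE", "S-1-5-4", ENABLED),
            Group("High Mandatory Level", HIGH_IL, frozenset())),
    privileges={"SeDebugPrivilege": "Disabled", "SeImpersonatePrivilege": "Enabled",
                "SeBackupPrivilege": "Disabled", "SeChangeNotifyPrivilege": "Enabled",
                "SeShutdownPrivilege": "Disabled", "SeUndockPrivilege": "Disabled",
                "SeIncreaseWorkingSetPrivilege": "Disabled", "SeTimeZonePrivilege": "Disabled"})
FILTERED_TOKEN = filter_token(ADMIN_TOKEN)
```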

12. User Experience (UX): The Security Shield Icon

13. The Security Shield
• Goal is to make your application simple & predictable
• Attached to controls which, if clicked, will require elevation as the next step
• Has only one state (i.e. no hover, disabled, etc.)
• Does not remember elevated state
• Not an unlock operation

  14. Security Shield UI Examples

15. Consent UI: the dialog differs for an OS application, an unsigned application and a signed application

  16. Credential UI

17. User Experience Guidelines
• Rules for shield and elevation
• MSDN and Windows Vista website
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
  • http://msdn.microsoft.com/library/?url=/library/en-us/UxGuide/UXGuide/Home.asp?frame=true
  • www.microsoft.com/windowsvista
• New documents are being added.
  • Check under the 'What's new' heading

18. Coding for UAC in a nutshell
• Design code to not require any Administrative privileges whenever possible.
• Per-machine settings during install
  • Place per-machine (shared) data into %ALLUSERSPROFILE%
  • Place per-machine registry settings in HKLM
• Per-user settings at first run
  • Store per-user data in the user profile
  • Place per-user data into %LOCALAPPDATA%
  • Place per-user registry settings in HKCU
  • Store user-shared data in Users\Public
• Take advantage of the Windows Vista Logo program!

19. Coding for UAC in a nutshell
• Examples of what not to do:
  • Avoid self-updating code: a major Application Compatibility issue
  • Do not perform admin configuration at first run.
  • Do not rely on explicit Admin checks for Standard User applications

20. Applications that require Administrator privileges
• Administrative applications can be marked to identify them to the O/S
  • Mark application as requiring Administrator privileges using an embedded manifest.
  • Installer detection
  • Application Compatibility shims
  • Compatibility Tab on Program Properties
  • Right-click Run as administrator

21. Applications that require Administrator privileges
• Mixed use applications:
  • Application is bifurcated into non-administrative and administrative sections; the application launches as Standard User
  • Within the UI, clearly identify Administrative tasks
  • Ensure Standard users can be fully productive
  • Identify tasks that need elevation with a "shield"
  • Elevated tasks launch in a separate process
    • Separately marked executable
    • Elevated COM object; the object should request confirmation
  • Command line tools should run asInvoker

22. Separation of Admin Code
• Cannot elevate a running process
• Communication: Two Design Patterns
  • Service Broker Model
    • IPC
    • Globally mapped shared memory
  • Side by Side Processes
    • IPC
    • Named pipes
    • Global or locally mapped shared memory

23. RequestedExecutionLevels
• level = asInvoker: launch with the same token as the parent process
• level = highestAvailable: launch with the highest token this user possesses
• level = requireAdministrator: launch with the user's highest token, provided the user is a member of the Administrators group

24. Sample Manifest
• MyAdminApp.exe.manifest

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="MyAdminApp" type="win32"/>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```
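How the three requestedExecutionLevel values on slide 23 and the manifest on slide 24 translate into a launch outcome, as an added Python example (not from the deck and not Microsoft's code): it reads the level and uiAccess attribute from the manifest and predicts which token the process gets and which prompt (Consent UI, slide 15, or Credential UI, slide 16) the user sees. The prediction also covers slide 36's rule that uiAccess="true" apps must be signed and trusted; the `signed_and_trusted` and `parent_elevated` inputs are assumptions of this model.

```python
"""Reads requestedExecutionLevel from an application manifest and predicts the UAC
launch behaviour described on slides 15-16, 23-24 and 36. Constructed example,
not Microsoft's code; SAMPLE_MANIFEST is the slide-24 manifest."""
import xml.etree.ElementTree as ET

ASM_V3 = "urn:schemas-microsoft-com:asm.v3"
VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="MyAdminApp" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

def read_execution_level(manifest_xml):
    """Return (level, uiAccess); (None, False) when the manifest carries no marking."""
    root = ET.fromstring(manifest_xml)
    node = root.find(f".//{{{ASM_V3}}}requestedExecutionLevel")
    if node is None:
        return None, False
    level = node.get("level")
    if level not in VALID_LEVELS:
        raise ValueError(f"unknown requestedExecutionLevel: {level!r}")
    return level, node.get("uiAccess", "false").lower() == "true"

def launch_outcome(level, ui_access, user_in_admins, parent_elevated=False,
                   signed_and_trusted=False):
    """Predict (token, prompt) for a launch through ShellExecute(): token is
    'admin', 'standard' or 'blocked'; prompt is 'consent', 'credential' or None."""
    if ui_access and not signed_and_trusted:   # slide 36: unsigned AT apps fail to launch
        return "blocked", None
    if level in (None, "asInvoker"):           # same token as the parent, never a prompt
        return ("admin" if parent_elevated else "standard"), None
    if parent_elevated:                        # an elevated parent already holds the admin token
        return "admin", None
    if user_in_admins:                         # filtered admin: Consent UI unlocks the admin token
        return "admin", "consent"
    if level == "highestAvailable":            # a standard user's highest token is the standard one
        return "standard", None
    return "admin", "credential"               # requireAdministrator: Credential UI for an admin

def predict_from_manifest(manifest_xml, user_in_admins, **kw):
    level, ui_access = read_execution_level(manifest_xml)
    return launch_outcome(level, ui_access, user_in_admins, **kw)
```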

  25. Admin Application Marking

26. Manifest marking in VS 2005 for C/C++

  27. Manifest marking in VS 2005

28. Shield UI Examples: add a Shield glyph to my UI

```cpp
#include <shellapi.h>

HICON hiconShield = NULL;
SHSTOCKICONINFO sii = { sizeof(sii) };   // cbSize must be set before each call

// if you want the small icon
if (SUCCEEDED(SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_SMALLICON, &sii)))
    hiconShield = sii.hIcon;

// if you want the large icon
if (SUCCEEDED(SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_LARGEICON, &sii)))
    hiconShield = sii.hIcon;

// if you want an icon at a custom size: ask only for the icon's location
// (sii.szPath / sii.iIcon) and extract it yourself at the size you need
if (SUCCEEDED(SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICONLOCATION, &sii)))
    hiconShield = ExtractIconEx(sii. ...);   // remaining arguments elided on the slide
```

29. Security Shield UI Examples
The standard button control (PUSHBUTTON, DEFPUSHBUTTON) has been enhanced to allow you to add an icon along with the displayed text, without requiring the BS_ICON or BS_BITMAP styles to be set. To show the shield icon, call the following macro (defined in commctrl.h), where hwndButton is the HWND of the button and fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield. A window message can also be used to enable the shield on a button, with the same arguments.

```cpp
#include <commctrl.h>

// macro form
Button_SetElevationRequiredState(hwndButton, fRequired);

// equivalent window message
LRESULT lresult = SendMessage(hwndButton, BCM_SETSHIELD, 0, fRequired);
```

30. Coding samples
• Use ShellExecute() rather than CreateProcess() when launching other applications.
  • CreateProcess() will return an error if elevation is required
  • ShellExecute() sends the request to the Application Information Service (AIS) for elevated launch.

```cpp
// ShellExecute() hands an elevation-requiring launch to AIS; CreateProcess() would fail
HINSTANCE retHandle = ShellExecute(NULL, L"open",
                                   L"\\Program Files\\MyApp\\MyAdminApp.exe",
                                   NULL, NULL, SW_SHOWNORMAL);
```

31. Coding samples
The runas verb to ShellExecuteEx() allows the caller to request elevation of normally unelevated apps. Pass 'runas' as the lpVerb in the SHELLEXECUTEINFO structure:

```cpp
SHELLEXECUTEINFO sei = { sizeof(sei) };   // fill lpFile etc. as usual
sei.lpVerb = L"runas";                    // request elevation for this launch
```

32. Coding samples
• Launching an elevated COM object
  • Accomplished using the elevation moniker
  • Object class must be registered as being 'elevatable' and must have a 'friendly name' assigned:

```text
HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}
    Elevation\Enabled   REG_DWORD       1
    LocalizedString     REG_EXPAND_SZ   "@%ProgramFiles%\YourApp\YourElevatedComObject.dll,-101"
```

  • Object has its string name defined in the DLL string table:

```text
STRINGTABLE LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
    101, "Your Elevated Com Object"
}
```

  • Object elevation is requested at launch time

33. Coding samples
• Elevation moniker in action. Example:

```cpp
#include <windows.h>
#include <objbase.h>
#include <strsafe.h>

// Creates an elevated instance of rclsid through the elevation moniker
// "Elevation:Administrator!new:{CLSID}"; the consent dialog is parented to hwnd.
HRESULT CreateElevatedComObject(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void **ppv)
{
    BIND_OPTS3 bo;
    WCHAR wszCLSID[50];
    WCHAR wszMonikerName[300];

    StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID) / sizeof(wszCLSID[0]));
    HRESULT hr = StringCchPrintf(wszMonikerName,
                                 sizeof(wszMonikerName) / sizeof(wszMonikerName[0]),
                                 L"Elevation:Administrator!new:%s", wszCLSID);
    if (FAILED(hr))
        return hr;

    memset(&bo, 0, sizeof(bo));
    bo.cbStruct = sizeof(bo);
    bo.hwnd = hwnd;
    bo.dwClassContext = CLSCTX_LOCAL_SERVER;
    return CoGetObject(wszMonikerName, &bo, riid, ppv);
}
```

34. Windows Vista Logo Program & UAC
• Builds upon the existing Windows XP Logo Program
• Enhancements around running as standard user
• Use the install bootstrap model if launching software directly from the installation process
• App must contain requestedExecutionLevel in an embedded manifest to define its run level
• Authenticode sign the installation package and all binaries

35. Debugging Administrative Apps
• Launch a copy of Visual Studio 2005 elevated
  • Start -> All Programs -> Microsoft Visual Studio 2005 -> (right click on) Microsoft Visual Studio 2005
  • Select Run as Administrator
• Debug your program

36. Process Isolation & Assistive Technology
• A mechanism exists to mark Accessibility applications
• Accessibility apps (Assistive Technology) need to drive UI at higher levels.
• Accessibility apps have a manifest requestedExecutionLevel statement of:

```xml
<requestedPrivileges>
  <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
</requestedPrivileges>
```

• Assistive Technology applications must be Authenticode signed and trusted or they will fail to launch.

37. Debugging Assistive Technology (AT) Apps
• Defined as apps with the manifest tag uiAccess=true
• AT apps must be Authenticode signed (root in the trusted root store)
• Launch your AT app from Windows Explorer
• Launch a copy of the Visual Studio 2005 Remote Debugger (msvsmon.exe) from within your app using ShellExecute().
• On the remote debugger, select Tools -> Options
• Click No Authentication (native only) and Allow any user to debug

38. Debugging Assistive Technology (AT) Apps
• On Visual Studio 2005
  • Select Debug -> Attach to Process
  • Under Transport, select Remote (Native only with no authentication)
  • Under Qualifier, enter the local machine name
  • Select the process to debug (your app) and click Attach

  39. Debugging AT Apps

40. Marking managed code
• No obvious way to do this in the VS UI for managed code
• The manifest can be added after the .exe is built
• Use the tool mt.exe, part of the Windows SDK
• (add in link)
• Steps:
  • Create the manifest file
  • Use mt.exe to embed the manifest: `mt.exe -manifest yourapp.manifest -outputresource:yourapp.exe;#1`
• Works for all languages: C/C++, C#, J#, and VB

41. Guides for Services
• Don't create interactive services
• No UI from services on the user desktop
• Use RPC, sockets, named pipes, or COM to communicate
• Use a reduced-privilege account, Local Service or Network Service, if possible
• The user is prompted to shift to the special session 0 viewer for interactive services

42. 'Going the other way': from high to medium
• No direct method
• Use a bootstrap EXE and launch the elevated EXE/MSI from there.
• Create/register a COM server marked to run as Interactive User and use it from your
  • Less desirable since it leaves the COM server around for anybody else to use later on
• Register a WMI.Job (formerly scheduled task) that runs as the interactive user.

43. Data Redirection for Legacy Apps
• Some legacy apps write to admin locations
  • HKLM\Software
  • %SystemDrive%\Program Files etc.
• Redirection removes the need for elevation
  • Writes to HKLM go to a redirected store under HKU: HKU -> (user SID)_Classes -> VirtualStore
  • Writes to system directories are redirected to a per-user store (%LOCALAPPDATA%\VirtualStore)
  • Copy-on-write
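Where a legacy app's writes actually end up under redirection, as an added Python model (not from the deck and not Windows' implementation) of slide 43 and the FAQ on slide 50: file writes under %ProgramFiles% and %SystemRoot% land in the user's VirtualStore, HKLM\Software writes land in the user's virtualized hive, and marked or 64-bit apps get no redirection at all (their write simply fails with a standard token). LOCALAPPDATA is an assumed profile path for the user Abby; USER_SID is taken from the slide-10 token sample.

```python
"""Where UAC data redirection sends a legacy app's writes (slide 43 and the FAQ).
Constructed model, not Windows' implementation: LOCALAPPDATA is an assumed
profile path for the user Abby; USER_SID comes from the slide-10 token sample."""
import ntpath

LOCALAPPDATA = r"C:\Users\Abby\AppData\Local"
USER_SID = "S-1-5-21-1805867774-1466862479-406111094-1000"
# Admin locations that are redirected for legacy processes (FAQ, slide 50).
REDIRECTED_DIRS = (r"C:\Program Files", r"C:\Windows")   # %ProgramFiles%, %SystemRoot%
REDIRECTED_KEY = "HKLM\\Software\\"

def virtualization_applies(has_manifest, is_64bit):
    """Only unmarked 32-bit interactive apps are virtualized ('not in 64bit')."""
    return not has_manifest and not is_64bit

def redirect_file_write(path, virtualized=True):
    """Return the per-user VirtualStore path the write lands in, or None when the
    write is not redirected (outside the admin locations, or virtualization off)."""
    if not virtualized:
        return None
    norm = ntpath.normpath(path)
    for base in REDIRECTED_DIRS:
        if norm.lower().startswith(base.lower() + "\\"):
            relative = norm[len("C:\\"):]   # keep the path below the drive root
            return ntpath.join(LOCALAPPDATA, "VirtualStore", relative)
    return None

def redirect_registry_write(key, virtualized=True):
    """Map an HKLM\\Software write to the user's virtualized store under HKU."""
    if not virtualized or not key.lower().startswith(REDIRECTED_KEY.lower()):
        return None
    return f"HKU\\{USER_SID}_Classes\\VirtualStore\\MACHINE\\SOFTWARE\\{key[len(REDIRECTED_KEY):]}"
```

For incident response, the same two locations are where a standard-user process's "successful" writes to admin paths should be looked for.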

44. Developer Impact Summary
• Windows XP Logo'd for Standard User? It will just work on Windows Vista.
• Fails on Windows XP as Standard User? Use the SUA Analyzer tool to look for Admin dependencies.
• Admin app on Windows XP? Needs to be marked as requireAdministrator.
• Web apps need special attention due to Protected Mode IE.

45. Developer Impact Summary
• Installation Best Practices
  • Use MSI 3.1 for Install and Update
  • Alternative to MSI 3.1: call Update.exe marked as admin to do the update
  • Be careful with self-updating code
  • ClickOnce is a great deployment technology for Standard User apps

46. Future UAC Direction
• Continue isolation of Admin code on the Standard User desktop
• Integrate Application IDs into the OS for Standard User code
• Integrate Software Restriction Policies into AppIDs
• Tighten down the power of Setup applications
• Metadata in Manifests
• Rollout of the Windows Vista Logo program to help ISVs write compliant code.
• Work with developers to reduce dependence on Data Redirection

  47. Resources

48. Tools: Standard User Analyzer (SUA)
• Intended to predict whether an application would work correctly as standard user
• Identifies API calls that would fail if attempted by a standard user
• Identifies all accesses requiring elevated privileges
• Available for download at the Microsoft Download Center:
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=df59b474-c0b7-4422-8c70-b0d9d3d2f575&DisplayLang=en

49. SUA Analyzer
• Enter the target app name
• Enter parameters
• Check the Launch Elevated checkbox
• Click the Launch button (on Vista, approve two elevation dialogs)
• Exit Notepad (on Vista, approve the elevation dialog)
• The tool shows the interaction that would fail as standard user. In this case, boot.ini is not accessible to standard users.
• Send comments to: luatools@microsoft.com

50. FAQ
• If I mark my app as "admin", can I skip the elevation consent dialog? – No
• Can you modify the privilege of a running application? – No
• Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not
• How long does the elevated process last? Can it time out? – Life of the process
• Can I enable which users will use UAC? – Currently this is a per-machine setting
• Does UAC apply to all processes and services? – Interactive processes only
• What areas of the Registry and file system get redirected? – HKLM\Software, %SystemRoot%, subdirectories of %ProgramFiles%
• Won't redirection de-motivate developers to fix their code? – Yes, it is a short-term mitigation, not in 64-bit
• What happens when installer detection fails? – The app runs as non-admin
• Will UAC be going down-level? – No
