
Presentation Transcript


  1. Event slides will be posted at: http://www.microsoft.com/uk/msdnevents

  2. User Account Control in Windows Vista Daniel Moth Developer & Platform Group Microsoft Ltd daniel.moth@microsoft.com http://www.danielmoth.com/Blog

  3. AGENDA
  • Why, What, How
  • Manifests
  • Process Elevation
  • Virtualisation
  • Compatibility Issues

  4. UAC Goals
  • The Vista goal: enable users to run with standard user rights
  • Prevents deliberate (and accidental) modification of system settings
  • Reduces malware impact by preventing modification of security settings and hardware
  • Prevents compromise of sensitive information on shared computers

  5. UAC Challenges
  • The Windows usage model has been one of administrative rights
    • Applications use them without knowing it
    • Those that need it don’t distinguish administrative from standard user actions
  • Users want administrative rights to easily perform operations that require them
    • Software installations
    • Changing the time zone
    • Changing firewall settings
    • Etc.

  6. Administrative Rights
  • Problem: there are still operations that require administrative rights:
    • Installing applications
    • Modifying system-global settings
    • Parental controls
  • Solution: make it convenient to access administrative rights from standard user accounts
    • Identify operations that require administrative rights
    • Allow for “run as” functionality
    • Called Over The Shoulder (OTS) elevation

  7. DEMO What UAC looks like to the end user

  8. OTS Dialogs

  9. User Account Control Internals: Windows Vista Logon with UAC Enabled
  [Diagram: logon flow, Windows XP compared with Windows Vista]
  • An administrator enters credentials in the WinLogon UI
  • Local Security Authority (LSA) verifies the credentials and produces the Administrator Token
  • Windows XP: Explorer.exe is created with the full Administrator Token
  • Windows Vista: 1. Token inspected for “elevated” privileges; 2. Elevated privileges removed; Explorer.exe is created with the “Filtered” token

  10. UAC Internals 2: Defining Elevated Privileges
  • User will have a filtered token if they belong to any admin-type group, e.g.:
    • Administrators
    • Controllers
    • Backup Operators
  • User will have a filtered token if they have any of these privileges:
    • Create Token, Debug, TCB, Take Ownership, Backup, Restore, Impersonate, Load Driver, Relabel

  11. UAC Internals 3: Administrator’s Standard User Identity
  • Administrator’s standard user token is a subset of their full administrator token
  • Administrator groups are marked as “deny only” groups
    • Applies to Domain Administrators, Builtin\Administrators and others
    • Can only be used to deny access, never to grant
    • E.g. if a file only allows administrator access, the user is denied access
    • E.g. if a file allows a user’s group access but denies administrators, the user is denied access
  • All privileges except the following are stripped:
    • Change Notify, Shutdown, Undock, Reserve Processor, Time Zone
  • When authenticating to remote resources:
    • If the system is non-domain joined, the user authenticates as a standard user
    • If domain-joined and an administrator of the remote resource, the user authenticates as an administrator
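The deny-only rule on slide 11 is easy to get wrong when reasoning about ACLs, so here is an added model of it (my own illustration, not code from the deck or from Windows). It builds the filtered token the way slides 10 and 11 describe, admin group memberships demoted to deny-only and all privileges except the five listed stripped, then walks a simplified DACL: deny ACEs match both normal and deny-only groups, allow ACEs match only normal ones. Group names, privilege names and the ACL shapes are constructed for the example; the real access check has more rules (owner rights, generic mappings, ACE ordering) than this toy.

```python
from dataclasses import dataclass, field

# Privileges the filtered token keeps (slide 11); everything else is stripped.
KEPT_PRIVILEGES = {
    "SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege",
    "SeReserveProcessorPrivilege", "SeTimeZonePrivilege",
}

# Constructed subset of the admin-type groups from slide 10 that trigger token filtering.
ADMIN_GROUPS = {"BUILTIN\\Administrators", "CORP\\Domain Admins", "BUILTIN\\Backup Operators"}


@dataclass
class Token:
    user: str
    groups: set                                   # memberships usable to grant or deny
    privileges: set
    deny_only: set = field(default_factory=set)   # memberships usable only to deny


def filter_token(full: Token) -> Token:
    """Derive the administrator's standard-user token from the full token."""
    admin = full.groups & ADMIN_GROUPS
    return Token(
        user=full.user,
        groups=full.groups - admin,               # admin groups no longer grant anything
        privileges=full.privileges & KEPT_PRIVILEGES,
        deny_only=admin,                          # ...but can still be matched by deny ACEs
    )


@dataclass
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # user or group name the ACE applies to
    rights: set     # constructed right names, e.g. {"read", "write"}


def access_check(dacl, token: Token, requested: set) -> bool:
    """Simplified DACL walk in ACE order.

    A deny ACE that overlaps the requested rights wins if it names any identity
    in the token, including deny-only groups.  Allow ACEs only count for the
    user and the normal (non deny-only) groups; access is granted once every
    requested right has been allowed.
    """
    identities = token.groups | {token.user}
    granted = set()
    for ace in dacl:
        if ace.kind == "deny":
            if ace.trustee in (identities | token.deny_only) and ace.rights & requested:
                return False
        elif ace.trustee in identities:
            granted |= ace.rights & requested
            if granted == requested:
                return True
    return granted == requested   # False unless every requested right was allowed


# Constructed sample: a domain user who is also a local administrator.
FULL_TOKEN = Token(
    user="CORP\\dan",
    groups={"BUILTIN\\Administrators", "BUILTIN\\Users"},
    privileges={"SeDebugPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege"},
)
FILTERED_TOKEN = filter_token(FULL_TOKEN)

# Slide 11, first example: a file that only allows administrators.
ADMIN_ONLY_DACL = [Ace("allow", "BUILTIN\\Administrators", {"read", "write"})]

# Slide 11, second example: allows the user's group but denies administrators.
DENY_ADMINS_DACL = [
    Ace("deny", "BUILTIN\\Administrators", {"write"}),
    Ace("allow", "BUILTIN\\Users", {"read", "write"}),
]

if __name__ == "__main__":
    print("filtered privileges:", FILTERED_TOKEN.privileges)
    print("admin-only file, filtered token, write:", access_check(ADMIN_ONLY_DACL, FILTERED_TOKEN, {"write"}))
    print("deny-admins file, filtered token, write:", access_check(DENY_ADMINS_DACL, FILTERED_TOKEN, {"write"}))
    print("deny-admins file, filtered token, read:", access_check(DENY_ADMINS_DACL, FILTERED_TOKEN, {"read"}))
```

Both slide examples come out denied for the filtered token: the first because the only allow ACE names a group that is now deny-only, the second because the deny ACE still matches it. Only a read that no deny ACE covers succeeds through the Users group.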

  12. Standard User-Friendly: Windows
  • In Vista, many previously admin-only operations are accessible to standard users:
    • View system clock and calendar
    • Change time zone
    • Configure Wired Equivalent Privacy (WEP) to connect to secure wireless networks
    • Change power management settings
    • Add printers and other devices that have the required drivers installed on the computer or have been allowed by an IT administrator in Group Policy
    • Install ActiveX Controls from sites approved by an administrator
    • Create and configure a Virtual Private Network connection
    • Install critical Windows Updates

  13. Standard User-Friendly: Your Application
  • Test your application when running as Standard User!!
  • Saving per-user state as Standard User
    • %userprofile%
    • HKCU
  • Saving per-machine state as Standard User
    • %allusersprofile%
  • Embed a manifest with run level = “asInvoker”

  14. Privileges in Manifests
  • Manifest files were introduced in Windows XP to support side-by-side DLLs
    • Used for XP’s Common Control v6 dialog
    • .NET uses it for managed code “assemblies”
    • Embedded in resources of the binary file
  • New key in Vista:
    • requestedExecutionLevel
      • asInvoker: run with the user’s rights
      • highestAvailable: if standard user then don’t ask, but if the user is an administrator, then ask
      • requireAdministrator: always ask

  15. Embedding Manifest in VS
  • Create the manifest in the source directory
  • Add the following lines to the project’s .rc file:
      #define MANIFEST_RESOURCE_ID 1
      MANIFEST_RESOURCE_ID RT_MANIFEST "AdminApp.exe.manifest"
  • Add the additional manifest in project properties

  16. DEMO Manifests

  17. Process Creation in Vista with UAC Enabled
  • CreateProcess* checks the following sources for privilege information about the process:
    • 1. Embedded Application Manifest
    • 2. Side-by-Side External Manifest
    • 3. App Compatibility Database
    • 4. Installer Detection
  • If the process requires elevated privileges and the parent process token does not possess these privileges, ERROR_ELEVATION_REQUIRED is returned.
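To tie slides 14 and 17 together, here is an added model (my own, not the deck’s code and not how the loader is implemented) of the decision CreateProcess makes: read requestedExecutionLevel out of a manifest, fall back through the source order on slide 17, then apply the asInvoker / highestAvailable / requireAdministrator rules against the caller’s token. The manifest is a constructed sample in the real embedded-manifest schema; the caller kinds (`standard`, `filtered_admin`, `elevated`), the AppCompat and installer-detection inputs, and the ShellExecute stand-in are simplifications I assume for the example. The error code 740 is the real value of ERROR_ELEVATION_REQUIRED.

```python
import xml.etree.ElementTree as ET

ERROR_ELEVATION_REQUIRED = 740   # Win32 error returned by CreateProcess (slides 17 and 18)
ASM_V3 = "{urn:schemas-microsoft-com:asm.v3}"

# Constructed example of an embedded RT_MANIFEST resource asking for elevation.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def manifest_level(manifest_xml: str):
    """Return the requestedExecutionLevel of a manifest, or None if it declares none."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    node = root.find(f".//{ASM_V3}requestedExecutionLevel")
    return node.get("level") if node is not None else None


def resolve_level(embedded_manifest=None, external_manifest=None,
                  appcompat_level=None, looks_like_installer=False):
    """Slide 17 source order: embedded manifest, side-by-side manifest, AppCompat DB, installer detection.

    The AppCompat database is modelled as an already-resolved level string, and
    installer detection as a boolean (assumptions for this example).
    """
    for xml_doc in (embedded_manifest, external_manifest):
        if xml_doc:
            level = manifest_level(xml_doc)
            if level:
                return level
    if appcompat_level:
        return appcompat_level
    return "requireAdministrator" if looks_like_installer else "asInvoker"


def create_process(level: str, caller: str):
    """Apply the slide 14 rules.  caller is 'standard', 'filtered_admin' or 'elevated'.

    Returns ('run', token_used) or ('error', ERROR_ELEVATION_REQUIRED).
    """
    if level == "asInvoker":
        return ("run", caller)                       # never asks
    if level == "highestAvailable" and caller == "standard":
        return ("run", "standard")                   # nothing higher to offer, so no prompt
    if caller == "elevated":
        return ("run", "elevated")                   # parent already holds the privileges
    return ("error", ERROR_ELEVATION_REQUIRED)       # filtered admin or standard user needs elevation


def shell_execute(level: str, caller: str):
    """Stand-in for the ShellExecute path on slide 18: on ERROR_ELEVATION_REQUIRED the
    request goes to the AppInfo service, which shows a consent dialog to a filtered
    administrator or an OTS credentials dialog to a standard user."""
    outcome = create_process(level, caller)
    if outcome[0] == "run":
        return outcome
    return ("prompt", "consent" if caller == "filtered_admin" else "credentials")


if __name__ == "__main__":
    level = resolve_level(embedded_manifest=SAMPLE_MANIFEST)
    for caller in ("standard", "filtered_admin", "elevated"):
        print(level, caller, create_process(level, caller), shell_execute(level, caller))
```

The two entry points differ in exactly the way the slides describe: a plain CreateProcess of a requireAdministrator binary from the filtered token fails with 740, while the ShellExecute path turns that failure into a prompt and a re-parented launch.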

  18. UAC Prompt Internals
  [Diagram: Explorer.exe (Standard User), AppInfo Service and Consent.exe (Local System), Admin.exe (Administrator)]
  • 1. Explorer.exe calls CreateProcess(Admin.exe), which returns ERROR_ELEVATION_REQUIRED
  • 2. ShellExecute makes an RPC call to the AppInfo Service, which runs Consent.exe
  • 3. AppInfo calls CreateProcessAsUser(Admin.exe); the new process is re-parented so it appears to be a child of Explorer.exe

  19. DEMO Launching Elevated
  • Shield
  • Extract admin pieces as other manifested processes
  • Re-launch ourselves elevated

  20. COM Elevation
  • Accomplished using the elevation moniker
  • Object class must contain elevation attributes
  • Example: File Operation elevation
      HKCR\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\Elevation
        REG_DWORD Enabled=1
      HKCR\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}
        REG_EXPAND_SZ LocalizedString=“@%SystemRoot%\system32\shell32.dll,-50176”

  21. DEMO Shell “access denied” to file

  22. Common AppCompat Issue: File and Registry Permissions
  • Many applications would run fine as standard user
  • …but they needlessly store data in HKLM\Software or %ProgramFiles%
    • They use these locations for per-user data, not global data
    • These locations are system-global and so only writeable by administrators
  • It’s always worked because Windows users have always been administrators

  23. DEMO Virtualisation
  • Modifications of most system-global locations go to per-user areas
  • Reads generally go to the per-user location and fall back to the global location

  24. File Virtualisation
  • Redirected file system locations:
    • %ProgramFiles% (\Program Files)
    • %SystemRoot% (\Windows)
    • %SystemRoot%\System32 (\Windows\System32)
    • %AllUsersProfile% (\ProgramData – what was \Documents and Settings\All Users)
  • Exceptions:
    • Files that have executable extensions (.exe, .bat, .vbs, .scr, etc)
    • Exceptions can be added in HKLM\System\CurrentControlSet\Services\Luafv\Parameters\ExcludedExtensionsAdd
  • Per-user virtual root:
    • %UserProfile%\AppData\Local\VirtualStore

  25. Registry Virtualization
  • Redirected locations:
    • HKLM\Software
  • Exceptions:
    • HKLM\Software\Microsoft\Windows
    • HKLM\Software\Microsoft\Windows NT
    • Other subkeys under Microsoft
  • Per-user virtual root:
    • HKEY_CURRENT_USER\Software\Classes\VirtualStore

  26. Virtualized Processes
  • Processes are virtualized unless
    • They are running with administrative rights
    • They are 64-bit
    • They have a requestedExecutionLevel in their executable manifest
      • Most Windows Vista executables
  • Can be turned off globally via the local security policy setting (secpol.msc)
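Slides 23 to 26 describe the redirection rules as prose; the following added model (my own illustration, not the deck’s code and not the Luafv driver or the registry virtualization code in Windows) applies them to concrete paths so you can predict where a legacy write will land. The machine layout, user profile, file names and the subset of executable extensions are constructed for the example; the `MACHINE` subkey under the registry VirtualStore root is the real layout Windows uses, and is the one detail beyond what the slide states. Real virtualization has more exclusions (slide 24’s ExcludedExtensionsAdd list, further Microsoft subkeys) than this toy covers.

```python
from pathlib import PureWindowsPath

# Slide 24: system-global directories whose writes are redirected (constructed layout, C: drive).
REDIRECTED_DIRS = (r"C:\Program Files", r"C:\Windows\System32", r"C:\Windows", r"C:\ProgramData")
# Slide 24 exception list; the slide says "etc", so this is a subset.
EXECUTABLE_EXTS = {".exe", ".bat", ".vbs", ".scr"}

# Slide 25: redirected registry root, its exceptions, and the per-user virtual root.
REG_ROOT = r"HKLM\Software"
REG_EXCEPTIONS = (r"HKLM\Software\Microsoft\Windows", r"HKLM\Software\Microsoft\Windows NT")
REG_VIRTUAL_ROOT = r"HKCU\Software\Classes\VirtualStore\MACHINE\Software"


def is_virtualized(is_admin: bool, is_64bit: bool, has_execution_level: bool) -> bool:
    """Slide 26: a process is virtualized unless it is admin, 64-bit, or manifested."""
    return not (is_admin or is_64bit or has_execution_level)


def _under(path: str, base: str) -> bool:
    """Case-insensitive 'path is base or lies beneath base' test on Windows-style paths."""
    p, b = path.lower().rstrip("\\"), base.lower().rstrip("\\")
    return p == b or p.startswith(b + "\\")


def virtual_file_path(path: str, user_profile: str):
    """Per-user VirtualStore path for a system-global file, or None if it is not redirected."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in EXECUTABLE_EXTS:
        return None
    if not any(_under(path, base) for base in REDIRECTED_DIRS):
        return None
    # VirtualStore mirrors the path minus the drive: ...\VirtualStore\Program Files\App\file
    store = PureWindowsPath(user_profile) / "AppData" / "Local" / "VirtualStore"
    return str(store / p.relative_to(p.anchor))


def file_write_target(path: str, user_profile: str, process_virtualized: bool = True) -> str:
    """Where a write ends up: the VirtualStore copy, or the real path if not redirected
    (where a standard user then gets access denied, slide 21)."""
    if process_virtualized:
        virtual = virtual_file_path(path, user_profile)
        if virtual:
            return virtual
    return path


def file_read_target(path: str, user_profile: str, existing_files) -> str:
    """Slide 23: reads try the per-user copy first and fall back to the global location."""
    virtual = virtual_file_path(path, user_profile)
    if virtual and virtual in existing_files:
        return virtual
    return path


def virtual_reg_key(key: str):
    """Per-user VirtualStore key for an HKLM\\Software key, or None if not redirected."""
    if not _under(key, REG_ROOT) or key.lower() == REG_ROOT.lower():
        return None
    if any(_under(key, ex) for ex in REG_EXCEPTIONS):
        return None
    return REG_VIRTUAL_ROOT + key[len(REG_ROOT):]


if __name__ == "__main__":
    profile = r"C:\Users\dan"                                   # constructed %UserProfile%
    ini = r"C:\Program Files\Contoso\settings.ini"
    print(file_write_target(ini, profile))
    print(file_write_target(r"C:\Program Files\Contoso\update.exe", profile))
    print(file_read_target(ini, profile, {virtual_file_path(ini, profile)}))
    print(virtual_reg_key(r"HKLM\Software\Contoso\App"))
    print(virtual_reg_key(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"))
```

The executable-extension and Windows-subkey exceptions are the cases worth remembering when debugging: a legacy app that rewrites its own .exe under %ProgramFiles%, or a Run key under HKLM\Software\Microsoft\Windows, is not rescued by virtualization and simply fails as a standard user.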

  27. DEMO UAC: Local Security Policies

  28. Installation AppCompat Issues
  • Don’t perform administrator operations on first run
    • Configure all machine-wide state during install
  • Updating application binaries usually requires administrator privileges
    • Application binaries in %ProgramFiles% cannot be overwritten by a Standard User
    • MSI updating technology (MSPs) does an elevated update based on the signature of the patch
  • Use a bootstrapper to launch the application as part of the install

  29. Summary
  • Understand UAC
    • Filtered Token, Elevation, Process creation, Prompts, Shields, Manifests, Virtualisation
  • Act Now
    • Test your applications as a Standard User
    • Use the Standard User Analyzer to help
    • Embed a manifest in your EXEs
    • Fix your installation programs (use MSI)

  30. UAC Resources
  • User Account Control Resources for IT Professionals (TechNet Landing Page)
    • http://www.microsoft.com/technet/windowsvista/security/uac.mspx
  • Windows Vista Application Development Requirements for UAC Compatibility
    • http://download.microsoft.com/download/5/6/a/56a0ed11-e073-42f9-932b-38acd478f46d/WindowsVistaUACDevReqs.doc
  • UAC Team blog
    • http://blogs.msdn.com/uac
  • COM Elevation Moniker
    • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/1595ebb8-65af-4609-b3e7-a21209e64391.asp
  • Windows Vista UX Guidelines for UAC
    • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/UxGuide/UXGuide/Environment/UAC/UAC.asp
  • MSI Patching Technology
    • http://msdn2.microsoft.com/en-us/library/aa372388.aspx
  • Service Security
    • http://www.microsoft.com/whdc/system/vista/Vista_Services.mspx

  31. Event slides will be posted at: http://www.microsoft.com/uk/msdnevents

  32. Get the latest technology previews, trial software, special offers
  • Get information tailored to your needs
  • Pick your RSS feeds
  • Sign up for MSDN Connection at: http://www.msdn.co.uk

  33. Additional Information
  • UK MSDN Events
    • Post events page including slide decks
      • http://www.microsoft.com/uk/msdnevents
    • Upcoming events
      • http://www.microsoft.com/uk/msdn/events/upcoming.aspx
  • UK MSDN Site & Flash Newsletter
    • Local news, events, nuggets & webcasts
      • http://www.microsoft.com/uk/msdn
    • Register to receive the bi-weekly MSDN Flash by email
      • http://www.microsoft.com/uk/msdn/flash.aspx

  34. © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
