![Page 1: Raiders of the Elevated Token: Understanding User Account Control and Session Isolation Raymond P.L. Comvalius Independent IT Infrastructure Architect](https://reader030.vdocuments.us/reader030/viewer/2022032804/56649e575503460f94b4fab2/html5/thumbnails/1.jpg)
Raiders of the Elevated Token: Understanding User Account Control and Session Isolation
Raymond P.L. Comvalius, Independent IT Infrastructure Architect, NEXTXPERT
Session WCL325
About the speaker
Raymond P. L. Comvalius
Consultant, trainer and author
MVP Windows Expert IT Pro since
[email protected]
@nextxpert
Agenda
User Account Control
- What is UAC?
- Configuring User Account Control
- Integrity Levels
- File & Registry Virtualization
- How to Control Elevation
Session 0 Isolation
- Service SIDs
What is User Account Control?
"The UAC solution is to run most applications with standard user rights …, and encourage software developers to create applications that run with standard user rights. UAC accomplishes this by enabling legacy applications to run with standard user rights, making it convenient for standard users to access administrative rights when they need them." (From Microsoft TechNet)
"UAC is not a security boundary": Microsoft does not treat a way for Medium-integrity code to reach the elevated token of the same user as a security vulnerability, so UAC raises the bar for silent elevation but is not a control to rely on against a determined local attacker.
Windows User Types
- The Administrator: the built-in account named 'Administrator' (by default not subject to Admin Approval Mode)
- An Administrator: your own account with administrator privileges (member of the Administrators group)
- Protected Administrator, also known as 'Administrator in Admin Approval Mode': what UAC makes of "An Administrator", running with a filtered token until elevation is approved
- Standard User: your own account without administrator privileges
Standardizing the User Token
A token consists of the user SID, the group SIDs, a mandatory label (integrity level) and rights/privileges. When an administrator logs on with UAC enabled, Windows derives a second, filtered token from the full token:
Group SIDs are kept but marked "used for deny only" (they can match a Deny ACE but never an Allow ACE) for: Administrators, Backup Operators, Power Users, Network Configuration Operators, Cryptographic Operators, Domain Admins, Schema Admins, Enterprise Admins, Group Policy Creator Owners, Domain Controllers, Enterprise Read-Only Domain Controllers, Account Operators, Print Operators, Server Operators, RAS Servers, Pre-Windows 2000 Compatible Access
Privileges: all removed except
- Bypass traverse checking (SeChangeNotifyPrivilege)
- Shut down the system (SeShutdownPrivilege)
- Remove computer from docking station (SeUndockPrivilege)
- Increase a process working set (SeIncreaseWorkingSetPrivilege)
- Change the time zone (SeTimeZonePrivilege)
Analyzing the User Token
Demo: with or without administrative privileges
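The token analysis the demo performs, as an added PowerShell example that is not part of the original deck. It relies on whoami.exe (which ships with Windows) because .NET's WindowsIdentity does not expose the deny-only attribute or the mandatory label, and it classifies the current process as standard user, protected administrator (filtered token) or elevated from what it finds. Nothing here needs administrator rights; run it once in a normal PowerShell window and once in an elevated one to see the difference.

```powershell
# Added example: classify the token of the current PowerShell process.
function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # CSV output exposes the SID attributes ("Group used for deny only") and the label row.
    $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami.exe /priv   /fo csv | ConvertFrom-Csv

    $label    = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'   # e.g. Mandatory Label\Medium Mandatory Level
    $denyOnly = $groups | Where-Object { $_.Attributes -match 'deny only' }

    # IsInRole ignores deny-only SIDs, so it is $true only when the process holds the full (elevated) token.
    $adminRole     = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $isElevated    = $principal.IsInRole($adminRole)
    $adminDenyOnly = [bool]($denyOnly | Where-Object { $_.SID -eq 'S-1-5-32-544' })   # BUILTIN\Administrators

    $state = 'Standard user'
    if ($isElevated)        { $state = 'Elevated administrator (full token, High integrity)' }
    elseif ($adminDenyOnly) { $state = 'Protected administrator (filtered token, Medium integrity)' }

    [pscustomobject]@{
        User           = $identity.Name
        IntegrityLabel = $label
        State          = $state
        DenyOnlyGroups = ($denyOnly.'Group Name' -join '; ')
        PrivilegeCount = @($privs).Count          # a filtered token keeps only the five privileges listed on the slide
        Privileges     = ($privs.'Privilege Name' -join '; ')
    }
}

Get-TokenSummary | Format-List
```

The deny-only check is the important one: a protected administrator still carries the Administrators SID, so code that only inspects group membership (or a script that tests `$identity.Groups`) will wrongly conclude it has admin rights. Only the enabled groups and the surviving privileges tell you what the token can actually do.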
Consent UI
The 'face' of UAC: warns you of a user state change (the creation and use of the elevated token).
Secure Desktop
- A separate desktop, like the one shown when you press Ctrl-Alt-Del, owned by the system rather than by the user's session
- Shows a dimmed screenshot of the user desktop; programs keep running in the background
- Keeps scripts and other user-mode programs from pressing keys or clicking the mouse on the prompt, because windows on the user desktop cannot send input to windows on the secure desktop
Configuring UAC in the Control Panel
From the Control Panel (the UAC slider):
- Always notify
- Default (notify only when programs try to make changes)
- Do not dim the display
- Never notify
With Group Policy: more granular controls
Configuring UAC in Group Policy
- Behavior of the elevation prompt for standard users: Automatically deny elevation requests / Prompt for credentials
- Admin Approval Mode for the built-in Administrator account (off by default, so the built-in Administrator normally runs with a full token)
- Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent / Prompt for credentials / Elevate without prompting
"Elevate without prompting" is not the same as disabling UAC: the administrator still gets the filtered token and every elevation request is simply granted silently, which means any program running as that user can obtain the elevated token without the user noticing.
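An added PowerShell example, not from the deck, that reads the registry values behind the "User Account Control: ..." security options and the Control Panel slider and reports them in the policy wording, including the two UIAccess-related options. The value names and meanings are the documented ones; the slider mapping in the code reflects Windows 8 and later, where "Never notify" leaves EnableLUA at 1 and only suppresses the prompt. Reading the key does not require elevation.

```powershell
# Added example: read the effective UAC configuration and name the weak settings.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$adminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-PolicyValue([string]$Name, [int]$Default) {
    # An absent value means "Not configured", for which Windows applies the default.
    $item = Get-ItemProperty -Path $uacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $Default }
}

function Get-UacPolicy {
    $enableLua = Get-PolicyValue 'EnableLUA' 1
    $admin     = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 5
    $user      = Get-PolicyValue 'ConsentPromptBehaviorUser' 3
    $secure    = Get-PolicyValue 'PromptOnSecureDesktop' 1

    # The four slider positions are combinations of the two administrator values.
    $slider = switch ("$admin/$secure") {
        '2/1'   { 'Always notify'; break }
        '5/1'   { 'Default (notify when programs try to make changes)'; break }
        '5/0'   { 'Default, do not dim the display'; break }
        '0/0'   { 'Never notify: prompt suppressed, token filtering still active'; break }
        default { 'Custom (set by policy)' }
    }
    if ($enableLua -eq 0) {
        $slider = 'UAC disabled (EnableLUA=0): no filtered token, no virtualization, no Protected Mode'
    }

    [pscustomobject]@{
        EnableLUA                      = [bool]$enableLua
        AdminPromptBehavior            = $adminBehavior[$admin]
        StandardUserPromptBehavior     = $userBehavior[$user]
        PromptOnSecureDesktop          = [bool]$secure
        BuiltinAdministratorInAAM      = [bool](Get-PolicyValue 'FilterAdministratorToken' 0)
        InstallerDetection             = [bool](Get-PolicyValue 'EnableInstallerDetection' 1)
        FileAndRegistryVirtualization  = [bool](Get-PolicyValue 'EnableVirtualization' 1)
        UIAccessOnlyFromSecurePaths    = [bool](Get-PolicyValue 'EnableSecureUIAPaths' 1)
        UIAccessMayBypassSecureDesktop = [bool](Get-PolicyValue 'EnableUIADesktopToggle' 0)
        SliderPosition                 = $slider
        # Any of these lets code obtain the elevated token without the user seeing a prompt on the secure desktop.
        WeakConfiguration              = ($enableLua -eq 0 -or $admin -eq 0 -or $secure -eq 0)
    }
}

Get-UacPolicy | Format-List
```

"Do not dim the display" (PromptOnSecureDesktop=0) is flagged as weak on purpose: the prompt then appears on the user desktop, where another program of the same user can overlay, fake or automate it.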
Configuring UAC
Demo
UIAccess Applications
Software alternatives for the mouse and keyboard (assistive technology), for example Remote Assistance
- Run with the User Interface Accessibility (uiAccess="true") flag in their token, which exempts them from UIPI so they can drive windows of higher-integrity processes
- Windows always checks the Authenticode signature of a UIAccess application
- UIAccess applications must be installed in a secure location (%ProgramFiles%, %ProgramFiles(x86)% or %WinDir%\System32), otherwise the flag is ignored
- Optionally these applications may prompt for elevation without switching to the secure desktop (used with Remote Assistance so the helper can see and answer the prompt)
Remote Assistance and the Secure Desktop
Demo: Remote Assistance for non-administrative users
Integrity Levels
- Mandatory Access Control (Windows calls it Mandatory Integrity Control): the level is stored as a mandatory label ACE in the object's SACL and as the mandatory label in the token
- A lower-level subject has limited access to a higher-level object: the default policy is "no write up" (NW); a label can also specify no read up (NR) and no execute up (NX)
- The label check happens before the discretionary ACL is evaluated
- Used to protect the OS and for Internet Explorer Protected Mode
Levels, highest first:
- System (S-1-16-16384): services
- High (S-1-16-12288): administrators (the elevated token)
- Medium (S-1-16-8192, the default): standard users and every object without an explicit label
- Low (S-1-16-4096): IE Protected Mode
Standardizing the User Token (continued)
The same token layout (user SID, group SIDs, mandatory label, rights/privileges) with two outcomes for an administrator in Admin Approval Mode:
- Integrity Level Medium: the filtered token (the slide calls it the restricted token) that every process of the user starts with
- Integrity Level High: the elevated token, handed out only after the consent or credential prompt
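An added PowerShell example (not from the deck) that makes the integrity-level rules concrete: it reads and sets mandatory labels on files with icacls.exe, reads the label of the current process, and applies the "no write up" comparison the kernel makes before it ever looks at the DACL. The scratch file is constructed in %TEMP%; the helper functions are this example's own, not Windows tools.

```powershell
# Added example: mandatory labels on files and the no-write-up check.
$levelRank = [ordered]@{ Untrusted = 0; Low = 4096; Medium = 8192; High = 12288; System = 16384 }
# The ranks are the last sub-authority of the label SIDs S-1-16-<rank>.

function Get-FileIntegrityLabel([string]$Path) {
    # icacls prints one ACE per line; an explicit label looks like
    #   Mandatory Label\Low Mandatory Level:(NW)
    foreach ($line in (& icacls.exe $Path 2>$null)) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level:\(([^)]+)\)') {
            return [pscustomobject]@{ Path = $Path; Level = $Matches[1]; Policy = $Matches[2]; Explicit = $true }
        }
    }
    # No label ACE: the object is treated as Medium with the default no-write-up policy.
    [pscustomobject]@{ Path = $Path; Level = 'Medium'; Policy = 'NW'; Explicit = $false }
}

function Set-FileIntegrityLabel([string]$Path, [ValidateSet('Low', 'Medium', 'High')][string]$Level) {
    # A process may lower a label freely but cannot set one above its own integrity level.
    & icacls.exe $Path /setintegritylevel $Level | Out-Null
}

function Get-ProcessIntegrityLevel {
    $row = whoami.exe /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -eq 'Label' }
    $row.'Group Name' -replace '^Mandatory Label\\(\w+) Mandatory Level$', '$1'
}

function Test-WriteUp([string]$Path) {
    # With NW a subject may write only to objects at or below its own level; the DACL is checked afterwards.
    $obj  = Get-FileIntegrityLabel $Path
    $proc = Get-ProcessIntegrityLevel
    $allowed = (-not ($obj.Policy -match 'NW')) -or ($levelRank[$proc] -ge $levelRank[$obj.Level])
    [pscustomobject]@{ Path = $Path; ObjectLevel = $obj.Level; ProcessLevel = $proc; WriteAllowedByLabel = $allowed }
}

# Demo on a constructed scratch file in the user profile; no admin rights needed.
$file = Join-Path $env:TEMP 'il-demo.txt'
Set-Content -Path $file -Value 'constructed sample'
Get-FileIntegrityLabel $file        # Medium, Explicit = False
Set-FileIntegrityLabel $file Low
Get-FileIntegrityLabel $file        # Low, Policy NW, Explicit = True
Test-WriteUp $file                  # a Medium process may write a Low object (writing down is allowed)
Set-FileIntegrityLabel $file High   # fails from a Medium (filtered) token: cannot label above yourself
Get-FileIntegrityLabel $file        # still Low unless this session is elevated
Remove-Item $file
```

Run the last part from an elevated prompt to see the High label succeed; run Test-WriteUp from a Low-integrity process (for example one started by a Protected Mode browser) and the answer flips to False even though the DACL grants the user full control.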
IE Protected Mode
- Only available with User Account Control enabled
- iexplore.exe runs with the Low integrity level
- Depends on User Interface Privilege Isolation (UIPI) so the Low process cannot send window messages to higher-integrity windows
Screenshots: Internet Explorer 8; Internet Explorer 9/10
IE Broker mechanism (diagram)
- iexplore.exe management process: hosts the UI frame, Favorites bar and Command bar, and the Protected-mode Broker Object that performs the operations the content processes are not allowed to do themselves
- iexplore.exe content process for the Internet/Intranet zones: Low integrity level, Protected Mode = On; hosts Browser Helper Objects, ActiveX controls and toolbar extensions at Low integrity
- iexplore.exe content process for Trusted Sites: Medium integrity level, Protected Mode = Off; hosts Browser Helper Objects, ActiveX controls and toolbar extensions with the user's normal rights
Integrity Levels
Demo
File Virtualization
File virtualization is a compatibility feature, not a security feature: when a legacy application (32-bit, without a manifest, interactive, not elevated) writes to a protected location without the rights to do so, the write is silently redirected to a per-user copy and the application is told it succeeded.
The following folders and their subfolders are virtualized: %WinDir%, \Program Files, \Program Files (x86)
Virtual Store: %UserProfile%\AppData\Local\VirtualStore
Troubleshooting file virtualization: Event Log, Applications and Services Logs > Microsoft > Windows > UAC-FileVirtualization
Disabling file virtualization: per machine with the policy "User Account Control: Virtualize file and registry write failures to per-user locations"; per application by giving it a manifest with a requestedExecutionLevel, since manifested processes are never virtualized
Registry Virtualization
- Virtualizes most locations under HKLM\Software. Keys that are not virtualized: HKLM\Software\Microsoft\Windows, HKLM\Software\Microsoft\Windows NT, HKLM\Software\Classes
- Per-user location: HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE
- A flag on each registry key (REG_KEY_DONT_VIRTUALIZE) defines whether it can be virtualized; "reg flags HKLM\Software query" shows the flags for HKLM\Software
- Registry virtualization is NOT logged in the event log
File & Registry Virtualization
Demo
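An added PowerShell example, not from the deck, for the troubleshooting side of both slides: it lists what virtualization has redirected for the current user, maps every copy back to the protected path or key it shadows, pulls the UAC-FileVirtualization log, and queries the virtualization flags with reg.exe. The mapping assumes the protected folders live on %SystemDrive%, which is the normal layout.

```powershell
# Added example: find what UAC virtualization has silently redirected for this user.
function Get-VirtualizedFiles {
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path $store)) { return }
    Get-ChildItem -Path $store -Recurse -File | ForEach-Object {
        # VirtualStore\Program Files\App\x.ini  ->  C:\Program Files\App\x.ini
        $relative = $_.FullName.Substring($store.Length).TrimStart('\')
        $real     = Join-Path ($env:SystemDrive + '\') $relative
        [pscustomobject]@{
            VirtualCopy  = $_.FullName
            ShadowedPath = $real
            RealExists   = Test-Path -LiteralPath $real
            LastWrite    = $_.LastWriteTime
        }
    }
}

function Get-VirtualizedRegistryKeys {
    # Per-user mirror of HKLM\SOFTWARE written by non-manifested 32-bit applications.
    $store = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path $store)) { return }
    Get-ChildItem -Path $store -Recurse | ForEach-Object {
        $relative = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\?', ''
        [pscustomobject]@{ VirtualKey = $_.Name; ShadowedKey = "HKLM:\SOFTWARE\$relative" }
    }
}

function Get-FileVirtualizationEvents([int]$Last = 20) {
    # File virtualization is logged here; registry virtualization is not logged at all.
    Get-WinEvent -LogName 'Microsoft-Windows-UAC-FileVirtualization/Operational' -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-KeyVirtualizationFlags([string]$Key) {
    # Prints REG_KEY_DONT_VIRTUALIZE / DONT_SILENT_FAIL / RECURSE_FLAG as SET or CLEAR; changing them needs an elevated token.
    & reg.exe flags $Key query
}

Get-VirtualizedFiles        | Format-Table -AutoSize
Get-VirtualizedRegistryKeys | Format-Table -AutoSize
Get-FileVirtualizationEvents
Get-KeyVirtualizationFlags 'HKLM\SOFTWARE'                    # virtualization allowed under this key
Get-KeyVirtualizationFlags 'HKLM\SOFTWARE\Microsoft\Windows'  # REG_KEY_DONT_VIRTUALIZE: SET
```

Two things to keep in mind when reviewing the output. The VirtualStore copies are owned and writable by the user, so a legacy application that "reads its configuration from Program Files" may be reading user-modified data. And an elevated process is never virtualized, so the same application started with the elevated token sees the real, untouched files and not the copies it wrote earlier.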
What defines a UAC state change (when does a program get the elevated token?)
- Executables that are part of the Windows OS
- File names
- Manifests
- Compatibility settings
- Shims
UAC for the Windows OS
With the default setting ("prompt for consent for non-Windows binaries") Windows programs that are signed by Microsoft, stored in a secure location and marked autoElevate in their manifest elevate without a warning. Exceptions that always prompt: cmd.exe, regedit.exe (they carry no autoElevate element).
What's in a name?
Installer detection: for a 32-bit interactive executable without a manifest, the file name (and version resource) is evaluated for keywords such as Setup, Install and Update, and a match is treated as an installer that needs elevation.
Disable this feature in Group Policy when needed: "User Account Control: Detect application installations and prompt for elevation"
UAC and Manifests
Configure the need for elevation per file with requestedExecutionLevel in the manifest:
- asInvoker: run with the caller's token, never prompt
- highestAvailable: prompt an administrator in Admin Approval Mode, run unelevated for a standard user
- requireAdministrator: always needs the elevated token (prompt for consent or for credentials)
External (app.exe.manifest next to the file) or internal (embedded as an RT_MANIFEST resource; on Vista and later the embedded manifest wins)
Use mt.exe from the Windows SDK to inject manifests; use sigcheck.exe -m from Sysinternals to view manifests
File Names & Manifests
Demo
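An added PowerShell example, not from the deck, covering the three slides on how elevation is decided: it pulls the embedded manifest straight out of the executable (or falls back to an external .manifest), reads requestedExecutionLevel, uiAccess and autoElevate, checks whether the image is 32-bit, and applies the installer-detection name heuristic only where Windows would (no manifest, 32-bit). The scan for the `<assembly>` element and the verdict strings are this example's own; Windows does not expose its decision through an API.

```powershell
# Added example: explain from the file itself why UAC would or would not prompt for it.
function Get-ElevationHint {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)   # one char per byte, so indexes are byte offsets

    # PE machine type: installer detection and virtualization apply to 32-bit images only.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $is32bit  = ($machine -eq 0x14C)

    # The embedded manifest (RT_MANIFEST) is plain XML inside the file; it wins over an external one on Vista+.
    $xml = $null; $source = 'none'
    $start = $ascii.IndexOf('<assembly'); $end = $ascii.IndexOf('</assembly>')
    if ($start -ge 0 -and $end -gt $start) {
        $xml = [xml][System.Text.Encoding]::UTF8.GetString($bytes, $start, $end + 11 - $start)
        $source = 'embedded'
    } elseif (Test-Path -LiteralPath "$Path.manifest") {
        $xml = [xml](Get-Content -LiteralPath "$Path.manifest" -Raw)
        $source = 'external'
    }

    $level = $null; $uiAccess = $null; $autoElevate = $null
    if ($xml) {
        # PowerShell's XML adapter ignores the asm.v1/v2/v3 namespace prefixes, so dotted access works.
        $rel = $xml.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel
        if ($rel) { $level = $rel.level; $uiAccess = $rel.uiAccess }
        $autoElevate = $xml.assembly.autoElevate
    }

    # Installer detection: only 32-bit, non-manifested, interactive executables are inspected by name.
    $name = [System.IO.Path]::GetFileName($Path)
    $installerName = $is32bit -and (-not $level) -and ($name -match 'setup|install|update')

    $verdict = switch ($true) {
        ($level -eq 'requireAdministrator') { 'Always needs the elevated token: prompt for everyone'; break }
        ($level -eq 'highestAvailable')     { 'Prompts an administrator in AAM; runs unelevated for a standard user'; break }
        ($level -eq 'asInvoker')            { 'Runs with the caller token; never prompts, never virtualized'; break }
        ($installerName)                    { 'No manifest and installer-like name: installer detection will prompt'; break }
        default                             { 'No manifest: runs as invoker, writes may be virtualized' }
    }
    [pscustomobject]@{
        File = $name; Is32Bit = $is32bit; ManifestSource = $source; ExecutionLevel = $level
        UiAccess = $uiAccess; AutoElevate = $autoElevate; InstallerNameMatch = $installerName; Verdict = $verdict
    }
}

Get-ElevationHint "$env:WINDIR\System32\cmd.exe"   # manifested, no autoElevate: an elevated command prompt always asks
Get-ElevationHint "$env:WINDIR\regedit.exe"
```

Compare the result with `sigcheck.exe -m <file>` to confirm the manifest was found; to change a verdict, write the manifest you want and embed it with `mt.exe -manifest app.manifest -outputresource:app.exe;#1`, which also switches virtualization off for that program.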
UAC and Compatibility Settings
Configure the shortcut or executable (Compatibility tab, stored as a compatibility layer under ...\AppCompatFlags\Layers in HKCU or HKLM): RunAsAdministrator, RunAsInvoker
Create a shim: needs the Application Compatibility Toolkit (Compatibility Administrator) to build a shim database with compatibility modes and compatibility fixes
Compatibility Settings
Demo
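An added PowerShell example, not from the deck, showing the two forms the compatibility setting takes: the persistent per-user layer the Compatibility tab writes under AppCompatFlags\Layers, and the one-shot __COMPAT_LAYER environment variable that child processes inherit. The sample path C:\Tools\legacy-setup.exe is constructed and need not exist.

```powershell
# Added example: apply and inspect the RunAs* compatibility layers without the Compatibility tab.
$layersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'   # HKLM:\... applies to all users

function Set-CompatLayer {
    param([Parameter(Mandatory)][string]$ExePath,
          [Parameter(Mandatory)][ValidateSet('RUNASADMIN', 'RUNASINVOKER', 'RUNASHIGHEST')][string]$Layer)
    # The value name is the full path; the data is the layer list, which the Compatibility tab prefixes with "~ ".
    if (-not (Test-Path $layersKey)) { New-Item -Path $layersKey -Force | Out-Null }
    Set-ItemProperty -Path $layersKey -Name $ExePath -Value "~ $Layer"
}

function Get-CompatLayer([string]$ExePath) {
    (Get-ItemProperty -Path $layersKey -Name $ExePath -ErrorAction SilentlyContinue).$ExePath
}

function Remove-CompatLayer([string]$ExePath) {
    Remove-ItemProperty -Path $layersKey -Name $ExePath -ErrorAction SilentlyContinue
}

# Persistent: installer detection would prompt for this constructed name; RunAsInvoker makes it run unelevated instead.
$sample = 'C:\Tools\legacy-setup.exe'
Set-CompatLayer -ExePath $sample -Layer RUNASINVOKER
Get-CompatLayer $sample          # "~ RUNASINVOKER"
Remove-CompatLayer $sample

# One-shot: __COMPAT_LAYER is inherited by child processes, so this starts the program with the caller's
# (filtered) token even when its manifest says requireAdministrator. It never raises privileges: a program
# that really needs admin rights fails with access denied instead of prompting.
$env:__COMPAT_LAYER = 'RunAsInvoker'
Start-Process -FilePath $sample -ErrorAction SilentlyContinue
Remove-Item Env:\__COMPAT_LAYER
```

RunAsInvoker only ever lowers the request, which is why it is safe to hand to standard users who need to run a mislabelled installer; RunAsAdmin written under HKLM by an administrator makes a program prompt for every user, which is useful when an application silently fails in the filtered token.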
Does this look familiar? (screenshot of the dialog shown when a service tries to display a window from session 0)
Session 0 Isolation
- Services run in session 0
- Before Windows Vista, session 0 also belonged to the console: the first interactive user shared it with the services
- Since Vista, users log on to session 1 and higher; session 0 has no interactive desktop
- When a service tries to interact with the user in session 0 you see this message on Windows 7 and earlier
Session 0 Isolation
Demo
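An added PowerShell example, not from the deck, that shows the session split the demo illustrates: it groups running processes by session, lists services still flagged to interact with the desktop (the ones that trigger the message above), and reports the state of the Interactive Services Detection service and the NoInteractiveServices switch. Reading all of this works from a standard user token.

```powershell
# Added example: which session does each process live in, and which services still expect a desktop?
function Get-SessionSummary {
    $mySession = (Get-Process -Id $PID).SessionId
    Get-Process | Group-Object SessionId | Sort-Object { [int]$_.Name } | ForEach-Object {
        $session = [int]$_.Name
        $role = 'another logon (console or RDP)'
        if ($session -eq 0)              { $role = 'services; no interactive desktop since Vista' }
        elseif ($session -eq $mySession) { $role = 'this user logon' }
        [pscustomobject]@{
            Session   = $session
            Processes = $_.Count
            Role      = $role
            Sample    = (($_.Group | Select-Object -First 4).ProcessName -join ', ')
        }
    }
}

function Get-InteractiveServices {
    # SERVICE_INTERACTIVE_PROCESS (service Type & 0x100) is surfaced by WMI as DesktopInteract.
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.DesktopInteract } |
        Select-Object Name, DisplayName, StartMode, State, PathName
}

function Get-InteractiveServiceDetection {
    # UI0Detect is the service behind "A program running on this computer is trying to display a message".
    $svc   = Get-Service -Name UI0Detect -ErrorAction SilentlyContinue
    $block = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' -Name NoInteractiveServices -ErrorAction SilentlyContinue).NoInteractiveServices
    [pscustomobject]@{
        DetectionServicePresent = [bool]$svc
        DetectionServiceState   = if ($svc) { $svc.Status } else { 'not installed' }
        NoInteractiveServices   = $block   # 1 = services are not allowed to open windows on an interactive desktop
    }
}

Get-SessionSummary        | Format-Table -AutoSize
Get-InteractiveServices   | Format-Table -AutoSize
Get-InteractiveServiceDetection
```

A service that appears in Get-InteractiveServices is a candidate for redesign: its UI belongs in a separate user-session process that talks to the service over RPC or named pipes, which is also the shape that keeps the service's higher-privileged code away from input that arrives from the user desktop.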
Windows OS File Security
Multiple Layers of Protection (diagram): kernel drivers, user-mode drivers and a set of segmented services (Service 1, Service 2, Service 3, ..., Service A, Service B) each shown as its own box. The design goals: reduce the size of the high-risk layers, increase the number of layers, segment the services.
Service SIDs
- Since Vista every service has its own SID: S-1-5-80-<SHA-1 hash of the upper-cased service name, written as five 32-bit sub-authorities>; "sc showsid <service>" prints it
- The service SID is added to the service's token, so ACLs can be set on it: a resource is granted to one service (NT SERVICE\<name>) instead of to every service that happens to run as LocalSystem, NetworkService or LocalService
- With a write-restricted service token, the service can only write to objects that explicitly grant its service SID
- LocalSystem is no longer "The Master of the Universe": services are segmented from each other rather than sharing one all-powerful context
Who is TrustedInstaller?
- "Windows Modules Installer" in the Services MMC (service name TrustedInstaller, binary TrustedInstaller.exe); not the Windows Installer service (msiserver)
- "NT SERVICE\TrustedInstaller" in icacls.exe: the service SID that owns the operating system files under %WinDir% and holds Full Control on them, while Administrators get read and execute
- TrustedInstaller installs: Windows service packs, hotfixes, operating system upgrades, patches and installations by Windows Update
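An added PowerShell example, not from the deck, for the two slides above: it derives a service SID the same way the Service Control Manager does (SHA-1 over the UTF-16LE, upper-cased service name, split into five little-endian 32-bit sub-authorities), resolves it back to NT SERVICE\<name>, cross-checks with sc.exe, and then shows TrustedInstaller's ownership of an OS file with Get-Acl. The helper names are this example's own.

```powershell
# Added example: compute a service SID and see how the OS files are protected with it.
function Get-ServiceSid([Parameter(Mandatory)][string]$ServiceName) {
    # S-1-5-80 + SHA-1(UTF-16LE(UPPERCASE(name))) as five little-endian 32-bit sub-authorities
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = foreach ($i in 0..4) { [BitConverter]::ToUInt32($hash, $i * 4) }
    'S-1-5-80-' + ($subs -join '-')
}

function Resolve-Sid([string]$Sid) {
    # LSA can only name a service SID for a service that is installed on this machine.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { '(not resolvable here: service not installed)' }
}

$sid = Get-ServiceSid 'TrustedInstaller'
$sid                               # S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
Resolve-Sid $sid                   # NT SERVICE\TrustedInstaller
& sc.exe showsid TrustedInstaller  # the SCM's own answer, for comparison

# TrustedInstaller owns the OS binaries; Administrators only read and execute until they take ownership.
$kernel = "$env:WINDIR\System32\ntoskrnl.exe"
(Get-Acl -LiteralPath $kernel).Owner
(Get-Acl -LiteralPath $kernel).Access |
    Where-Object { $_.IdentityReference -match 'TrustedInstaller|Administrators' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The same Get-ServiceSid output is what you put in an ACL to grant a resource to one service only (`icacls <path> /grant "NT SERVICE\<name>:(R)"`), which is the practical payoff of the slide: a compromised service running as LocalSystem no longer automatically gets what every other LocalSystem service was granted.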
Concluding
Yes you can!
- User Account Control is no rocket science
- UAC makes Internet Explorer a safer browser
- Analyze your applications
- Get to know the tools: whoami.exe, Process Explorer, icacls.exe, Application Compatibility Toolkit
Related Content
WCL301: Case of the Unexplained 2012
WCL402: App Compat for Nerds
www.microsoft.com/springboard
www.nextxpert.com
Find me later at the Technical Learning Center
Track Resources
Resources for Developers: http://msdn.microsoft.com/en-us/windows/apps
Windows 8 is ready for Business: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-8/default.aspx
Microsoft Desktop Optimization Pack: www.microsoft.com/MDOP
Microsoft Desktop Virtualization: www.microsoft.com/dv
Track Resources
Springboard Series: www.microsoft.com/springboard (Explore > Plan > Deliver > Operate > Support) for Windows 7 and Windows 8, MDOP, Desktop Virtualization, Windows Intune, Internet Explorer 8, 9 and 10
Download the Windows 8 Release Preview today: http://windows.microsoft.com/en-US/windows-8/release-preview
Resources
Connect. Share. Discuss.: http://northamerica.msteched.com
Learning, Microsoft Certification & Training Resources: www.microsoft.com/learning
TechNet, Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
Please complete an evaluation; your feedback is important! Multiple ways to evaluate sessions: scan the tag to evaluate this session now on myTechEd Mobile.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.