wcl310-r. disabled by default in windows 7 and vista most secure – best choice for it windows 7...
TRANSCRIPT
![Page 1: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/1.jpg)
Raiders of the Elevated Token: Understanding User Account Control and Session IsolationRaymond P.L. Comvalius MCT, MVPIndependent IT Infrastructure SpecialistThe Netherlands
WCL310-R
![Page 2: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/2.jpg)
Introducing Raymond ComvaliusIndependent Consultant, Trainer, and AuthorMVP: Expert Windows IT ProBlog: www.xpworld.comTwitter: @xpworldEditor for bink.nuwww.books4brains.comwww.mvp-press.com
![Page 3: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/3.jpg)
Agenda
User Account ControlWhat is UAC?Configuring User Account ControlIntegrity LevelsFile & Registry VirtualizationHow to Control Elevation
Session 0 IsolationService ID
![Page 4: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/4.jpg)
Disabled by Default in Windows 7 and Vista
Most Secure – Best Choice for IT
Windows 7 and Vista - Default
XP Default
Windows User Types
The AdministratorThe account named ‘administrator’
An AdministratorYour name with administrator privileges
Protected AdministratorAKA: ‘Administrator in Admin Approval Mode’
Standard UserYour name without administrator privileges
![Page 5: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/5.jpg)
Standardizing the User Token
User-SID
Local/Builtin Group SIDs
Domain Group SIDs
Mandatory Label
Rights/Privileges
Create a token objectAct as part of the operating system Take ownership of files and other objects Load and unload device driversBack up files and directoriesRestore files and directoriesImpersonate a client after authentication Modify an object labelDebug programs
AdministratorsBackup OperatorsPower UsersNetwork Configuration Operators
Group Policy Creator OwnersSchema AdminsEnterprise AdminsDenied RODC Password Replication Group
![Page 6: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/6.jpg)
demo
Examining the Access Token
![Page 7: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/7.jpg)
Consent UI
The ‘face’ of UACWarns you for a User State change (AKA new token creation)Secure Desktop
Screen mode like pressing Ctrl-Alt-DelCreates screenshot of the desktop (programs keep running in the background)Keeps scripts etc. from pressing keys or clicking the mouse
![Page 8: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/8.jpg)
Configuring UAC in the Control Panel
From the Control PanelAlways notifyDefaultDo not dim the displayNever notify
With Group PolicyMore granular controls
![Page 9: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/9.jpg)
Configuring UAC in Group Policy
Behaviour for Standard UsersDeny AccessPrompt for Credentials
Admin Approval Mode for the built-in Administrator accountFor Administrators in Admin Approval Mode
Prompt for ConsentPrompt for CredentialsElevate without prompting
Not same as disable UAC!
![Page 10: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/10.jpg)
demo
Configuring UAC
![Page 11: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/11.jpg)
UIAccess Applications
Software alternatives for the mouse and keyboardFor example Remote Assistance
User Interface Accessibility integrity levelWindows always checks signature on UIAccess ApplicationsUIAccess applications must be installed in secure locationsOptionally these applications can disable the secure desktop (used with Remote Assistance)
![Page 12: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/12.jpg)
Remote Assistance and the Secure Desktop
for non-administrative users
![Page 13: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/13.jpg)
Integrity Levels
Mandatory Access ControlLevels are part of the ACLs and TokensLower level object has limited access to higher level objectsUsed to protect the OS and for Internet Explorer Protected Mode
System High Medium(Default)
Low
Services Administrators Standard Users
IE Protected Mode
![Page 14: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/14.jpg)
Standardizing the User Token
User-SID
Local/Builtin Group SIDs
Domain Group SIDs
Mandatory Label
Rights/Privileges
Integrity level: High (Elevated Token)
Integrity level: Medium
![Page 15: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/15.jpg)
IE protected mode
Only with User Account Control enablediexplore.exe runs with Low Integrity LevelUser Interface Privilege Isolation (UIPI)
Internet Explorer 8
Internet Explorer 9
![Page 16: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/16.jpg)
IE Broker mechanismiexplore.exe
Protected-mode Broker Object
UI frame Favorites Bar Command Bar
iexplore.exe (tab process 1)
Browser Helper Objects
Toolbar Extensions
ActiveX Controls
Tab 1 Tab n
iexplore.exe (tab process n)
Browser Helper Objects
Toolbar Extensions
ActiveX Controls
Tab 1 Tab n
Low Integrity LevelProtected Mode = On
Medium Integrity LevelProtected Mode = Off
Internet/Intranet
Trusted S
ites
![Page 17: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/17.jpg)
demo
Integrity Levels
![Page 18: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/18.jpg)
File Virtualization
File Virtualization is a compatibility featureThe following folders and subfolders are virtualized:
%WinDir% \Program Files \Program Files (x86)
Virtual Store:%UserProfile%\AppData\Local\VirtualStore
Troubleshooting file virtualizationEvent Log: UAC-FileVirtualization
Disabling file virtualization
![Page 19: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/19.jpg)
Registry Virtualization
Virtualizes most locations under HKLM\SoftwareKeys that are not virtualized:
HKLM\Software\Microsoft\WindowsHKLM\Software\Microsoft\Windows NT\HKLM\Software\Classes
Per user location: HKCU\Software\Classes\VirtualStoreFlag on a registry key defines if it can be virtualized
“Reg flags HKLM\Software” shows flags for HKLM\Software
Registry Virtualization is NOT logged in the EventLog
![Page 20: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/20.jpg)
demo
File & Registry Virtualization
![Page 21: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/21.jpg)
What defines a UAC state change
Executables that are part of the Windows OSFile NameManifestCompatibility SettingsShims
![Page 22: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/22.jpg)
UAC for the Windows OS
Default no warning when elevating Windows OS programsExcept for:
CMD.exeRegedit.exe
![Page 23: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/23.jpg)
What’s in a name?
Evaluation of the file name determines need for elevationSetupInstalUpdate
Disable this feature in Group Policy when needed
![Page 24: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/24.jpg)
UAC and Manifests
Configure the need for elevation per file:asInvokerhighestAvailablerequireAdministrator
External or InternalUse mt.exe from the SDK to inject a manifestUse SigCheck.exe from SysInternals to view the manifest
![Page 25: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/25.jpg)
demo
File names and manifests
![Page 26: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/26.jpg)
UAC and compatibility settings
Configure the shortcutRequireAdministratorRunAsInvoker
Create a ShimNeed the Application Compatibility Toolkit Compatibility AdministratorCompatibility ModesCompatibility Fixes
![Page 27: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/27.jpg)
demo
Compatibility Settings
![Page 28: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/28.jpg)
Does this look familiar?
![Page 29: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/29.jpg)
Session 0 isolation
Services run in session 0Before Vista, session 0 belonged to the consoleUsers logon to session 1 and higherIf a service interacts in session 0 you see this message
![Page 30: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/30.jpg)
demo
Session 0 isolation
![Page 31: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/31.jpg)
Why is this?
![Page 32: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/32.jpg)
Services SID
A service can be a security entityWindows uses TrustedInstaller (Windows Installer Service)Only TrustedInstaller has Full Control accessTrustedInstaller = “NT Service\TrustedInstaller”TrustedInstaller installs:
Windows Service PacksHotfixesOperating System UpgradesPatches and installations by Windows Update
![Page 33: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/33.jpg)
demo
TrustedInstaller
![Page 34: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/34.jpg)
Yes you can!
User Account Control is no black magicUAC makes Internet Explorer a safer browserAnalyze your applicationsGet to know the tools• Whoami.exe• icacls.exe• SysInternals• Application Compatibility Toolkit (ACT)• Windows SDK
![Page 35: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/35.jpg)
Related Content
WCL312: Sysinternals Primer: Autoruns, Disk2vhd, ProcDump, BgInfo and AccessChkWCL402: Troubleshooting Application Compatibility Issues with Windows 7
Find Me At The Springboard booth
![Page 36: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/36.jpg)
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
![Page 37: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/37.jpg)
Resources
www.microsoft.com/teched
Sessions On-Demand & Community Microsoft Certification & Training Resources
Resources for IT Professionals Resources for Developers
www.microsoft.com/learning
http://microsoft.com/technet http://microsoft.com/msdn
Learning
http://northamerica.msteched.com
Connect. Share. Discuss.
![Page 38: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/38.jpg)
Complete an evaluation on CommNet and enter to win!
![Page 39: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/39.jpg)
Scan the Tag to evaluate this session now on myTech•Ed Mobile
![Page 40: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/40.jpg)
![Page 41: WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The](https://reader031.vdocuments.us/reader031/viewer/2022032702/56649f425503460f94c61226/html5/thumbnails/41.jpg)