Raiders of the Elevated Token: Understanding User Account Control and Session Isolation
Raymond P.L. Comvalius, MCT, MVP
Independent IT Infrastructure Specialist, The Netherlands
WCL310-R

Upload: moses-hamilton

Post on 14-Dec-2015


TRANSCRIPT

Page 1

Raiders of the Elevated Token: Understanding User Account Control and Session Isolation
Raymond P.L. Comvalius, MCT, MVP
Independent IT Infrastructure Specialist, The Netherlands
WCL310-R

Page 2

Introducing Raymond Comvalius
- Independent Consultant, Trainer, and Author
- MVP: Expert Windows IT Pro
- Blog: www.xpworld.com
- Twitter: @xpworld
- Editor for bink.nu
- www.books4brains.com
- www.mvp-press.com

Page 3

Agenda
- User Account Control
  - What is UAC?
  - Configuring User Account Control
  - Integrity Levels
  - File & Registry Virtualization
  - How to Control Elevation
- Session 0 Isolation
- Service ID

Page 4

Windows User Types
- The Administrator: the account named ‘administrator’ (disabled by default in Windows 7 and Vista)
- An Administrator: your name with administrator privileges (XP default)
- Protected Administrator, AKA ‘Administrator in Admin Approval Mode’ (Windows 7 and Vista default)
- Standard User: your name without administrator privileges (most secure; best choice for IT)

Page 5

Standardizing the User Token
Token contents:
- User-SID
- Local/Builtin Group SIDs
- Domain Group SIDs
- Mandatory Label
- Rights/Privileges

Rights/Privileges removed from the filtered token:
- Create a token object
- Act as part of the operating system
- Take ownership of files and other objects
- Load and unload device drivers
- Back up files and directories
- Restore files and directories
- Impersonate a client after authentication
- Modify an object label
- Debug programs

Local/Builtin Group SIDs filtered: Administrators, Backup Operators, Power Users, Network Configuration Operators

Domain Group SIDs filtered: Group Policy Creator Owners, Schema Admins, Enterprise Admins, Denied RODC Password Replication Group

Page 6

Demo: Examining the Access Token

Page 7

Consent UI
- The ‘face’ of UAC
- Warns you of a User State change (AKA new token creation)
- Secure Desktop
  - Screen mode like pressing Ctrl-Alt-Del
  - Creates a screenshot of the desktop (programs keep running in the background)
  - Keeps scripts etc. from pressing keys or clicking the mouse

Page 8

Configuring UAC in the Control Panel
- From the Control Panel:
  - Always notify
  - Default
  - Do not dim the display
  - Never notify
- With Group Policy: more granular controls

Page 9

Configuring UAC in Group Policy
- Behaviour for Standard Users: Deny Access, or Prompt for Credentials
- Admin Approval Mode for the built-in Administrator account
- For Administrators in Admin Approval Mode: Prompt for Consent, Prompt for Credentials, or Elevate without prompting (not the same as disabling UAC!)

Page 10

Demo: Configuring UAC

Page 11

UIAccess Applications
- Software alternatives for the mouse and keyboard, for example Remote Assistance
- User Interface Accessibility integrity level
- Windows always checks the signature on UIAccess applications
- UIAccess applications must be installed in secure locations
- Optionally these applications can disable the secure desktop (used with Remote Assistance)

Page 12

Remote Assistance and the Secure Desktop for non-administrative users

Page 13

Integrity Levels
- Mandatory Access Control
- Levels are part of the ACLs and Tokens
- A lower-level object has limited access to higher-level objects
- Used to protect the OS and for Internet Explorer Protected Mode

Levels, from highest to lowest:
- System: Services
- High: Administrators
- Medium (Default): Standard Users
- Low: IE Protected Mode

Page 14

Standardizing the User Token
Token contents:
- User-SID
- Local/Builtin Group SIDs
- Domain Group SIDs
- Mandatory Label
- Rights/Privileges

The two tokens differ in their Mandatory Label:
- Integrity level: High (Elevated Token)
- Integrity level: Medium

Page 15

IE protected mode
- Only with User Account Control enabled
- iexplore.exe runs with Low Integrity Level
- User Interface Privilege Isolation (UIPI)

(Screenshots: Internet Explorer 8, Internet Explorer 9)

Page 16

IE Broker mechanism (diagram)
- iexplore.exe (Protected-mode Broker Object): UI frame, Favorites Bar, Command Bar
- iexplore.exe (tab process 1) ... iexplore.exe (tab process n): each hosts Browser Helper Objects, Toolbar Extensions, ActiveX Controls and Tab 1 ... Tab n
- Low Integrity Level, Protected Mode = On: Internet/Intranet
- Medium Integrity Level, Protected Mode = Off: Trusted Sites
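An added example (not from the deck) that models the mandatory integrity check behind pages 13 to 16: a Low-integrity Protected Mode tab can pass the check for reading the user's Medium-integrity files but not for writing them, which is why writes go through the Medium-integrity broker. The level values are the RIDs Windows uses; the process names, the sample objects and the no-write-up default are assumptions spelled out in the comments.

```python
from dataclasses import dataclass
from enum import IntEnum

class Integrity(IntEnum):
    """Mandatory integrity levels; the values are the RIDs Windows uses (S-1-16-<RID>)."""
    LOW = 0x1000     # IE Protected Mode tab processes
    MEDIUM = 0x2000  # standard users and the filtered admin token (the default)
    HIGH = 0x3000    # elevated administrator token
    SYSTEM = 0x4000  # services

# Mandatory policy bits on an object's label; Windows labels most objects no-write-up only.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 1, 2, 4
POLICY_FOR_ACCESS = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}

@dataclass(frozen=True)
class Token:
    name: str
    level: Integrity

@dataclass(frozen=True)
class SecurableObject:
    name: str
    level: Integrity
    policy: int = NO_WRITE_UP

def mandatory_check(token: Token, obj: SecurableObject, access: str) -> bool:
    """The integrity check that runs before the DACL check: a subject at the same or a
    higher level always passes it (the DACL then decides); a lower-level subject is
    blocked only for the access kinds the object's policy forbids (write, by default)."""
    if token.level >= obj.level:
        return True
    return not (obj.policy & POLICY_FOR_ACCESS[access])

# Constructed sample: the IE broker at Medium, a Protected Mode tab at Low, two user locations.
BROKER = Token("iexplore.exe (broker)", Integrity.MEDIUM)
TAB = Token("iexplore.exe (tab, Protected Mode on)", Integrity.LOW)
DOCUMENTS = SecurableObject(r"%UserProfile%\Documents", Integrity.MEDIUM)
LOW_TEMP = SecurableObject(r"%UserProfile%\AppData\Local\Temp\Low", Integrity.LOW)

def protected_mode_matrix() -> dict:
    """Which (process, object, access) combinations pass the mandatory check."""
    cases = [(TAB, DOCUMENTS, "read"), (TAB, DOCUMENTS, "write"),
             (TAB, LOW_TEMP, "write"), (BROKER, DOCUMENTS, "write")]
    return {(t.name, o.name, a): mandatory_check(t, o, a) for t, o, a in cases}

if __name__ == "__main__":
    for (proc, obj, access), ok in protected_mode_matrix().items():
        print("ALLOW" if ok else "DENY ", access, proc, "->", obj)
```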

Page 17

Demo: Integrity Levels

Page 18

File Virtualization
- File Virtualization is a compatibility feature
- The following folders and subfolders are virtualized: %WinDir%, \Program Files, \Program Files (x86)
- Virtual Store: %UserProfile%\AppData\Local\VirtualStore
- Troubleshooting file virtualization: Event Log UAC-FileVirtualization
- Disabling file virtualization

Page 19

Registry Virtualization
- Virtualizes most locations under HKLM\Software
- Keys that are not virtualized: HKLM\Software\Microsoft\Windows, HKLM\Software\Microsoft\Windows NT, HKLM\Software\Classes
- Per-user location: HKCU\Software\Classes\VirtualStore
- A flag on a registry key defines if it can be virtualized; “reg flags HKLM\Software” shows the flags for HKLM\Software
- Registry Virtualization is NOT logged in the Event Log
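An added example (not from the deck) that resolves where a write by a legacy application actually lands under the file and registry virtualization of pages 18 and 19. It assumes drive C:, a constructed user profile, and two points of standard Windows behaviour the slides do not spell out: only non-elevated processes without a manifest are virtualized, and registry writes land under the MACHINE\SOFTWARE subtree of the per-user VirtualStore key.

```python
import ntpath

# Constructed sample profile; on a real system this comes from %LOCALAPPDATA%.
LOCAL_APPDATA = r"C:\Users\alice\AppData\Local"
FILE_STORE = ntpath.join(LOCAL_APPDATA, "VirtualStore")
VIRTUALIZED_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")  # page 18

# Most of HKLM\Software is redirected into the per-user store, except these subtrees (page 19).
REG_ROOT = r"HKLM\Software"
REG_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE"
REG_EXCLUDED = (r"HKLM\Software\Microsoft\Windows",
                r"HKLM\Software\Microsoft\Windows NT", r"HKLM\Software\Classes")

def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is prefix or lies below it' test for Windows paths and keys."""
    p, q = path.casefold(), prefix.casefold()
    return p == q or p.startswith(q + "\\")

def file_write_target(path, elevated=False, has_manifest=False):
    """Where a write to 'path' really lands. Only legacy processes (no manifest) that are
    not elevated are virtualized; everything else writes to the real location."""
    if elevated or has_manifest:
        return path
    for d in VIRTUALIZED_DIRS:
        if _under(path, d):
            return FILE_STORE + path[len("C:"):]  # C:\Program Files\X -> ...\VirtualStore\Program Files\X
    return path

def registry_write_target(key, elevated=False, dont_virtualize=False):
    """Registry counterpart; dont_virtualize models the per-key flag that 'reg flags' shows."""
    if elevated or dont_virtualize or not _under(key, REG_ROOT):
        return key
    if any(_under(key, ex) for ex in REG_EXCLUDED):
        return key
    return REG_STORE + key[len(REG_ROOT):]

if __name__ == "__main__":
    print(file_write_target(r"C:\Program Files\LegacyApp\settings.ini"))
    print(registry_write_target(r"HKLM\Software\LegacyVendor\App"))
```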

Page 20

Demo: File & Registry Virtualization

Page 21

What defines a UAC state change
- Executables that are part of the Windows OS
- File Name
- Manifest
- Compatibility Settings
- Shims

Page 22

UAC for the Windows OS
- By default there is no warning when elevating Windows OS programs, except for CMD.exe and Regedit.exe

Page 23

What’s in a name?
- Evaluation of the file name determines the need for elevation: Setup, Install, Update
- Disable this feature in Group Policy when needed

Page 24

UAC and Manifests
- Configure the need for elevation per file: asInvoker, highestAvailable, requireAdministrator
- External or Internal
- Use mt.exe from the SDK to inject a manifest
- Use SigCheck.exe from SysInternals to view the manifest

Page 25

Demo: File names and manifests

Page 26

UAC and compatibility settings
- Configure the shortcut: RequireAdministrator, RunAsInvoker
- Create a Shim (needs the Application Compatibility Toolkit): Compatibility Administrator, Compatibility Modes, Compatibility Fixes
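An added example (not from the deck) that ties pages 9, 23, 24 and 26 together: it reads the requestedExecutionLevel from a manifest, falls back to the file-name heuristic when there is none, and then works out what a launch does for a standard user or a protected administrator under the Group Policy behaviours of page 9, with the RunAsInvoker/RequireAdministrator shortcut setting of page 26 applied on top. The manifest is constructed, and the policy names and outcome strings are this example's own labels.

```python
import xml.etree.ElementTree as ET

INSTALLER_WORDS = ("setup", "install", "update")  # the file-name heuristic of page 23

def requested_level(exe_name: str, manifest_xml: str = "", detect_installers: bool = True) -> str:
    """Level from the manifest's requestedExecutionLevel if present; otherwise the
    installer-detection heuristic on the file name; otherwise asInvoker."""
    if manifest_xml:
        for el in ET.fromstring(manifest_xml).iter():
            if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return el.get("level", "asInvoker")
    if detect_installers and any(w in exe_name.casefold() for w in INSTALLER_WORDS):
        return "requireAdministrator"
    return "asInvoker"

def launch_outcome(level, user, admin_policy="prompt_for_consent",
                   standard_policy="prompt_for_credentials", compat_layer=""):
    """user is 'standard' or 'protected_admin'. compat_layer models the shortcut
    compatibility setting (RunAsInvoker / RequireAdministrator), which overrides
    the level the file asked for."""
    if compat_layer == "RunAsInvoker":
        level = "asInvoker"
    elif compat_layer == "RequireAdministrator":
        level = "requireAdministrator"
    if level == "asInvoker" or (level == "highestAvailable" and user == "standard"):
        return "runs with the caller's token (Medium integrity)"
    if user == "protected_admin":
        return {"prompt_for_consent": "consent prompt on the secure desktop, then the High token",
                "prompt_for_credentials": "credential prompt on the secure desktop, then the High token",
                "elevate_without_prompting": "elevates silently to the High token"}[admin_policy]
    return {"prompt_for_credentials": "credential prompt for an administrator account",
            "deny": "elevation request denied"}[standard_policy]

# Constructed manifest; the namespaces are the ones Windows application manifests use.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>"""

if __name__ == "__main__":
    for exe, manifest in (("setup.exe", ""), ("setup.exe", SAMPLE_MANIFEST), ("legacy.exe", "")):
        lvl = requested_level(exe, manifest)
        print(exe, lvl, "->", launch_outcome(lvl, "standard"))
```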

Page 27

Demo: Compatibility Settings

Page 28

Does this look familiar?

Page 29

Session 0 isolation
- Services run in session 0
- Before Vista, session 0 belonged to the console
- Users log on to session 1 and higher
- If a service interacts in session 0 you see this message

Page 30

Demo: Session 0 isolation

Page 31

Why is this?

Page 32

Services SID
- A service can be a security entity
- Windows uses TrustedInstaller (Windows Installer Service)
- Only TrustedInstaller has Full Control access
- TrustedInstaller = “NT Service\TrustedInstaller”
- TrustedInstaller installs: Windows Service Packs, Hotfixes, Operating System Upgrades, Patches and installations by Windows Update
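An added example (not from the deck) showing how a service becomes a security entity: its SID is derived from the service name alone, so an ACL auditor can recognise the NT SERVICE\TrustedInstaller principal even when it only sees the raw SID. The derivation is the documented S-1-5-80 scheme; the is_trusted_installer helper is this example's own.

```python
import hashlib
import struct

# Well-known SID of the TrustedInstaller service, as shown by 'sc showsid TrustedInstaller'.
TRUSTED_INSTALLER_SID = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"

def service_sid(service_name: str) -> str:
    """Derive the per-service SID: S-1-5-80 followed by the SHA-1 of the upper-cased
    UTF-16LE service name, read as five little-endian 32-bit sub-authorities.
    Accepts the 'NT SERVICE\\name' form as well as the bare service name."""
    name = service_name.split("\\", 1)[1] if "\\" in service_name else service_name
    digest = hashlib.sha1(name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(part) for part in struct.unpack("<5I", digest))

def is_trusted_installer(principal: str) -> bool:
    """True when an ACE principal (service name or SID string) is TrustedInstaller;
    useful when auditing %WinDir% ACLs, where only this service should hold Full Control."""
    if principal.upper().startswith("S-1-5-80-"):
        return principal.upper() == TRUSTED_INSTALLER_SID
    return service_sid(principal) == TRUSTED_INSTALLER_SID

if __name__ == "__main__":
    print(service_sid(r"NT SERVICE\TrustedInstaller"))
```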

Page 33

Demo: TrustedInstaller

Page 34

Yes you can!
- User Account Control is no black magic
- UAC makes Internet Explorer a safer browser
- Analyze your applications
- Get to know the tools:
  - Whoami.exe
  - icacls.exe
  - SysInternals
  - Application Compatibility Toolkit (ACT)
  - Windows SDK

Page 35

Related Content
- WCL312: Sysinternals Primer: Autoruns, Disk2vhd, ProcDump, BgInfo and AccessChk
- WCL402: Troubleshooting Application Compatibility Issues with Windows 7

Find Me At The Springboard booth

Page 36

Track Resources

Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.

You can also find the latest information about our products at the following links:

Windows Azure - http://www.microsoft.com/windowsazure/

Microsoft System Center - http://www.microsoft.com/systemcenter/

Microsoft Forefront - http://www.microsoft.com/forefront/

Windows Server - http://www.microsoft.com/windowsserver/

Cloud Power - http://www.microsoft.com/cloud/

Private Cloud - http://www.microsoft.com/privatecloud/

Page 37

Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- http://northamerica.msteched.com: Connect. Share. Discuss.

Page 38

Complete an evaluation on CommNet and enter to win!

Page 39

Scan the Tag to evaluate this session now on myTech•Ed Mobile
