Agenda
• Introducing UAC
• The shield icon
• UAC manifests
• Least User Access (LUA) predictor tool
• Partitioning an application
• UAC test cases
Introducing UAC
• Silent installation of malicious software
• Compromised machine = lost productivity
• Some line of business (LOB) applications require elevated privileges
• Common configuration tasks require elevated privileges
• Reduced total cost of ownership (TCO) with standard user desktop
• UAC facilitates use of standard user
UAC Features
• By default, applications run as standard user
• Reduction of attack surface
• No need for dual accounts for administrative users
• Process separation
• Seamless transition
 – Eliminate unnecessary elevation
 – Be predictable
 – Require minimal effort
 – Revert to least privileges
UAC Architecture
[Diagram: an administrator logon (user "Abby") produces a split token: a "Standard User" token and an Administrator token. User processes run in standard user mode with standard user rights (Change Time Zone, Run IT-Approved Applications, Install Fonts, Install Printers, Run MSN Messenger); administrator privileges from the Administrator token are used only for elevated tasks.]
The Shield Icon
• Make applications run without elevation
 – Ensure standard users can be fully productive
 – After installation, administrative intervention NOT required
• Clearly identify administrative tasks
 – Consistently use shield icon
 – Allow users to predict elevation requirement
 – Displayed if UAC disabled
 – Only one state
 – Does not retain state
UAC Manifest
• Allows the operating system to identify application context
• Embeds in application manifest
• Legacy code still runs
 – Nonmanifested code can run with administrator privileges
• An extension to existing manifest schema
Manifest Requirement
• To meet the UAC requirement, every executable (with an .exe extension) included with an application must have an embedded manifest.
• The manifest declares one of three execution levels:
    <requestedExecutionLevel
        level="asInvoker | highestAvailable | requireAdministrator" />
Creating an Embedded Manifest with Visual Studio 7
• Automatically embed manifest in PE
• Create manifest in text editor
• Same name as target .exe
• With .manifest extension
• Set requestedExecutionLevel
Building Manifests Within C/C++ Code
• Attach manifest to executable
 – Add to resource file
 – Put manifest in source code directory
 – Rebuild application
Building Manifests for Applications Built on the .NET Framework
• Post-build step
• MT tool
• Add contents of manifest file into PE
Embedding Manifests with Command-Line Compilation
• Include manifest in PE image from command line
• Command-line switches
 – /win32res (VB/C#/J#)
• C#
 – Post-build step
 – Call mt.exe
 – Point to manifest file
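A scripted version of the manifest-and-embedding steps above, added here as an example rather than taken from the slides: it writes a manifest with the same base name as the target .exe plus .manifest, embeds it as a post-build step with mt.exe from the Windows SDK, and reads it back out of the PE to confirm the level took effect. It assumes mt.exe is on PATH; $ExePath and $Level are this script's own parameters, not names from the slides.

```powershell
# Added example, not from the slides. Usage: .\Embed-UacManifest.ps1 -ExePath .\MyApp.exe -Level asInvoker
param(
    [Parameter(Mandatory)] [string] $ExePath,
    [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
    [string] $Level = 'asInvoker'
)

# Manifest file: same name as the target .exe, with a .manifest extension
$manifestPath = "$ExePath.manifest"
$exeName      = [System.IO.Path]::GetFileNameWithoutExtension($ExePath)

# trustInfo/requestedExecutionLevel is the UAC extension to the existing manifest schema
$manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="$exeName" type="win32" />
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
Set-Content -Path $manifestPath -Value $manifest -Encoding UTF8

# Post-build step: embed the manifest as resource ID 1 (RT_MANIFEST) in the PE image
& mt.exe -nologo -manifest $manifestPath "-outputresource:$ExePath;#1"
if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }

# Verification: extract the embedded manifest again and report the level it declares
$check = Join-Path $env:TEMP "$exeName.extracted.manifest"
& mt.exe -nologo "-inputresource:$ExePath;#1" "-out:$check"
if ($LASTEXITCODE -ne 0) { throw "no manifest could be read back from $ExePath" }
$embedded = [xml](Get-Content -Path $check -Raw)
$actual   = $embedded.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel.level
Write-Output "Embedded requestedExecutionLevel for ${exeName}.exe = $actual"
```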
Using the LUA Privilege Predictor Tool
• Run application as nonadministrator
• Bug-fixing labor-intensive
• Least User Access (LUA)
• Predict privilege problems
• Diagnose privilege problems
Separation of Administrator Code
• Elevated privileges for certain tasks
• Launch separate process
 – ShellExecute, or
 – Create an administrator COM object to perform the elevated task
 – Use the COM elevation moniker
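The "launch a separate process" pattern above, added here as an example that is not from the slides: the main program keeps running with the standard user token and only the administrative step runs in a second process started through the ShellExecute "runas" verb (Start-Process -Verb RunAs), which is what raises the UAC consent prompt. $AdminHelper is an assumed helper executable that performs the elevated task; the slides name no such file.

```powershell
# Added example, not from the slides. Invoke-AdminTask and Test-IsElevated are names chosen here.

function Test-IsElevated {
    # With the split token, a standard-user process is NOT in the Administrators role even
    # when the logged-on user is an administrator; only the elevated token passes this check.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-AdminTask {
    param(
        [Parameter(Mandatory)] [string] $AdminHelper,   # assumed helper .exe, manifested requireAdministrator
        [string[]] $Arguments = @()
    )
    $startArgs = @{ FilePath = $AdminHelper; Wait = $true; PassThru = $true }
    if ($Arguments.Count -gt 0) { $startArgs.ArgumentList = $Arguments }

    # Eliminate unnecessary elevation: only request the "runas" verb when this
    # process is still running with the standard user token.
    if (-not (Test-IsElevated)) { $startArgs.Verb = 'RunAs' }

    try {
        $proc = Start-Process @startArgs
        return $proc.ExitCode        # the caller never gains administrator rights itself
    } catch {
        # Start-Process fails here when the user declines the consent/credential prompt
        # ("The operation was canceled by the user"); report it as ERROR_CANCELLED (1223).
        Write-Warning "Elevated task was not run: $($_.Exception.Message)"
        return 1223
    }
}

# Usage (paths and arguments are constructed placeholders):
# $rc = Invoke-AdminTask -AdminHelper 'C:\Program Files\Contoso\AdminHelper.exe' -Arguments '--install-printer', 'Lab1'
```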
UAC Test Cases
• Verify that all of the application’s executables contain an embedded manifest that defines its execution level
• Verify that least-privilege users cannot modify other users’ documents or files
• Verify that a least-privilege user is not able to save files to the Windows System directory
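The three test cases above as a script, added here as an example that is not from the slides. It is meant to be run under the standard user token (not elevated); it assumes mt.exe from the Windows SDK is on PATH, $AppDir is the installed application folder, and $OtherUserDoc points at an existing file owned by a different account (the default value is a constructed placeholder).

```powershell
# Added example, not from the slides. Exit code = number of failed checks.
param(
    [Parameter(Mandatory)] [string] $AppDir,
    [string] $OtherUserDoc = 'C:\Users\OtherUser\Documents\private.txt'   # constructed placeholder path
)
$failures = 0

# Test 1: every .exe carries an embedded manifest with a valid requestedExecutionLevel
$validLevels = 'asInvoker', 'highestAvailable', 'requireAdministrator'
foreach ($exe in Get-ChildItem -Path $AppDir -Recurse -Filter *.exe) {
    $tmp = Join-Path $env:TEMP ($exe.BaseName + '.manifest')
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    & mt.exe -nologo "-inputresource:$($exe.FullName);#1" "-out:$tmp" 2>$null
    $level = $null
    if ($LASTEXITCODE -eq 0 -and (Test-Path $tmp)) {
        $level = ([xml](Get-Content -Path $tmp -Raw)).assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel.level
    }
    if ($level -in $validLevels) { Write-Host "PASS manifest: $($exe.Name) -> $level" }
    else { Write-Host "FAIL manifest: $($exe.Name) has no valid requestedExecutionLevel"; $failures++ }
}

# A write that must be refused while running with the standard user token; returns 1 on failure
function Assert-WriteDenied([string] $Path, [string] $Label) {
    try {
        Add-Content -Path $Path -Value 'uac-test' -ErrorAction Stop
        Write-Host "FAIL ${Label}: write to $Path succeeded"
        return 1
    } catch [System.UnauthorizedAccessException] {
        Write-Host "PASS ${Label}: write to $Path denied"
        return 0
    } catch {
        # e.g. the path does not exist: the check is inconclusive, so count it as a failure
        Write-Host "FAIL ${Label}: inconclusive ($($_.Exception.Message))"
        return 1
    }
}

# Test 2: a least-privilege user cannot modify another user's documents
$failures += Assert-WriteDenied -Path $OtherUserDoc -Label 'other-user file'
# Test 3: a least-privilege user cannot save files into the Windows System directory
$failures += Assert-WriteDenied -Path (Join-Path $env:windir 'System32\uac-test.txt') -Label 'System32'

exit $failures
```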
Summary
• Introducing UAC
• The shield icon
• UAC manifests
• LUA predictor tool
• Partitioning an application
• UAC test cases
Additional Resources
• Professional Developers Conference 2005: http://commnet.microsoftpdc.com/content/downloads.aspx (search for FUN406)
• Windows Vista security: http://msdn.microsoft.com/windowsvista/security/
• Getting Started with User Account Control on Windows Vista Beta 1: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
• Developer Best Practices and Guidelines for Applications in a Least Privileged Environment: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
• UAC Blog: http://blogs.msdn.com/uac