mark russinovichmark russinovich technical fellow psdtechnical fellow psd microsoft...
TRANSCRIPT
Windows Vista Security:User Account Control and Protected Mode IE
Mark RussinovichTechnical Fellow PSDMicrosoft Corporation
EUSEC West February 2, 2007
2
About Me
Technical Fellow, MicrosoftCo-founder and chief software architect of Winternals Software Co-author of Windows Internals, 4th edition and Inside Windows 2000, 3rd Edition with David SolomonAuthor of tools on www.sysinternals.com
Home of blog and forums
Contributing Editor, Windows IT Pro Magazine, TechNet MagazinePh.D. in Computer Engineering
3
Outline
User Account Control GoalsRunning as Standard UserConveniently Accessing Administrative RightsIsolating Elevated ProcessesProtected Mode Internet ExplorerUAC’s Impact on Malware
4
UAC GoalsEnable users run to run with standard user rights
Prevents deliberate (and accidental) modification of system settingsReduces malware impact by preventing modification of security settings and hardwarePrevents compromise of sensitive information on shared computers
5
UAC Goals (cont)To get there Windows had to address several problems:
The Windows usage model has been one of administrative rights
Applications use them without knowing itThose that need it don’t distinguish administrative from standard user actions
Users want administrative rights to easily perform operations that require them
Software installationsChanging the time zoneChanging firewall settingsEtc.
6
The UAC SolutionMake it possible to run most applications with standard user rights
Change the rights requirements of Windows operationsEnable legacy applications to run with standard user rights
Remove reasons for users to run as administrators at all times
Make it convenient to access administrative rights when necessary
Encourage ISVs to code new applications to run with standard user rights
Enable even administrators run as standard users
7
Outline
User Account Control GoalsRunning as Standard UserConveniently Accessing Administrative RightsIsolating Elevated ProcessesProtected Mode Internet ExplorerUAC’s Impact on Malware
8
Making Windows Standard User-Friendly
In Vista, many previously-admin operations are accessible by standard users:
View system clock and calendar Change time zone Configure Wired Equivalent Privacy (WEP) to connect to secure wireless networks Change power management settings Add printers and other devices that have the required drivers installed on computer or have been allowed by an IT administrator in Group Policy Install ActiveX Controls from sites approved by an administrator Create and configure a Virtual Private Network connection Install critical Windows Updates
9
Helping Legacy Applications Run as Standard User
Many applications would run fine as standard user, but they needlessly store data in HKLM\Software or %ProgramFiles%
They use these locations for per-user data, not global dataThese locations are system-global and so only writeable by administratorsIt’s always worked because Windows users have always been administrators
The solution: help them through virtualizationModifications of most system-global locations go to per-user areasReads generally go to the per-user location and fall back to the global location
10
Virtualized ProcessesProcesses are virtualized unless:
They are 64-bitThey have a requestedExecutionLevel in their executable manifest
Most Windows Vista executables
They are running with administrative rights (described later)Note: operations not originating from an interactive login session are not virtualized e.g. file sharing
Can be turned off globally via local security policy setting (secpol.msc):
11
Virtualized FilesRedirected file system locations:
%ProgramFiles% (\Program Files)%AllUsersProfile% (\ProgramData – what was \Documents and Settings\All Users)%SystemRoot% (\Windows)%SystemRoot%\System32 (\Windows\System32)Exceptions:
Files that have executable extensions (.exe, .bat, .vbs, .scr, etc)
Prevents masking of executables for servicing and security
Exceptions can be added in HKLM\System\CurrentControlSet\Services\Luafv\Parameters
\ExcludedExtensionsAdd
Per-user virtual root:%UserProfile%\AppData\Local\VirtualStoreNote: Virtual files do not roam with Roaming Profiles
12
Viewing Virtualized FilesExplorer shows a Compatibility Files button when there are virtual files present
Opens view of virtual location
13
File Virtualization ImplementationFile system virtualization is implemented in a file system filter
driver, luafv.sys
Luafv.sys
Ntfs.sys
Legacy Application
User Mode
Kernel Mode
\Windows\App.ini
\Users\<user>\AppData\Local\VirtualStore\Windows\App.ini
Vista Application
\Windows\App.ini
Access Denied
14
Registry VirtualizationRedirected locations:
HKLM\SoftwareExceptions:
HKLM\Software\Microsoft\WindowsHMLM\Software\Microsoft\Windows NTOther subkeys under Microsoft
Per-user virtual root:HKEY_CURRENT_USER\Software\Classes\VirtualStore
15
Registry Virtualization FlagsEach Registry key under HKLM\Software has
three new flags:Don’t Virtualize: disable virtualizationDon’t Silent Fail: if not virtualized, return maximum-allowed access instead of errorRecurse: propagate flags to child keys
Windows Vista Reg.exe is flag-aware:
16
Registry Virtualization Implementation
Registry virtualization is built-into the Registry
Ntoskrnl.exe
Legacy Application
User Mode
Kernel Mode
HKLM\Software\App
HKCU\Software\Classes\VirtualStore\Machine\Software\App
Vista Application
Registry
Access Denied
17
Application-Specific BehaviorSome applications have to be helped in other
ways to run as Standard UserWindows Vista includes built-in application-compatibility shimsUsers can define shims for other applications
Most common standard user shims:ForceAdminAccess: spoofs queries of administrator group membershipVirtualizeDeleteFile: spoofs deletion of global fileLocalMappedObject: forces global section objects into user’s namespaceVirtualizeHKCRLite, VirtualizeRegisterTypeLib: redirects global registration of COM objects
18
User-Applied ShimsIf an application runs as administrator, but fails as standard user, use the Standard User Analyzer (SUA) to watch its behavior
Free download from MicrosoftDoesn’t necessarily see all administrator operations
Assign the application shims with the Compatibility Administrator
Part of the Application Compatibility Toolkit from MicrosoftCreates a Shim Database (.sdb) that you can install manually or with Sdbinst.exe
19
Outline
User Account Control GoalsRunning as Standard UserConveniently Accessing Administrative RightsIsolating Elevated ProcessesProtected Mode Internet ExplorerUAC’s Impact on Malware
20
Accessing Administrative Rights
Problem: there are still operations that require administrative rights:
Installing applicationsModifying system-global settingsParental controls
Solution: make it convenient to access administrative rights from standard user accounts
Identify operations that require administrative rightsAllow for “run as” functionality
Called Over The Shoulder (OTS) elevation when accessed by a standard user accountCalled Consent elevation when accessed by Admin Approval Mode
21
Administrator Approval Mode
Problem: even administrators should run as standard user
Otherwise, there would be no major shift out of the Windows administrator environment But have to make it convenient to access administrator rights
Solution: have administrators run with a split personality
Two identities created for user when they login: User as standard userUser as administrator
Called Admin Approval Mode (AAM)
22
Recognizing Administrators
User is considered an administrator if they belong to any admin-type group e.g.:
AdministratorsControllersCertificate AdministratorsEnterprise AdministratorsSchema Administrators
23
Recognizing Administrators (cont)
User is considered an administrator if they have any administrator privileges:
Create TokenTCBTake OwnershipBackup RestoreDebugImpersonateRelabelLoad Driver
24
Administrator’s Standard User Identity: GroupsAdministrator’s standard user token is
subset of their full administrator tokenAdministrator groups are marked as “deny only” groups
Applies to Domain Administrators, Builtin\Administrators and othersCan only be used to deny access, never to grant
E.g. if file only allows administrator access, user is denied accessE.g. if allows a user’s group access, but denies administrators, user is denied access
25
Administrator’s Standard User Identity: PrivilegesAll privileges except the following are stripped:
Change NotifyShutdownUndockReserve ProcessorTime Zone
When authenticating to remote resources:If system is non-domain joined, user authenticates as standard user If domain-joined and an administrator of the remote resource, user authenticates as administrator
26
Requesting Administrator RightsThere are four mechanisms whereby administrator
rights can be requested:Executable manifest file includes a elevation level that asks for itProcess launch believes executable is a setup program
E.g. name has “setup”, “update” or “install” or it has bytes of known setup engines
User asks for it by selecting “Run as administrator” option from Explorer context menu or shortcut property
Application Compatibility database includes an ElevateCreateProcess shim for the executable
Windows and applications identify administrator operations with a shield icon
27
Requesting Administrator in a ManifestManifest files were introduced in Windows XP to
support side-by-side DLLs Used for XP’s Common Control v6 dialog .NET uses it for managed code “assemblies”Embedded in resources of binary file
Vista introduces a new key, requestedElevationLevel, that can be one of three values:
asInvoker: Run with the user’s rightshighestAvailable: if standard user then don’t ask, but if user is an administrator, then askrequireAdministrator: always ask
28
Elevation PromptsDialog gives user information on what is asking for administrative rights
File description, if executable is digitally signed; otherwise file namePublisher, if executable is digitally signedOpening Details reveals command line
Coloration indicates level of trust for the application source
Blue: core Windows components in protected locationsGrey: all other digitally signed codeOrange: unsigned code - do not run unless you know the source
OTS: Dialog contains “tiles” for known administrator accounts
Credentials create new logon session token
AAM: Dialog has “Continue” and “Cancel” buttonContinue unlocks Administrative token
29
Elevation Dialogs
30
Elevation Prompt Internals
Elevation dialog is presented by Consent.exeDisplays on secure desktop to prevent UI interferenceChild of Service Host (Svchost.exe) process containing AppInfo service
Elevated processes are created by AppInfo service
It’s re-parented to look like a child of the requesting process via a new CreateProcess parameter
31
Elevation Prompt Internals (cont)
Explorer
AppInfo ServiceRPC
Consent.exe
Admin.exe
ShellExecute( Admin.exe)
Standard User Local System Administrator
Re-parented
CreateProcessAsUser( Admin.exe)
32
Prompting CaveatsConsent and OTS dialogs only identify the primary executable
They do not identify other code, such as DLLs the executable may load or processes the executable may start
Display on a secure desktop does not prevent credential dialog spoofing
Allows user to “own” the administrator account and its data (not the system, though)Home users should configure Control+Alt+Del
Group policy setting
33
Configuring OTS CAD
Access the setting with the Group Policy Editor (gpedit.msc)
Note that AAM elevation will not go to the secure desktop when this is enabled (will be fixed in SP1)
34
Disabling OTSOTS is discouraged for corporate environments
It’s availability will cause help desk calls
Can be turned off through security policy
35
Outline
User Account Control GoalsRunning as Standard UserConveniently Accessing Administrative RightsIsolating Elevated ProcessesProtected Mode Internet ExplorerUAC’s Impact on Malware
36
Isolating Elevated ProcessesProblem: elevated processes run on the same desktop as standard user processesSolution: Windows Vista isolates the windows and processes of elevated processes
Window isolation is called User Interface Privilege Isolation (UIPI)
Prevents malware from “driving” the input of an elevated process
Does not prevent accessibility apps (e.g. on-screen keyboard) from sending input
Prevents malware from executing “shatter attacks”
In AAM, additional process isolation is required because otherwise a user has full access to their own process, including elevated processes
37
Windows Integrity Level Mechanism
Underlying technology is a new Integrity level mechanism
Integrity levels are assigned to processes (subjects) and objectsIntegrity policy restricts access granted by Discretionary Access Control (DAC) security model
38
Integrity Levels and policy
Integrity levels defined by Security IDs (SIDs)The RID defines the integrity level
Primary integrity levelsLow S-1-16-4096 (0x1000)Medium S-1-16-8192 (0x2000)High S-1-16-12288 (0x3000)System S-1-16-16384 (0x4000)
Integrity level policies associated with generic access rights
No-Write-Up - lower IL process cannot modify higher IL objectNo-Read-Up – prevents lower IL process from having generic readNo-Execute-Up – prevents lower IL process generic execute access
Default policy is No-Write-Up Plus No-Read-Up for processes
39
Process Integrity LevelSecurity token in every process is assigned an integrity levelExamples of assigned levels:
Low Protected-mode IE, and processes started by PM IEMedium Standard user processes, non-elevated admin
Accessibility processes run at slightly above Medium
High Elevated Administrator processesSystem Local System, Local and Network Service processes
Process usually inherits the IL of its parentIf an executable file has an explicit IL, process will have an IL that is the minimum of parent’s and file’sProcesses can also be created at an explicit IL (e.g. elevation)
Ways to view a process’ integrity level:Command: Whoami /allSysinternals Process Explorer and AccessChk
40
Object Integrity LevelsEvery securable object has an IL, either explicit or implicit
Processes, threads and tokens always have an explicit ILObjects have an implicit level of Medium
Most objects are Medium ILObjects created by medium+ processes get medium ILObjects created by low IL processes get low IL
Built-in Icacls utility and Sysinternals AccessChk show object integrity levels
41
Integrity Level in Security Descriptors
Object integrity level is defined by a new Mandatory Label Access Control Entry (ACE) type
SID in the label ACE identifies the integrity level
Label ACE is stored in the System Access Control List (SACL)
SACLs also store audit ACEsReading audit ACEs requires the Security privilege, but reading a label ACE requires only Read Permissions access (READ_CONTROL)
ObjectMarkRuss
Read
Access Deny
Devs
Full
Access Allow
Medium
No Write Up
Integrity Level
MarkRuss
Read
Audit Fail
MarkRussDACLSACL
Security Descriptor
Label ACE
42
Modifying Object Integrity Levels
A process can modify an object’s integrity level if:
It has WRITE_OWNER permission and has an IL equal to or higher than the IL of the object
Note that WRITE_OWNER allows only lowering of the integrity level
Or it has the new “Modify an Object Label” privilege (SeRelabelPrivilege)
Not assigned to any account by default
43
Integrity Levels and Access Checks
Integrity check implemented in AccessCheck() APIIntegrity check happens before discretionary access check
A thread can only open an object for write access if its token IL is equal to or higher than that of the object
For example, a Low IL process cannot open a Medium object for Write access, even if the DACL grants the user Write access
Threads can open any object for read accessException is process/thread because “no read up” flag is set in their label ACE
Thread IL must be equal to or higher than process IL to open itPrevents sensitive information (e.g. passwords) leakage via memory reads
44
Object Versus Process Accesses
Medium ILProcess
High
Medium
Low
High
Medium
Low
ReadWrite
Low ILProcess
Processes Objects
45
Integrity Levels and User Interface
The Windows subsystem also honors integrity levels with UIPI
Lower IL process cannot send window messages to a window of a higher IL app based on filter
Certain read-type messages are allowed past filter and can be sent to the higher IL windows processHigher IL process can register additional messages that pass filter (ChangeWindowMessageFilter)
Lower IL process cannot install hooks Prevents “shatter” attacks
46
Elevation CaveatsElevations are not a security boundary
There is no guarantee that malware can’t hijack the elevation process or compromise an elevated application
Potential elevation techniques include:Side-by-Side code injection or replacement of private DLLsSquatting on or compromising Base Named Objects (e.g. shared memory, synchronization objects, etc.)Running something other than what you specifiedIn AAM, elevated processes share state with standard user environment e.g. HCKU, environment variablesIn AAM, malware can drive input
Switch to a dedicated administrator account for securely running as administrator
47
Disabling UACUAC can be turned off through security policy (and UI):
Note: this also turns off Protected-Mode IE
48
Outline
User Account Control GoalsRunning as Standard UserConveniently Accessing Administrative RightsIsolating Elevated ProcessesProtected Mode Internet ExplorerUAC’s Impact on Malware
49
Protected-Mode Internet Explorer
Problem: “drive-by-download” malware uses buffer overflows and other vulnerabilities in IE, IE extensions, and ActiveX controls to compromise the user
Modifies behavior of user’s accountInstalls malware
Solution: IE 7 on Vista uses integrity and UIPI to isolate IE from the user’s other processes, windows and settings
Runs IE at Low ILAlso called Low-Rights IE (LoRIE)
Objects that must be writeable by IE are set to Low IL e.g.:Temporary Internet FilesCookiesRecycle BinVarious Registry keys, including ones under HKCU\Software\Microsoft\Internet Explorer
50
Saving Content in Protected-Mode IEIE promotes explicitly downloaded content to
Medium Makes it equivalent to the user’s other data and codePrevents malware from tampering with it
IE running at low can’t do that itselfDownloads first to a Low directory Asks IEUser.exe, which runs at Medium IL, to promote:
IExplore.exe(Low)
IEUser.exe(Medium)
IEShowFileSaveDialog IESaveFile
51
Installing ActiveX ControlsIEInstal.exe is the broker process for
ActiveX installationsRuns at High ILActivated via AppInfo servicePrompts the user as appropriate (OTS or Consent)
52
Protected-Mode IE CaveatsProtected-Mode IE does not stop malware
from reading user dataEven at low integrity, IExplore shares state with the user’s other processes
It may be possible for malware to elevate to Medium3rd-party IE extensions may allow malware to elevate“don’t ask me again” applications can allow elevation
53
Outline
User Account Control GoalsRunning as Standard UserConveniently Accessing Administrative RightsIsolating Elevated ProcessesProtected Mode Internet ExplorerUAC’s Impact on Malware
54
UAC’s Impact on Malware
Malware developers are ISV’s tooThey will code for standard user
Malware will thrive in a standard user environment
It can still read all the user’s dataCan hide from the user with user-mode rootkitsCan control what applications (e.g. anti-malware) the user can access
55
UAC’s Impact on Malware (cont)
Malware will develop elevation techniquesElevating enables it to jump accounts and to disable securityIt will develop general and application-specific elevation hijackingIt will socially engineer elevation prompts
Malware will spoof the OTS credential promptCan launch medium IL process in administrator’s account
It has access to all the administrator’s dataIt can inject itself into the administrator’s account e.g. the Run key
Once in the administrator’s account it can use elevation techniques
56
ConclusionUAC’s fundamental contribution is making it possible to run as standard user (especially corporate environments)
Protects the systemProtects other users on the system
Elevations are a convenience and not a security boundary
Prevents malware from automatically obtaining administrative rights
Gives antimalware a chance to mitigate
Switching to a dedicated administrator account is more secure