mark russinovichmark russinovich technical fellow psdtechnical fellow psd microsoft...

Windows Vista Security:User Account Control and Protected Mode IE

Mark RussinovichTechnical Fellow PSDMicrosoft Corporation

EUSEC West February 2, 2007

2

About Me

Technical Fellow, MicrosoftCo-founder and chief software architect of Winternals Software Co-author of Windows Internals, 4th edition and Inside Windows 2000, 3rd Edition with David SolomonAuthor of tools on www.sysinternals.com

Home of blog and forums

Contributing Editor, Windows IT Pro Magazine, TechNet MagazinePh.D. in Computer Engineering

http://www.sysinternals.com/

3

Outline

User Account Control GoalsRunning as Standard UserConveniently Accessing Administrative RightsIsolating Elevated ProcessesProtected Mode Internet ExplorerUAC’s Impact on Malware

4

UAC GoalsEnable users run to run with standard user rights

Prevents deliberate (and accidental) modification of system settingsReduces malware impact by preventing modification of security settings and hardwarePrevents compromise of sensitive information on shared computers

5

UAC Goals (cont)To get there Windows had to address several problems:

The Windows usage model has been one of administrative rights

Applications use them without knowing itThose that need it don’t distinguish administrative from standard user actions

Users want administrative rights to easily perform operations that require them

Software installationsChanging the time zoneChanging firewall settingsEtc.

6

The UAC SolutionMake it possible to run most applications with standard user rights

Change the rights requirements of Windows operationsEnable legacy applications to run with standard user rights

Remove reasons for users to run as administrators at all times

Make it convenient to access administrative rights when necessary

Encourage ISVs to code new applications to run with standard user rights

Enable even administrators run as standard users

7

Outline


8

Making Windows Standard User-Friendly

In Vista, many previously-admin operations are accessible by standard users:

View system clock and calendar Change time zone Configure Wired Equivalent Privacy (WEP) to connect to secure wireless networks Change power management settings Add printers and other devices that have the required drivers installed on computer or have been allowed by an IT administrator in Group Policy Install ActiveX Controls from sites approved by an administrator Create and configure a Virtual Private Network connection Install critical Windows Updates

9

Helping Legacy Applications Run as Standard User

Many applications would run fine as standard user, but they needlessly store data in HKLM\Software or %ProgramFiles%

They use these locations for per-user data, not global dataThese locations are system-global and so only writeable by administratorsIt’s always worked because Windows users have always been administrators

The solution: help them through virtualizationModifications of most system-global locations go to per-user areasReads generally go to the per-user location and fall back to the global location

10

Virtualized ProcessesProcesses are virtualized unless:

They are 64-bitThey have a requestedExecutionLevel in their executable manifest

Most Windows Vista executables

They are running with administrative rights (described later)Note: operations not originating from an interactive login session are not virtualized e.g. file sharing

Can be turned off globally via local security policy setting (secpol.msc):

11

Virtualized FilesRedirected file system locations:

%ProgramFiles% (\Program Files)%AllUsersProfile% (\ProgramData – what was \Documents and Settings\All Users)%SystemRoot% (\Windows)%SystemRoot%\System32 (\Windows\System32)Exceptions:

Files that have executable extensions (.exe, .bat, .vbs, .scr, etc)

Prevents masking of executables for servicing and security

Exceptions can be added in HKLM\System\CurrentControlSet\Services\Luafv\Parameters

\ExcludedExtensionsAdd

Per-user virtual root:%UserProfile%\AppData\Local\VirtualStoreNote: Virtual files do not roam with Roaming Profiles

12

Viewing Virtualized FilesExplorer shows a Compatibility Files button when there are virtual files present

Opens view of virtual location

13

File Virtualization ImplementationFile system virtualization is implemented in a file system filter

driver, luafv.sys

Luafv.sys

Ntfs.sys

Legacy Application

User Mode

Kernel Mode

\Windows\App.ini

\Users\<user>\AppData\Local\VirtualStore\Windows\App.ini

Vista Application

\Windows\App.ini

Access Denied

14

Registry VirtualizationRedirected locations:

HKLM\SoftwareExceptions:

HKLM\Software\Microsoft\WindowsHMLM\Software\Microsoft\Windows NTOther subkeys under Microsoft

Per-user virtual root:HKEY_CURRENT_USER\Software\Classes\VirtualStore

15

Registry Virtualization FlagsEach Registry key under HKLM\Software has

three new flags:Don’t Virtualize: disable virtualizationDon’t Silent Fail: if not virtualized, return maximum-allowed access instead of errorRecurse: propagate flags to child keys

Windows Vista Reg.exe is flag-aware:

16

Registry Virtualization Implementation

Registry virtualization is built-into the Registry

Ntoskrnl.exe

Legacy Application

User Mode

Kernel Mode

HKLM\Software\App

HKCU\Software\Classes\VirtualStore\Machine\Software\App

Vista Application

Registry

Access Denied

17

Application-Specific BehaviorSome applications have to be helped in other

ways to run as Standard UserWindows Vista includes built-in application-compatibility shimsUsers can define shims for other applications

Most common standard user shims:ForceAdminAccess: spoofs queries of administrator group membershipVirtualizeDeleteFile: spoofs deletion of global fileLocalMappedObject: forces global section objects into user’s namespaceVirtualizeHKCRLite, VirtualizeRegisterTypeLib: redirects global registration of COM objects

18

User-Applied ShimsIf an application runs as administrator, but fails as standard user, use the Standard User Analyzer (SUA) to watch its behavior

Free download from MicrosoftDoesn’t necessarily see all administrator operations

Assign the application shims with the Compatibility Administrator

Part of the Application Compatibility Toolkit from MicrosoftCreates a Shim Database (.sdb) that you can install manually or with Sdbinst.exe

19

Outline


20

Accessing Administrative Rights

Problem: there are still operations that require administrative rights:

Installing applicationsModifying system-global settingsParental controls

Solution: make it convenient to access administrative rights from standard user accounts

Identify operations that require administrative rightsAllow for “run as” functionality

Called Over The Shoulder (OTS) elevation when accessed by a standard user accountCalled Consent elevation when accessed by Admin Approval Mode

21

Administrator Approval Mode

Problem: even administrators should run as standard user

Otherwise, there would be no major shift out of the Windows administrator environment But have to make it convenient to access administrator rights

Solution: have administrators run with a split personality

Two identities created for user when they login: User as standard userUser as administrator

Called Admin Approval Mode (AAM)

22

Recognizing Administrators

User is considered an administrator if they belong to any admin-type group e.g.:

AdministratorsControllersCertificate AdministratorsEnterprise AdministratorsSchema Administrators

23

Recognizing Administrators (cont)

User is considered an administrator if they have any administrator privileges:

Create TokenTCBTake OwnershipBackup RestoreDebugImpersonateRelabelLoad Driver

24

Administrator’s Standard User Identity: GroupsAdministrator’s standard user token is

subset of their full administrator tokenAdministrator groups are marked as “deny only” groups

Applies to Domain Administrators, Builtin\Administrators and othersCan only be used to deny access, never to grant

E.g. if file only allows administrator access, user is denied accessE.g. if allows a user’s group access, but denies administrators, user is denied access

25

Administrator’s Standard User Identity: PrivilegesAll privileges except the following are stripped:

Change NotifyShutdownUndockReserve ProcessorTime Zone

When authenticating to remote resources:If system is non-domain joined, user authenticates as standard user If domain-joined and an administrator of the remote resource, user authenticates as administrator

26

Requesting Administrator RightsThere are four mechanisms whereby administrator

rights can be requested:Executable manifest file includes a elevation level that asks for itProcess launch believes executable is a setup program

E.g. name has “setup”, “update” or “install” or it has bytes of known setup engines

User asks for it by selecting “Run as administrator” option from Explorer context menu or shortcut property

Application Compatibility database includes an ElevateCreateProcess shim for the executable

Windows and applications identify administrator operations with a shield icon

27

Requesting Administrator in a ManifestManifest files were introduced in Windows XP to

support side-by-side DLLs Used for XP’s Common Control v6 dialog .NET uses it for managed code “assemblies”Embedded in resources of binary file

Vista introduces a new key, requestedElevationLevel, that can be one of three values:

asInvoker: Run with the user’s rightshighestAvailable: if standard user then don’t ask, but if user is an administrator, then askrequireAdministrator: always ask

28

Elevation PromptsDialog gives user information on what is asking for administrative rights

File description, if executable is digitally signed; otherwise file namePublisher, if executable is digitally signedOpening Details reveals command line

Coloration indicates level of trust for the application source

Blue: core Windows components in protected locationsGrey: all other digitally signed codeOrange: unsigned code - do not run unless you know the source

OTS: Dialog contains “tiles” for known administrator accounts

Credentials create new logon session token

AAM: Dialog has “Continue” and “Cancel” buttonContinue unlocks Administrative token

29

Elevation Dialogs

30

Elevation Prompt Internals

Elevation dialog is presented by Consent.exeDisplays on secure desktop to prevent UI interferenceChild of Service Host (Svchost.exe) process containing AppInfo service

Elevated processes are created by AppInfo service

It’s re-parented to look like a child of the requesting process via a new CreateProcess parameter

31

Elevation Prompt Internals (cont)

Explorer

AppInfo ServiceRPC

Consent.exe

Admin.exe

ShellExecute( Admin.exe)

Standard User Local System Administrator

Re-parented

CreateProcessAsUser( Admin.exe)

32

Prompting CaveatsConsent and OTS dialogs only identify the primary executable

They do not identify other code, such as DLLs the executable may load or processes the executable may start

Display on a secure desktop does not prevent credential dialog spoofing

Allows user to “own” the administrator account and its data (not the system, though)Home users should configure Control+Alt+Del

Group policy setting

33

Configuring OTS CAD

Access the setting with the Group Policy Editor (gpedit.msc)

Note that AAM elevation will not go to the secure desktop when this is enabled (will be fixed in SP1)

34

Disabling OTSOTS is discouraged for corporate environments

It’s availability will cause help desk calls

Can be turned off through security policy

35

Outline


36

Isolating Elevated ProcessesProblem: elevated processes run on the same desktop as standard user processesSolution: Windows Vista isolates the windows and processes of elevated processes

Window isolation is called User Interface Privilege Isolation (UIPI)

Prevents malware from “driving” the input of an elevated process

Does not prevent accessibility apps (e.g. on-screen keyboard) from sending input

Prevents malware from executing “shatter attacks”

In AAM, additional process isolation is required because otherwise a user has full access to their own process, including elevated processes

37

Windows Integrity Level Mechanism

Underlying technology is a new Integrity level mechanism

Integrity levels are assigned to processes (subjects) and objectsIntegrity policy restricts access granted by Discretionary Access Control (DAC) security model

38

Integrity Levels and policy

Integrity levels defined by Security IDs (SIDs)The RID defines the integrity level

Primary integrity levelsLow S-1-16-4096 (0x1000)Medium S-1-16-8192 (0x2000)High S-1-16-12288 (0x3000)System S-1-16-16384 (0x4000)

Integrity level policies associated with generic access rights

No-Write-Up - lower IL process cannot modify higher IL objectNo-Read-Up – prevents lower IL process from having generic readNo-Execute-Up – prevents lower IL process generic execute access

Default policy is No-Write-Up Plus No-Read-Up for processes

39

Process Integrity LevelSecurity token in every process is assigned an integrity levelExamples of assigned levels:

Low Protected-mode IE, and processes started by PM IEMedium Standard user processes, non-elevated admin

Accessibility processes run at slightly above Medium

High Elevated Administrator processesSystem Local System, Local and Network Service processes

Process usually inherits the IL of its parentIf an executable file has an explicit IL, process will have an IL that is the minimum of parent’s and file’sProcesses can also be created at an explicit IL (e.g. elevation)

Ways to view a process’ integrity level:Command: Whoami /allSysinternals Process Explorer and AccessChk

40

Object Integrity LevelsEvery securable object has an IL, either explicit or implicit

Processes, threads and tokens always have an explicit ILObjects have an implicit level of Medium

Most objects are Medium ILObjects created by medium+ processes get medium ILObjects created by low IL processes get low IL

Built-in Icacls utility and Sysinternals AccessChk show object integrity levels

41

Integrity Level in Security Descriptors

Object integrity level is defined by a new Mandatory Label Access Control Entry (ACE) type

SID in the label ACE identifies the integrity level

Label ACE is stored in the System Access Control List (SACL)

SACLs also store audit ACEsReading audit ACEs requires the Security privilege, but reading a label ACE requires only Read Permissions access (READ_CONTROL)

ObjectMarkRuss

Read

Access Deny

Devs

Full

Access Allow

Medium

No Write Up

Integrity Level

MarkRuss

Read

Audit Fail

MarkRussDACLSACL

Security Descriptor

Label ACE

42

Modifying Object Integrity Levels

A process can modify an object’s integrity level if:

It has WRITE_OWNER permission and has an IL equal to or higher than the IL of the object

Note that WRITE_OWNER allows only lowering of the integrity level

Or it has the new “Modify an Object Label” privilege (SeRelabelPrivilege)

Not assigned to any account by default

43

Integrity Levels and Access Checks

Integrity check implemented in AccessCheck() APIIntegrity check happens before discretionary access check

A thread can only open an object for write access if its token IL is equal to or higher than that of the object

For example, a Low IL process cannot open a Medium object for Write access, even if the DACL grants the user Write access

Threads can open any object for read accessException is process/thread because “no read up” flag is set in their label ACE

Thread IL must be equal to or higher than process IL to open itPrevents sensitive information (e.g. passwords) leakage via memory reads

44

Object Versus Process Accesses

Medium ILProcess

High

Medium

Low

High

Medium

Low

ReadWrite

Low ILProcess

Processes Objects

45

Integrity Levels and User Interface

The Windows subsystem also honors integrity levels with UIPI

Lower IL process cannot send window messages to a window of a higher IL app based on filter

Certain read-type messages are allowed past filter and can be sent to the higher IL windows processHigher IL process can register additional messages that pass filter (ChangeWindowMessageFilter)

Lower IL process cannot install hooks Prevents “shatter” attacks

46

Elevation CaveatsElevations are not a security boundary

There is no guarantee that malware can’t hijack the elevation process or compromise an elevated application

Potential elevation techniques include:Side-by-Side code injection or replacement of private DLLsSquatting on or compromising Base Named Objects (e.g. shared memory, synchronization objects, etc.)Running something other than what you specifiedIn AAM, elevated processes share state with standard user environment e.g. HCKU, environment variablesIn AAM, malware can drive input

Switch to a dedicated administrator account for securely running as administrator

47

Disabling UACUAC can be turned off through security policy (and UI):

Note: this also turns off Protected-Mode IE

48

Outline


49

Protected-Mode Internet Explorer

Problem: “drive-by-download” malware uses buffer overflows and other vulnerabilities in IE, IE extensions, and ActiveX controls to compromise the user

Modifies behavior of user’s accountInstalls malware

Solution: IE 7 on Vista uses integrity and UIPI to isolate IE from the user’s other processes, windows and settings

Runs IE at Low ILAlso called Low-Rights IE (LoRIE)

Objects that must be writeable by IE are set to Low IL e.g.:Temporary Internet FilesCookiesRecycle BinVarious Registry keys, including ones under HKCU\Software\Microsoft\Internet Explorer

50

Saving Content in Protected-Mode IEIE promotes explicitly downloaded content to

Medium Makes it equivalent to the user’s other data and codePrevents malware from tampering with it

IE running at low can’t do that itselfDownloads first to a Low directory Asks IEUser.exe, which runs at Medium IL, to promote:

IExplore.exe(Low)

IEUser.exe(Medium)

IEShowFileSaveDialog IESaveFile

51

Installing ActiveX ControlsIEInstal.exe is the broker process for

ActiveX installationsRuns at High ILActivated via AppInfo servicePrompts the user as appropriate (OTS or Consent)

52

Protected-Mode IE CaveatsProtected-Mode IE does not stop malware

from reading user dataEven at low integrity, IExplore shares state with the user’s other processes

It may be possible for malware to elevate to Medium3rd-party IE extensions may allow malware to elevate“don’t ask me again” applications can allow elevation

53

Outline


54

UAC’s Impact on Malware

Malware developers are ISV’s tooThey will code for standard user

Malware will thrive in a standard user environment

It can still read all the user’s dataCan hide from the user with user-mode rootkitsCan control what applications (e.g. anti-malware) the user can access

55

UAC’s Impact on Malware (cont)

Malware will develop elevation techniquesElevating enables it to jump accounts and to disable securityIt will develop general and application-specific elevation hijackingIt will socially engineer elevation prompts

Malware will spoof the OTS credential promptCan launch medium IL process in administrator’s account

It has access to all the administrator’s dataIt can inject itself into the administrator’s account e.g. the Run key

Once in the administrator’s account it can use elevation techniques

56

ConclusionUAC’s fundamental contribution is making it possible to run as standard user (especially corporate environments)

Protects the systemProtects other users on the system

Elevations are a convenience and not a security boundary

Prevents malware from automatically obtaining administrative rights

Gives antimalware a chance to mitigate

Switching to a dedicated administrator account is more secure