User Account Control Requirements

Upload: stella-carson

Post on 01-Jan-2016


Agenda

• Introducing UAC
• The shield icon
• UAC manifests
• Least User Access (LUA) predictor tool
• Partitioning an application
• UAC test cases

Introducing UAC

• Silent installation of malicious software
• Compromised machine = lost productivity
• Some line of business (LOB) applications require elevated privileges
• Common configuration tasks require elevated privileges
• Reduced total cost of ownership (TCO) with standard user desktop
• UAC facilitates use of standard user

UAC Features

• By default, applications run as standard user

• Reduction of attack surface
• No need for dual accounts for administrative users
• Process separation
• Seamless transition
– Eliminate unnecessary elevation
– Be predictable
– Require minimal effort
– Revert to least privileges

UAC Architecture

[Diagram labels: Standard User Rights; Administrator Rights; Administrator logon; "Standard User" Token; Administrator Token; User Process; Standard User Mode; Split Token; Administrator Privileges; Standard User Privilege; Abby]

• Change Time Zone
• Run IT-Approved Applications
• Install Fonts
• Install Printers
• Run MSN Messenger

The Shield Icon

• Make applications run without elevation
– Ensure standard users can be fully productive
– After installation administrative intervention NOT required
• Clearly identify administrative tasks
– Consistently use shield icon
– Allow users to predict elevation requirement
– Displayed if UAC disabled
– Only one state
– Does not retain state

UAC in Action

UAC Manifest

• Allows operating system to identify application context

• Embeds in application manifest
• Legacy code still runs
– Nonmanifested code can run with administrator privileges

• An extension to existing manifest schema

Manifest Requirement

• To meet the UAC requirement, every executable (with an .exe extension) included with an application must have an embedded manifest.

<requestedExecutionLevel level="asInvoker|highestAvailable|requireAdministrator" />

Creating an Embedded Manifest with Visual Studio 7

• Automatically embed manifest in PE
• Create manifest in text editor
• Same name as target .exe
• With .manifest extension
• Set requestedExecutionLevel

Building Manifests Within C/C++ Code

• Attach manifest to executable
– Add to resource file
– Put manifest in source code directory
– Rebuild application

Building Manifests for Applications Built on the .NET Framework

• Post-build step
• MT tool
• Add contents of manifest file into PE

Embedding Manifests with Command-Line Compilation

• Include manifest in PE image from command line

• Command-line switches
– /win32res (VB/C#/J#)
• C#
– Post-build step
– Call mt.exe
– Point to manifest file

Creating and Embedding UAC Manifests

Using the LUA Privilege Predictor Tool

• Run application as nonadministrator
• Bug-fixing labor-intensive
• Least User Access (LUA)
• Predict privilege problems
• Diagnose privilege problems

Separation of Administrator Code

• Elevated privileges for certain tasks
• Launch separate process
• ShellExecute or
• Create an administrator COM object to perform elevated task
– Use the COM elevation moniker

UAC Test Cases

• Verify that all of the application’s executables contain an embedded manifest that defines its execution level

• Verify that least-privilege users cannot modify other users’ documents or files

• Verify that least-privilege user is not able to save files to the Windows System directory
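
The manifest requirement and the first test case above can be checked automatically. The following Python sketch is an added example, not part of the original slides or any Microsoft tool: it scans each executable's raw bytes for embedded manifest XML (a heuristic, not a parse of the PE resource table) and reports the requestedExecutionLevel. The function names and the sample "executables" are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}
# Heuristic: find manifest XML in the raw bytes (no RT_MANIFEST resource parsing).
MANIFEST_RE = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", re.DOTALL)

def execution_level(pe_bytes):
    """Return the level attribute of the first requestedExecutionLevel, or None."""
    for match in MANIFEST_RE.finditer(pe_bytes):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # bytes that only look like a manifest
        for el in root.iter():
            if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return el.get("level")
    return None

def audit(files):
    """files: {name: bytes}. Return {name: finding} for the manifest test case."""
    findings = {}
    for name, data in files.items():
        level = execution_level(data)
        if not data.startswith(b"MZ"):
            findings[name] = "SKIP: not a PE file"
        elif level is None:
            findings[name] = "FAIL: no manifest with requestedExecutionLevel"
        elif level not in VALID_LEVELS:
            findings[name] = "FAIL: invalid level %r" % level
        else:
            findings[name] = "ok: " + level
    return findings

# Constructed sample input: fake "MZ" stubs with manifest XML appended.
MANIFEST = (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
            b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
            b'<requestedPrivileges><requestedExecutionLevel level="%s" uiAccess="false"/>'
            b'</requestedPrivileges></security></trustInfo></assembly>')
SAMPLES = {
    "app.exe": b"MZ" + bytes(64) + MANIFEST % b"asInvoker",
    "setup.exe": b"MZ" + bytes(64) + MANIFEST % b"requireAdministrator",
    "legacy.exe": b"MZ" + bytes(64),
    "typo.exe": b"MZ" + bytes(64) + MANIFEST % b"administrator",
}

if __name__ == "__main__":
    paths = sys.argv[1:]
    files = {p: open(p, "rb").read() for p in paths} if paths else SAMPLES
    for name, finding in sorted(audit(files).items()):
        print(name, "->", finding)
```

Run with executable paths as arguments to audit real files. A manifest stored as UTF-16 would not be found by this byte scan.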

Summary

• Introducing UAC
• The shield icon
• UAC manifests
• LUA predictor tool
• Partitioning an application
• UAC test cases

Additional Resources

• Professional Developers Conference 2005: http://commnet.microsoftpdc.com/content/downloads.aspx (search for FUN406)
• Windows Vista security: http://msdn.microsoft.com/windowsvista/security/
• Getting Started with User Account Control on Windows Vista Beta 1: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
• Developer Best Practices and Guidelines for Applications in a Least Privileged Environment: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
• UACBlog: http://blogs.msdn.com/uac