Wcl310 Raiders of the Elevated Token
You have noticed that Windows 7 requests elevation much less often than Windows Vista. But why do some applications still request elevation? Why do some applications running in the background require interaction to show their output? Is this security in Windows 7?

This session demonstrates how security-related compatibility issues caused by legacy applications can be analyzed and what solutions are available to fix them yourself. The session gives an overview of potential issues and of the tools that let you take control over both legacy applications and web applications accessed by Internet Explorer 8 and 9.

Speaker demo notes:
  • Examining the Access Token: whoami /all
  • Configuring UAC: use the Control Panel to configure UAC; in the UAC Group Policy settings, set "Elevate without prompting"
  • Integrity Levels: start Process Explorer and IE and show both IE processes in Process Explorer. Run Notepad with Low integrity level: psexec -l notepad.exe. Show the Low integrity level directories: dir /ad *low
  • File & Registry Virtualization: show file virtualization from CMD.exe; show the UAC-FileVirtualization event log
  • File names and manifests: name change; create a manifest; show internal and external manifest
  • Compatibility Settings: show internal and external manifest; create a shim
  • Session 0 isolation: psexec -i 0 -d -s c:\windows\system32\cmd.exe

2. Raiders of the Elevated Token: Understanding User Account Control and Session Isolation (repeats on May 19 at 1pm)
  • Raymond P.L. Comvalius MCT, MVP
  • Independent IT Infrastructure Specialist
  • The Netherlands
  • WCL310

3. Introducing Raymond Comvalius
  • Independent Consultant, Trainer, and Author
  • MVP: Expert Windows IT Pro
  • Blog: www.xpworld.com
  • Twitter: @xpworld
  • Editor for bink.nu
  • www.books4brains.com
  • www.mvp-press.com

4. Agenda
  • User Account Control
    - What is UAC?
    - Configuring User Account Control
    - Integrity Levels
    - File & Registry Virtualization
    - How to Control Elevation
  • Session 0 Isolation
  • Service ID

5. Windows User Types
  • The Administrator: the account named 'administrator'. Disabled by default in Windows 7 and Vista.
  • An Administrator: your name with administrator privileges. XP default.
  • Protected Administrator, AKA 'Administrator in Admin Approval Mode'. Windows 7 and Vista default.
  • Standard User: your name without administrator privileges. Most secure, best choice for IT.

6. Standardizing the User Token
  • User-SID
  • Local/Builtin Group SIDs: Administrators, Backup Operators, Power Users, Network Configuration Operators
  • Domain Group SIDs: Group Policy Creator Owners, Schema Admins, Enterprise Admins, Denied RODC Password Replication Group
  • Mandatory Label
  • Rights/Privileges: Create a token object; Act as part of the operating system; Take ownership of files and other objects; Load and unload device drivers; Back up files and directories; Restore files and directories; Impersonate a client after authentication; Modify an object label; Debug programs

7. demo: Examining the Access Token

8. Consent UI
  • The 'face' of UAC
  • Warns you of a user state change (AKA new token creation)
  • Secure Desktop
    - Screen mode like pressing Ctrl-Alt-Del
    - Creates a screenshot of the desktop (programs keep running in the background)
    - Keeps scripts etc. from pressing keys or clicking the mouse

9. Configuring UAC in the Control Panel
  • From the Control Panel
    - Always notify
    - Default
    - Do not dim the display
    - Never notify
  • With Group Policy: more granular controls

10. Configuring UAC in Group Policy
  • Behaviour for Standard Users: Deny Access, or Prompt for Credentials
  • Admin Approval Mode for the built-in Administrator account
  • For Administrators in Admin Approval Mode: Prompt for Consent, Prompt for Credentials, or Elevate without prompting
  • Elevate without prompting is not the same as disabling UAC!

11. demo: Configuring UAC

12. UIAccess Applications
  • Software alternatives for the mouse and keyboard, for example Remote Assistance
  • User Interface Accessibility integrity level
  • Windows always checks the signature on UIAccess applications
  • UIAccess applications must be installed in secure locations
  • Optionally these applications can disable the secure desktop (used with Remote Assistance)

13. Remote Assistance and the Secure Desktop for non-administrative users

14. Integrity Levels
  • Mandatory Access Control
  • Levels are part of the ACLs and Tokens
  • Lower-level objects have limited access to higher-level objects
  • Used to protect the OS and for Internet Explorer Protected Mode
  • Levels and who runs at them: System: Services; High: Administrators; Medium (Default): Standard Users; Low: IE Protected Mode

15. Standardizing the User Token
  • User-SID
  • Local/Builtin Group SIDs
  • Domain Group SIDs
  • Mandatory Label: Integrity level Medium (standard token) or High (Elevated Token)
  • Rights/Privileges
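An added example that is not part of the deck: it uses the tools the session names (whoami, icacls, PsExec) to show both places a mandatory label lives, in the token and in an object's ACL. It assumes a scratch file under %TEMP% and that PsExec is on the PATH.

```powershell
# Added example, not from the deck: mandatory labels live in tokens and in ACLs.
# Run from a non-elevated console first, then from an elevated one, and compare.

# 1. The token's label. A filtered/standard token shows "Medium Mandatory Level";
#    the elevated token of an Admin Approval Mode administrator shows "High".
whoami /groups | Select-String -Pattern 'Mandatory Label'

# 2. The object's label, stored in the SACL. Create a scratch file (assumed
#    location under %TEMP%), give it a Low label and read it back with icacls.
$testFile = Join-Path $env:TEMP 'il-demo.txt'
Set-Content -Path $testFile -Value 'integrity level demo'
icacls $testFile /setintegritylevel Low
icacls $testFile | Select-String -Pattern 'Mandatory Level'
# Expected line: Mandatory Label\Low Mandatory Level:(NW)   (NW = no write up)

# 3. Objects without an explicit label count as Medium, which is why a Low
#    integrity process (Internet Explorer in Protected Mode, or Notepad started
#    with "psexec -l notepad.exe" as in the demo notes) can read but not modify
#    them. The per-user Low locations exist so such processes still have
#    somewhere to write; both carry an explicit Low label, the profile root none.
$lowDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\Low'),
    (Join-Path $env:USERPROFILE 'AppData\LocalLow')
)
foreach ($d in $lowDirs) {
    if (Test-Path $d) { icacls $d | Select-String -Pattern 'Mandatory Level' }
}
icacls $env:USERPROFILE | Select-String -Pattern 'Mandatory Level'   # no match expected
```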
16. IE protected mode
  • Only with User Account Control enabled
  • iexplore.exe runs with Low Integrity Level
  • User Interface Privilege Isolation (UIPI)
  • Internet Explorer 8 and Internet Explorer 9

17. IE Broker mechanism (diagram)
  • iexplore.exe frame process: UI frame, Command Bar, Favorites Bar, Protected-mode Broker Object; Medium Integrity Level
  • iexplore.exe tab process 1 ... tab process n, each hosting Tab 1 ... Tab n with Toolbar Extensions, ActiveX Controls and Browser Helper Objects
  • Tab processes for Internet/Intranet: Low Integrity Level, Protected Mode = On
  • Tab processes for Trusted Sites: Medium Integrity Level, Protected Mode = Off

18. demo: Integrity Levels

19. File Virtualization
  • File Virtualization is a compatibility feature
  • The following folders and subfolders are virtualized: %WinDir%, Program Files, Program Files (x86)
  • Virtual Store: %UserProfile%\AppData\Local\VirtualStore
  • Troubleshooting file virtualization: Event Log UAC-FileVirtualization
  • Disabling file virtualization

20. Registry Virtualization
  • Virtualizes most locations under HKLM\Software
  • Keys that are not virtualized: HKLM\Software\Microsoft\Windows, HKLM\Software\Microsoft\Windows NT, HKLM\Software\Classes
  • Per-user location: HKCU\Software\Classes\VirtualStore
  • A flag on a registry key defines whether it can be virtualized
  • "Reg flags HKLM\Software" shows the flags for HKLM\Software
  • Registry Virtualization is NOT logged in the Event Log
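An added example that is not part of the deck, covering slides 19 and 20: where virtualized file and registry writes land, how to read a key's virtualization flags, and how to read the file-virtualization log. The full event channel name is an assumption (the deck only calls it UAC-FileVirtualization).

```powershell
# Added example, not from the deck. Run from a non-elevated console with UAC on.

# 1. File virtualization: writes to %WinDir% and Program Files from a
#    Medium-integrity legacy process are redirected to the per-user VirtualStore.
$store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
if (Test-Path $store) {
    Get-ChildItem -Path $store -Recurse -File | Select-Object FullName, LastWriteTime
}

# 2. Registry virtualization: the per-user store and the per-key flags.
#    Keys the deck lists as "not virtualized" carry REG_KEY_DONT_VIRTUALIZE.
Get-ChildItem -Path 'HKCU:\Software\Classes\VirtualStore' -Recurse -ErrorAction SilentlyContinue |
    Select-Object Name
reg.exe flags HKLM\Software query
reg.exe flags "HKLM\Software\Microsoft\Windows" query

# 3. File virtualization is logged, registry virtualization is not. The channel
#    name below is assumed; it is disabled by default and has to be enabled once
#    from an elevated console before events are recorded:
#       wevtutil sl Microsoft-Windows-UAC-FileVirtualization/Operational /e:true
$channel = 'Microsoft-Windows-UAC-FileVirtualization/Operational'
Get-WinEvent -LogName $channel -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Each logged event names the process and the path it tried to write, which is the quickest way to find the legacy application behind a mysterious VirtualStore entry.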
21. demo: File & Registry Virtualization

22. What defines a UAC state change
  • Executables that are part of the Windows OS
  • File Name
  • Manifest
  • Compatibility Settings
  • Shims

23. UAC for the Windows OS
  • By default there is no warning when elevating Windows OS programs
  • Except for: CMD.exe, Regedit.exe

24. What's in a name?
  • Evaluation of the file name determines the need for elevation: Setup, Instal, Update
  • Disable this feature in Group Policy when needed

25. UAC and Manifests
  • Configure the need for elevation per file: asInvoker, highestAvailable, requireAdministrator
  • External or Internal
  • Use mt.exe from the SDK to inject a manifest
  • Use SigCheck.exe from SysInternals to view the manifest
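An added example that is not part of the deck: it writes the manifest slide 25 describes as an external file, embeds it with mt.exe, and reads it back with SigCheck. LegacyApp.exe and its path are placeholders; mt.exe (Windows SDK) and sigcheck.exe (Sysinternals) are assumed to be on the PATH.

```powershell
# Added example, not from the deck: external and internal manifests for a
# legacy program that must always run elevated.
$exe = 'C:\Apps\LegacyApp.exe'      # placeholder path for the program being fixed

$manifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- level is one of: asInvoker | highestAvailable | requireAdministrator -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

# External manifest: same folder, named <exe>.manifest. On Vista/7 an embedded
# manifest takes precedence over the external one, so this only works for
# executables without one.
$external = "$exe.manifest"
Set-Content -Path $external -Value $manifest -Encoding ASCII

# Internal manifest: embed it as resource #1 of the executable with mt.exe.
& mt.exe -manifest $external "-outputresource:$exe;#1"

# Verify what the loader will see: sigcheck -m dumps the embedded manifest.
& sigcheck.exe -accepteula -m $exe

# Side effects worth knowing before shipping this: a requestedExecutionLevel
# manifest marks the program as UAC-aware, so installer detection by file name
# (slide 24) no longer applies to it and file/registry virtualization (slides
# 19 and 20) is switched off for that process.
```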
26. demo: File names and manifests

27. UAC and compatibility settings
  • Configure the shortcut: RequireAdministrator, RunAsInvoker
  • Create a Shim
    - Needs the Application Compatibility Toolkit
    - Compatibility Administrator
    - Compatibility Modes
    - Compatibility Fixes

28. demo: Compatibility Settings

29. Does this look familiar?

30. Session 0 isolation
  • Services run in session 0
  • Before Vista, session 0 belonged to the console
  • Users log on to session 1 and higher
  • If a service interacts in session 0 you see this message

31. demo: Session 0 isolation

32. Why is this?

33. Services SID
  • A service can be a security entity
  • Windows uses TrustedInstaller (Windows Installer Service)
  • Only TrustedInstaller has Full Control access
  • TrustedInstaller = "NT Service\TrustedInstaller"
  • TrustedInstaller installs: Windows Service Packs, Hotfixes, Operating System Upgrades, Patches and installations by Windows Update
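An added example that is not part of the deck: it shows the TrustedInstaller service SID, the ACL it owns on an OS binary, and a read-only ownership baseline check a defender can run. It assumes only built-in tools (sc.exe, icacls, Get-Acl) and a standard Windows 7 System32 layout.

```powershell
# Added example, not from the deck: TrustedInstaller as a security principal.
# Read-only; nothing here changes ownership or ACLs.

# 1. The service SID is derived from the service name (S-1-5-80-...). This is
#    what "NT SERVICE\TrustedInstaller" resolves to in ACLs and tokens.
sc.exe showsid TrustedInstaller

# 2. Owner and Full Control on an OS binary belong to that SID; Administrators
#    and SYSTEM only get Read/Execute. That is why even the elevated token
#    cannot simply overwrite the file without first taking ownership.
$file = Join-Path $env:SystemRoot 'System32\notepad.exe'
(Get-Acl -Path $file).Owner
icacls $file

# 3. Baseline check for defenders: System32 executables whose owner is not
#    TrustedInstaller. Not every hit is tampering (third-party installers and
#    manual copies also change the owner), but it is a cheap place to start.
function Get-NonTrustedInstallerOwned {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32'))
    Get-ChildItem -Path $Path -Filter *.exe -File |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if ($acl -and $acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
                [pscustomobject]@{ Name = $_.Name; Owner = $acl.Owner }
            }
        }
}
Get-NonTrustedInstallerOwned
```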
34. demo: TrustedInstaller

35. Yes you can!
  • User Account Control is no black magic
  • UAC makes Internet Explorer a safer browser
  • Analyze your applications
  • Get to know the tools: Whoami.exe, icacls.exe, SysInternals, Application Compatibility Toolkit (ACT), Windows SDK
36. Related Content
  • WCL312: Sysinternals Primer: Autoruns, Disk2vhd, ProcDump, BgInfo and AccessChk
  • WCL402: Troubleshooting Application Compatibility Issues with Windows 7
  • Find me at the Springboard booth
37. Track Resources
  • Don't forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
  • You can also find the latest information about our products at the following links:
    - Cloud Power: http://www.microsoft.com/cloud/
    - Private Cloud: http://www.microsoft.com/privatecloud/
    - Windows Server: http://www.microsoft.com/windowsserver/
    - Windows Azure: http://www.microsoft.com/windowsazure/
    - Microsoft System Center: http://www.microsoft.com/systemcenter/
    - Microsoft Forefront: http://www.microsoft.com/forefront/

38. Resources
  • Connect. Share. Discuss. http://northamerica.msteched.com
  • Learning: Sessions On-Demand & Community (www.microsoft.com/teched); Microsoft Certification & Training Resources (www.microsoft.com/learning)
  • Resources for IT Professionals: http://microsoft.com/technet
  • Resources for Developers: http://microsoft.com/msdn

39. Complete an evaluation on CommNet and enter to win!