Beyond Trust Wp044 Least Privilege Windows7

Least Privilege Application Compatibility for Windows 7 Migrations

White Paper

Abstract

Microsoft has done a great deal of exceptional work in improving Windows 7 from its predecessor, Windows Vista. Organizations who decided to skip the upgrade to Windows Vista, and go directly to Windows 7 should be excited. Windows 7 provides vast improvements over Windows XP and Windows Vista from a security and usability perspective.

This paper will give you an overview of the new technology built into Windows 7 operating systems, and how this technology can help your enterprises complete your migration. We will also surface some of the confusion around what those technologies mean from a security perspective, especially when removing administrative privileges from your users.

www.beyondtrust.com

BeyondTrust – Corporate Headquarters
30401 Agoura Road, Suite 200
Agoura Hills, CA 91301 USA
Phone: +1 800-234-9072



Least Privilege Application Compatibility for Windows 7 Migrations © 2010. BeyondTrust Software, Inc.

Table of Contents

Introduction

Windows 7 UAC

Windows 7 UAC Security Vulnerability

Registry and File System Virtualization

Application Compatibility Toolkit (ACT)

Virtualization

AppLocker

RunAs Administrator (Compatibility)

Conclusion

About BeyondTrust


Introduction

The massive move to Windows 7 that is anticipated over the next several months poses some unique challenges, but it also presents some incredible opportunities. One of the biggest challenges that organizations will face is with application compatibility, and one of the biggest opportunities is to improve security.

Microsoft has done a great deal of exceptional work in improving Windows 7 from its predecessor, Windows Vista. Organizations who decided to skip the upgrade to Windows Vista, and go directly to Windows 7 should be excited. Windows 7 provides vast improvements over Windows XP and Windows Vista from a security and usability perspective.

This paper will give you an overview of the new technologies built into Windows 7 and how those technologies can help you in your migration. We will also surface some of the confusion around what those technologies mean from a security perspective, especially when removing administrative privileges from your users.

Windows 7 UAC

User Account Control (UAC) has undergone a makeover from its debut in Windows Vista. Microsoft has reduced the number of prompts that UAC presents when a user is logged in to Windows. Microsoft implemented UAC to help prevent unauthorized changes to the operating system. UAC is designed to prompt a user when a task is performed in Windows that requires administrative privileges. For users who are logged in as a “Protected Administrator,” the prompt simply asks for consent:


If the Protected Administrator selects Yes, the operation is allowed to continue with elevated privileges. The user is called a “Protected Administrator” because he is actually operating with two tokens: one is a “Standard User” token, the other is an “Administrator” token. All tasks that the user performs are done as a “Standard User” until the user answers Yes to a UAC dialog. Once this happens, the user switches to an Administrator token, and the task is elevated to administrator status.

Microsoft and security experts all agree that users should avoid operating as an administrator, with a full administrator token all the time, because it leaves the operating system extremely vulnerable to various security problems, including malware and malicious use.

With UAC, the user is notified whenever they elevate themselves to administrator for specific tasks, to warn them of the potential for harm. The problem with this approach in corporate environments is that it leaves the security decision up to the end user.

Therefore, it is best to avoid configuring users as Protected Administrators, and to make sure they are configured as Standard Users. Standard Users have a different experience with UAC: instead of a simple prompt for consent, they are asked for a password for an administrative user:

If the Standard User has the password for an administrator account, the process or application would run successfully. However, it would be running under a different account, without the security context of the actual end user. Essentially, this is an enhanced RunAs operation. Further, it only works if the user has an administrator password, or if someone else enters the administrator password for the user (over-the-shoulder credentials). Giving users administrator passwords will just lead to abuse, and over-the-shoulder credentials will only increase the load on the helpdesk.

Since the introduction of Windows Vista, organizations have been asking Microsoft to provide a way to manage a list of applications that would silently elevate applications and bypass the UAC prompts. Here is Microsoft’s response to this request:

“End users have been asking for Windows to provide a way to add arbitrary applications to the auto-elevate list since the Windows Vista beta… Windows 7, just like Windows Vista, doesn't provide such a capability.”

Mark Russinovich, Technical Fellow at Microsoft, Inside Windows 7 User Account Control, http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

Windows 7 UAC Security Vulnerability

The reduction of UAC prompts in Windows 7 has also introduced a security vulnerability that has been widely publicized. The security vulnerability only exists when a user is logged on as a Protected Administrator, and therefore it is wise to again make sure that users always log in as Standard Users. The default UAC setting for Administrators is to not notify (prompt) when the user makes changes to Windows settings:

This setting will silently elevate certain actions in Windows that would typically prompt. This introduces a code injection vulnerability whereby the user or malware could execute code that could silently elevate anything that the user or malware wishes, making it easy for a user or malware to take full administrative control over the machine. The vulnerability has been widely publicized; more information, including proof-of-concept code and video, can be found here:

http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/
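Whether a given session matches the configuration this section warns about can be checked directly. The PowerShell below is an added example, not part of the original paper; it reads the standard UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and uses the built-in whoami.exe, and its function names are hypothetical.

```powershell
# Added example (not from the paper). Reports whether the current session is a
# Standard User, a Protected Administrator or fully elevated, and which UAC
# prompt policy is in effect. Function names are hypothetical.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the two prompt-behaviour values.
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacValue([string]$Name) {
    # Returns the DWORD, or $null when the value is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-AccountType {
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami also lists deny-only groups, so BUILTIN\Administrators
    # (S-1-5-32-544) shows up for a Protected Administrator even while the
    # filtered Standard User token is in use.
    $inAdmins = [bool](whoami /groups /fo csv /nh |
        Select-String -SimpleMatch '"S-1-5-32-544"')

    if ($elevated) { return 'Administrator (full token in use)' }
    if ($inAdmins) { return 'Protected Administrator (filtered token)' }
    return 'Standard User'
}

function Get-UacPosture {
    $admin = Get-UacValue 'ConsentPromptBehaviorAdmin'
    $user  = Get-UacValue 'ConsentPromptBehaviorUser'
    $type  = Get-AccountType

    $adminText = 'not set'
    if ($admin -ne $null) { $adminText = "$admin = " + $AdminPrompt[[int]$admin] }
    $userText = 'not set'
    if ($user -ne $null) { $userText = "$user = " + $UserPrompt[[int]$user] }

    $finding = 'None'
    if ($type -ne 'Standard User') {
        $finding = 'User holds administrator rights; move to a Standard User account'
        if ($admin -eq 5 -or $admin -eq 0) {
            $finding += ' (current prompt level elevates some or all actions silently)'
        }
    }

    New-Object PSObject -Property @{
        AccountType = $type
        EnableLUA   = Get-UacValue 'EnableLUA'
        AdminPrompt = $adminText
        UserPrompt  = $userText
        Finding     = $finding
    }
}

Get-UacPosture | Format-List AccountType, EnableLUA, AdminPrompt, UserPrompt, Finding
```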

Registry and File System Virtualization

In Windows Vista, Microsoft introduced Registry and File System Virtualization to solve some of the problems with application compatibility. Some applications require full access to certain areas of the operating system that are off limits to standard users. These applications might try to write data to the “Program Files” directory or the “HKEY_LOCAL_MACHINE” hive of the registry, for example. Standard users do not have permission to write to these areas of the file system and registry, so when a user launched an application on Windows XP that needed access to these locations, they would eventually see an error when the application tried to access data stored in these locations.

In Windows Vista and Windows 7, Microsoft has redirected the access to these locations to a virtual store in an area of the operating system that the user has access to. This attempt to solve the problem of application compatibility for apps that need rights to areas of the file system or registry that are off limits to a standard user introduces several problems. One example is that applications may not be compatible with each other.

For example, if an application has written data to a virtual store, another application that needs access to the data in the virtual store will not be able to access it. A similar problem occurs when an application stores data in a virtual store and multiple users of the same machine need access to it. A simplified example of this would be a game that stores its high score file in the “Program Files” directory. With file system virtualization, the high score file would be stored in the user’s profile instead of Program Files, and thus any subsequent player would store a copy of the high score in their own profile. This means that every user of the machine would have the high score! Imagine how this might impact line-of-business applications that multiple people use on the same machine.

Another issue with registry and file system virtualization is that it can cause significant confusion for end users. If an end user has traditionally stored files in a directory that will be virtualized in Windows 7, the user will not know where to go to get the files if they need to copy, view or email them, because the files will no longer be where the end user intended to store them; they will actually be in the virtual store in the user’s profile.


Reads and writes to the following location:

C:\Program Files (x86)\My Application A

Would be redirected to the virtual store:

C:\Users\%username%\AppData\Local\VirtualStore\Program Files (x86)\My Application A

All subsequent access for that specific application would be redirected to this location as well; however, other applications that need access to this data will not know where to go to get it because it has been virtualized.
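To find out which applications on a machine are already being virtualized, and where several users hold diverging private copies of the same file (the high score problem described above), the VirtualStore folders can be inventoried. This PowerShell is an added example, not part of the original paper; it assumes profiles live under C:\Users, that virtualized folders are on the system drive, and that it runs with rights to read other users' profiles. The function names are hypothetical.

```powershell
# Added example (not from the paper). Lists files that file system
# virtualization has redirected into each user's VirtualStore and flags files
# that more than one user holds a private copy of.
# Assumptions: profiles live under C:\Users, virtualized folders are on the
# system drive, and the script can read other users' profiles.

function ConvertTo-OriginalPath {
    param([string]$VirtualPath, [string]$StoreRoot)
    # ...\VirtualStore\Program Files (x86)\My Application A\x.ini
    #   -> C:\Program Files (x86)\My Application A\x.ini
    $relative = $VirtualPath.Substring($StoreRoot.Length).TrimStart('\')
    return "$env:SystemDrive\$relative"
}

function Get-VirtualizedFile {
    param([string]$ProfilesRoot = 'C:\Users')
    $userDirs = Get-ChildItem -LiteralPath $ProfilesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($dir in $userDirs) {
        $store = Join-Path $dir.FullName 'AppData\Local\VirtualStore'
        if (-not (Test-Path -LiteralPath $store)) { continue }
        Get-ChildItem -LiteralPath $store -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    User         = $dir.Name
                    OriginalPath = ConvertTo-OriginalPath $_.FullName $store
                    VirtualPath  = $_.FullName
                    LastWrite    = $_.LastWriteTime
                }
            }
    }
}

function Get-DivergingCopy {
    param($Files)
    # The same original path present in several profiles means each of those
    # users reads and writes a different copy of what the application
    # believes is one shared file.
    $Files | Group-Object OriginalPath | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                OriginalPath = $_.Name
                Users        = ($_.Group | ForEach-Object { $_.User }) -join ', '
            }
        }
}

$files = @(Get-VirtualizedFile)
$files | Sort-Object OriginalPath, User |
    Format-Table User, OriginalPath, LastWrite -AutoSize
Get-DivergingCopy $files | Format-Table OriginalPath, Users -AutoSize -Wrap
```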

Application Compatibility Toolkit (ACT)

Organizations that make the move to Windows 7 from Windows XP or Windows Vista can take advantage of a free tool from Microsoft called the Application Compatibility Toolkit (ACT). ACT is designed to identify and fix compatibility problems with applications that will be migrated to Windows 7.

Description from Microsoft’s website:

http://www.microsoft.com/downloads/details.aspx?familyid=24da89e9-b581-47b0-b45e-492dd6da2971&displaylang=en

“The Microsoft Application Compatibility Toolkit (ACT) 5.5 helps customers understand their application compatibility situation by identifying which applications are compatible with the Windows 7 RC and Windows Vista® operating system and which require further testing. ACT helps customers lower their costs for application compatibility testing, prioritize their applications, and deploy Windows more quickly.

You can use the ACT features to:

• Verify an application's compatibility with a new version of the Windows operating system, or a Windows Update, including determining your risk assessment.

• Become involved in the ACT Community, including sharing your risk assessment with other ACT users.

• Test your Web applications and Web sites for compatibility with new releases and security updates to the Windows® Internet Explorer® Internet browser.”

ACT is a critical part of any move to Windows 7; however, for applications that require administrative privileges, ACT will not help. ACT is designed to help identify and fix problems with general application compatibility, regardless of the user type. For example, if you have an application in your portfolio that refuses to run on Windows 7, it is likely that ACT will help you to get it to run on Windows 7.


If that same application also requires administrator privileges, you will still end up getting a UAC prompt when you run the application. As has been discussed in this paper, it is important not to give users administrator passwords or make users administrators to deal with these problems, and unfortunately ACT does not have the capability to “fix” or “shim” applications that require administrator privileges.

Virtualization

Virtualization has become a hot buzzword over the past several years, and for good reason. With the introduction of Virtual PC several years ago, and now with Windows XP Mode, Microsoft Enterprise Desktop Virtualization (Med-V) & Application Virtualization (App-V), Microsoft is no stranger to virtualization.

With all these technologies, it is easy to understand that there is significant confusion in the market about what virtualization means for privilege management, specifically the ability for virtualization to help with the removal of administrative rights from users. While virtualization can add enormous value in many areas, many organizations will rely on virtualization to help specifically with application compatibility problems.

For example, if an organization cannot get an application to run on Windows 7, even after trying to shim the application with the Application Compatibility Toolkit, the ability to virtualize the application with one of the technologies listed above is available.

Unfortunately, virtualization does not help with the elimination of administrative privileges; it simply shifts the problem from a physical world to a virtual world. Some organizations may be comfortable with loosened security for their virtual environments, but most will want the same level of security in the virtual environment as they have in the physical environments, which means enforcing least privilege in the virtual world as well as the physical world.

Removing administrator privileges from accounts on virtual machines is still a critical part of an organization’s security posture. If organizations wish to virtualize applications or desktops, and the users still need to perform administrative tasks or run applications that require administrative rights in the virtual environment, then the user will need to be logging in as an administrator. This means that the virtual environment is still subject to the same security issues as when they are logged in to a physical machine.


AppLocker

AppLocker is a new and exciting technology in Windows 7 that can drastically improve desktop security in some organizations. AppLocker allows administrators to create a whitelist of all approved applications that are allowed to run on a computer; any other applications or executables would not be allowed to run. On the surface, this appears to be the security silver bullet; however, there are some things to be aware of when looking to AppLocker to help improve your security.

For example, if any of the applications that are on the AppLocker whitelist require administrator privileges, the user will need to be configured as a local administrator or they will at the very least still need an administrator password to answer UAC prompts. AppLocker cannot automatically elevate applications that are on the whitelist. If the user is configured as a local administrator, or has a local administrator password, it is easy to circumvent the control that AppLocker provides.

The easiest way to circumvent the controls is by booting in Safe Mode and disabling the AppID Service. Since the user is an administrator, they would have full control to do this. Thus, removing administrator privileges from the user is critical to prevent the malicious user from circumventing these controls. If the user is not an administrator, AppLocker becomes much more effective, but organizations still need to find a way to deal with the applications that are on the whitelist that require administrator privileges.

There is also the question of the management of the whitelist. In smaller organizations that have relatively static environments, the combination of eliminating administrative rights and AppLocker is viable. Unfortunately, the whitelist scales with the size of the organization. As the company gets bigger, the whitelist gets bigger, and can become completely unmanageable very quickly. In larger organizations, it becomes nearly impossible to quickly react to users who need new applications placed on the whitelist.

When organizations choose to forgo the implementation of AppLocker for whitelisting, removal of administrator privileges becomes even more important. Most applications require administrator privileges to install, and if organizations wish to prevent unknown applications from entering the environment, removal of administrator privileges can add significant value.
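Because the whitelist stops being applied once the Application Identity service (AppIDSvc) is disabled, monitoring should confirm both that the service is running and that the effective policy is actually enforced. The PowerShell below is an added example, not part of the original paper; it assumes a Windows edition that includes the AppLocker PowerShell module, and the function names are hypothetical.

```powershell
# Added example (not from the paper). Checks the two things the whitelist
# depends on: the Application Identity service and an enforced policy.
# Function names are hypothetical.
Import-Module AppLocker -ErrorAction SilentlyContinue

function New-Result($Check, $Detail, $Ok) {
    New-Object PSObject -Property @{ Check = $Check; Detail = $Detail; Ok = $Ok }
}

function Get-AppLockerHealth {
    # AppLocker rules are only evaluated while AppIDSvc is running.
    $svc = Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'"
    if ($svc) {
        $detail = "{0}, start mode {1}" -f $svc.State, $svc.StartMode
        New-Result 'AppIDSvc service' $detail ($svc.State -eq 'Running')
    } else {
        New-Result 'AppIDSvc service' 'not found' $false
    }

    # Read the merged local and Group Policy rules as XML.
    try {
        $xml = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop)
    } catch {
        New-Result 'Effective policy' "could not be read: $_" $false
        return
    }

    $collections = $xml.SelectNodes('/AppLockerPolicy/RuleCollection')
    if ($collections.Count -eq 0) {
        New-Result 'Effective policy' 'no rule collections defined' $false
    }
    foreach ($rc in $collections) {
        $mode      = $rc.GetAttribute('EnforcementMode')
        $ruleCount = $rc.SelectNodes('*').Count
        # Rules are enforced when the mode is Enabled, and also when the mode
        # is NotConfigured but the collection contains rules. AuditOnly logs
        # without blocking.
        $enforced = ($mode -eq 'Enabled') -or
                    ($mode -eq 'NotConfigured' -and $ruleCount -gt 0)
        $detail = "{0} rules, enforcement {1}" -f $ruleCount, $mode
        New-Result ('Rules: ' + $rc.GetAttribute('Type')) $detail $enforced
    }
}

Get-AppLockerHealth | Format-Table Check, Detail, Ok -AutoSize
```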


RunAs Administrator (Compatibility)

The Compatibility tab of the properties sheet for applications installed on Windows 7 has a Privilege Level option that sets the privileges an application will run with when launched. On the surface, checking this option appears to force an application to run with administrative privileges when launched; however, what it actually does is force a UAC prompt when the application runs.

In this example, we are modifying the Privilege Level of Microsoft Word. By default, Word will run successfully when launched by a Standard User or a Protected Administrator, without a UAC prompt, because Word does not need administrator privileges to run. However, let us say for some reason you wanted Word to run with Administrator Privileges.

To do this you have two options. You can right-click winword.exe and select Run as administrator; this will prompt with a UAC dialog and ask for consent (Protected Administrator) or an administrator password (Standard User).

The other option is to force the application to Run as administrator all the time, and therefore prompt every time it is started, by checking the “Run this program as an administrator” option, as shown above. This option really controls UAC prompts on a per-process basis; it does not automatically elevate applications or bypass UAC prompts.
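Windows records this check box per executable as a RUNASADMIN compatibility layer under the AppCompatFlags\Layers registry key, so the programs that will force a UAC prompt can be listed before users are moved to Standard User accounts. The PowerShell below is an added example, not part of the original paper; the function name is hypothetical.

```powershell
# Added example (not from the paper). Lists executables for which
# "Run this program as an administrator" has been set on the Compatibility
# tab. Each one will raise a UAC prompt at launch; none is silently elevated.
# The function name is hypothetical.

function Get-RunAsAdminFlag {
    $sub = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    # HKCU holds the current user's settings, HKLM the "all users" settings.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Get-Item -LiteralPath "$hive\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # Value name = full path of the executable,
            # value data = space-separated compatibility layers.
            $data = [string]$key.GetValue($name)
            if ($data -match '\bRUNASADMIN\b') {
                New-Object PSObject -Property @{
                    Hive    = $hive
                    Program = $name
                    Layers  = $data
                    Exists  = (Test-Path -LiteralPath $name)
                }
            }
        }
    }
}

Get-RunAsAdminFlag | Sort-Object Program |
    Format-Table Hive, Program, Layers, Exists -AutoSize -Wrap
```

For a Standard User, every program in this list will ask for an administrator password at launch, so the list is a direct input to deciding how those applications will be handled once administrator rights are removed.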

Conclusion

Microsoft has made significant improvements in Windows 7 over Windows Vista and XP, and organizations that make the move to Windows 7 will find more tools and technologies built in to help with migrations of any size. When making the move to Windows 7, consider what it will take to go the next step and remove administrator privileges from your end users, drastically improving security.

This paper has described in detail all of the technologies that Microsoft has provided that attempt to improve security and deal with application compatibility, and has also aimed to clear up the misconception that there is technology built in to Windows 7 that helps you to remove administrative privileges. There are a number of things to consider when taking on a project to roll out a new operating system, and security is at the top of the list. There is no better time to improve security than when you roll out a brand new desktop to your users.


About BeyondTrust

Founded in 1985, BeyondTrust is the global leader in privilege authorization management, access control and security solutions for virtualization and cloud computing environments. BeyondTrust empowers IT governance to strengthen security, improve productivity, drive compliance and reduce expense.

The company’s products eliminate the risk of intentional, accidental and indirect misuse of privileges on desktops and servers in heterogeneous IT systems. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust’s PowerBroker suite of products to secure their enterprises. Five of the top ten commercial banks and two of America’s largest private companies have adopted PowerBroker to secure guest operating systems and ESX hypervisors in a virtualized environment.

For more information, visit www.beyondtrust.com.