Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Email:...
-
Upload
angelina-french -
Category
Documents
-
view
225 -
download
5
Transcript of Using Least Privilege to reduce your security exposure Steve Lamb IT Pro Evangelist Email:...
Using Least Privilege to reduce your security exposure
Steve Lamb
IT Pro Evangelist
Email: [email protected]
Blog: http://blogs.technet.com/steve_lamb
Agenda
Least Privilege for Admins
–How to elevate only as needed
Least Privilege for Users
–Addressing LUA bugs
Managed DesktopChallenges Today
Increased IT spending required to Increased IT spending required to support users, maintain existing support users, maintain existing desktops, and prevent downtimedesktops, and prevent downtime
Employees lose productivity by Employees lose productivity by inadvertently changing system inadvertently changing system configurationsconfigurations
Security threats increase the IT Security threats increase the IT management burden; breaches can management burden; breaches can hobble critical systems and datahobble critical systems and data
Gartner: Nearly 40% TCO Savings per desktop in
a managed environment1
Managed Desktops: Systematic control over end-
user clients to maintain security & productivity
Reducing the desktop attack surface
Reduces day-to-day helpdesk calls
Increases end-users productivity/uptime
1 Security Holes Increase Windows Client TCO, Gartner 2005.1 Security Holes Increase Windows Client TCO, Gartner 2005.
Managed DesktopWhat’s the Value?
Definitions
Non-Admin
– “Power Users” is not non-Admin!
–Typically: “Users”, “Domain Users”
LUA
–Limited User Account
–Least-privileged User Account
LUA Bugs
User Account Protection (Windows Vista)
Principle of Least Privilege
Most computer use does not require admin privilege
But, typical usage: “Max Privilege”
Most malware expects “Max Privilege”
Admin Can, LUA Can’t:
Install kernel-mode rootkits
Install system-level keyloggers (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
Install ActiveX controls, including IE and Explorer extensions (common with spyware and adware)
Install and start services
Stop existing services (such as the firewall)
Access data belonging to other users
Cause code to run whenever anybody else logs on
Replace OS and other program files with Trojan horses
Access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
Disable/uninstall anti-virus
Create and modify user accounts
Reset passwords
Modify the “HOSTS” file and other system configuration settings
Cover its tracks in the event log
Render your machine unbootable
…
For Developers
Why develop as a non-admin?
–Better software
–Catch LUA bugs sooner
–Cheaper development costs
–Market advantage
–Safer security practices
The Twin Challenge on Windows XP
For Sysadmins and Developers
How to run with least privilegeand elevate only as needed?
For regular users:
How to always run with least privilegewhen so many apps (and sometimes
Windows) requires more?
How to Elevate as Needed
Fast User Switching
–Windows XP Home
–Windows XP Professional
– If not joined to a domain – fixed in Windows Vista!
–Logon sessions isolated from each other
Suggestion for home users:
–One LUA for each person, Guest optional
–One admin account
–No passwords!
RunAs
Start a program as a different user
–Same desktop
Command line or graphical dialog
Programs inherit security context from “parent”
–Start CMD as admin
–Launch apps from admin CMD
–Those apps also run as admin
RunAs Dialog
Right-click context menu
– Apps, shortcuts
– Common Console (.msc)
Shift+right-click for:
– Control Panel applets (.cpl)
– “Special Microsoft Windows Installer links”
RunAs Dialog
Make “RunAs” the default for a shortcut
Shortcut Properties, Advanced Properties
RunAs Command Line
E.g.,runas /u:Administrator cmd.exe
RunAs – Visual Differentiation
Set privileged console windows apart visually
cmd.exe /t:fc /k cd c:\ && title ***** Admin console *****
RunAs – Visual Differentiation
Background bitmap for IE and Explorer
Set it with TweakUI
PrivBar
Running IE as admin:Running IE as admin:
… … as Power User:as Power User:
… … as “User”:as “User”:
… … with “Protect my computer”:with “Protect my computer”:
RunAs
Demo
When RunAs Doesn’t Work
Some apps reuse existing instances
–Windows Explorer
–Microsoft Office Word
Some apps get started through the shell
–ShellExecute[Ex]
–DDE
Current version of WindowsUpdate! –And Microsoft Update!
RunAs and Explorer
Two viable options:
1. Use Internet Explorer, or
2. Set the flag that lets Windows Explorer run multiple instances
“The flag…”
– “Launch folder windows in a separate process”
Caveats about this setting
RunAs and Explorer
Demo
Issues Using Local Admin Account
No access to domain resources
Different profile settings
Some apps assume that the installer is the user
Per-user Policy settings
Power Options applet
Resolution? MakeMeAdmin
MakeMeAdmin
Temporary elevation of your current account
Result: CMD running with your normal account but with admin privileges
Apps started from it inherit context
Posted on my blog
MakeMeAdmin
Demo
Dealing with LegacyApps with LUA Bugs
App works only with admin privileges
The easy fix:
Add the user to the local Admins group!
Dealing with Legacy1. Fix the LUA Bugs
Make the developers fix their bugs!
Preferred option
Don’t continue to create “legacy”
Dealing with Legacy2. Hiding LUA Bugs
LUA modes in the Application Compatibility Toolkit
Shims to redirect registry and file access
But: XP’s shims don’t work.
(Windows Vista’s will work better…)
Dealing with Legacy3. Remediating LUA Bugs
Loosen ACLs
Only on app-specific resources!
–%ProgramFiles%\MyApp\MyDataFolder
–HKLM\SOFTWARE\MyApp\Settings
Not on OS resources!
–%windir%, %windir%\System32
–HKLM\SOFTWARE\Microsoft\Windows
Use a granular, surgical approach
–Least additional privilege
Deployment options
Dealing with Legacy3a. Remediating LUA Bugs – HKCR to HKCU
Writing to HKCR is usually a LUA bug
HKCR is a merged view of
–HKLM\SOFTWARE\Classes
–HKCU\SOFTWARE\Classes
Write to HKCR goes to HKCU if key already exists there
So: Pre-create keys under HKCU
Dealing with Legacy4. Running one app as admin
Run the app with admin privileges.
Some options:
–RunAs / MakeMeAdmin: requires giving the user the admin password
–DesktopStandard PolicyMaker Application Security
– “RunAsAdmin” by Valery Pryamikov
Highest risk
The Limits of LUA
Value? Two (incorrect) extremes
–Silver bullet
– “Not the answer”
What it protects against today
What it doesn’t protect against today
What happens when everyone is LUA?
LUA doesn’t protect against…
Anything you can do to yourself
Weak admin passwords
Attacks on services
Phishing
Stupidity
Capturing RunAs credentials – fixed in Windows Vista!
When everyone is LUA…
Attackers will adjust
Elevation of privilege becomes more interesting
Non-Admin Blog
The easiest way to run as non-admin (Fast User Switching)
"RunAs" basic (and intermediate) topics
RunAs with Explorer
MakeMeAdmin – temporary admin for your Limited User account
PrivBar – An IE/Explorer toolbar to show current privilege level
Running restricted – What does the "protect my computer" option mean?
Remembering Calculator and Character Map Settings
Managing Power Options as a non-administrator
Ctrl-C doesn't work in RUNAS or MakeMeAdmin command shells
Changing the system date, time and/or time zone
How to allow users to manage file and print shares without granting other advanced privileges
(More coming!)
http://blogs.msdn.com/aaron_margosis
Resources
Non-Admin Wiki: http://nonadmin.editme.com
Non-Admin blog: http://blogs.msdn.com/aaron_margosis
DesktopStandard PolicyMaker Application Security: http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx
RunAsAdmin: http://www.harper.no/valery/CategoryView,category,RunAsAdmin.aspx
Technet Webcasthttp://msevents.microsoft.com/cui/eventdetail.aspx?eventID=1032274954
“Browsing the Web and Reading E-mail Safely as an Administrator” Part 1: http://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asp Part 2: http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp
TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
SysInternals tools: http://www.sysinternals.com
Community ResourcesCommunity Resources
Community ResourcesCommunity Resources
http://www.microsoft.com/communities/default.mspxhttp://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)Most Valuable Professional (MVP)
http://www.microsoft.com/communities/http://www.microsoft.com/communities/mvpmvp
NewsgroupsNewsgroups
Converse online with Microsoft Newsgroups,Converse online with Microsoft Newsgroups,including Worldwideincluding Worldwide
http://communities2.microsoft.com/communitieshttp://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx/newsgroups/en-us/default.aspx
User Groups - Meet and learn with your peersUser Groups - Meet and learn with your peers
http://www.microsoft.com/communities/usergroupshttp://www.microsoft.com/communities/usergroups/default.mspx/default.mspx
Running with Least Privileges in Windows Vista
What do we call this technology?
Flexible Account Control Technologies
Least User-privileges Access (LUA)
Least User Account (LUA)
User Account Protection (UAP)
User Account Control (UAC)
For the purposes of this talk we will refer to this technology as:
User Account Control
Desktop LockdownDesktop LockdownEnables I.T. to take back control of desktop management
Gives standard users the “Just Enough Privilege” on desktops
Reduces lost productivity and downtime
Available as part of Windows Vista
Protecting Against Security Protecting Against Security ThreatsThreats
User Account ControlGreater Confidence and ControlUser Account ControlGreater Confidence and Control
Reduces OS attack surface from malware, root kits, and shatter attacks
Isolates admin processes to helps prevent compromise by malware
Framework for Developing Least-Privilege ApplicationsFramework for Developing Least-Privilege ApplicationsProvides safe, stable model for software applications to execute tasks without exposing the system to malware
Ensures logo-compliant applications will run properly in Windows Vista. Also includes virtualization feature for legacy applications.
Administrator Approval Mode
Allows admins to operate with standard privileges for common tasks
Prompts when admin mode is necessary
Application Manifest defines permission levels
Administrator Approval Mode
Allows admins to operate with standard privileges for common tasks
Prompts when admin mode is necessary
Application Manifest defines permission levels
User Experience
Ability to perform common tasks as a Standard User, (e.g. Time-Zone changes)
Installation of printers and device drivers just works
VPN, wireless, and remote access just work
User Experience
Ability to perform common tasks as a Standard User, (e.g. Time-Zone changes)
Installation of printers and device drivers just works
VPN, wireless, and remote access just work
Application Compatibility
Protects System files from rogue applications
Protects Registry from Corruption
Application Compatibility
Protects System files from rogue applications
Protects Registry from Corruption
User Account Control FeaturesUser Account Control Features
Firewall settings are Firewall settings are locked down locked down (grayed out)(grayed out)
User clicks button to User clicks button to unlock settingsunlock settings
Admin is prompted Admin is prompted to approve process to approve process or supply credentialsor supply credentials
User Account Control: User ExperienceUser Account Control: User Experience
UAP ArchitectureStandard User RightsStandard User Rights
Administrative RightsAdministrative Rights
Admin logonAdmin logon
User PrivilegeUser Privilege
Admin PrivilegeAdmin Privilege
User ProcessUser Process
• Change Time Change Time
ZoneZone
• Run IT Approved Run IT Approved
ApplicationsApplications
• Install FontsInstall Fonts
• Install PrintersInstall Printers
• Run MSN Run MSN
MessengerMessenger
• Etc.Etc.
Standard User ModeStandard User ModeSplit TokenSplit TokenAdmin PrivilegesAdmin Privileges
Admin PrivilegeAdmin Privilege
User PrivilegeUser Privilege
Admin PrivilegeAdmin Privilege
Admin PrivilegeAdmin PrivilegeAbbyAbbyAdministrator ApprovalAdministrator Approval
ModeModeAdministrator ApprovalAdministrator Approval
ModeMode
User Account Control in Windows Vista
Demo
How do I deploy Software?Group Policy Software Installation
Package Applications in to MSI
Publish or Advertise through GPOs
System Management Server
Create deployment packages in SMS
Updating Applications
Use MSI 3.1 Patching Infrastructure
Initial MSI will include certificates to allowed elevated patching
Apps write to admin locations
HLKM\Software
%SystemDrive%\Program Files
%SystemRoot%
Windows Vista Redirection
This is a temporary solution
Use the LUA Predictor
Application CompatibilityAdministrator by Accident
Redirection allows legacy apps to run as Standard User
Writes to HKLM go to HKCU redirected store
Writes to system directories redirected to per-user store, copy-on-write
Application CompatibilityLUA Predictor
Guidance provided for developing compliant UI, file, registry, and deployment functionality
Predictor AppVerifier tool tests applications for compliance
App Verifier Toolkit Plug in
Show all Files, Registry Keys, and Admin APIs that need Admin privilege
Available Today!
Check out new whitepapers and guidance on Microsoft.com Check out new whitepapers and guidance on Microsoft.com
Beta 2 – Check out new featuresBeta 2 – Check out new features
Encourage Developers to Test their applications for compatibility & become logo compliant
Encourage Developers to Test their applications for compatibility & become logo compliant
Getting Ready for Windows Vista
All users run as Standard User by default even when you log on as admin!
Administrators use full privilege only for administrative tasks or applications
User provides explicit consent before using elevated privilege
High application compatibility
Windows Vista GoalWindows Vista provides a more secure and reliable Windows Vista provides a more secure and reliable
foundation which brings a new level of confidence in your foundation which brings a new level of confidence in your PCPC
SummaryUser Account Control Goals
Provides Developers with:
AppCompat – assurance that their applications will run properly
Reduced support costs
Improved application security
Helps enterprises to:
Establish increased protection against malware
Control access to administrative functions
Increase user productivity
Simply and safely elevate privileges for administrative tasks
SummaryUser Account Control Goals (Con’t)
Resources
Information about the Logo Program:
https://partner.microsoft.com/global/winlogo/
ISV/Developer guidelines on MSDN:
http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/AccProtVista.asp
IT Deployment doc using AppCompat runlevel Shims:
http://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx
UAP Getting started Doc (targeted to Beta-1):
http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
Top 10 Questions1. If I mark my app as “admin”, can I skip the elevation consent dialog? – No
2. Can you modify the privilege of a running application? - No
3. Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not
4. How long does the elevated process last? – Life of the process
5. Can I enable which users will use UAC? – Currently this is a per machine setting
6. Does UAP apply to all processes and services? – Interactive processes only
7. What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles%
8. Won’t Redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64bit
9. What happens when installer detection fails? – The app runs as non-admin
10. Will UAC be going down-level? - No
Community Resources
Community Resources
– http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
– http://www.microsoft.com/communities/mvp
Newsgroups
–Converse online with Microsoft Newsgroups,including Worldwide
– http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
User Groups - Meet and learn with your peers
– http://www.microsoft.com/communities/usergroups/default.mspx
Thanks to Aaron Margosis for providing some of the content for this presentation deck