Using Least Privilege to reduce your security exposure

Steve Lamb

IT Pro Evangelist

Email: stephen.lamb@microsoft.com

Blog: http://blogs.technet.com/steve_lamb

Agenda

Least Privilege for Admins

–How to elevate only as needed

Least Privilege for Users

–Addressing LUA bugs

Managed DesktopChallenges Today

Increased IT spending required to Increased IT spending required to support users, maintain existing support users, maintain existing desktops, and prevent downtimedesktops, and prevent downtime

Employees lose productivity by Employees lose productivity by inadvertently changing system inadvertently changing system configurationsconfigurations

Security threats increase the IT Security threats increase the IT management burden; breaches can management burden; breaches can hobble critical systems and datahobble critical systems and data

Gartner: Nearly 40% TCO Savings per desktop in

a managed environment1

Managed Desktops: Systematic control over end-

user clients to maintain security & productivity

Reducing the desktop attack surface

Reduces day-to-day helpdesk calls

Increases end-users productivity/uptime

1 Security Holes Increase Windows Client TCO, Gartner 2005.1 Security Holes Increase Windows Client TCO, Gartner 2005.

Managed DesktopWhat’s the Value?

Definitions

Non-Admin

– “Power Users” is not non-Admin!

–Typically: “Users”, “Domain Users”

LUA

–Limited User Account

–Least-privileged User Account

LUA Bugs

User Account Protection (Windows Vista)

Principle of Least Privilege

Most computer use does not require admin privilege

But, typical usage: “Max Privilege”

Most malware expects “Max Privilege”

Admin Can, LUA Can’t:

Install kernel-mode rootkits

Install system-level keyloggers (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)

Install ActiveX controls, including IE and Explorer extensions (common with spyware and adware)

Install and start services

Stop existing services (such as the firewall)

Access data belonging to other users

Cause code to run whenever anybody else logs on

Replace OS and other program files with Trojan horses

Access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts

Disable/uninstall anti-virus

Create and modify user accounts

Reset passwords

Modify the “HOSTS” file and other system configuration settings

Cover its tracks in the event log

Render your machine unbootable

…

For Developers

Why develop as a non-admin?

–Better software

–Catch LUA bugs sooner

–Cheaper development costs

–Market advantage

–Safer security practices

The Twin Challenge on Windows XP

For Sysadmins and Developers

How to run with least privilegeand elevate only as needed?

For regular users:

How to always run with least privilegewhen so many apps (and sometimes

Windows) requires more?

How to Elevate as Needed

Fast User Switching

–Windows XP Home

–Windows XP Professional

– If not joined to a domain – fixed in Windows Vista!

–Logon sessions isolated from each other

Suggestion for home users:

–One LUA for each person, Guest optional

–One admin account

–No passwords!

RunAs

Start a program as a different user

–Same desktop

Command line or graphical dialog

Programs inherit security context from “parent”

–Start CMD as admin

–Launch apps from admin CMD

–Those apps also run as admin

RunAs Dialog

Right-click context menu

– Apps, shortcuts

– Common Console (.msc)

Shift+right-click for:

– Control Panel applets (.cpl)

– “Special Microsoft Windows Installer links”

RunAs Dialog

Make “RunAs” the default for a shortcut

Shortcut Properties, Advanced Properties

RunAs Command Line

E.g.,runas /u:Administrator cmd.exe

RunAs – Visual Differentiation

Set privileged console windows apart visually

cmd.exe /t:fc /k cd c:\ && title ***** Admin console *****

RunAs – Visual Differentiation

Background bitmap for IE and Explorer

Set it with TweakUI

PrivBar

Running IE as admin:Running IE as admin:

… … as Power User:as Power User:

… … as “User”:as “User”:

… … with “Protect my computer”:with “Protect my computer”:

RunAs

Demo

When RunAs Doesn’t Work

Some apps reuse existing instances

–Windows Explorer

–Microsoft Office Word

Some apps get started through the shell

–ShellExecute[Ex]

–DDE

Current version of WindowsUpdate! –And Microsoft Update!

RunAs and Explorer

Two viable options:

1. Use Internet Explorer, or

2. Set the flag that lets Windows Explorer run multiple instances

“The flag…”

– “Launch folder windows in a separate process”

Caveats about this setting

RunAs and Explorer

Demo

Issues Using Local Admin Account

No access to domain resources

Different profile settings

Some apps assume that the installer is the user

Per-user Policy settings

Power Options applet

Resolution? MakeMeAdmin

MakeMeAdmin

Temporary elevation of your current account

Result: CMD running with your normal account but with admin privileges

Apps started from it inherit context

Posted on my blog

MakeMeAdmin

Demo

Dealing with LegacyApps with LUA Bugs

App works only with admin privileges

The easy fix:

Add the user to the local Admins group!

Dealing with Legacy1. Fix the LUA Bugs

Make the developers fix their bugs!

Preferred option

Don’t continue to create “legacy”

Dealing with Legacy2. Hiding LUA Bugs

LUA modes in the Application Compatibility Toolkit

Shims to redirect registry and file access

But: XP’s shims don’t work.

(Windows Vista’s will work better…)

Dealing with Legacy3. Remediating LUA Bugs

Loosen ACLs

Only on app-specific resources!

–%ProgramFiles%\MyApp\MyDataFolder

–HKLM\SOFTWARE\MyApp\Settings

Not on OS resources!

–%windir%, %windir%\System32

–HKLM\SOFTWARE\Microsoft\Windows

Use a granular, surgical approach

–Least additional privilege

Deployment options

Dealing with Legacy3a. Remediating LUA Bugs – HKCR to HKCU

Writing to HKCR is usually a LUA bug

HKCR is a merged view of

–HKLM\SOFTWARE\Classes

–HKCU\SOFTWARE\Classes

Write to HKCR goes to HKCU if key already exists there

So: Pre-create keys under HKCU

Dealing with Legacy4. Running one app as admin

Run the app with admin privileges.

Some options:

–RunAs / MakeMeAdmin: requires giving the user the admin password

–DesktopStandard PolicyMaker Application Security

– “RunAsAdmin” by Valery Pryamikov

Highest risk

The Limits of LUA

Value? Two (incorrect) extremes

–Silver bullet

– “Not the answer”

What it protects against today

What it doesn’t protect against today

What happens when everyone is LUA?

LUA doesn’t protect against…

Anything you can do to yourself

Weak admin passwords

Attacks on services

Phishing

Stupidity

Capturing RunAs credentials – fixed in Windows Vista!

When everyone is LUA…

Attackers will adjust

Elevation of privilege becomes more interesting

Non-Admin Blog

The easiest way to run as non-admin (Fast User Switching)

"RunAs" basic (and intermediate) topics

RunAs with Explorer

MakeMeAdmin – temporary admin for your Limited User account

PrivBar – An IE/Explorer toolbar to show current privilege level

Running restricted – What does the "protect my computer" option mean?

Remembering Calculator and Character Map Settings

Managing Power Options as a non-administrator

Ctrl-C doesn't work in RUNAS or MakeMeAdmin command shells

Changing the system date, time and/or time zone

How to allow users to manage file and print shares without granting other advanced privileges

(More coming!)

http://blogs.msdn.com/aaron_margosis

Resources

Non-Admin Wiki: http://nonadmin.editme.com

Non-Admin blog: http://blogs.msdn.com/aaron_margosis

DesktopStandard PolicyMaker Application Security: http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx

RunAsAdmin: http://www.harper.no/valery/CategoryView,category,RunAsAdmin.aspx

Technet Webcasthttp://msevents.microsoft.com/cui/eventdetail.aspx?eventID=1032274954

“Browsing the Web and Reading E-mail Safely as an Administrator” Part 1: http://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asp Part 2: http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp

TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

SysInternals tools: http://www.sysinternals.com

Community ResourcesCommunity Resources

Community ResourcesCommunity Resources

http://www.microsoft.com/communities/default.mspxhttp://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)Most Valuable Professional (MVP)

http://www.microsoft.com/communities/http://www.microsoft.com/communities/mvpmvp

NewsgroupsNewsgroups

Converse online with Microsoft Newsgroups,Converse online with Microsoft Newsgroups,including Worldwideincluding Worldwide

http://communities2.microsoft.com/communitieshttp://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx/newsgroups/en-us/default.aspx

User Groups - Meet and learn with your peersUser Groups - Meet and learn with your peers

http://www.microsoft.com/communities/usergroupshttp://www.microsoft.com/communities/usergroups/default.mspx/default.mspx

Running with Least Privileges in Windows Vista

What do we call this technology?

Flexible Account Control Technologies

Least User-privileges Access (LUA)

Least User Account (LUA)

User Account Protection (UAP)

User Account Control (UAC)

For the purposes of this talk we will refer to this technology as:

User Account Control

Desktop LockdownDesktop LockdownEnables I.T. to take back control of desktop management

Gives standard users the “Just Enough Privilege” on desktops

Reduces lost productivity and downtime

Available as part of Windows Vista

Protecting Against Security Protecting Against Security ThreatsThreats

User Account ControlGreater Confidence and ControlUser Account ControlGreater Confidence and Control

Reduces OS attack surface from malware, root kits, and shatter attacks

Isolates admin processes to helps prevent compromise by malware

Framework for Developing Least-Privilege ApplicationsFramework for Developing Least-Privilege ApplicationsProvides safe, stable model for software applications to execute tasks without exposing the system to malware

Ensures logo-compliant applications will run properly in Windows Vista. Also includes virtualization feature for legacy applications.

Administrator Approval Mode

Allows admins to operate with standard privileges for common tasks

Prompts when admin mode is necessary

Application Manifest defines permission levels

Administrator Approval Mode

Allows admins to operate with standard privileges for common tasks

Prompts when admin mode is necessary

Application Manifest defines permission levels

User Experience

Ability to perform common tasks as a Standard User, (e.g. Time-Zone changes)

Installation of printers and device drivers just works

VPN, wireless, and remote access just work

User Experience

Ability to perform common tasks as a Standard User, (e.g. Time-Zone changes)

Installation of printers and device drivers just works

VPN, wireless, and remote access just work

Application Compatibility

Protects System files from rogue applications

Protects Registry from Corruption

Application Compatibility

Protects System files from rogue applications

Protects Registry from Corruption

User Account Control FeaturesUser Account Control Features

Firewall settings are Firewall settings are locked down locked down (grayed out)(grayed out)

User clicks button to User clicks button to unlock settingsunlock settings

Admin is prompted Admin is prompted to approve process to approve process or supply credentialsor supply credentials

User Account Control: User ExperienceUser Account Control: User Experience

UAP ArchitectureStandard User RightsStandard User Rights

Administrative RightsAdministrative Rights

Admin logonAdmin logon

User PrivilegeUser Privilege

Admin PrivilegeAdmin Privilege

User ProcessUser Process

• Change Time Change Time

ZoneZone

• Run IT Approved Run IT Approved

ApplicationsApplications

• Install FontsInstall Fonts

• Install PrintersInstall Printers

• Run MSN Run MSN

MessengerMessenger

• Etc.Etc.

Standard User ModeStandard User ModeSplit TokenSplit TokenAdmin PrivilegesAdmin Privileges

Admin PrivilegeAdmin Privilege

User PrivilegeUser Privilege

Admin PrivilegeAdmin Privilege

Admin PrivilegeAdmin PrivilegeAbbyAbbyAdministrator ApprovalAdministrator Approval

ModeModeAdministrator ApprovalAdministrator Approval

ModeMode

User Account Control in Windows Vista

Demo

How do I deploy Software?Group Policy Software Installation

Package Applications in to MSI

Publish or Advertise through GPOs

System Management Server

Create deployment packages in SMS

Updating Applications

Use MSI 3.1 Patching Infrastructure

Initial MSI will include certificates to allowed elevated patching

Apps write to admin locations

HLKM\Software

%SystemDrive%\Program Files

%SystemRoot%

Windows Vista Redirection

This is a temporary solution

Use the LUA Predictor

Application CompatibilityAdministrator by Accident

Redirection allows legacy apps to run as Standard User

Writes to HKLM go to HKCU redirected store

Writes to system directories redirected to per-user store, copy-on-write

Application CompatibilityLUA Predictor

Guidance provided for developing compliant UI, file, registry, and deployment functionality

Predictor AppVerifier tool tests applications for compliance

App Verifier Toolkit Plug in

Show all Files, Registry Keys, and Admin APIs that need Admin privilege

Available Today!

Check out new whitepapers and guidance on Microsoft.com Check out new whitepapers and guidance on Microsoft.com

Beta 2 – Check out new featuresBeta 2 – Check out new features

Encourage Developers to Test their applications for compatibility & become logo compliant

Encourage Developers to Test their applications for compatibility & become logo compliant

Getting Ready for Windows Vista

All users run as Standard User by default even when you log on as admin!

Administrators use full privilege only for administrative tasks or applications

User provides explicit consent before using elevated privilege

High application compatibility

Windows Vista GoalWindows Vista provides a more secure and reliable Windows Vista provides a more secure and reliable

foundation which brings a new level of confidence in your foundation which brings a new level of confidence in your PCPC

SummaryUser Account Control Goals

Provides Developers with:

AppCompat – assurance that their applications will run properly

Reduced support costs

Improved application security

Helps enterprises to:

Establish increased protection against malware

Control access to administrative functions

Increase user productivity

Simply and safely elevate privileges for administrative tasks

SummaryUser Account Control Goals (Con’t)

Resources

Information about the Logo Program:

https://partner.microsoft.com/global/winlogo/

ISV/Developer guidelines on MSDN:

http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/AccProtVista.asp

IT Deployment doc using AppCompat runlevel Shims:

http://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx

UAP Getting started Doc (targeted to Beta-1):

http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx

Top 10 Questions1. If I mark my app as “admin”, can I skip the elevation consent dialog? – No

2. Can you modify the privilege of a running application? - No

3. Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not

4. How long does the elevated process last? – Life of the process

5. Can I enable which users will use UAC? – Currently this is a per machine setting

6. Does UAP apply to all processes and services? – Interactive processes only

7. What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles%

8. Won’t Redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64bit

9. What happens when installer detection fails? – The app runs as non-admin

10. Will UAC be going down-level? - No

Community Resources

Community Resources

– http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)

– http://www.microsoft.com/communities/mvp

Newsgroups

–Converse online with Microsoft Newsgroups,including Worldwide

– http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

User Groups - Meet and learn with your peers

– http://www.microsoft.com/communities/usergroups/default.mspx

Thanks to Aaron Margosis for providing some of the content for this presentation deck