Understand UAC and Make It Work For You.
Agenda:
1. What is UAC and why you should love it
2. What has been / is being done in Windows 7
3. How it works in the core
4. How to make it work for you
5/2/12
What is UAC
The annoying screen that protects LOCAL administrators / power users.
Version 1.0 of the least-privilege Windows environment.
What is UAC
Three components:
1. Split tokens
   - Standard user: only deny rights (enterprise and local)
   - Filtered token: an admin whose admin groups carry deny-only rights
   - Full token
2. Consent / credential user interface
3. Secure desktop => an alpha-blended screenshot of the interactive desktop
What is UAC
UAC settings per device type and account type (set using group policies*):

Devices: Servers, Live Clients
Accounts: Local Admins (e.g. user Tom), Default users (e.g. user Karel)

Possible settings:
- UAC => ON / prompt, or UAC => ON / auto confirm
- UAC => ON / confirm, or UAC => ON / request password
- UAC => ON / block, or UAC => ON / request password
- UAC => ON / auto confirm

* Set using group policies. UAC should not be considered a substitute for RunAs.
What is UAC
Two accounts:
- Standard account
- Admin account: for specific admin tasks on the network; domain admin and/or delegated domain rights

Servers => UAC auto confirm
Clients being installed => UAC auto confirm

(Demo)
Why you should love it:
- Forces users to become more security aware; it looks black and scary, don't make it a Teletubby-style soft interface
- Informs you of system-level changes
- Forces malware to show itself
- Lets you control yes/no
- Solves the incompatibility issue of
Number of unique applications and tasks creating UAC prompts.
More prompts
- Educate software developers to write software according to best practices
- Internally at MS, remove unneeded prompts
- Relaxed "yes"

(Slider: security <-> usability, with the Vista default and the current default marked.)
Logon process: the token

- Administrator token: you need to ask for elevation, or Windows knows you will need elevation
- Default token

Explore your tokens with whoami:
    whoami /groups      => shows the explicit deny on the admin groups
    whoami /priv
    whoami /fo list /all
(Demo)

Normal token: child process is
1. Windows knows it needs elevation:
   1. Windows marks the icons
   2. Heuristic install detection
   3. Manifest
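The split-token and whoami slides above describe what a filtered token looks like; the following PowerShell function, added here as an example (it is not part of the deck), reports which of the three tokens the current process holds. It combines the .NET WindowsPrincipal check with the same "whoami /groups" output the deck demonstrates: on a filtered token BUILTIN\Administrators is present but marked "Group used for deny only". It assumes only a Windows host with whoami.exe.

```powershell
# Added example, not from the slides: classify the token of the current
# PowerShell process as full (elevated), filtered (admin in Admin Approval
# Mode) or standard user.

function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole consults the effective token: with a filtered token the
    # Administrators group is "deny only" and therefore does not count.
    $elevated = $principal.IsInRole($adminRole)

    # "whoami /groups /fo csv" is parseable; the column names are
    # "Group Name", "Type", "SID" and "Attributes".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $denyOnly = $groups |
        Where-Object { $_.Attributes -like '*deny only*' } |
        Select-Object -ExpandProperty 'Group Name'
    $isAdminMember = @($groups.'Group Name') -contains 'BUILTIN\Administrators'

    # A filtered token also carries far fewer privileges than a full one
    # (compare with "whoami /priv" from the deck).
    $privCount = @(whoami /priv /fo csv | ConvertFrom-Csv).Count

    $kind = if ($elevated)          { 'Full (elevated) token' }
            elseif ($isAdminMember) { 'Filtered token (admin in Admin Approval Mode)' }
            else                    { 'Standard user token' }

    [pscustomobject]@{
        User             = $identity.Name
        Elevated         = $elevated
        AdminGroupMember = $isAdminMember
        DenyOnlyGroups   = @($denyOnly)
        PrivilegeCount   = $privCount
        TokenKind        = $kind
    }
}

Get-UacTokenState | Format-List
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator" (the deck's right-click route) to see the same user reported with a filtered and then a full token.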
Check for the manifest => the manifest overrules the heuristics above.
* Heuristic install detection only works for 32-bit installers.

(Demo)
You tell Windows:
1. Right click => Run as administrator
2. Tag the icon for elevation
3. Add a manifest
4. Shim fixes
Mark an icon for automatic elevation => only works on legacy apps.

requestedExecutionLevel (in the application manifest):
- asInvoker => use the current security token
- highestAvailable => give the highest available token
- requireAdministrator => the app requires an admin token; if it does not exist, don't run

Use a manifest file => this is the best way, as it is a 1|0 situation.

(Demo)
To interact with the secure desktop you must adhere to three prerequisites:
1. Manifest entry uiAccess="true"
2. Code must be signed by Microsoft
3. Code must be put in a secure location
(Demo)
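The manifest slides explain requestedExecutionLevel and the three uiAccess prerequisites. The PowerShell below, an added example that is not the deck's own code, parses an embedded manifest for the level and uiAccess flag and then checks an executable against the other two prerequisites (Authenticode signature, secure location). The manifest text is constructed for the example; osk.exe is used only as a known System32 binary to point the check at, and the secure-location list mirrors the group policy described later in the deck.

```powershell
# Added example, not from the slides: read requestedExecutionLevel /
# uiAccess from a manifest and verify the uiAccess prerequisites.

# Constructed sample manifest (what an app would embed as RT_MANIFEST).
$SampleManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

function Get-ManifestExecutionLevel {
    param([Parameter(Mandatory)][string]$ManifestXml)
    $xml = [xml]$ManifestXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('v3', 'urn:schemas-microsoft-com:asm.v3')
    $rel = $xml.SelectSingleNode('//v3:requestedExecutionLevel', $ns)
    if (-not $rel) { throw 'No requestedExecutionLevel element in manifest' }
    [pscustomobject]@{
        # asInvoker | highestAvailable | requireAdministrator
        Level    = $rel.GetAttribute('level')
        UIAccess = ($rel.GetAttribute('uiAccess') -eq 'true')
    }
}

function Test-UIAccessPrerequisites {
    param([Parameter(Mandatory)][string]$ExePath,
          [Parameter(Mandatory)][string]$ManifestXml)
    $level = Get-ManifestExecutionLevel -ManifestXml $ManifestXml

    # Secure locations: \Program Files\, \Program Files (x86)\, \Windows\System32\
    $secureRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    $inSecure = [bool]($secureRoots |
        Where-Object { $ExePath.StartsWith($_, 'OrdinalIgnoreCase') } |
        Select-Object -First 1)

    $signed = $false
    if (Test-Path -LiteralPath $ExePath) {
        $sig = Get-AuthenticodeSignature -FilePath $ExePath
        $signed = ($sig.Status -eq 'Valid')
    }

    [pscustomobject]@{
        Exe              = $ExePath
        Level            = $level.Level
        ManifestUIAccess = $level.UIAccess
        Signed           = $signed
        SecureLocation   = $inSecure
        # All three prerequisites from the deck must hold for uiAccess to be honoured
        UIAccessAllowed  = ($level.UIAccess -and $signed -and $inSecure)
    }
}

Get-ManifestExecutionLevel -ManifestXml $SampleManifest
Test-UIAccessPrerequisites -ExePath "$env:SystemRoot\System32\osk.exe" -ManifestXml $SampleManifest
```

Point Test-UIAccessPrerequisites at a binary sitting in a user-writable folder and SecureLocation drops to False, which is exactly why a uiAccess application is refused from there even when it is signed.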
UAC group policy settings:
1. Only elevate UIAccess applications that are installed in secure locations. UIA apps must run out of:
   - \Program Files\
   - \Windows\System32\
   - \Program Files (x86)\
2. Run all administrators in Admin Approval Mode. If disabled => turns off UAC totally.
3. Switch to the secure desktop when prompting for elevation. Secure desktop vs. interactive desktop.
4. Virtualize file and registry write failures to per-user locations. Determines how file redirection reacts.
(Demo)
Fixup / Shim
(Demo)
When accessing an SMB share with a local (non-domain) admin account, you will be using the filtered token.
The secure desktop does not prompt on the remote session, only on the local system.
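The group policy list and the remote-SMB note above both come down to values under one registry key. The PowerShell below is an added example, not the deck's code: it reads the registry backing of those policies (EnableLUA, ConsentPromptBehaviorAdmin/User, PromptOnSecureDesktop, EnableSecureUIAPaths, EnableVirtualization, and LocalAccountTokenFilterPolicy, which controls whether a local admin keeps the filtered token over the network) and flags the settings that weaken UAC. The built-in defaults used when a value is absent and the "weak" judgements are this example's, not the deck's.

```powershell
# Added example, not from the slides: audit the UAC policy values and
# report which of the deck's settings are switched off.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue([object]$Props, [string]$Name, [int]$Default) {
    # An absent value means Windows uses its built-in default (assumed here).
    $v = $Props.PSObject.Properties[$Name]
    if ($null -ne $v) { [int]$v.Value } else { $Default }
}

function Get-UacPolicyReport {
    $p = Get-ItemProperty -Path $UacPolicyKey

    $enableLua   = Get-PolicyValue $p 'EnableLUA'                     1
    $adminBehav  = Get-PolicyValue $p 'ConsentPromptBehaviorAdmin'    5
    $userBehav   = Get-PolicyValue $p 'ConsentPromptBehaviorUser'     3
    $secureDesk  = Get-PolicyValue $p 'PromptOnSecureDesktop'         1
    $secureUia   = Get-PolicyValue $p 'EnableSecureUIAPaths'          1
    $virtualize  = Get-PolicyValue $p 'EnableVirtualization'          1
    $tokenFilter = Get-PolicyValue $p 'LocalAccountTokenFilterPolicy' 0

    $adminText = @{ 0 = 'Elevate without prompting (auto confirm)'
                    1 = 'Prompt for credentials on the secure desktop'
                    2 = 'Prompt for consent on the secure desktop (Vista default)'
                    3 = 'Prompt for credentials'
                    4 = 'Prompt for consent'
                    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)' }
    $userText  = @{ 0 = 'Automatically deny elevation requests (block)'
                    1 = 'Prompt for credentials on the secure desktop'
                    3 = 'Prompt for credentials' }

    $findings = @()
    if ($enableLua -eq 0)   { $findings += 'EnableLUA=0: Admin Approval Mode off, UAC is effectively disabled' }
    if ($adminBehav -eq 0)  { $findings += 'ConsentPromptBehaviorAdmin=0: admins elevate silently' }
    if ($secureDesk -eq 0)  { $findings += 'PromptOnSecureDesktop=0: prompts appear on the interactive desktop, where other processes can reach them' }
    if ($secureUia -eq 0)   { $findings += 'EnableSecureUIAPaths=0: UIAccess apps may run from any location' }
    if ($virtualize -eq 0)  { $findings += 'EnableVirtualization=0: legacy apps writing to protected paths fail instead of being redirected' }
    if ($tokenFilter -eq 1) { $findings += 'LocalAccountTokenFilterPolicy=1: remote UAC filtering off, local admins get a full token over SMB' }

    [pscustomobject]@{
        AdminApprovalMode   = ($enableLua -ne 0)
        AdminPromptBehavior = $adminText[$adminBehav]
        UserPromptBehavior  = $userText[$userBehav]
        SecureDesktopPrompt = ($secureDesk -ne 0)
        UIAccessSecurePaths = ($secureUia -ne 0)
        Virtualization      = ($virtualize -ne 0)
        RemoteUacFiltering  = ($tokenFilter -ne 1)
        Findings            = $findings
    }
}

Get-UacPolicyReport | Format-List
```

Reading the key needs no elevation, so the report can be collected from a standard-user session across a fleet; an empty Findings list corresponds to the "all administrators in Admin Approval Mode, secure desktop on, virtualization on" configuration the deck recommends.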
(Screenshot: Target Process ID)
Thank you
www.ittalks.be