Understand UAC and Make It Work For You.

UAC is a security feature in Windows that separates standard user accounts from administrator accounts and prompts for credentials when administrator-level access is needed. The document discusses what UAC is, how it works, and how to configure it through Group Policy settings to reduce prompts, provide more prompt information to users, and give administrators more control over elevation. It also describes how to elevate commands and applications using techniques like RunAs and manifests to specify the required privilege level.

Uploaded by Jeffrey Carlson
Copyright: © Attribution Non-Commercial (BY-NC)
Understand UAC and make it work for you.

Tom Decaluwe, [email protected]

Overview of the session

1. What is UAC and why you should love it
2. What's been / is being done in Windows 7
3. How it works in the core
4. How to make it work for you

5/2/12

1. What is UAC and why you should love it

What is UAC

The annoying screen that protects local administrators / power users. Version 1.0 of the least-privilege Windows environment.

What is UAC: 3 components

1. Split tokens (only for enterprise and local admins)
   - Standard user token (filtered token): the admin groups are present as deny-only rights, so admin rights are denied
   - Full token: elevated rights, full admin rights
2. Consent / credential user interface
3. Secure desktop => alpha-blended screenshot

What is UAC: 3 devices, 2 types of users

Type of user                | Device                  | UAC setting*
Domain Admins (user: Tom-a) | Servers                 | UAC => ON / prompt, or UAC => ON / auto confirm
Local Admins (user: Tom)    | Live clients            | UAC => ON / confirm, or UAC => ON / request password
Default users (user: Karel) | Live clients            | UAC => ON / block, or UAC => ON / request password
Local Admins (user: Tom)    | Clients being installed | UAC => ON / auto confirm

* Set using group policies. UAC should not be considered a substitute for the new RunAs.

What is UAC: the need for two user accounts

- Standard account: day-to-day use; local admin on clients, NOT on the domain
- Admin account: specific admin tasks on the network; domain admin and/or delegated domain rights

OU design / UAC settings via GPO

- Clients => UAC auto confirm / UAC block
- Servers => UAC auto confirm
- Clients being installed => UAC auto confirm

Demo

Two accounts

Demo

Why you should love it

Normal users => awareness
- Forces users to become more security aware: it looks black and scary; don't make it a Teletubby-style soft interface.
- It informs you of system-level changes.
- Forces malware to show itself.
- Lets you control yes/no.
- Solves the incompatibility issue of

Admin users => more control


Why you should love it

1. Huge reduction of apps that need admin rights

Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149.

(Chart: number of unique applications and tasks creating UAC prompts.)

Why should I care

It's here to stay: Windows Vista, Windows 2008, Windows 7

Why you should love it: RunAs compared to UAC

- RunAs: different credentials (username / password), different profile
- UAC: same credentials (username / password), same profile

2. What's been / is being done in Windows 7

What's the problem / what's being done

1. Reduce prompts
2. Make prompts informative
3. Better control

What's the solution: reduce unneeded prompts

- More prompts cause people to click yes without looking
- Educate software developers to write software according to best practices
- Internally at MS, remove unneeded prompts
- Relaxed yes

What's the solution: prompt information

Improved message dialog

What's the solution: more control

The UAC slider runs from security to usability:
- Security (top): always notify on every system change (Vista default)
- (Default): the Windows 7 default level
- Usability (bottom)

* Controllable via GPOs

What's the solution: more control

4. How it works in the core

How it works in the core: the token when you logon

Logon process => token => when you run an exe your

How it works in the core: a split token / filtered token

Logon process => token => the LSA service builds two tokens:

- Standard user token (default token): deny groups, 5 privileges (SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege); Medium integrity level, S-1-16-8192 => hex 2000
- Administrator token: all groups, all privileges; High integrity level, S-1-16-12288 => hex 3000

The administrator token is used when:
1. you ask for elevation
2. Windows knows you will need elevation

Check it yourself:
- whoami /groups => shows the explicit deny for admin accounts
- whoami /priv
- whoami /fo list /all
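An added example (not code from the deck) that wraps the whoami commands above in a PowerShell function and reports which half of the split token the current process holds. It assumes a Windows host; the function name is mine.

```powershell
# Added example (not from the deck): report which half of the split token the
# current PowerShell process runs under, using the whoami output from the slide.
function Get-UacTokenInfo {
    # whoami /groups /fo csv: one row per group with Type, SID and Attributes.
    # The "Label" row carries the integrity-level SID (S-1-16-xxxx); on a
    # filtered token the Administrators alias shows "Group used for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    $integrity = switch ($label.SID) {
        'S-1-16-8192'  { 'Medium (0x2000)' }
        'S-1-16-12288' { 'High (0x3000)' }
        default        { "Other ($($label.SID))" }
    }

    # .NET drops deny-only groups, so IsInRole(Administrator) is $false on the
    # filtered token and $true only on the full (elevated) admin token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /priv lists what is left in the token: five privileges on the
    # filtered token, the full set on the admin token.
    $privs = @(whoami /priv /fo csv | ConvertFrom-Csv)

    $kind = if ($elevated)   { 'Full admin token' }
            elseif ($admins) { 'Filtered admin token' }
            else             { 'Standard user token' }

    [pscustomobject]@{
        User           = $identity.Name
        TokenKind      = $kind
        IntegrityLevel = $integrity
        AdminsDenyOnly = [bool]($admins -and $admins.Attributes -match 'deny only')
        Elevated       = $elevated
        PrivilegeCount = $privs.Count
        Privileges     = ($privs.'Privilege Name' -join ', ')
    }
}

Get-UacTokenInfo | Format-List
```

Run it once from a normal prompt and once from a "Run as administrator" prompt to see the same account switch from the filtered token to the full token.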

Demo

How it works in the core: tokens in Process Explorer

- Normal token
- Admin token

How it works in the core: process launch

- Default behaviour: a process started from explorer.exe gets the standard user token
- Windows knows / Windows is told: the process gets the admin user token
- Child process is

How it works in the core: Application Information service

How it works in the core: Windows knows it needs to elevate

1. Windows marks the icons
2. Heuristic install detection
3. Manifest

How it works in the core: Windows knows it needs to elevate

Windows marks the icons

How it works in the core: Windows auto-detects elevation

Vista looks for popular install strings and detects installers from: setup, instal, update, Wise installer, InstallShield installer.

Check for the manifest => the manifest overrules the heuristic.
* The above only works for 32-bit installers.

Calc.exe => setup.exe

Demo

How it works in the core: Windows knows it needs to elevate

You tell Windows:
1. Right click => run as administrator
2. Tag the icon for elevation
3. Add a manifest
4. Shim fixes

How it works in the core: tell Windows to elevate

Mark an icon for automatic elevation => only works on legacy apps
- Only for you
- For all users

How it works in the core: embedded manifest

requestedExecutionLevel:
- asInvoker => use the current security token
- highestAvailable => give the highest available token
- requireAdministrator => app requires the admin token; if it does not exist, don't run

How it works in the core: tell Windows to elevate

Use a manifest file => this is the best way, as it's a 1|0 situation.

Manifest: internal and external

Demo
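Added example, not from the deck, covering the requestedExecutionLevel values and the external-manifest route from the last two slides: it writes a <name>.exe.manifest beside a legacy executable with the chosen level and reads the level back. The function names, LegacyTool.exe and the temp folder are assumptions; the manifest schema is the standard Windows one.

```powershell
# Added example (not from the deck): external manifest for a legacy exe.
# Windows reads <exe>.manifest from the same folder when the executable has no
# embedded manifest; an embedded manifest wins otherwise.
function New-ExternalUacManifest {
    param(
        [Parameter(Mandatory)] [string] $ExePath,
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string] $Level = 'requireAdministrator'
    )
    $manifestPath = "${ExePath}.manifest"
    $name = [IO.Path]::GetFileNameWithoutExtension($ExePath)

    # uiAccess stays false: "true" brings in the secure-desktop prerequisites
    # (signed code in a secure location), which a legacy app will not meet.
    $xml = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="$name" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    # No BOM: a byte-order mark before the XML declaration breaks manifest parsing.
    [IO.File]::WriteAllText($manifestPath, $xml, (New-Object Text.UTF8Encoding $false))
    $manifestPath
}

# Read the level back, e.g. to audit which manifests in a folder ask for admin.
function Get-ManifestExecutionLevel {
    param([Parameter(Mandatory)] [string] $ManifestPath)
    [xml] $doc = Get-Content -Raw -Path $ManifestPath
    $ns = New-Object Xml.XmlNamespaceManager $doc.NameTable
    $ns.AddNamespace('v3', 'urn:schemas-microsoft-com:asm.v3')
    $node = $doc.SelectSingleNode('//v3:requestedExecutionLevel', $ns)
    if ($node) { $node.level } else { 'asInvoker (no requestedExecutionLevel present)' }
}

# Constructed demo path; LegacyTool.exe does not need to exist to write the manifest.
$exe = Join-Path $env:TEMP 'LegacyTool.exe'
$manifest = New-ExternalUacManifest -ExePath $exe -Level 'highestAvailable'
Get-ManifestExecutionLevel -ManifestPath $manifest
```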

How it works in the core: interact with the secure desktop

To interact with the secure desktop you must adhere to three prerequisites:
1. Entry for the secure desktop: uiAccess=true
2. Code must be signed by Microsoft
3. Code must be put in a secure location: \Windows\System32\*, \Program Files\*, \Program Files (x86)\*

Secure desktop does not pause the processes.

Demo

How it works in the core: consent UIs

4 different levels of BEWARE:
- Red => program is signed by a publisher you blocked via GPO
- Teal => digitally signed by Microsoft
- Gray => digitally signed by a 3rd party
- Orange => other situations

* Consent UI times out after 2 minutes
* The dialogs are also linked to IE bars

5. How to make it work for you

How to make it work for you

1. Staging OU
   - Computer => all computers: 1. create folder, 2. copy file
   - User => target group Local_admins
2. GPOs => manipulating UAC
3. Use RunAs / ShellRunAs
4. Elevate.exe + Start++.exe => command-line elevation; "Elevate cmd here"

Control UAC via GPO / security options

Policy | What it does
Admin Approval Mode for the built-in Administrator account | The local Administrator is disabled by default, but if you enable the user => make him comply with UAC
Allow UIAccess applications to prompt for elevation without using the secure desktop | Applications like Remote Assistance => when enabled, local users who need help will need to know an admin password; disable if you use Vista speech recognition
Behavior of the elevation prompt for administrators | Do you want to be re-prompted for credentials, or just approve in Admin Approval Mode
Behavior of the elevation prompt for standard users | Set to deny if you want normal users to get an access denied instead of a credential prompt
Detect application installations and prompt for elevation | Not required when using SMS or GPSI, but needed when you want local people to be able to install apps starting with: setu, instl, update
Only elevate executables that are signed and validated | You can control what is trusted by populating the computer's trusted root store
Only elevate UIAccess applications that are installed in secure locations | UIA apps must run out of \Program Files\, \Windows\System32\ or \Program Files (x86)\
Run all administrators in Admin Approval Mode | If disabled => turns off UAC totally
Switch to the secure desktop when prompting for elevation | Secure desktop vs interactive desktop
Virtualize file and registry write failures to per-user locations | Determines how file redirection reacts
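Added example, not from the deck: an audit of the registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that these security options set, decoded to the names in the table, plus a check for the settings the table warns about. Function names are mine; the value names are the documented policy values.

```powershell
# Added example (not from the deck): read the registry values that the UAC
# security-option policies in the table write, and decode them.
function Get-UacPolicyState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # A missing value means the OS default (UAC on, consent for non-Windows
    # binaries for admins, credential prompt for standard users).
    function Val($name, $default) { if ($null -eq $p.$name) { $default } else { [int]$p.$name } }

    $adminPrompt = @{ 0 = 'Elevate without prompting (auto confirm)'
                      1 = 'Prompt for credentials on the secure desktop'
                      2 = 'Prompt for consent on the secure desktop'
                      3 = 'Prompt for credentials'
                      4 = 'Prompt for consent'
                      5 = 'Prompt for consent for non-Windows binaries' }
    $userPrompt  = @{ 0 = 'Automatically deny elevation requests (block)'
                      1 = 'Prompt for credentials on the secure desktop'
                      3 = 'Prompt for credentials' }

    [pscustomobject]@{
        UacEnabled               = [bool](Val 'EnableLUA' 1)                 # Run all administrators in Admin Approval Mode
        BuiltinAdminApprovalMode = [bool](Val 'FilterAdministratorToken' 0)
        AdminPrompt              = $adminPrompt[(Val 'ConsentPromptBehaviorAdmin' 5)]
        StandardUserPrompt       = $userPrompt[(Val 'ConsentPromptBehaviorUser' 3)]
        InstallerDetection       = [bool](Val 'EnableInstallerDetection' 1)
        OnlySignedElevation      = [bool](Val 'ValidateAdminCodeSignatures' 0)
        UiaSecurePathsOnly       = [bool](Val 'EnableSecureUIAPaths' 1)
        UiaPromptOffSecureDesk   = [bool](Val 'EnableUIADesktopToggle' 0)
        SecureDesktopPrompt      = [bool](Val 'PromptOnSecureDesktop' 1)
        Virtualization           = [bool](Val 'EnableVirtualization' 1)
    }
}

# The combinations the table warns about, for a quick compliance check.
function Test-UacWeakSettings {
    $s = Get-UacPolicyState
    $f = @()
    if (-not $s.UacEnabled)          { $f += 'EnableLUA=0: UAC is turned off totally' }
    if (-not $s.SecureDesktopPrompt) { $f += 'PromptOnSecureDesktop=0: prompts shown on the interactive desktop' }
    if ($s.AdminPrompt -like 'Elevate without*') { $f += 'ConsentPromptBehaviorAdmin=0: admins elevate without any prompt' }
    $f
}

Get-UacPolicyState | Format-List
Test-UacWeakSettings
```

The values reflect what Group Policy has written locally, so run it on a member of each OU (servers, live clients, clients being installed) to confirm the GPO design above actually landed.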

Run as different user

Demo

Elevate from command prompt

Demo

Elevate command prompt here

Demo

Privileged cmd prompt + no-prompt elevation

C:\Windows\System32\schtasks.exe /run /tn "CMD without UAC"

Demo

Program Compatibility Toolkit: fixup / shim

Demo

How to make it work for you: two problems

- SMB access => when accessing an SMB share using a local admin (non-domain) account you will be using the filtered token
- Remote Assistance => the secure desktop doesn't prompt on the remote session, only on the local system

How to make it work for you: configure elevation logging

Success / failure auditing of process tracking & privilege tracking
- ID 4688 => what process was created: New Process ID, Target Process ID
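Added example, not from the deck: enabling the process-creation audit and filtering 4688 events on their Token Elevation Type to list the processes that ran with the full admin token. Function names are mine; it assumes an elevated PowerShell console on a Windows host.

```powershell
# Added example (not from the deck): enable the process-creation audit the
# slide refers to and list 4688 events whose token elevation type shows the
# full admin token, i.e. processes that actually ran elevated.
function Enable-ProcessCreationAudit {
    # Process Creation is the subcategory behind "Audit process tracking".
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
}

function Get-ElevatedProcessStarts {
    param([int] $MaxEvents = 200)
    # 4688 TokenElevationType: %%1936 default (no split token),
    # %%1937 full token (elevated), %%1938 limited/filtered token.
    $kinds = @{ '%%1936' = 'Default'; '%%1937' = 'Full (elevated)'; '%%1938' = 'Limited (filtered)' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data> elements.
            [xml] $x = $_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process   = $d['NewProcessName']
                NewPid    = $d['NewProcessId']
                TokenType = $kinds[[string]$d['TokenElevationType']]
            }
        } |
        Where-Object { $_.TokenType -eq 'Full (elevated)' }
}

# Both need an elevated console: auditpol changes policy, and the Security log
# is readable only by administrators (or Event Log Readers).
Enable-ProcessCreationAudit
Get-ElevatedProcessStarts -MaxEvents 500 | Format-Table -AutoSize
```

Elevated starts from accounts that should only hold a filtered token, or from processes the GPO design routes through "auto confirm", are the rows worth reviewing.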

Thank you

www.ittalks.be

Tom Decaluwe, [email protected]