Day 5: Understanding Vista’s Two Least Understood Security Stars

This is the only session in the early slot this morning that interests me.  It’s the traditional post-Tech-Ed-party morning.  However, there was no traditional Tech-Ed party… it was an invite-only affair.  I didn’t bother going because I was shattered.  A Mickie-Dee burger and an early night to catch up on sleep was enough for me.

This presentation is by Mark Minasi.  Again, just the highlights here.  Attending Mark’s sessions is highly recommended.  There’s much more content than shown here.

  • UAC: User Account Control
  • Windows Integrity Levels (WILs)

UAC

UAC was originally intended as a security solution to protect you against accidental malware installation.  It failed at that.  MS "lied" about the original intention.

UAC is still good, just not as good as it should be.  You normally run as non-admin, even if your account is an admin.  You are prompted to elevate when you need it.  This avoids the other solution: the admin has two accounts, admin and non-admin.  When you log on as an administrator you get two tokens: standard and administrative.  The default token used for the admin’s new processes is the standard one.  When you try to run some programs, you’re prompted to use the admin token.  How does Vista know?  The program is coded to say it needs elevation.  Once a process starts, you cannot change its associated token; the only way is to restart the process.  If a program isn’t coded for elevation, you can do "run as administrator".

Even if this isn’t a 100% secure anti malware solution, it allows admins to have the recommended dual ID solution with a single admin account.

Run As is still there but … when you Run As another user, you run with their standard token.

You can disable this prompt but still have UAC.  Use GPO to: elevate without prompting, prompt for consent (default), or prompt for credentials.

The secure desktop is where the screen grays out when the prompt comes up.  It’s a special session with your desktop as a screenshot.  You can configure this but it’s best left as default.

Tip: to configure a program to prompt automatically, edit the properties of the exe and tick "run as administrator".  That’s OK but it isn’t built into the program: the setting doesn’t travel when you copy the file, etc.  Vista also catches anything with setup, install or update in the file name and knows to prompt for elevation.  That’s a "sometimes" workaround.

The proper solution for dodgy applications is to use a manifest.  You can simply place it in the same folder as the exe.  If the file is called myexe.exe then the manifest is called myexe.exe.manifest.  There’s some caching behaviour with this, so it may fail if you’ve been testing; create fresh test folders when experimenting to avoid this.  There’s also a bug where you set it not to prompt but it can still prompt.  Might be fixed in SP2.

The best way is to build the manifest into the exe.  You use a tool called MT (in Visual Studio, including the free Lite edition): mt -manifest <my.manifest> -outputresource:<myexe>;#1

Windows 7 has a different UAC control, kind of like the IE security slide controls, varying from maximum to minimum/off.

Windows Integrity Levels

Every user token, object and process has an integrity level (IL).  A process (the subject) cannot change an object unless its IL is greater than or equal to the object’s IL.  This is also known as "mandatory integrity control" or "Windows Integrity Control".

MS didn’t really use it in RTM but they left the mechanisms in place.  It is possible for a user/attacker to create a file that even an administrator cannot delete.

3 types of WIL label:

  • no read up
  • no write up
  • no execute up

Two tools you can use to see these:

  • icacls
  • chml – a tool that Mark wrote.

Use "icacls <file> /setintegritylevel <level>" to set a WIL label on a file.

As an admin, you cannot set a WIL label to System; icacls won’t do it.  Use chml instead, running it as System via one of:

  • WinPE
  • Use PSExec as system

If you cannot delete a file you have permission for:

  • Use these tools to look for "System Mandatory Level".
  • Boot to WinPE to reduce the WIL label.
  • Delete it.

Use "whoami /groups /fo list" to see your session’s WIL label.
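The label check described above, as an added example that is not from Mark’s session or this post: a Python script that pulls the label out of constructed `icacls` and `whoami /groups /fo list` output, applies the no-write-up rule, and says whether the file can be deleted as-is, needs icacls, or needs chml run as System. The sample outputs are constructed; the S-1-16 label RIDs are the well-known Windows values.

```python
import re

# Well-known integrity label SIDs are S-1-16-<RID>; higher RID means higher IL.
IL_RID = {"Low": 4096, "Medium": 8192, "High": 12288, "System": 16384}
RID_TO_NAME = {rid: name for name, rid in IL_RID.items()}

# Constructed sample of `whoami /groups /fo list` for an elevated admin session.
WHOAMI_SAMPLE = """\
Group Name: Everyone
Type:       Well-known group
SID:        S-1-1-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: Mandatory Label\\High Mandatory Level
Type:       Label
SID:        S-1-16-12288
Attributes:
"""

# Constructed sample of `icacls` output for a file carrying a System label (NW = no write up).
ICACLS_SAMPLE = r"""C:\test\locked.txt BUILTIN\Administrators:(F)
                   NT AUTHORITY\SYSTEM:(F)
                   Mandatory Label\System Mandatory Level:(NW)

Successfully processed 1 files; Failed processing 0 files
"""

LABEL_RE = re.compile(r"Mandatory Label\\(Low|Medium|High|System) Mandatory Level:\(([A-Z,]*)\)")

def session_level(whoami_output):
    """Integrity level of the session, read from its S-1-16-<RID> label SID."""
    m = re.search(r"SID:\s+S-1-16-(\d+)", whoami_output)
    if not m:
        raise ValueError("no integrity label SID in whoami output")
    return RID_TO_NAME[int(m.group(1))]

def file_label(icacls_output):
    """(level, policies) of a file; an object with no explicit label is treated as Medium, no-write-up."""
    m = LABEL_RE.search(icacls_output)
    if not m:
        return "Medium", {"NW"}
    return m.group(1), set(p for p in m.group(2).split(",") if p)

def can_delete(session, file_level, policies):
    """No-write-up: a delete is a write, so it is blocked when the subject's IL is below the object's."""
    return "NW" not in policies or IL_RID[session] >= IL_RID[file_level]

def remediation(session, file_level, policies):
    """Which of the steps from the post applies to this file."""
    if can_delete(session, file_level, policies):
        return "delete it"
    if file_level == "System":
        return "icacls cannot lower a System label: run chml as System (WinPE or PsExec) and then delete"
    return "icacls <file> /setintegritylevel M, then delete"
```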

Those are the highlights.  Much more in Mark’s Vista security book.
