Chris Corio's Blog

UAC Prompt Circumvention...it's really not a big deal....

2009-06-19T04:45:00Z

The debate about UAC and circumventing the prompt continues... From my perspective it's more a misunderstanding at this point than anything that merits any analysis... Look...between you and me...malware writers are much more talented than anyone's giving them credit for...

Here are the current posts that present the story "security flaw":

http://www.withinwindows.com/2009/06/10/uac-uac-go-away-come-again-some-other-day/

http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/

Mark Russinovich's article pretty much tells the story from a technology perspective: http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

I wrote the following as a comment to the first blog post I pasted above - it talks more about the history of UAC...

---

I was part of the team that designed UAC. I’ll give you a little insight into the history of UAC and address some of the comments made on this blog post. Here we go…

As with any major initiative, especially one involving a multi-year effort involving 10s of engineers and affecting every application on the face of the earth, you don’t always end up with the exact technology you envisioned when you started. Hell, in the case of UAC we even changed the name of the feature several times – I bet no one remembers that it was called Flexible Account Control Technologies at one point. :)

If my memory serves me, when we started the UAC project, we firmly believed it would be a security feature. We wanted to protect users on the Windows system from malware. We also had the goal of incentivizing the use of Standard User accounts, which is something MSFT has been trying to do for several releases of Windows.

From my perspective, the design was brilliant and I take no credit for the creation of the split token. That concept was extremely powerful though because it modeled the default token to be that of a Standard User. In Vista, there was no compromise when it came to prompting and I remember answering the question “is there a white list for applications?” in every UAC talk I ever gave. Have no false pretense, that prompt isn’t security theatre – it is a giant stop sign that says: “This ISV wrote software that unnecessarily requires Administrator privileges!” This is exactly why you see the prompts today on Windows 7 targetted at 3rd parties.

As for the security messaging around UAC. The point where our messaging switched from security to reliability was when the product team engaged the support of our Secure Windows Initiative (SWI) team to PenTest UAC. They clearly demonstrated because of the shared state, HKCU, user profile, etc., between the “little Abby” and “big Abby” tokens (as we referred to them) that UAC elevations could never be a security feature – this was also right around when MarkRuss came to MSFT. He was also instrumental in demonstrating the flaws in our messaging!

I’ll admit that the product team was taken aback by this change in messaging and it took some of us longer than others to adjust to the new messaging. The good news is that I believe everyone at MSFT recognizes that UAC elevations (particularly for PA accounts, but also for Standard User accounts) is not a security boundary. If you want the highest level of security…never elevate a standard user account in an interactive session – this is achievable in an enterprise.

I have personally corrected several of the old documents with that messaging and I’m happy to fix any others if you send me an email with the link: chris@chriscorio.com. I didn’t see any in the top 10 in the list that accompanies this blog post (most of which are not written by offical MSFT employees) aside from the Windows help, which demonstrates the vintage of the messaging: http://windowshelp.microsoft.com/Windows/en-US/help/0eeb9ddd-ddaa-4cc5-a092-9908305665471033.mspx

Now, where are we today? I’ve seen an incredible interest from IT professionals in running their systems as Standard Users. This is a giant success and UAC was integral in achieving it. Those machines will run smoother and more reliably. As pointed out on the thread, the default account created in the Windows Out-of-Box Experience is still an Administrator. This is disappointing for me but MSFT has prioritized the UX for Windows right now and I think it is a necessary focus. Hopefully we will see this change in the future.

If anyone would like to have a public debate about UAC at any time – please don’t hesitate to let me know. Just send over a list of questions and I’m happy to answer them. I will be blunt in saying that I regard the dramatic posts around this elevation vulnerability as simply being a laughable distraction.

One thing that should never be forgotten: Malware writers are very sophisticated. They surely have far more interesting exploits than this fairly rudimentary workaround. And, for all you security researchers out there, this debate makes me chuckle…why does malware need administrator privileges anyway?

For now, I’m focusing on moving the broader industry to Standard User accounts, one desktop and one more fixed application at a time.

Chris

TechNet Article: Windows 7 Security Features

2009-04-05T02:02:00Z

My latest article was published online today - it's an overview of new security features added into Windows 7 and some of the refinements to UAC and others.

http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx

I'm really excited about AppLocker... If anyone wants to test it out in your organization...I'm game to help... This is an extremely important security feature in my opinion...

The UAC slider is a nice feature, but as I wrote in my last two posts, you need to understand that UAC is about helping you run as a Standard User. I'll put up a post in the near future that explains how to do that. Actually, this week someone asked me if I *actually* run as a Standard User? Aghast, I replied, "Yeah, that's the only way I log on to my computers." IMO, there is no reason to run as an Administrator any more on Windows Vista or Windows 7. That said, you still need access to Administrator privileges.

The new Authentication technologies are super exciting. WBF is really cool. BitLocker-To-Go is going to be really interesting for many enterprises.

Enjoy the article and let me know if you have any comments

UAC public relations...good for now...

2009-02-17T08:06:00Z

The storm seems to have subsided once again regarding UAC in Windows 7. Microsoft announced that they've fixed the problem and the world is content with that explanation. Personally, I think it might be the eye of the storm because I know there must be a security researcher or two waiting to once again find a "HUGE security flaw in Windows 7 UAC": http://i.gizmodo.com/5142837/huge-security-flaw-in-windows-7-user-account-control?skyline=true&s=x

Like I said, I'm really impressed with the sensationalism that ran rampant through this story. If I may critique Zheng's technical technique for a moment - personally, rather than writing a script to send key strokes, I probably would have just written an accessibility application and used the window's COM interfaces to just move the slider. After all, it's a feature in Windows that was specifically designed to programatically interact with UI...

Well...here's to RC1...I'm hoping that people come to understand that UAC is about the Standard User experience, not the superficial security provided by the prompt. But I assure you that I'll be tuning in to Jon and Steven as they progress through their UAC PR experience...

User Account Control and the Great Slider Debate

2009-02-09T04:59:00Z

After watching months of favorable UAC press, I couldn't resist commenting on the recent negative press that's been swirling around UAC.

Just so everyone knows, I am an expert on UAC. I worked as a Program Manager on the UAC during Windows Vista and spent almost 6 years on the Windows Security team.

Here's a video of one of my talks about UAC: http://www.microsoft.com/emea/msdnshowtime/sessionh.aspx?videoid=326

Here's one of my articles: Least Privilege: Teach Your Apps To Play Nicely With Windows Vista User Account Control

You'll notice they're both focused on helping ISVs write better code for the Standard User.

So, what happened to UAC in the last couple weeks? Well, according to eWeek:

"The issue relating to UAC was publicized by Windows bloggers Rafael Rivera and Long Zheng. During the week of Feb. 2, Zheng and Rivera have posted proof-of-concept code that circumvents UAC in the Windows 7 beta and allows hackers to use preapproved Microsoft applications to fool Windows 7 into granting malicious code full access rights."

Hmm... herein lies the biggest problem with UAC - Microsoft has continuously proven that they (I would have said ‘we' during Vista) are not great at delivering the core message around UAC. So let me try to do it the best I can:

User Account Control is about achieving one objective: Allowing end users to use Windows everyday with an account that is not in the Administrators group (or any other similarly privileged group.)

Why is this goal so important? Because running as a Standard User is a markedly more secure and reliable way to run Windows. In homes, in businesses, on laptops, on desktops, your parents, your kids...wherever, whoever, however you get Windows users to not run as Administrators...you're better off. After all, Unix and OSX have run this way for years.

So, how did Microsoft go about making this move? In Windows Vista, we made it so that the default security context in Windows Vista was that of a Standard User. This sent a clear message to ISVs that we want them to design for users that aren't Administrators. As a result, we needed to make it convenient to get Administrator privileges and we introduced the UAC prompt. With a change of this magnitude it takes time for the eco-system to digest the change and many legacy applications (including Windows) needed to be fixed up. Obviously, folks were upset about the amount they were getting prompted and there was a public outcry.

Personally I think this is a problem that would have fixed itself over time but I appreciate the continual focus on innovating that embodies Microsoft. In Windows 7, they introduced the new UAC policy settings and the slider to control them, which was designed to strike a balance between usability and continued to make it clear to ISVs that they need to design their code to run as a Standard User.

Now, notice...I've never said UAC is a security technology to this point. The security technology that UAC actually attempts to employ is the boundary between user sessions. The boundary has existed since NT4 and is clearly defined. In fact, by default Windows and UAC actually didn't take advantage of this boundary in the first version (Vista) or the second (Win7) - this is because the first account on the machine is always an administrator account. UAC was a long term strategic bet and I'm hearing from more and more companies that are deploying their desktops as Standard Users every day.

So, what really happened is that Zheng and Rivera have convinced the press that there is actually a sensational story here and the press have run with it. Microsoft, ever sensitive about UAC, has Jon and Steven working overtime writing blog posts that as far as I can tell don't clearly articulate UAC's value and continue to muddle the message around UAC. After living through this for the last couple weeks I simply couldn't resist writing this blog post - I hope it's clear that I really love MSFT and UAC.

When Steven and Jon say they will protect the slider in this blog post: http://blogs.msdn.com/e7/archive/2009/02/05/uac-feedback-and-follow-up.aspx. They are misguided - given the overall implementation of the default slider setting that allows Windows applications to run without a prompt, there is no way that someone else won't be able to find a way to turn off UAC prompting using some other Windows component. I don't think this is security researcher rocket science and that's as far as I will entertain the security discussion - UAC offers reliability enhancements and allows us all a much more pleasant experience as a Standard User on Windows.

For Jon and Steven to entertain the discussion around UAC and security in their blog posts is ludicrous. Why would they change a feature to make people think it's more secure when it's not a security feature in the first place? How is that message not getting out there? You can say I'm wrong or don't know...I'll gladly have the debate with anyone that so chooses to send me an email. I would encourage Jon and Steven to consider changing their messaging. If they don't, there will be a continuous stream of Zheng's and Rivera's attacking UAC as a security technology and Microsoft will continuously be responding with..."we fixed that hole..." when this was never the actual goal of the feature and instead becomes a thorn in the side of Windows 7.

Cheers,

Chris

If you're a company that wants help deploying Standard User desktops then email me - chris@migratellc.com. (I couldn't resist the plug for my company. :) )

What’s running on my system? - Part 1

2008-09-28T03:03:00Z

I don't know about you but I'm interested in figuring out what applications I'm using and what else might be running on my system. I'm going to describe ways to figure that out in a series of blog posts.

The first way is to turn on Process Auditing on your system and checkwhat processes are created in your audit log. Here's how you turn on process auditing:

1. Start MMC.exe with full administrator privileges.

2. From the File menu choose Add/Remove Snap-in...

3. Click on Group Policy Object Editor and then click Add.

You will be prompted to determine which Group Policy Object to edit - Local Computer should be highlighted. Keep that setting and press Finish.

4. Click on the OK button.

5. Now you will see a node for Local Computer Policy

Expand the Local Computer Policy
Then expand Computer Configuration->Windows Settings->Security Settings->Local Policies.
Click on Audit Policy. You should see the following screen.

6. Double-click on "Audit process tracking" and check the "Success" check box. It will look like this when you hit OK:

7. Now the creation of processes will be tracked by the system. Time to reboot.

After the system restarts it's time to figure out what's running.

Open the Event Viewer - you can do this by following the steps above but adding in the Event Viewer snap-in to MMC instead of the Group Policy Object Editor.
Expand the following nodes: Event Viewer->Windows Logs and clicking on Security
Then click on "Filter Current Log..." in the upper right-hand corner of the Event Viewer snap-in.
The Event ID that's most interesting for this exercise is: 4688, so add this to the filter and click OK.
Now you will see a list of all of the processes that have been created. :-) The interesting piece of information is usually the NewProcessName element in each entry.

Well...that's a great way to understand how your system boots and what processes have been created. Check out the next post where I'll talk about monitoring what's being started by each user.

My MSDN and TechNet Magazine Articles

2008-08-27T02:09:00Z

While I was at Microsoft I wrote a lot of documentation on all kinds of different technologies - after all that's what Program Managers do. Of all the whitepapers, KBs, and everything else I wrote - my favorite thing to write was always a magazine article. There's nothing like holding a magazine with your work in it - hopefully I'll get around to writing many more.

List of Chris Corio's MSDN and TechNet magazine articles:

TechNet Magazine: First Look: New Security Features in Windows Vista

http://technet.microsoft.com/en-us/magazine/cc160980(TechNet.10).aspx

MSDN Magazine: Teach Your Apps to Play Nicely With Windows Vista User Account Control

http://msdn.microsoft.com/en-us/magazine/cc163486.aspx

TechNet Magazine: Application Lockdown with Software Restriction Policies

http://technet.microsoft.com/en-us/magazine/cc510322(TechNet.10).aspx

My First Blog Post

2008-08-14T12:05:00Z

Well, if you're going to start a blog, you've got to have a first post. This is mine.

For those of you who don't know me (not you, Mom) I'll tell you a little about my focus for this blog. After spending almost 6 years working for Microsoft in the Windows Security team, this blog is my chance to help people use the security technologies that I worked on and understand subtleties that are often overlooked.

When I left Microsoft I was actively contributing on User Account Control, Software Restriction Policies, and Protected Mode IE among others. I expect to mainly comment on these technologies for the time being but we'll see where this blog takes me.

Well...one down. On to the next...