Transcript of Security Summit West 2004, Redmond, WA: Darren Canavor, Longhorn Security.

Agenda
Definitions
LUA Customer Pain Points
LUA Vision
Desktop Control
Tools
Security Questions for you

Definitions
LUA = Least Privileged User Account
  Run with just enough privilege to get the job done and no more!
  Applications for regular users must be written to run as non-admin
Administrator
  A user of a machine that belongs to a user group that has permissions able to change local or domain state
  Bluntly - a user that can destroy the user experience for everyone
  Privilege == Obligation (view as a burden, not an enabler)
PA = Protected Administrator
  A user belonging to an admin group which obtains two tokens to run apps
  At logon administrators will run a shell that has LUA default privilege
  Elevated privileges are only granted to trusted applications
AIM = Application Impact Management (aka Strongbox)
  Virtualizes the legacy application view of Windows to remove admin dependency

LUA Customer Pain Points

Home:
Virus and Spyware wrecks my machine
  Viruses and Spyware with Admin privilege can damage the machine
Legacy applications require Admin to Install
  Users cannot install applications as NonAdmin
Legacy applications require Admin to Run
  Users cannot run applications as NonAdmin
Common OS Configuration tasks require Admin privilege
  Users cannot perform common OS configuration tasks as LUA
Users accidentally do the wrong thing
  Users running as Admin can inadvertently damage their machine

Enterprise:
Virus and Spyware wrecks my machine
  Viruses and Spyware with Admin privilege can damage the machine
  Enterprise Admin attacks compromise corporation
Line of Business applications require Admin to Run
  Corporate Users cannot run applications as NonAdmin
Common OS Configuration tasks require Admin privilege
  Corporations can't easily deploy users as LUA unless they compromise OS Security
  Simple scenarios like VPN don't work without Admin privilege
  IT must reevaluate the LoB applications for each OS release due to inconsistent configuration settings

LUA Vision

Vision: Eliminate the risks caused by everyone running as administrator
Strategy: Change the way that Windows runs so that common user tasks and most applications don't require administrative privilege. Then advise and protect when administrator privilege is required.
Initiatives:
  Ensure Windows Users can run all Common User Tasks without Admin Privilege
  Enable the Windows Infrastructure for users without Admin Privilege
  Enable Apps to Install, Run, Update and Uninstall without Admin Privilege
  Create Protected/Isolated Sessions for apps that do require Admin
  Evangelize LUA to ISVs and Customers with Clear Guidelines, Education and Results Tracking

LUA Longhorn UX Goals

OS feels like it was built for the LUA user
Users know when they are about to do something potentially unsafe and are able to make an informed decision
Windows always gives strong Security and Privacy recommendations
Users can undo damaging changes
Users feel confident they can install or run any program without compromising their PC
Users do not need to learn any major new concepts or procedures to be protected

Longhorn Is LUA Friendly

Fix OS bugs (CPL, MSC, etc.)
Support Common LUA scenarios: VPN, Display Settings, Power Management, Regional Settings, Clock, Calc, etc.
Support Per User ActiveX installation
Support Per User File Extension handlers

LUA Infrastructure Support

Make Per User installs work for LUA
  Visual Studio, MSI 4.0, and OS support "MyPrograms"
  Location: %USERPROFILE%\Local Settings\My Programs
All LH Logo Applications run as LUA
AppCompat shims top X ISV applications
Applications have manifests (Application or Deployment)
  Defines what the application is and its system impact
  Signed by either ISV or IT Department
Trust infrastructure to support manifest signature validation

LUA Deployments Support

Runtime File/Registry Virtualization
  Support / Management tools (debug transaction logs)
  Educate PSS on how to debug Virtualization
  Explorer support correct File view
Trust infrastructure support
  Trust Manager
  Application Information Service
  Simple Secure Consent UI

Desktop Control

Full control over what applications and drivers can be installed or run
Desktop Control Policy settings:
  Lockdown: Only predefined publishers can install or run
  Prompt: For unknown publishers ask the user for install or run permission
  XP compatibility: No Trust check

Application Information Svc Overview

(Diagram: manifest trust flow between Developer/Administrator, Manifest and System)
Developer/Administrator: author manifest with a trustInfo section (<trustInfo>..</trustInfo>); make a strong name and sign the manifest (signing authority)
Manifest: strong name/signature secured
System: validate certificate and signature against the Enterprise Certificate Store, System Certificate Store and Local Certificate Store; make a trust action based on the Manifest data and Policies

Managing Application Trust

Trust determined by certificate used to sign code with, a.k.a. 'publisher'
Authenticate against set of "Trusted Publishers"
Administrators set policies controlling which publishers to trust
  Decide which are "Trusted Publishers"
  Pre-populate "Trusted Publishers" certificates in OS Image (IBS)
  GP Certificate trust download for machines joined to domain
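The three slides above (the trustInfo manifest, the Desktop Control settings and the Trusted Publishers list) fit together as one decision. The Python below is an added example, not code from the deck or from Microsoft: it reads the trustInfo section of a constructed application manifest and applies the Lockdown / Prompt / XP compatibility settings against a trusted-publisher set. It assumes the manifest schema that Windows Vista later shipped (trustInfo in the urn:schemas-microsoft-com:asm.v3 namespace with requestedExecutionLevel), since the deck leaves the section contents empty, and it takes the publisher name as an already-validated input because certificate and signature checking is outside the example. The Contoso.Payroll name and publisher strings are made up.

```python
"""Added example (not from the deck, not Microsoft code): read the <trustInfo>
section of an application manifest and apply a Desktop Control style policy.
Assumptions: the manifest schema is the one Windows Vista later shipped
(trustInfo in the urn:schemas-microsoft-com:asm.v3 namespace), and the
publisher name is passed in already validated, since signature checking is
outside this example."""
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
TRUST_NAMESPACES = ("urn:schemas-microsoft-com:asm.v3",
                    "urn:schemas-microsoft-com:asm.v2")
VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}

# Constructed sample manifest for a hypothetical line-of-business client.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Contoso.Payroll" version="3.1.0.0"
                    processorArchitecture="x86" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# The deck's three Desktop Control policy settings.
LOCKDOWN, PROMPT, XP_COMPAT = "Lockdown", "Prompt", "XP compatibility"


def read_trust_info(manifest_xml):
    """Return the application name and what its trustInfo section requests.
    Raises ValueError on an unknown execution level rather than guessing."""
    root = ET.fromstring(manifest_xml)
    ident = root.find(f"{{{ASM_V1}}}assemblyIdentity")
    info = {"name": ident.get("name") if ident is not None else None,
            "level": None, "ui_access": False}
    for ns in TRUST_NAMESPACES:
        rel = root.find(f"{{{ns}}}trustInfo/{{{ns}}}security/"
                        f"{{{ns}}}requestedPrivileges/{{{ns}}}requestedExecutionLevel")
        if rel is not None:
            info["level"] = rel.get("level")
            info["ui_access"] = rel.get("uiAccess", "false").lower() == "true"
            break
    if info["level"] is not None and info["level"] not in VALID_LEVELS:
        raise ValueError(f"unknown requestedExecutionLevel: {info['level']}")
    return info


def trust_decision(info, publisher, trusted_publishers, policy):
    """Apply the deck's Desktop Control settings to one application.

    publisher: subject of the certificate the manifest was signed with, or None
    for unsigned code (assumed already validated against the certificate stores).
    Returns (action, elevate): action is "run", "prompt" or "block"; elevate says
    whether the full administrator token would be granted if the app runs, which
    only happens for a trusted publisher that asks for it (under Prompt, only
    after the user consents)."""
    wants_admin = info["level"] == "requireAdministrator"
    trusted = publisher is not None and publisher in trusted_publishers
    if policy == LOCKDOWN:      # only predefined publishers can install or run
        return ("run", wants_admin) if trusted else ("block", False)
    if policy == PROMPT:        # unknown publishers go to the consent UI
        return ("run", wants_admin) if trusted else ("prompt", wants_admin)
    if policy == XP_COMPAT:     # no trust check, but no silent elevation either
        return ("run", wants_admin and trusted)
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    info = read_trust_info(SAMPLE_MANIFEST)
    trusted = {"CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=WA, C=US"}
    for policy in (LOCKDOWN, PROMPT, XP_COMPAT):
        print(policy, info["name"], trust_decision(info, None, trusted, policy))
```

Note that an asInvoker application never receives the elevated token regardless of publisher; only requireAdministrator does, and only when the publisher is trusted or the user consents, which is the deck's "elevated privileges are only granted to trusted applications" in code form.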

Permissions For Installing Drivers

Driver Store
  Repository of drivers on local machine
  Requires Administrator permission to populate ("Stage" drivers for install)
  Once drivers are added to store they will install regardless of user permission
Driver Package Integrity
  Longhorn will require all drivers to be digitally signed to install
  Authenticode™ code signing works for all driver types in Longhorn
  Signing check occurs before adding a driver to the Driver Store

Code Validation Process

All code validation is a human decision
  Publishers can get signed app manifest (need to be in cert store)
  Domain admins can sign deployment manifest (enterprise store)
  Local admins can "bless" apps
  By policy user can decide to change default behavior
All local validation decisions are preserved in App Context
Code Integrity is assured by checking every .EXE and .DLL for validity
Application trust is assured at Runtime

LUA Predictor AppVerifier

Intended to predict whether an application would work correctly as a non-admin.
  Identifies API calls that would fail if attempted by a non-administrator
  Identifies all Access requiring Admin privilege
Example LUA Predictor test pass:
  Logon as Administrator and install LUA Predictor Shim
  Build affinity to the applicable application
  Test application and save log
  Logon as Non Admin
  Test application and save log
Tool Location: http://www.microsoft.com/windows/appcompatibility/default.mspx
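The test pass above (run the application as Administrator and save the log, run it as a non-admin and save the log, then compare) can be reproduced in miniature. The Python below is an added example, not the LUA Predictor shim or any Microsoft tool: it takes two constructed access logs in a made-up tab-separated format (operation, path, result), predicts from the admin-run log alone which writes need administrator privilege, confirms them against the non-admin run, and shows where the per-user file and registry virtualization that Windows Vista later shipped (the VirtualStore locations) would redirect each write, as an illustration of the runtime virtualization the deck calls AIM. The Contoso paths and the log lines are constructed.

```python
"""Added example (not the LUA Predictor shim or any Microsoft code): a
miniature LUA-Predictor pass over two constructed access logs, one captured
while running as Administrator and one as a non-admin.  The log format is
made up for this example: operation<TAB>path<TAB>result."""

# Constructed admin-run log: every write succeeds, so this log alone shows what
# the application touches, not whether a non-admin could do it.
ADMIN_LOG = "\n".join([
    "RegSetValue\tHKLM\\SOFTWARE\\Contoso\\Payroll\\ServerUrl\tSUCCESS",
    "RegSetValue\tHKCU\\SOFTWARE\\Contoso\\Payroll\\LastUser\tSUCCESS",
    "CreateFile\tC:\\Program Files\\Contoso\\Payroll\\payroll.log\tSUCCESS",
    "CreateFile\tC:\\Users\\alice\\AppData\\Local\\Contoso\\cache.db\tSUCCESS",
    "WriteFile\tC:\\Windows\\System32\\drivers\\etc\\hosts\tSUCCESS",
    "RegQueryValue\tHKLM\\SOFTWARE\\Contoso\\Payroll\\ServerUrl\tSUCCESS",
])

# Constructed non-admin log of the same test pass: machine-scoped writes fail.
NONADMIN_LOG = "\n".join([
    "RegSetValue\tHKLM\\SOFTWARE\\Contoso\\Payroll\\ServerUrl\tACCESS DENIED",
    "RegSetValue\tHKCU\\SOFTWARE\\Contoso\\Payroll\\LastUser\tSUCCESS",
    "CreateFile\tC:\\Program Files\\Contoso\\Payroll\\payroll.log\tACCESS DENIED",
    "CreateFile\tC:\\Users\\alice\\AppData\\Local\\Contoso\\cache.db\tSUCCESS",
    "WriteFile\tC:\\Windows\\System32\\drivers\\etc\\hosts\tACCESS DENIED",
    "RegQueryValue\tHKLM\\SOFTWARE\\Contoso\\Payroll\\ServerUrl\tSUCCESS",
])

# Operations in the constructed log that modify state; reads never need admin here.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteKey",
             "CreateFile", "WriteFile", "DeleteFile"}

# Roots a standard user cannot write to on a default install.
MACHINE_ROOTS = ("hklm\\", "hkey_local_machine\\", "c:\\program files", "c:\\windows")
# Roots inside the user's own profile.
USER_ROOTS = ("hkcu\\", "hkey_current_user\\", "c:\\users\\")


def needs_admin(path):
    """Static rule: a write under a machine-scoped root needs administrator privilege."""
    p = path.lower()
    return not p.startswith(USER_ROOTS) and p.startswith(MACHINE_ROOTS)


def parse_log(text):
    """Parse the constructed tab-separated log into (op, path, result) tuples."""
    return [tuple(line.split("\t")) for line in text.splitlines() if line.strip()]


def predict(admin_entries):
    """LUA Predictor style: from the admin-run log alone, list the writes that
    would fail for a non-administrator."""
    return [(op, path) for op, path, result in admin_entries
            if op in WRITE_OPS and result == "SUCCESS" and needs_admin(path)]


def confirm(admin_entries, nonadmin_entries):
    """Second half of the test pass: operations that succeeded as admin and were
    actually denied in the non-admin run."""
    denied = {(op, path) for op, path, result in nonadmin_entries
              if result == "ACCESS DENIED"}
    return [(op, path) for op, path, result in admin_entries
            if result == "SUCCESS" and (op, path) in denied]


def virtual_store_path(path):
    """Per-user location that the file/registry virtualization Windows Vista
    later shipped redirects such a write to (assumption: used only to illustrate
    the runtime virtualization the deck describes; in Vista it applies to legacy,
    unmanifested applications only).  Returns None if the path is not virtualized."""
    p = path.lower()
    if p.startswith(("hklm\\software\\", "hkey_local_machine\\software\\")):
        sub = path.split("\\", 2)[2]
        return "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\" + sub
    if p.startswith(("c:\\program files\\", "c:\\windows\\")):
        return "%LOCALAPPDATA%\\VirtualStore\\" + path[3:]
    return None


def report(admin_log, nonadmin_log):
    """Combine prediction and confirmation into one row per admin dependency."""
    admin_entries = parse_log(admin_log)
    confirmed = set(confirm(admin_entries, parse_log(nonadmin_log)))
    return [{"op": op, "path": path,
             "confirmed_by_nonadmin_run": (op, path) in confirmed,
             "virtualized_to": virtual_store_path(path)}
            for op, path in predict(admin_entries)]


if __name__ == "__main__":
    for row in report(ADMIN_LOG, NONADMIN_LOG):
        flag = "confirmed" if row["confirmed_by_nonadmin_run"] else "predicted only"
        print(f"{row['op']:12} {row['path']}  [{flag}]")
        if row["virtualized_to"]:
            print(f"{'':12} -> {row['virtualized_to']}")
```

The static prediction and the non-admin confirmation are kept separate on purpose: a prediction that the second run does not confirm usually means the application silently swallowed the failure, which is exactly the class of bug that looks fine as Administrator and breaks for a LUA user.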

Security Questions For You

Do you test applications as Least Privileged User (LUA) – non-administrators?
Do you perform a threat analysis of applications before deploying them?
Is it your goal to provision users to run without administrator credentials? If so, what percentage of your users run as non-administrators?
Do your IT administrators have a secondary LUA account?
Do you have a hard policy on what IT administrators can do when they are logged on? I.e. not surf the internet?
Do you write line-of-business applications in .NET managed code?
Do you see value in writing managed code with permission sets that limit what the application can do?
Do you see value in writing line-of-business apps to a highly restricted environment (a sandbox) that restricts that application enough that it doesn't need a trust dialog to deploy?

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.