What Will We Cover?
• Why Use User Account Control (UAC), and How It Works
• Improvements to the User Experience
• Information about Application Deployment
Level 200
Agenda
• Introducing UAC Features and Benefits
• UAC Internals
• User Experience with UAC
• Securing Application Deployment
Why User Account Control?
• A History of the Windows Administrator Account
• Why Enterprises Run As Administrator Today
• Reducing the Total Cost of Ownership
How User Account Control Works
• Allow System to Run Well As Standard User
• Selectively Allow Applications to Run with Elevated Privileges
• Fix or Remove Inappropriate Administrative Checks
• Registry or File Virtualization Provides Compatibility
Standard User Privileges
• View System Clock and Calendar; Change Time Zone
• Install Wired Equivalent Privacy (WEP) to Connect to Secure Wireless Networks
• Change Display and Power Management Settings
• Install ActiveX Controls from Approved Sites
• Add Printers and Other Devices
• Create and Configure a VPN Connection
• Download and Install Updates
Elevation Model
Administrator Account and Standard User Account both start at Standard User Privileges (Default); Administrator Privileges are reached only by elevation.
Ways to Request Elevation:
• Application Marking
• Setup Detection
• Compatibility Fix
• Compatibility Assistant
• Run As Administrator
User Account Control Tools
Standard User Analyzer (Application Compatibility Toolkit 5.0) reports:
• File Access
• Registry Access
• INI Files
• Token Issues
• Security Privileges
• Name Space Issues
• Other Issues
Reducing TCO/Increasing Security
• More Control over End-User Tasks
• Control Access to Files and Data
• Less Time Spent Troubleshooting
• Better Software Licensing Control
Implications for Application Developers
For more information, visit: msdn2.microsoft.com/en-us/windowsvista/aa904987.aspx
Agenda: UAC Internals
UAC Architecture
Administrator in Admin Approval Mode logon: the logon produces two tokens, a full administrator access token and a filtered standard user access token; Explorer.exe (and everything it launches) runs with the standard user access token.
Standard user logon: a single standard user access token; Explorer.exe runs with it.
UAC Architecture
1. Administrative application attempts to run.
2. AIS (the Application Information Service) initiates the elevation prompt.
3. Elevation prompts the user. Elevate?
4. Application launches as administrator (with the full token).
5. Application is closed and elevated process exits.
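Added example, not part of the original deck: a PowerShell script that shows which of the two tokens from the diagram the current process holds, and then requests elevation the way step 2 describes (the shell's "Run As Administrator" verb, which goes through AIS and the consent prompt). It assumes Windows Vista or later with UAC enabled; whoami.exe ships with Windows. Function names are this example's own.

```powershell
# Added example, not part of the original deck: show which of the two tokens from
# the diagram this PowerShell process is running under, then request elevation
# the same way the shell does. Assumes Windows Vista or later with UAC enabled.

function Get-UacTokenState {
    # .NET drops deny-only groups from WindowsIdentity.Groups, so for the filtered
    # (standard user) token of an administrator IsInRole(Administrator) is $false.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami shows what .NET hides: BUILTIN\Administrators attached as
    # "Group used for deny only" and the integrity label (S-1-16-*) of the token.
    $groups      = whoami /groups /fo csv | ConvertFrom-Csv
    $adminsGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label       = $groups | Where-Object { $_.SID -like 'S-1-16-*' }

    [pscustomobject]@{
        User            = $identity.Name
        IsElevated      = $isElevated
        AdminsDenyOnly  = [bool]($adminsGroup -and $adminsGroup.Attributes -match 'deny only')
        IntegrityLevel  = if ($label) { $label.'Group Name' } else { 'unknown' }
        # Administrators SID present but unusable: the Admin Approval Mode filtered token.
        IsFilteredToken = ([bool]$adminsGroup) -and (-not $isElevated)
    }
}

function Start-Elevated {
    param([Parameter(Mandatory)][string]$FilePath, [string[]]$ArgumentList = @())
    # -Verb RunAs is the "Run As Administrator" path: AIS starts the consent prompt
    # on the secure desktop and, on approval, creates the process with the full token.
    $params = @{ FilePath = $FilePath; Verb = 'RunAs'; PassThru = $true; Wait = $true }
    if ($ArgumentList.Count -gt 0) { $params.ArgumentList = $ArgumentList }
    try {
        return (Start-Process @params).ExitCode
    } catch {
        # The user declined the prompt (or elevation is blocked): no elevated process exists.
        Write-Warning "Elevation was not granted: $($_.Exception.Message)"
        return $null
    }
}

$state = Get-UacTokenState
$state | Format-List
if ($state.IsFilteredToken -and $PSCommandPath) {
    # Re-run this script with the full token; the user sees the consent prompt.
    Start-Elevated -FilePath 'powershell.exe' -ArgumentList @('-NoProfile', '-File', $PSCommandPath)
}
```

Run it from a normal (medium integrity) PowerShell as an administrator in Admin Approval Mode and `IsElevated` is `$false` while `AdminsDenyOnly` and `IsFilteredToken` are `$true`; after the relaunch the elevated copy reports `IsElevated = $true` and a High Mandatory Level label. A true standard user shows no Administrators SID at all, which is why the script does not try to relaunch in that case (the prompt would ask for someone else's credentials).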
File System and Registry Virtualization
A legacy application that writes to C:\Program Files\FILE1.DAT is redirected by File/Registry Virtualization to a per-user copy under the user profile (\User Profile\FILE1.DAT), so the write succeeds without elevation and without touching the protected location.
Considerations when relying on virtualization:
• Security Issues
• Performance Degradation
• Additional End-User Training
• Application Conflicts
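Added example, not from the original deck: a PowerShell audit of what virtualization has already redirected for the current user, mapping each virtual copy back to the protected path or key the application actually tried to write. The store locations (%LOCALAPPDATA%\VirtualStore and HKCU\Software\Classes\VirtualStore\MACHINE) are the documented ones; the assumption that the protected tree lives on the system drive and the function names are this example's own.

```powershell
# Added example, not from the original deck: list what File and Registry
# Virtualization has redirected for the current user and map each entry back to
# the protected location the legacy application tried to write.

function Get-VirtualizedFiles {
    param([string]$SystemDriveRoot = "$env:SystemDrive\")   # assumption: protected tree on system drive
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path $store)) { return @() }
    Get-ChildItem -Path $store -Recurse -File | ForEach-Object {
        # %LOCALAPPDATA%\VirtualStore\Program Files\App\x.dat  ->  C:\Program Files\App\x.dat
        $relative = $_.FullName.Substring($store.Length).TrimStart('\')
        [pscustomobject]@{
            VirtualCopy  = $_.FullName
            IntendedPath = Join-Path $SystemDriveRoot $relative
            LastWrite    = $_.LastWriteTime
        }
    }
}

function Get-VirtualizedRegistryKeys {
    $store = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    if (-not (Test-Path $store)) { return @() }
    Get-ChildItem -Path $store -Recurse | ForEach-Object {
        # HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Vendor  ->  HKLM\SOFTWARE\Vendor
        $relative = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', ''
        [pscustomobject]@{
            VirtualKey  = $_.Name
            IntendedKey = "HKEY_LOCAL_MACHINE\$relative"
            ValueCount  = $_.ValueCount
        }
    }
}

Get-VirtualizedFiles        | Sort-Object LastWrite -Descending | Format-Table -AutoSize
Get-VirtualizedRegistryKeys | Format-Table -AutoSize
```

Every row is a write that would have failed as a standard user without the compatibility shim, and a place where two users of the same machine now see different data. Virtualization only applies to 32-bit interactive processes with no requestedExecutionLevel in their manifest, so the durable fix is to have the application write under the user profile or to ship a manifest and fix the write, not to keep the shim.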
Installer Detection Technology
• Windows Vista Heuristically Detects Installation Programs
• What Installer Detection Applies to
• What Attributes Are Checked to Determine Whether a 32-Bit Process Is an Installer
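Added example, not from the original deck: a simplified PowerShell re-implementation of part of the installer-detection heuristic, so you can predict whether Windows will treat a given binary as an installer and prompt for elevation. The documented inputs it reproduces are the scope (32-bit executables with no requestedExecutionLevel in their manifest) and the keywords "install", "setup" and "update" in the file name and version-resource fields. The manifest scan is a crude byte search and the function names are this example's own; the real heuristic checks more than this.

```powershell
# Added example, not from the original deck: approximate the installer-detection
# heuristic with its documented inputs (32-bit, unmanifested, installer keywords).

$InstallerKeywords = 'install', 'setup', 'update'

function Test-Is32BitExecutable {
    param([string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }  # "MZ"
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)               # e_lfanew
    if ($peOffset -lt 0 -or $peOffset + 6 -gt $bytes.Length) { return $false }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)     # IMAGE_FILE_HEADER.Machine
    return $machine -eq 0x014C                                       # IMAGE_FILE_MACHINE_I386
}

function Test-HasRequestedExecutionLevel {
    param([string]$Path)
    # A manifest that states requestedExecutionLevel opts the binary out of detection.
    # Byte search is an approximation of reading the RT_MANIFEST resource.
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    return $text -match 'requestedExecutionLevel'
}

function Test-LooksLikeInstaller {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo
    $fields = @{
        FileName         = $item.Name
        CompanyName      = $vi.CompanyName
        ProductName      = $vi.ProductName
        FileDescription  = $vi.FileDescription
        OriginalFilename = $vi.OriginalFilename
        InternalName     = $vi.InternalName
    }
    $hits = @(foreach ($f in $fields.GetEnumerator()) {
        foreach ($k in $InstallerKeywords) {
            if ($f.Value -and $f.Value -match $k) { "$($f.Key) contains '$k'" }
        }
    })
    $is32   = Test-Is32BitExecutable $Path
    $marked = Test-HasRequestedExecutionLevel $Path
    [pscustomobject]@{
        Path             = $Path
        Is32Bit          = $is32
        HasManifestLevel = $marked
        KeywordHits      = $hits
        # Detection only applies to 32-bit, unmanifested binaries; a keyword then triggers it.
        WillBeDetected   = $is32 -and (-not $marked) -and ($hits.Count -gt 0)
    }
}

Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-LooksLikeInstaller $_.FullName } |
    Format-Table Path, Is32Bit, HasManifestLevel, WillBeDetected -AutoSize
```

The practical use is the false-positive direction: a 32-bit tool whose company name happens to contain "update" will prompt every time it runs, and the fix is to give it a manifest with `requestedExecutionLevel level="asInvoker"` rather than to teach users to click through the prompt.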
Core Changes in Functionality
• UAC Is Enabled by Default
• All Subsequent User Accounts Are Created As Standard Users
• Built-In Administrator Account Is Disabled by Default on New Installations
• Elevation Prompts Are Displayed on the Secure Desktop by Default
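Added example, not from the original deck: a PowerShell audit of the policy values behind these defaults, the built-in Administrator account, and the local Administrators group, so a machine that has drifted to "UAC disabled and users are local administrators" is flagged. The value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are the documented UAC policy values and the expected numbers are the Windows Vista defaults; the function names and the `net localgroup` parsing are this example's own.

```powershell
# Added example, not from the original deck: check the UAC policy values behind
# the defaults above and flag the lowest-security posture (UAC off + local admin).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Expected = @{
    EnableLUA                  = 1   # UAC enabled (0 disables UAC entirely)
    ConsentPromptBehaviorAdmin = 2   # prompt admins for consent (0 = elevate silently)
    ConsentPromptBehaviorUser  = 3   # prompt standard users for credentials (0 = auto deny)
    PromptOnSecureDesktop      = 1   # prompts on the secure desktop
    EnableInstallerDetection   = 1
    EnableVirtualization       = 1
}

function Get-UacPolicyDrift {
    $actual = Get-ItemProperty -Path $PolicyKey
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $value = $actual.$name            # $null when the value is absent
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value
            Drifted  = ($null -eq $value) -or ($value -ne $Expected[$name])
        }
    }
}

function Get-BuiltInAdministratorState {
    # RID 500 identifies the built-in Administrator even if it has been renamed.
    Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object Name, Disabled, SID
}

function Get-LocalAdministratorsMembers {
    # net localgroup prints members between a dashed line and "The command completed...".
    $lines   = net localgroup Administrators
    $divider = $lines | Where-Object { $_ -match '^-+$' } | Select-Object -First 1
    $start   = [array]::IndexOf($lines, $divider) + 1
    $lines[$start..($lines.Count - 1)] | Where-Object { $_ -and $_ -notmatch 'completed successfully' }
}

$drift = Get-UacPolicyDrift
$drift | Format-Table -AutoSize
Get-BuiltInAdministratorState | Format-Table -AutoSize
$members = @(Get-LocalAdministratorsMembers)
$uacOff  = ($drift | Where-Object Setting -eq 'EnableLUA').Drifted
if ($uacOff -and ($members -contains $env:USERNAME)) {
    Write-Warning 'UAC is disabled and the current user is a local administrator: lowest-security posture.'
}
```

Run it elevated only if you want to correct the values; reading the key is allowed for everyone. A `ConsentPromptBehaviorAdmin` of 0 with `EnableLUA` still 1 deserves the same warning as UAC off: the token is still split, but every elevation is granted silently, which removes the user from the decision. The membership check matches bare local names only; domain members appear as DOMAIN\user and need the same comparison against `$env:USERDOMAIN\$env:USERNAME`.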
Agenda: User Experience with UAC
Preventing Shatter Attacks
• Increased Protection for the Windows Messaging System (a lower-integrity process can no longer send window messages to a higher-integrity window)
• UAC-Compliant Software: Isolates Privileges; Prevents Unauthorized Applications
Demonstration: Reviewing User Account Control
• Use Windows Vista As a Standard User
• Configure User Account Control

Demonstration: Elevating Applications
• Enable Auditing of Applications and Process Creation
• Run Elevated Programs
• Review Audit Process Tracking
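Added example, not from the original deck: the auditing half of the second demo as a PowerShell script. It enables success auditing for the Process Creation subcategory, reads Security event 4688, and splits the launches by the token elevation type each event records, which is how you tell an elevated launch from a normal one after the fact. The `TokenElevationType` codes (%%1936, %%1937, %%1938) are the documented ones; the function names are this example's own. Run it elevated, since both auditpol and the Security log require it.

```powershell
# Added example, not from the original deck: enable Process Creation auditing and
# review which 4688 events were processes launched with the full administrator token.

$ElevationTypes = @{
    '%%1936' = 'Default (no linked token: UAC off, service or built-in Administrator, or nothing to filter)'
    '%%1937' = 'Full (elevated: the full administrator token, granted after the consent prompt)'
    '%%1938' = 'Limited (filtered token of an administrator in Admin Approval Mode)'
}

function Enable-ProcessCreationAuditing {
    # Same as Local Security Policy > Advanced Audit Policy > Detailed Tracking > Process Creation.
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
}

function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # EventData is only reachable through the XML; names follow the 4688 schema.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                NewProcess    = $d.NewProcessName
                TokenCode     = $d.TokenElevationType
                ElevationType = $ElevationTypes[$d.TokenElevationType]
            }
        }
}

function Get-ElevatedLaunches {
    # Only %%1937 events are processes that actually ran with the full admin token.
    Get-ProcessCreationEvents | Where-Object TokenCode -eq '%%1937'
}

Enable-ProcessCreationAuditing
Get-ProcessCreationEvents | Group-Object TokenCode | Select-Object Count, Name | Format-Table -AutoSize
Get-ElevatedLaunches | Format-Table Time, User, NewProcess -AutoSize
```

After running an elevated program in the demo, its 4688 event carries %%1937 while the same user's ordinary launches carry %%1938; a machine whose events are all %%1936 either has UAC disabled or is logging a service or built-in Administrator session, and both cases are worth a look. Process Creation auditing is noisy, so in production filter on the token code at collection time rather than keeping every event.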
Agenda: Securing Application Deployment
High Security
• All Applications Are Deployed Using Application Deployment Technology
• Benefits of Using Technologies Like SCCM, SMS, and GPSI
• Requirements for This Level of Security
• Benefits of Implementing UAC in This Manner
Medium Security
• Applications Installed on a Case-by-Case Basis
• Most Difficult Level to Manage
• Help Desk Has to Manage All Application Installations
• Security Easily Compromised
Low Security
Three Possible Configurations:
• Users Are Standard Users but Know Local Administrator Credentials
• Users Are Local Administrators
• UAC Is Disabled and Users Are Local Administrators