Non-Admin and the World of Tomorrow
DESCRIPTION
Non-Admin and the World of Tomorrow. Presented by: Robert Hensing, Microsoft Secure Windows Initiative. Agenda: Houston – we admit we have a problem! Great! So what is the problem exactly? How we got here . . . Why running as non-admin is important.
TRANSCRIPT
Microsoft Confidential
Non-Admin and the World of Tomorrow
Presented by: Robert Hensing, Microsoft Secure Windows Initiative
Copyright Microsoft Corp. 2004
Agenda
Houston – we admit we have a problem!
Great! So what is the problem exactly?
How we got here . . .
Why running as non-admin is important
When you come to a fork in the road – take it!
Two paths to non-admin righteousness – which is right for you?
Demonstrations (time permitting)
Elevating up
Dropping down
The problem
90% of all people do not need to run with Administrative privileges on Windows (give or take)
Running as administrator grants software excessive privileges & permissions that allow it to do VBT™
Dangerous Admin-only permissions (examples)
Writing to HKCR, i.e. the machine-wide HKLM\Software\Classes half of it (Spyware / Adware registered as COM objects for every user)
Writing to HKLM (Malware can create services that auto-start regardless of who logs in)
Writing to %WINDIR% & %PROGRAMFILES% (malware hidden among system files)
The problem . . .
Dangerous Admin-only privileges (examples)
Debug programs (SeDebugPrivilege): allows malware to write to other processes' memory (think rootkits)
Back up / restore files and directories (SeBackupPrivilege / SeRestorePrivilege): allows malware to bypass NTFS permissions to read and write files
Load and unload device drivers (SeLoadDriverPrivilege): allows malware to easily load code into the kernel (rootkits)
Manage auditing and security log (SeSecurityPrivilege): allows malware to clear the event logs and erase evidence
Take ownership of files or other objects (SeTakeOwnershipPrivilege): allows malware to take over files you own and have ACL'd properly
Impersonate a client after authentication (SeImpersonatePrivilege): don't have enough privileges? Impersonate the SYSTEM account!
The problem . . .
This is Internet Explorer as a non-admin account
The problem . . .
This is Internet Explorer on drugs (admin)
Any questions?
How we got here
For decades consumer versions of Windows had a flat permissions model
Windows XP was the first mass-marketed consumer OS based on the NT kernel
Remember Windows 2000 Professional and NT 4.0 Workstation were lower volume and were targeted primarily at corporate users.
Historically the core focus of consumer versions of Windows was application and backwards compatibility – NOT security.
Most applications had been developed with the flat permissions model
Apps could write anything anywhere anytime
This encouraged bad behaviors
Why running as non-admin is so important
It's about risk avoidance and attack surface reduction
Malware running as Administrator can modify the operating system and affect all users of a PC
Recovery often involves re-installing the OS
Malware running as a limited user account can impact a user's profile and may only affect that user.
Clean-up and recovery is often much easier, if the malware runs at all!
Why running as non-admin is so important
The simple fact is most, if not all, of today's top malware will fail to run properly if run from a regular user account.
Don't believe me?
[email protected]@mm
Copies itself to %system%
Oops – users can't write there
Modifies HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Oops – users can't write there
Creates a new service
Oops – users can't do that
Tries to block access to dozens of security and AV sites
Oops – users can't modify the hosts file
Attempts to kill a bunch of processes running as SYSTEM
Oops – users can't kill processes not running as them.
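To check the claims on this slide, and the admin-only privileges listed a few slides earlier, on a real box, here is an added PowerShell example; it is not part of the original deck. It reports which of the named privileges the current token holds, then attempts each action the worm needs (file drop into System32, an HKLM Run value, service creation, write access to the hosts file, PROCESS_TERMINATE on a SYSTEM process) and records which ones the session is allowed to do. The marker name NonAdminProbe and the choice of winlogon.exe as the representative SYSTEM process are assumptions; every probe removes what it created and nothing is actually killed.

```powershell
# Added example, not from the original deck. Run it once as a regular
# user and once as an administrator and compare the two reports.
# Assumptions: the artefact name 'NonAdminProbe' and the use of
# winlogon.exe as a representative SYSTEM process.

# Native OpenProcess lets us test for PROCESS_TERMINATE without killing anything.
Add-Type -Namespace NonAdminProbe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-DangerousPrivilegeReport {
    # Admin-only privileges named on the earlier slide.
    $dangerous = 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
                 'SeLoadDriverPrivilege', 'SeSecurityPrivilege',
                 'SeTakeOwnershipPrivilege', 'SeImpersonatePrivilege'
    # whoami /priv lists every privilege present in the token with its state.
    $held = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($name in $dangerous) {
        $entry = $held | Where-Object { $_.'Privilege Name' -eq $name }
        [pscustomobject]@{
            Privilege = $name
            InToken   = [bool]$entry
            State     = if ($entry) { $entry.State } else { 'not in token' }
        }
    }
}

function Test-WormActions {
    $marker = 'NonAdminProbe'
    $probes = [ordered]@{
        'Copy itself to %SystemRoot%\System32' = {
            $file = Join-Path $env:SystemRoot "System32\$marker.txt"
            [IO.File]::WriteAllText($file, 'probe')   # UnauthorizedAccessException for a regular user
            Remove-Item -LiteralPath $file -Force
        }
        'Add an HKLM\...\CurrentVersion\Run value' = {
            $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
            New-ItemProperty -Path $key -Name $marker -Value 'probe' -ErrorAction Stop | Out-Null
            Remove-ItemProperty -Path $key -Name $marker -ErrorAction Stop
        }
        'Create a new service' = {
            New-Service -Name $marker -BinaryPathName "$env:SystemRoot\System32\svchost.exe" -ErrorAction Stop | Out-Null
            sc.exe delete $marker | Out-Null           # Remove-Service only exists in PowerShell 6+
        }
        'Open the hosts file for writing' = {
            $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
            $stream = [IO.File]::Open($hosts, 'Open', 'ReadWrite')   # write access is the test; nothing is written
            $stream.Close()
        }
        'Get PROCESS_TERMINATE on a SYSTEM process (winlogon)' = {
            $target = (Get-Process -Name winlogon | Select-Object -First 1).Id
            $handle = [NonAdminProbe.Native]::OpenProcess(0x0001, $false, $target)   # 0x0001 = PROCESS_TERMINATE
            $err    = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($handle -eq [IntPtr]::Zero) { throw [ComponentModel.Win32Exception]::new($err) }   # 5 = access denied
            [void][NonAdminProbe.Native]::CloseHandle($handle)
        }
    }
    foreach ($action in $probes.Keys) {
        try   { & $probes[$action]; $allowed = $true;  $why = '' }
        catch { $allowed = $false; $why = $_.Exception.Message }
        [pscustomobject]@{ Action = $action; Allowed = $allowed; Reason = $why }
    }
}

"Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Get-DangerousPrivilegeReport | Format-Table -AutoSize
Test-WormActions            | Format-Table -AutoSize
```

Read "Disabled" in the privilege report as "available": a privilege that is in the token but disabled can be switched on by the process itself with AdjustTokenPrivileges, so only "not in token" means malware cannot use it. On Vista and later, run the script from a non-elevated prompt as well; the filtered administrator token fails the same probes a regular user does, which is exactly the split this deck is arguing for.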
When you come to a fork in the road . . . Take it!
- Yogi Berra
Two approaches to reducing privilege
In Windows there are two ways to run applications with reduced privileges.
1. Log in at the regular user privilege level, and temporarily elevate the privilege level of specific applications as needed
2. Log in at the administrator privilege level, and decrease the privilege level of specific applications as needed
Log in at the regular user privilege level
Modus Operandi
Log in as a regular user
Use Runas.exe or similar tools to elevate permissions of known-good applications to administrator level as needed.
Pros
Fails closed (i.e. new / unknown apps run as user by default)
Supported and tested configuration by the product group (sort of).
Cons
Application compatibility
Hundreds if not thousands of applications fail to run, sometimes in spectacular fashion with no warnings or meaningful errors.
Runas.exe doesn't work with everything (various system-level adjustments like date/time, power settings, RAS/VPN connectoids, specific types of applications)
Also requires that the user know an admin password!
Can require some non-trivial OS re-configuring and/or scripting to implement seamlessly
How I roll at home . . .
I log in as a regular user for day-to-day tasks at home (e-mail, web surfing, watching shows (Media Center), video editing*, photo-sharing)
I log in as an administrative account only to update and install software.
I use Fast User Switching and my biometric keyboard.
My pinkies are my administrator account
My index fingers are my regular user account
My middle finger is my wife's account (sssshhhh!!!)
Log in at the administrator privilege level
Modus Operandi
Log in with an account that is a member of Administrators
Create undocumented registry settings or use tools making use of obscure APIs to reduce the privilege level of dangerous / known-bad applications down to that of a regular user by having the OS modify the process's token.
Pros
It just works – all applications except the ones you choose continue to run with admin rights
Some users may encounter fewer problems this way
Decreased help desk costs?
May require less application compatibility testing
Only target applications identified as high-risk and test running those applications at the regular user level.
Cons
Fails open (i.e. new applications default to running as admin)
Assumes it is possible for you to know what your dangerous / high-risk apps are
Officially NOT supported and the APIs used will change in future versions of Windows.
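The "registry settings" route on this slide is, concretely, a Software Restriction Policies path rule at the Basic User level. The following is an added PowerShell example, not code from the deck, that writes such a rule under HKLM so a chosen executable starts with a regular-user token no matter which administrator launches it. The registry layout is the documented SRP one; the function names, the description string and the iexplore.exe path used in the demo call are mine, and the Levels value that unhides Basic User in gpedit is purely cosmetic.

```powershell
# Added example, not from the original deck: a Software Restriction Policies
# path rule at the "Basic User" level, written straight to the registry.
# Run as an administrator; rules under HKLM apply to every user. Registry
# layout is the documented SRP one; names and description text are mine.
function Add-BasicUserPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,   # may use %variables%, e.g. '%ProgramFiles%\Internet Explorer\iexplore.exe'
        [string] $Description = 'Started with regular-user rights (non-admin deck example)'
    )
    $BasicUser    = 0x20000   # SAFER_LEVELID_NORMALUSER  -> subkey name 131072
    $Unrestricted = 0x40000   # SAFER_LEVELID_FULLYTRUSTED
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

    # SRP is not enforced at all until CodeIdentifiers exists with these values.
    if (-not (Test-Path $root)) { New-Item -Path $root -Force | Out-Null }
    Set-ItemProperty -Path $root -Name DefaultLevel       -Value $Unrestricted -Type DWord   # everything not matched keeps running as is
    Set-ItemProperty -Path $root -Name TransparentEnabled -Value 1             -Type DWord   # 1 = enforce for executables (2 adds DLLs)
    Set-ItemProperty -Path $root -Name PolicyScope        -Value 0             -Type DWord   # 0 = all users, including local admins
    # Cosmetic: makes the Basic User level visible in gpedit's Security Levels list.
    Set-ItemProperty -Path $root -Name Levels             -Value 0x71000       -Type DWord

    # One rule = one GUID-named subkey under <level>\Paths.
    $rule = Join-Path $root "$BasicUser\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $rule -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $rule -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    $rule
}

function Get-BasicUserPathRules {
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths'
    if (Test-Path $paths) {
        Get-ChildItem -Path $paths | ForEach-Object {
            [pscustomobject]@{
                Rule        = $_.PSChildName
                Path        = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Description = $_.GetValue('Description')
            }
        }
    }
}

Add-BasicUserPathRule -Path '%ProgramFiles%\Internet Explorer\iexplore.exe' | Out-Null
Get-BasicUserPathRules | Format-Table -AutoSize
```

Log off and back on before testing; in the freshly started application, whoami /groups (or PrivBar for IE) shows Administrators as "Group used for deny only" and the dangerous privileges gone. Note the fail-open property the slide warns about: DefaultLevel stays Unrestricted, and a path rule only matches that path, so a copy of the same binary elsewhere runs with full admin rights; a hash rule at the same level closes that particular gap.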
How I roll at work . . .
My work and home environments are completely different with different needs.
At home I only ever use 3 maybe 4 applications and Microsoft Update patches them for me once a month.
At work I frequently have the need to install and remove applications, stop and start services, re-configure my system settings etc.
I feel that I have a fairly good grasp of what my high-risk applications and their associated threats are.
As a result I run as admin on my work laptop and desktop to avoid typical non-admin headaches and drop the rights of high-risk apps.
I run Internet Explorer, MSN Messenger, Office Communicator and all Office applications at the regular user privilege level using Software Restriction Policies.
Resources for Elevating Privileges to Admin
Aaron Margosis Non-Admin Weblog: http://blogs.msdn.com/Aaron_Margosis/
MakeMeAdmin.cmd script: creates an elevated command shell running with administrator rights.
Combine with PrivBar for IE: allows you to see what privilege level IE is running at.
Non-Admin Wiki: http://nonadmin.editme.com
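The MakeMeAdmin idea, as an added PowerShell wrapper that is not the MakeMeAdmin.cmd from the blog above: runas runs, under a local administrator account, a cmd chain that adds the current user to Administrators, opens a second logon for the same user (whose brand-new token therefore carries the group), and removes the membership again. The administrator account name, the use of cmd.exe as the elevated program and the no-spaces-in-account-names restriction are assumptions. You are prompted for the admin password first and your own second, which is the "user must know an admin password" con from the earlier slide.

```powershell
# Added example, not the MakeMeAdmin.cmd from the blog above. Assumes a
# local administrator account (default below) whose password you know, and
# that neither account name contains spaces (runas' command string cannot
# carry nested quotes).
function Start-TemporaryAdminShell {
    param(
        [string] $AdminAccount = "$env:COMPUTERNAME\Administrator",   # assumption
        [string] $User         = "$env:USERDOMAIN\$env:USERNAME",
        [string] $Program      = 'cmd.exe'
    )
    # Everything in $chain runs under the admin account:
    #   1. add the user to the local Administrators group;
    #   2. runas a new logon for the user: the token is built at logon time, so
    #      this one contains Administrators (you are prompted for your own password);
    #   3. remove the membership again ('&' so step 3 runs even if step 2 fails).
    # runas does not wait for the new shell, so the membership lasts only seconds;
    # the shell from step 2 keeps its admin token until it exits, and nothing
    # else already running in the user's session gains anything.
    $chain = "net localgroup Administrators $User /add && " +
             "runas /user:$User $Program & " +
             "net localgroup Administrators $User /delete"
    runas /user:$AdminAccount "cmd.exe /c $chain"
}

Start-TemporaryAdminShell
```

In the new window, whoami /groups shows Administrators as an enabled group while the rest of the desktop stays non-admin; anything that must run elevated (installers, MMC, the IE update demo that follows) is started from that shell. The brief add/delete window is the price of the approach: anyone who creates a logon for that user in those seconds also gets an admin token.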
Logging in at the regular user privilege level and elevating up.
Demonstration: run Internet Explorer as Administrator to install updates
Resources for Decreasing Privileges to Regular User
Michael Howard's blog: http://blogs.msdn.com/michael_howard/default.aspx
DropMyRights: http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp
SetSAFER: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01182005.asp
3rd party OSS RunAsAdmin Explorer Shim: http://sourceforge.net/projects/runasadmin
Replaces your shell entry in the registry with a shim
It then uses SAFER to start the real shell with reduced rights
Adds an icon to the TaskBar to allow starting specified programs as administrator without having to type in your credentials again.
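What DropMyRights does under the hood is SaferCreateLevel, SaferComputeTokenFromLevel, CreateProcessAsUser: the OS builds a restricted copy of the caller's own token and a new process is started on it. Below is an added PowerShell/C# re-implementation of that sequence; it is not the code from the DropMyRights article or from any of the tools above. The class and function names are mine; the API calls, structures and constants are the documented SAFER and CreateProcess ones from winsafer.h and winbase.h.

```powershell
# Added example, not DropMyRights or SetSAFER themselves. Class and function
# names are mine; the API sequence is the one DropMyRights uses.
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.ComponentModel;
using System.Runtime.InteropServices;

namespace NonAdminDeck {
    public static class SaferLauncher {
        // SAFER level ids (winsafer.h)
        public const uint NormalUser  = 0x20000;   // SAFER_LEVELID_NORMALUSER: Administrators becomes deny-only, privileges stripped
        public const uint Constrained = 0x10000;   // SAFER_LEVELID_CONSTRAINED
        public const uint Untrusted   = 0x01000;   // SAFER_LEVELID_UNTRUSTED
        const int  SAFER_SCOPEID_USER = 2;
        const int  SAFER_LEVEL_OPEN   = 1;
        const uint CREATE_NEW_CONSOLE = 0x10;

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool SaferCreateLevel(int scopeId, uint levelId, int openFlags, out IntPtr levelHandle, IntPtr reserved);
        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool SaferComputeTokenFromLevel(IntPtr levelHandle, IntPtr inToken, out IntPtr outToken, int flags, IntPtr reserved);
        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool SaferCloseLevel(IntPtr levelHandle);
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine, IntPtr procAttrs, IntPtr threadAttrs,
            bool inherit, uint flags, IntPtr env, string curDir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr handle);

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        struct STARTUPINFO {
            public int cb; public string lpReserved, lpDesktop, lpTitle;
            public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
            public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
        }
        [StructLayout(LayoutKind.Sequential)]
        struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

        // Starts commandLine on a token restricted to levelId; returns the new PID.
        public static int Start(string commandLine, uint levelId) {
            IntPtr level = IntPtr.Zero, token = IntPtr.Zero;
            if (!SaferCreateLevel(SAFER_SCOPEID_USER, levelId, SAFER_LEVEL_OPEN, out level, IntPtr.Zero))
                throw new Win32Exception();
            try {
                // Null input token = derive the restricted token from this process's own token.
                if (!SaferComputeTokenFromLevel(level, IntPtr.Zero, out token, 0, IntPtr.Zero))
                    throw new Win32Exception();
            } finally { SaferCloseLevel(level); }
            try {
                STARTUPINFO si = new STARTUPINFO();
                si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
                PROCESS_INFORMATION pi;
                // Same user and logon session, so no SeAssignPrimaryTokenPrivilege is needed.
                if (!CreateProcessAsUser(token, null, new StringBuilder(commandLine), IntPtr.Zero, IntPtr.Zero,
                        false, CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi))
                    throw new Win32Exception();
                CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
                return pi.dwProcessId;
            } finally { CloseHandle(token); }
        }
    }
}
'@

function Start-ProcessDroppingRights {
    param(
        [Parameter(Mandatory)] [string] $CommandLine,
        [ValidateSet('NormalUser', 'Constrained', 'Untrusted')] [string] $Level = 'NormalUser'
    )
    $levelId = [NonAdminDeck.SaferLauncher]::$Level
    [NonAdminDeck.SaferLauncher]::Start($CommandLine, $levelId)
}

# Prove it: the new console shows Administrators as "Group used for deny only"
# and almost no privileges, even though this PowerShell itself runs as admin.
Start-ProcessDroppingRights -CommandLine 'cmd.exe /k whoami /groups & whoami /priv'
```

The restricted process still has your SID, your profile and your logon session, so the applications the deck names (IE, Messenger, Office) keep working; what they lose is the Administrators group (kept as deny-only) and every privilege except SeChangeNotifyPrivilege. That is also its limit, and the one the final slide points at: a process on this token shares the desktop with your admin processes, so cross-process attacks within the session are not addressed by dropping rights alone.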
Logging in at the administrator privilege level and dropping down.
Demonstration: run Internet Explorer as a regular user to prevent software installation
Run Internet Explorer as admin to install updates
Final thoughts . . .
Is reducing the rights of dangerous applications or my logon session as a whole the answer to all my malware problems?
No, but it's a great start!
There are still architectural security issues that can be exploited between processes within the same non-admin logon session that still need to be addressed.
There is still plenty of bad that can be done by malware running without admin rights – if suddenly tomorrow the world were non-admin the malware would change and adapt.
We truly understand the security threat environment facing our customers.
Hundreds of passionate employees are aggressively pushing the non-admin boundaries and applying sustained thinking in this area each day!
We are definitely committed to tackling and solving this problem.