Tuesday, January 29, 2008

Let's Talk UAC for the Enterprise

In my initial UAC article UAC: An introduction to User Account Control I provided you with links to lots of UAC literature. My hope was that you could use that literature to get yourself up to speed on UAC and start to mull over its implications. I plan to write future articles that build on that basic UAC knowledge by examining aspects specifically relevant to enterprise administrators. But I realized that those links provide an overly simplified model of UAC (believe it or not). The literature is very focused on the workstation OS itself and does not consider administrators that have rights outside the OS - my article UAC: Local Admin vs. Domain Admin discusses this.

I present here a glossary of terms for UAC that will accommodate future discussion of UAC in the enterprise environment:

Accounts / User Accounts: generally refers to any users or userids in your environment.

Local Account: is a user account that has been created on a local Vista workstation and has no standing in the Active Directory Domain. Vista's default Administrator account is a good example.

Domain Account: is a user account that has been created in Active Directory and has standing in your enterprise's domain.

User / Standard User / Basic User: is a user that has standard user privileges on the local workstations. The user will be a member of the predefined local group Users and will have only basic rights. It is assumed that the user also has no extraordinary rights out in the domain, unless otherwise stated. The words 'standard' or 'basic' are used to emphasize this user's lowly status :-) Standard Users receive only a Full Token at logon time.

Power User: is a user that belongs to the predefined local group Power Users. Users are made a member of this group for legacy backward compatibility purposes and are not expected to receive any additional rights. However, Power Users do receive both a Full and Filtered Token at logon time. This is different from a standard user and will affect the behavior of UAC. I use the Power User for examples where I need a user with a Split Token without having a Full Administrative Token.

Administrator / Local Administrator: is a user who belongs to the predefined local group Administrators. This user has full administrative rights over the local Vista OS, but doesn't necessarily have any administrative rights on the domain. Local Administrators receive both a Full Administrator Token and a Filtered Token at logon time. A lot of UAC discussion is focused on this type of account because it is the one that has the most potential to be used to do damage to a system.

Domain Administrator: I don't use this term to refer specifically to an actual Domain Administrator, rather I use this term to refer to any user that has some administrative privileges on an enterprise's AD domain. A Domain Administrator is not necessarily a Local Administrator. In many environments Domain and Local Administrator rights are granted separately.

Token / Access Token: Tokens are assigned to user accounts at logon time. They contain data on a user's group membership, authorization and access. They are used to control what Vista resources and tasks can be accessed by a user account. Windows XP assigns only one token per user - Vista assigns up to two tokens per user when necessary. It is UAC that controls which available token is used or whether additional tokens must be assigned.

Standard User (Access) Token: Every account that logs into Vista is assigned a Standard User Token. Standard Users are assigned only one token, and this is it. This token represents all of the privileges of a standard user. Even administrators receive this token - it is the token they use when performing routine activities in Vista.

Full Administrator (Access) Token: Accounts that belong to the local Administrators group are assigned a Full Administrator Token in addition to a Standard User Token. This token represents privileges over and above those of a standard user - it is the token used when performing administrative tasks.

Full / Unrestricted (Access) Token: The highest access token available to an account is referred to as a Full Token. For Standard Users, the Full Token is the same as the Standard User Token. For Administrators, the Full Token is the same as the Full Administrator Token. But if an account has more rights than a Standard User and fewer rights than an Administrator, the account receives a unique Full Token that represents those extra rights. Accounts that are members of the following groups receive a Full Token in addition to a Standard User Token: Power Users, Account Operators, Server Operators, Printer Operators, Backup Operators.

Filtered / Restricted (Access) Token: You've already met the 3 possible tokens an account can receive. The term Filtered Token is used to refer to the Standard User Token for accounts that receive more than one token. Standard Users do not receive a Filtered Token because they did not have any extra rights that needed to be "filtered away".

Split (Access) Token(s): Accounts that have been assigned two tokens are referred to as having Split Tokens because their rights have been "split" between two tokens. Their Standard User Token represents their standard rights and their Full Token represents any additional rights they may have. Sometimes the term "Split Token" is used to refer to a user's Filtered Token.

Default (Access) Token: The Default Token is the first token that an account is using after it has initially logged into Windows Vista. Explorer.exe will have been run using this token in order to present the Desktop to the user with the least privileges possible. Now let's see if you've been paying attention :-) Which of the above tokens is being used at this point? Actually it's easier to ask which token can't be used at this point -- The only token which could not be used by default is a Full Administrator Token - Administrators would have a Standard User Token which would be getting used instead. For Basic Users, their Standard User Token would be used - which is the same as their Full Token. For other types of users, their Standard User Token would also be used - but it could be either their Filtered or Split Token. Confused yet?

Elevation / Elevated Process: It is difficult to have a technical discussion about Vista without someone using the word "Elevation". Vista protects itself by only allowing users with a limited security level to launch processes at a similar security level. The more secure operation a user wishes to perform, the higher level they must operate at. The user must have a sufficient Access Token to be able to Elevate a process to a sufficiently high security/integrity level. An Elevated Process is usually one that has been launched by someone with a Full Administrator Token and runs with a High Integrity Level.

User Interface Privilege Isolation (UIPI): is the new Windows Integrity Mechanism that provides a barrier around elevated processes in Vista. All processes and objects have integrity levels that restrict the accesses that are granted to a process by the Windows Discretionary Access Control (DAC) security model.

Integrity levels (IL): Processes can have one of four Integrity Levels: Low, Medium, High, System. Internet Explorer runs at a Low IL so that it is prevented from doing any harm to the system. The Desktop and most user applications have a Medium IL and can be accessed by any user (Standard User Token). Most administrative processes, such as Computer Manager, have a High IL and can only be accessed by users with a Full Administrator Token. Other tools like Regedit can be run with a user's Full Token (whatever that might be) and will only allow access to appropriate areas of the registry. System is the highest Integrity Level - normally only some services and some system processes run with System IL. The UIPI prevents processes operating at a lower IL from accessing processes with a higher IL, but there is a Medium IL process called uiAccess that can actually access High IL processes. uiAccess is needed to give user interface devices such as mice and keyboards access to all processes.

Elevation Prompt: When UAC detects that a process is to be run with a higher Integrity Level than the current process or user token allows, an elevation prompt is presented to the user. An elevation prompt serves two functions. First, it ensures that the user is aware when processes are trying to access more sensitive areas of the system. Second, it gives the user control over the granting of that access.

Consent Prompt: is a type of UAC Elevation Prompt. If UAC determines that the current user has an available token of a sufficiently high Integrity Level (such as Full or Administrator Token), the Consent Prompt will be used to elevate a process. The Consent Prompt simply asks the user to Consent to the elevation by choosing to "Continue" or "Cancel".

Credentials Prompt: is a type of UAC Elevation Prompt. If UAC determines that the current user does not have a token of sufficiently high Integrity Level (maybe just a Full or User Token), the Credentials Prompt will be used to elevate a process. The Credentials Prompt asks the user to provide a username and password of a user who would have sufficient rights. Vista will then create the necessary token for that user and use it to elevate the process -- In fact, Vista will revert to an entire profile for the user with the high token and run the elevated process within that environment, using different shell folders, etc.

Manifest: Applications developed for Vista should have an accompanying Manifest that specifies what token is needed for successful execution of the program. When a manifest is found, UAC will kick into gear and ensure that the requisite tokens are used to properly elevate the application. In addition to manifests, Vista has predefined other processes and application types that need elevation. Users also have the option to manually force elevation when launching applications.

highestAvailable: can be specified by a manifest. It tells UAC to elevate the user to the highest token available. No elevation is necessary if the calling process is already using the highest token, or if it's a Standard User who only has one token anyway.

requireAdministrator: can be specified by a manifest. It tells UAC to elevate to a Full Administrator Token. Any Full token is not sufficient - the user must be a member of the local Administrators group in order for elevation to succeed.
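A PowerShell check, added here as an example and not part of the original post, that reports which of the tokens described above the current session is running with (the answer to the "which token is being used" question under Default Token) and at what Integrity Level. It uses only .NET and whoami, and assumes an English-language Windows so the whoami label text matches.

```powershell
# Added example (not from the original post): report which of the tokens
# described above the current PowerShell process is running under.
# Assumes an English-language Windows so the whoami label text matches.

function Get-UacTokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Full Administrator Token is in use. Under the
    # Filtered Token the Administrators SID is still present in the token but
    # flagged "used for deny only", so this role check returns False.
    $isElevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    # It appears in the group list for both the Full and the Filtered token.
    $hasAdminSid = [bool]($identity.Groups |
        Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # whoami lists the process integrity level as a "Mandatory Label" entry,
    # e.g. "Mandatory Label\Medium Mandatory Level" for a Filtered Token.
    $groups = (whoami /groups) -join "`n"
    $integrityLevel = if ($groups -match 'Mandatory Label\\(\w+) Mandatory Level') {
        $Matches[1]
    } else {
        'unknown'
    }

    $tokenInUse = if ($isElevated) {
        'Full Administrator Token (elevated)'
    } elseif ($hasAdminSid) {
        'Filtered Token (member of Administrators, not elevated)'
    } else {
        'Standard User Token or a non-admin Full Token'
    }

    [pscustomobject]@{
        User           = $identity.Name
        TokenInUse     = $tokenInUse
        IntegrityLevel = $integrityLevel
    }
}

Get-UacTokenSummary
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator" to see the same account switch from the Filtered Token at Medium IL to the Full Administrator Token at High IL.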
