Windows Vista (outline)
- Features of Vista Security Model
- LUA (continued)
- Integrity levels (privilege levels)
- Unprivileged user accounts
- Mandatory Integrity Control (MIC)
- SACL ACE types
- Integrity enforcement
- Other restrictions
- Elevation of process privileges
- Launching from Windows Explorer
- Registry virtualization
- IE7 in Protected Mode
- Registry protection
- Privilege escalation
  - Low to Medium
  - Medium to High
  - High to LocalSystem

Windows Vista
Security model and vulnerabilities

Features of Vista Security Model
- User account protection (UAP)
  - New in Vista
  - Goal: implement least-privilege user accounts
- Accounts created during installation are protected administrators and subject to UAP, and are limited user accounts (LUA)
- When executing without restrictions, a protected administrator user can make changes to key registry entries, start services, and perform all privileged functions
- However, processes launched by that user (including programs) do not inherit this full range of privileges

LUA (continued)
- Some processes cannot run properly without administrator privileges
- These processes can be allowed to inherit the full privileges from the administrator at launch
- A pop-up box will require the user to approve the privilege escalation
- Claim: no process escalates its privileges without explicit consent from the protected administrator

Integrity levels (privilege levels)

  Integrity access level | System privileges
  High                   | Administrative (install to Program Files folder, write system registry entries, etc.)
  Medium                 | User (access to its Documents folder and its section of the registry)
  Low                    | Untrusted (access to Temporary Internet folders and low-privilege sections of the current user's registry)

Unprivileged user accounts
- Windows Vista (as XP) allows for the creation of standard user accounts (without administrator privileges)
- Creation of such accounts requires additional steps
- Reasonable to expect that non-administrative accounts will be the default in well-managed corporate networks
- Reasonable to expect that administrative user accounts will be used by home users for all activities, including browsing the web

Mandatory Integrity Control (MIC)
- Also referred to as Integrity Levels
- New in Vista
- Controlled by Access Control Entries (ACEs) in the System Access Control List (SACL)
- Applies to all securable objects (files, processes, registry keys, etc.)
- Spawned processes inherit the parent's privileges
- MIC is enabled/disabled through a Windows registry entry

SACL ACE types

  SID           | Integrity level
  S-1-16-16384  | System Mandatory Level
  S-1-16-12288  | High Mandatory Level
  S-1-16-8192   | Medium Mandatory Level
  S-1-16-4096   | Low Mandatory Level

Integrity enforcement
- A process cannot interact directly with another process at a higher integrity level
- However, it is possible for a higher integrity process to directly interact with a lower privilege process
- It is possible for a process with any privilege to interact through IPC (named pipes, etc.)
- A lower integrity server can impersonate a higher integrity client using calls such as ImpersonateNamedPipeClient, as long as the impersonation level of the client allows it ?!
- Registry keys have associated privilege levels. For instance, if IE has been given low privileges, it will only have access to a limited section of the registry even if launched by a protected administrator

Other restrictions
- A process is not generally able to send windowing messages to higher-privilege processes sharing the desktop
- Needs explicit UI privileges in the SACL
- Mechanisms to create processes that inherit only some of the user's privileges via the CreateRestrictedToken API, e.g.:
  - Removed privileges
  - Match only DENY rules for an SID type

Elevation of process privileges
- Installer applications: has extension .msi, matches common installers, or has name SETUP.EXE
- Application has a compatibility entry in the registry key or an entry in the compatibility database
- Manifest file contains requestedExecutionLevel or requireAdministrator entries
- User manually selects "Run Elevated..." by right-clicking the application in Windows Explorer
- Launched through a privileged process without using the restricted API
- Fixed bug: launched through Task Manager
- COM objects configured as such in the registry (either built-in or through user consent)

Launching from Windows Explorer
- Windows Explorer has a restricted token and medium integrity level
- To launch processes at higher integrity levels, it requests this from the AppInfo Admin Broker
  - RunAsAdminProcess system call
  - Requests user consent (pop-up box)
  - Triggers CreateProcessAsUser

Registry virtualization
- Application developers have traditionally assumed administrator privileges
- User-area registry files are written transparently if an application requests to write to the registry and fails for lack of privilege
- User-area registry overrides system registry for that user
- Augmented by file virtualization: C:\Progra~1 (C:\Program Files) is redirected to %UserProfile%\AppData\Local\VirtualStore\C\Progra~1
- In this fashion, unprivileged applications can modify a localized win.ini, for instance
- Special virtualization rules apply to low-integrity processes such as IE

IE7 in Protected Mode
[Figure: IE7 in protected mode (Low IL) sits behind a Compatibility Layer and the Integrity Mechanism; operations that require administrative rights go through IEInstal.exe, the Admin Broker (High IL); operations that require user rights go through IEUser.exe, the User Broker (Medium IL); everything else runs with low rights]

Registry protection
- Not only files are protected, but also registry entries
- Modifications of system files are made only through the trusted installer
- Trusted installer called for updates (only accepts signed updates)
- Resolves a major security issue with earlier Windows versions

Privilege escalation
- Processes of the same user can be running with medium or high privileges
- Since a medium privilege process can write to the current user's registry, it can modify entries that control the behavior of the same user's high-privilege processes (if written to that user's registry)
- By default, user processes and files have medium integrity level, while IE7 (as before) is low integrity
- Examples of privilege escalation from low to medium, medium to high and high to LocalSystem are provided by Matthew Conover, Principal Security Researcher, Symantec Corporation, in "Analysis of the Windows Vista Security Model," a Symantec Advanced Threat Research technical report

Low to Medium
- IE7 cannot write files in the user account or the medium integrity area of the user registry, including adding startup items
- But it may be able to connect
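The SACL ACE types, integrity enforcement and privilege escalation slides above describe one rule: a subject at a lower integrity level may not write (and, for process objects, not read) an object labelled at a higher level, while access downward is not blocked by MIC at all. The Python below is an added example written for this page, not code from the slides or from Conover's report. It parses the S-1-16 label SIDs from the SACL ACE types table and applies the no-write-up / no-read-up policy bits (values assumed from the Win32 SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, NO_READ_UP and NO_EXECUTE_UP constants) to constructed objects, including the case the privilege escalation slide relies on: a Medium-IL process writing a Medium-labelled key under HKCU that a High-IL process of the same user later reads. Object and key names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Mandatory label SIDs from the "SACL ACE types" slide: S-1-16-<RID>.
MANDATORY_LABEL_AUTHORITY = 16
INTEGRITY_LEVELS = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

# Policy bits carried in the access mask of a SYSTEM_MANDATORY_LABEL_ACE
# (values assumed from the Win32 SDK constants).
NO_WRITE_UP = 0x1      # default policy on every labelled object
NO_READ_UP = 0x2       # additionally set on process objects
NO_EXECUTE_UP = 0x4

# Which policy bit blocks which generic access class.
BLOCKING_BIT = {"read": NO_READ_UP, "write": NO_WRITE_UP, "execute": NO_EXECUTE_UP}


def parse_label_sid(sid: str) -> int:
    """Return the integrity RID of a mandatory-label SID such as S-1-16-8192."""
    m = re.fullmatch(r"S-1-(\d+)-(\d+)", sid)
    if not m or int(m.group(1)) != MANDATORY_LABEL_AUTHORITY:
        raise ValueError(f"not a mandatory label SID: {sid}")
    rid = int(m.group(2))
    if rid not in INTEGRITY_LEVELS:
        raise ValueError(f"unknown integrity RID in {sid}")
    return rid


@dataclass
class SecurableObject:
    """A file, registry key or process together with its optional label ACE."""
    name: str
    label_sid: Optional[str] = None    # None: no label ACE present in the SACL
    policy: int = NO_WRITE_UP


def object_level(obj: SecurableObject) -> int:
    # An object carrying no label ACE is treated as Medium (assumption).
    return 8192 if obj.label_sid is None else parse_label_sid(obj.label_sid)


def mic_allows(subject_sid: str, obj: SecurableObject, access: str) -> bool:
    """Mandatory integrity check only: True means MIC did not block, the DACL is checked next."""
    subject = parse_label_sid(subject_sid)
    if subject >= object_level(obj):
        return True                      # equal or higher level: MIC never blocks
    return not (obj.policy & BLOCKING_BIT[access])


def demo() -> dict:
    """Constructed scenarios mirroring the claims on the slides."""
    low, medium, high = "S-1-16-4096", "S-1-16-8192", "S-1-16-12288"
    # Key under HKCU with no label ACE: implicitly Medium.
    hkcu_run = SecurableObject(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
    # Constructed low-integrity area of the user's registry, labelled Low.
    hkcu_low = SecurableObject(r"HKCU\Software\ExampleApp\LowArea", low)
    # An elevated process object of the same user: High, no read-up or write-up.
    admin_proc = SecurableObject("elevated process", high, NO_WRITE_UP | NO_READ_UP)
    return {
        "ie_low_writes_user_run_key": mic_allows(low, hkcu_run, "write"),       # blocked
        "ie_low_writes_low_area": mic_allows(low, hkcu_low, "write"),           # passes
        "medium_app_writes_user_run_key": mic_allows(medium, hkcu_run, "write"),  # passes
        "medium_app_reads_high_process": mic_allows(medium, admin_proc, "read"),  # blocked
        "high_process_writes_low_area": mic_allows(high, hkcu_low, "write"),      # passes
    }
```

The third scenario is the one the privilege escalation slide turns on: nothing in MIC stops a Medium-IL process from writing a Medium-labelled key, even though a High-IL process of the same user will read that key. The defence is therefore not the label but what the high-integrity process chooses to trust from HKCU.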
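The registry virtualization slide describes a redirect: a write to a protected location that fails for lack of privilege lands in the user's profile, and later reads by that user see the copy instead of the system original. The Python model below is an added example, not code from the slides or from Windows itself. It applies the slide's mapping (drive letter folded into the path, so C:\Program Files becomes %UserProfile%\AppData\Local\VirtualStore\C\...), and models the eligibility rule that only a Medium-IL process without a requestedExecutionLevel manifest is virtualized. The list of protected roots, the user name "alice", the file path and the treatment of Low-IL writers (the slide says special rules apply without describing them) are all assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Optional

# Machine-wide roots a legacy application would have written as administrator (assumed list).
PROTECTED_ROOTS = [PureWindowsPath(p) for p in (r"C:\Program Files", r"C:\Windows", r"C:\ProgramData")]
# %UserProfile%\AppData\Local\VirtualStore for the constructed user "alice".
VIRTUAL_STORE = PureWindowsPath(r"C:\Users\alice\AppData\Local\VirtualStore")


def _key(path: PureWindowsPath) -> str:
    return str(path).lower()             # NTFS and registry paths compare case-insensitively


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def virtualized_path(path: str) -> Optional[PureWindowsPath]:
    """Map a protected location to its per-user VirtualStore twin, or None if not protected."""
    target = PureWindowsPath(path)
    for root in PROTECTED_ROOTS:
        if _under(target, root):
            drive = target.drive.rstrip(":")          # "C:" -> "C", folded in as on the slide
            return VIRTUAL_STORE.joinpath(drive, *target.parts[1:])
    return None


@dataclass
class Process:
    name: str
    integrity: str = "Medium"        # Low / Medium / High
    has_manifest: bool = False       # a requestedExecutionLevel manifest opts out of virtualization


class VirtualizingFs:
    """Toy model: the real protected locations plus the user's VirtualStore overlay."""

    def __init__(self) -> None:
        self.real: Dict[str, str] = {}
        self.store: Dict[str, str] = {}

    @staticmethod
    def _eligible(proc: Process, redirect: Optional[PureWindowsPath]) -> bool:
        return redirect is not None and proc.integrity == "Medium" and not proc.has_manifest

    def write(self, proc: Process, path: str, data: str) -> str:
        target = PureWindowsPath(path)
        redirect = virtualized_path(path)
        if redirect is None or proc.integrity == "High":
            self.real[_key(target)] = data           # unprotected path, or an elevated writer
            return str(target)
        if not self._eligible(proc, redirect):
            # Manifested Medium apps are denied outright; Low-IL rules are not modelled here.
            raise PermissionError(f"{proc.name} may not write {target}")
        self.store[_key(redirect)] = data            # the failed write lands in VirtualStore
        return str(redirect)

    def read(self, proc: Process, path: str) -> Optional[str]:
        target = PureWindowsPath(path)
        redirect = virtualized_path(path)
        if self._eligible(proc, redirect) and _key(redirect) in self.store:
            return self.store[_key(redirect)]        # user copy overrides the system copy
        return self.real.get(_key(target))


def demo() -> dict:
    fs = VirtualizingFs()
    ini = r"C:\Program Files\LegacyApp\settings.ini"   # constructed path
    installer = Process("setup.exe", integrity="High")
    legacy = Process("legacyapp.exe")                  # Medium IL, no manifest
    modern = Process("modern.exe", has_manifest=True)  # Medium IL, manifested
    fs.write(installer, ini, "mode=system")
    redirected = fs.write(legacy, ini, "mode=user")
    try:
        fs.write(modern, ini, "mode=user")
        modern_blocked = False
    except PermissionError:
        modern_blocked = True
    return {
        "redirected_to": redirected,
        "legacy_sees": fs.read(legacy, ini),
        "installer_sees": fs.read(installer, ini),
        "modern_blocked": modern_blocked,
    }
```

The model makes the slide's two properties visible at once: the legacy application believes its write to Program Files succeeded and reads its own value back, while an elevated process reading the same path still sees the system copy. It also shows why a manifested application must handle the failed write itself, since the compatibility shim no longer applies to it.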