2. Agenda Why your application might not work User Account Control New Folder Locations Windows Resource Protection Mandatory Integrity Control User Interface Privilege Isolation Internet Explorer Protected Mode OS and IE Versioning Session 0 Isolation Some less common issues
4. Why: User Account Control OS is at risk from today’s malware when user is running as Administrator Ease with which malware can self-install Privilege elevation through security holes in software Extent of damage caused by malware is potentially greater Other issues Accidental damage caused by user
5. How: User Account Control With Windows 7 all users run as Standard User by default, including members of Admin group Only true for interactive logins; services continue to run as before in Windows XP
6. How: User Account Control (cont.) Two tokens are created at logon (split token) Standard User Token Administrator SID set as Deny Only (can still be used to deny access, but not to grant) Runs with medium integrity level (IL) Most privileges removed (e.g. SeDebugPrivilege) Administrator Token Administrator SID has all rights assigned Runs with high integrity level (IL) All privileges are present
7. How: User Account Control (cont.) Standard User Token is used until explicit consent is given, then Administrator Token is used (Consent UI) for that particular process Supporting feature: Unnecessary Administrator checks (in XP) have been removed Example: Change time zone
6. UAC: Elevation Details [Diagram reconstructed from the slide: in the Standard User or Protected Administrator lane, explorer.exe calls ShellExecute(elevatedapp.exe); the request goes over RPC to the AppInfo Service, which runs as System and shows consent.exe; after consent, AppInfo calls CreateProcessAsUser(elevatedapp.exe) with the full administrator token, so elevatedapp.exe runs in the Full Administrator lane and is re-parented.]
11. UAC: Running Apps Elevated Right click program Run as administrator Compatibility fix (shim) or mode Program properties Compatibility tab Run as administrator RunAsAdmin shim in system shim database Installer detection Heuristics such as string containing “Setup”, “Install”, or “Update” in: Executable name Resource strings MSIs are always detected as installers
12. UAC: Running Apps Elevated (cont.) Application designed for Windows 7 UAC manifest with <requestedExecutionLevel> All applications should have one Removes application compatibility overhead (some Shims, PCA, virtualization) at run time Internal manifest (compiled into the application) Build manifest into application binary Takes precedence External manifest (added as a separate file) MyApp.exe.manifest Unsupported, avoid!
13. UAC: Internal Manifest (cont.) requireAdministrator The application runs only for administrators and requires that the application be launched with the full token of an administrator asInvoker The application runs with the same token as the parent process highestAvailable The application runs with the highest privileges the current user can obtain
14. UAC: Internal Manifest (cont.)
Extract application manifest from executable if it exists:
    mt -inputresource:elevatedapp.exe;#1 -out:extracted.manifest
Modify the manifest to add UAC request:
    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
          <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
            <requestedExecutionLevel level="asInvoker" uiAccess="false" />
          </requestedPrivileges>
        </security>
      </trustInfo>
    </asmv1:assembly>
Insert the modified manifest back into the executable:
    mt -manifest elevatedapp.exe.manifest -outputresource:elevatedapp.exe;#1
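The same mt.exe extraction step, turned into an audit of which binaries in a folder declare which execution level. This is an added example written for this page, not code from the deck; it assumes mt.exe from the Windows SDK is on PATH, and the function name Get-UacManifestLevel and its -Root parameter are ours.

```powershell
# Added example (not from the original deck): inventory the requestedExecutionLevel
# of every EXE under a folder by extracting each embedded manifest with mt.exe,
# using the -inputresource:<exe>;#1 form shown on the slide.
# Assumptions: mt.exe (Windows SDK) is on PATH; Get-UacManifestLevel / -Root are our names.
function Get-UacManifestLevel {
    param(
        [Parameter(Mandatory)] [string] $Root
    )
    $tmp = Join-Path $env:TEMP 'extracted.manifest'
    Get-ChildItem -Path $Root -Filter *.exe -Recurse -File | ForEach-Object {
        $exe = $_.FullName
        if (Test-Path $tmp) { Remove-Item $tmp -Force }
        # mt.exe prints an error and returns non-zero when the EXE has no RT_MANIFEST resource
        & mt.exe -nologo "-inputresource:$exe;#1" "-out:$tmp" 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $tmp)) {
            [pscustomobject]@{ Exe = $exe; Level = '<none>'; UiAccess = $null;
                               Note = 'no manifest: subject to installer detection, shims and virtualization' }
            return
        }
        [xml] $manifest = Get-Content -LiteralPath $tmp -Raw
        # The element lives in asm.v2 or asm.v3 depending on the toolchain, so match on local-name() only
        $node = $manifest.SelectSingleNode("//*[local-name()='requestedExecutionLevel']")
        if ($null -eq $node) {
            [pscustomobject]@{ Exe = $exe; Level = '<no trustInfo>'; UiAccess = $null;
                               Note = 'manifest present but no requestedExecutionLevel' }
        } else {
            [pscustomobject]@{ Exe = $exe; Level = $node.GetAttribute('level');
                               UiAccess = $node.GetAttribute('uiAccess'); Note = '' }
        }
    }
}

# Usage: list binaries that will prompt for consent, that can only run elevated, or that carry no manifest
Get-UacManifestLevel -Root 'C:\Program Files\MyApplication' |
    Where-Object { ($_.Level -in @('requireAdministrator', 'highestAvailable')) -or ($_.Level -like '<*') } |
    Format-Table -AutoSize
```

Binaries reported as <none> are the ones the slide says should get a manifest: without one they pay the installer-detection, shim and virtualization cost at run time.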
15. Side topic: Compatibility manifest
Modify the manifest to add OS target:
    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
      <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
        <application>
          <!-- The ID below indicates application support for Windows 7 -->
          <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
        </application>
      </compatibility>
    </asmv1:assembly>
16. Combined Manifest
Combined UAC and compatibility manifest (trustInfo and compatibility are siblings under the assembly element):
    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
          <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
            <requestedExecutionLevel level="asInvoker" uiAccess="false" />
          </requestedPrivileges>
        </security>
      </trustInfo>
      <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
        <application>
          <!-- The ID below indicates application support for Windows 7 -->
          <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
        </application>
      </compatibility>
    </asmv1:assembly>
17. UAC: UI Design for Elevation Send the BCM_SETSHIELD message to a button control, using SendMessage Button.FlatStyle has to be set to System Fails for owner-drawn buttons: get the icon and render it in the owner-draw handler: HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD); Unmanaged code (C++) The SendMessage call can be invoked more easily using the Button_SetElevationRequiredState macro Managed code (C#, VB.NET) Use SystemIcons.Shield
19. Why: Program Compatibility Assistant Program Compatibility Assistant (PCA) automates mitigation of some UAC (and more) compatibility issues Attempts to detect if a program is an installer Client-only feature – not in Server PCA monitors attempts to: Create a sub folder in “Program Files” Copy exe or dll files into the new folder Overwrite system files Not writing to the “Program Database” Etc…
20. How: Program Compatibility Assistant If PCA detects a compatibility issue it… Notifies the user AND Applies a solution (high confidence) OR Offers to apply a solution (medium confidence)
21. UAC: Virtualization Redirects privileged file access to C:\Users\%username%\AppData\Local\VirtualStore for writes under C:\Program Files and C:\Windows Redirects registry access from HKLM to HKCU\Software\Classes\VirtualStore\MACHINE Adding a manifest disables virtualization and the Program Compatibility Assistant (PCA)
22. UAC: Virtualization (cont.) Redirection is “sticky” – reads are re-directed Deleting all virtual copies removes the “stickiness” Elevated process not affected Side effects: multiple virtualized copies (one per user and one for admin)
24. UAC: Symptoms Explicit access right error message Event Log contains security or application messages indicating security problems Application crashes, fails to install, or fails to update for automatic updater Application fails to remember saved settings Symptoms vary widely and are difficult to diagnose
25. UAC: Investigation Determine whether application was designed to run as administrator Run as administrator – does it work? Run as standard user – check redirection locations C:\Users\%username%\AppData\Local\VirtualStore and HKCU\Software\Classes\VirtualStore\MACHINE Event Log – logs relevant UAC events Process Monitor (Procmon) for failed access http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx
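The "check redirection locations" step of this investigation, scripted: it walks the file and registry VirtualStore for the current user and maps every virtualized copy back to the protected location the application actually tried to write. This is an added example for this page, not code from the deck; the function name Get-VirtualStoreRedirects is ours.

```powershell
# Added example (not from the original deck): list what UAC virtualization has
# redirected for the current user and map each copy back to its real target.
# Assumption: the function name Get-VirtualStoreRedirects is ours.
function Get-VirtualStoreRedirects {
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    $regPrefix = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE'

    if (Test-Path $fileStore) {
        Get-ChildItem -Path $fileStore -Recurse -File | ForEach-Object {
            # ...\AppData\Local\VirtualStore\Program Files\X\y.ini  ->  C:\Program Files\X\y.ini
            $relative = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            [pscustomobject]@{
                Kind        = 'File'
                VirtualCopy = $_.FullName
                RealTarget  = Join-Path $env:SystemDrive $relative
                LastWrite   = $_.LastWriteTime
            }
        }
    }
    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse | ForEach-Object {
            # HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\X  ->  HKLM\SOFTWARE\X
            $relative = $_.Name.Substring($regPrefix.Length).TrimStart('\')
            [pscustomobject]@{
                Kind        = 'Registry'
                VirtualCopy = $_.Name
                RealTarget  = "HKEY_LOCAL_MACHINE\$relative"
                LastWrite   = $null
            }
        }
    }
}

# Usage: every row is a write the application made without the rights it assumed it had
Get-VirtualStoreRedirects | Sort-Object Kind, RealTarget | Format-Table -AutoSize
```

An empty result for a misbehaving application is itself informative: either it runs elevated (virtualization does not apply), or it carries a manifest (virtualization is disabled), so the failure is a plain access-denied to find with Procmon. Because redirection is sticky, deleting the virtual copies listed here is how the stickiness described on the next slide is cleared.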
27. UAC: MSIs Symptom MSI with a custom action fails with a UAC error despite elevation Cause MSI contains custom action that impersonates the user (default) Example: ActionType=1025 = msidbCustomActionTypeInScript (0x400, deferred) + msidbCustomActionTypeDll (0x1) = 0x401, with msidbCustomActionNoImpersonate (0x800) not set
28. UAC: MSIs (cont.) Fixes Redesign to select not impersonating the user Set bit msidbCustomActionNoImpersonate (0x800) Example: ActionType 1025 (0x401) becomes 3073 (0xC01) Edit the MSI with Orca.exe to change the right ActionType fields Run from an elevated command prompt
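Before opening Orca, it helps to know which custom actions are affected. The script below reads the CustomAction table through the Windows Installer automation object, decodes the Type bits named on these two slides and reports the corrected value for every deferred action that still impersonates. It is an added example, not from the deck; the function name Get-MsiCustomActionImpersonation and the sample MSI path are ours, and it only reports (the edit itself is still done in Orca).

```powershell
# Added example (not from the original deck): audit an MSI's CustomAction table
# for deferred (in-script) actions that lack msidbCustomActionNoImpersonate.
# Assumptions: WindowsInstaller.Installer COM object is available (any Windows box);
# function name and the MSI path in the usage line are ours.
$msidbCustomActionTypeInScript  = 0x400   # deferred execution
$msidbCustomActionNoImpersonate = 0x800   # run as LocalSystem instead of the invoking user

function Get-MsiCustomActionImpersonation {
    param([Parameter(Mandatory)] [string] $MsiPath)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # The Installer object is late-bound, so its members are reached through InvokeMember
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))  # 0 = read-only
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT `Action`, `Type` FROM `CustomAction`'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null

    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $action = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, 1)
        $type   = [int] ($rec.GetType().InvokeMember('IntegerData', 'GetProperty', $null, $rec, 2))

        $deferred      = ($type -band $msidbCustomActionTypeInScript)  -ne 0
        $noImpersonate = ($type -band $msidbCustomActionNoImpersonate) -ne 0
        # Deferred + impersonating: runs as the invoking user even though the install itself is elevated
        $fixedType = ''
        if ($deferred -and -not $noImpersonate) {
            $fixedType = '{0} (0x{0:X})' -f ($type -bor $msidbCustomActionNoImpersonate)   # 1025 -> 3073 (0xC01)
        }
        [pscustomobject]@{
            Action       = $action
            Type         = '{0} (0x{0:X})' -f $type
            Deferred     = $deferred
            Impersonates = -not $noImpersonate
            FixedType    = $fixedType
        }
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
}

# Usage (sample path is ours): rows with a FixedType value are the ones to change in Orca
Get-MsiCustomActionImpersonation -MsiPath 'C:\Packages\setup.msi' | Format-Table -AutoSize
```

Immediate (non-deferred) actions are listed too but never get a FixedType, since NoImpersonate only applies to in-script actions; that matches the slide's 0x401 example, where the deferred bit is what makes impersonation a problem.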
30. UAC: Self-extracting installer Symptom Self-extracting EXE or custom wrapper runs elevated and executes a script, but script fails Cause UAC prompt occurs on self-extracting EXE or custom wrapper, but elevated privileges are not transferred to script Fixes Redesign to use MSI Run from elevated command prompt Creates an elevated script engine
31. UAC: Checking for admin rights Symptoms Many – from minor feature misbehavior to crash Causes Application uses IsUserAnAdmin, CheckTokenMembership with “BUILTIN\Administrators” and similar APIs; these return false when not elevated, because the filtered token carries the Administrators SID as Deny Only Mitigation Shim ForceAdminAccess or ProtectedAdminCheck Fix GetTokenInformation API with TokenElevation (elevated or not) or TokenElevationType (default, full or limited)
32. UAC: User COM Objects Symptoms Elevated application cannot instantiate COM object Regular application can instantiate the same COM object Cause COM object is registered per user HKEY_CLASSES_ROOT is a virtual registry hive HKCU\Software\Classes takes precedence in Windows XP and for medium and low integrity processes in Windows 7 HKCU\Software\Classes is NEVER used for high integrity processes (elevated) in Windows 7 Prevents user configuring malicious COM object and tricking elevated task into executing code. Mitigation Applications that will require administrator rights should register any COM objects during installation to HKLM\Software\Classes.
33. UAC: Mapped Network Drives Symptoms Regular mapped network drives (and SUBST) are not visible when running elevated Drives mapped from an elevated prompt are not visible in standard processes (including Explorer) Causes Mappings attached to logon session Mapped Network drives are only valid in the context of the user token that mapped them Two sets of mapping for split token situation
34. UAC: Mapped Network Drives (cont.) Mitigation Automatic mitigation for installers accessing remote drive Map each drive in the context of the regular token and elevated token Registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = (dword)1 http://support.microsoft.com/kb/937624
36. New Folder Locations “My Documents” and other user folder locations are changed to provide a better user experience The user data is now stored in the \Users\%username% folder structure Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure The “My ” prefix was dropped from Documents, Music, etc. “All Users” became “Public” and “\ProgramData”
37. New Folder Locations (cont.) Differentiation between User and App data User does not directly interact with app data Identify specific locations using SHGetFolderPath or SHGetKnownFolderPath System.Environment namespace Shared User Data (Documents) C:\Users\Public\Documents CSIDL_COMMON_DOCUMENTS FOLDERID_PublicDocuments
38. New Folder Locations (cont.) Per User Data (Documents) C:\Users\%username%\Documents CSIDL_MYDOCUMENTS FOLDERID_Documents SpecialFolder.MyDocuments
39. New Folder Locations (cont.) Shared Application Data C:\ProgramData\MyAppName %AllUsersProfile%\MyAppName CSIDL_COMMON_APPDATA FOLDERID_ProgramData SpecialFolder.CommonApplicationData Set permissions (ACL) for folders in shared application data area during install
40. New Folder Locations (cont.) Per User Application Data (local) C:\Users\%username%\AppData\Local %LOCALAPPDATA% CSIDL_LOCAL_APPDATA FOLDERID_LocalAppData SpecialFolder.LocalApplicationData
41. New Folder Locations (cont.) Per User Application Data (roaming) C:\Users\%username%\AppData\Roaming %APPDATA% CSIDL_APPDATA FOLDERID_RoamingAppData SpecialFolder.ApplicationData
42. New Folder Locations (cont.) Localization Changes Localized folder names used to be the actual name (i.e., “C:\Programme”) and an English name was not provided In Windows 7, all folders have English names (i.e., “C:\Program Files”) and a junction point with the localized name is provided (i.e., “C:\Programme”) Explorer displays the localized name for the actual directory
43. New Folder Locations: Mitigation Directory junctions Provide backward compatibility for hard-coded paths: ‘Documents and Settings’ → ‘Users’; ‘My Documents’ → ‘Documents’; ‘Programme’ → ‘Program Files’
44. New Folder Locations: Fixes Never hard code absolute paths (AppVerifier includes a test for this) Script: use environment variables Unmanaged code (C++/C): SHGetFolderPath function (CSIDL_...); SHGetKnownFolderPath (FOLDERID_...) on Vista and later Managed code (C#, VB.NET): System.Environment.GetFolderPath with the System.Environment.SpecialFolder enum; Microsoft.VisualBasic.FileIO.SpecialDirectories; My.Computer.FileSystem.SpecialDirectories
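The fixes on this slide and the locations on slides 37 to 41, resolved through System.Environment.SpecialFolder rather than literal paths, plus a check that the legacy names from slide 43 are junctions and not real directories. This is an added example for this page, not code from the deck; it assumes .NET 4.0 or later (for SpecialFolder.CommonDocuments), and the table, Get-AppDataLocations and Test-LegacyPathJunction are our names.

```powershell
# Added example (not from the original deck): resolve the deck's folder locations
# through the API instead of hard-coded paths, and verify the compatibility junctions.
# Assumptions: .NET 4.0+ (CommonDocuments); the table and function names are ours.
$knownFolders = @(
    @{ Purpose = 'Shared user data (Documents)';          Special = 'CommonDocuments';       Csidl = 'CSIDL_COMMON_DOCUMENTS'; FolderId = 'FOLDERID_PublicDocuments' }
    @{ Purpose = 'Per-user data (Documents)';             Special = 'MyDocuments';           Csidl = 'CSIDL_MYDOCUMENTS';      FolderId = 'FOLDERID_Documents' }
    @{ Purpose = 'Shared application data';               Special = 'CommonApplicationData'; Csidl = 'CSIDL_COMMON_APPDATA';   FolderId = 'FOLDERID_ProgramData' }
    @{ Purpose = 'Per-user application data (local)';     Special = 'LocalApplicationData';  Csidl = 'CSIDL_LOCAL_APPDATA';    FolderId = 'FOLDERID_LocalAppData' }
    @{ Purpose = 'Per-user application data (roaming)';   Special = 'ApplicationData';       Csidl = 'CSIDL_APPDATA';          FolderId = 'FOLDERID_RoamingAppData' }
)

function Get-AppDataLocations {
    foreach ($f in $knownFolders) {
        [pscustomobject]@{
            Purpose  = $f.Purpose
            Resolved = [Environment]::GetFolderPath([Environment+SpecialFolder] $f.Special)   # never C:\Users\... literals
            Win32    = "$($f.Csidl) / $($f.FolderId)"
        }
    }
}

function Test-LegacyPathJunction {
    # XP-era hard-coded paths keep working only because these names are junctions
    param([string[]] $Paths = @("$env:SystemDrive\Documents and Settings", "$env:USERPROFILE\My Documents"))
    foreach ($p in $Paths) {
        # -Force is needed because the junctions are hidden+system; listing them is denied, reading attributes is not
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path       = $p
            Exists     = $null -ne $item
            IsJunction = ($null -ne $item) -and (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
        }
    }
}

Get-AppDataLocations    | Format-Table -AutoSize
Test-LegacyPathJunction | Format-Table -AutoSize
```

Resolving through the API is also what keeps an application correct on localized installs, where the English directory is the real one and the localized name is only a junction.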
46. Why: Windows Resource Protection Core operating system files and registry keys can be overwritten with older versions or malicious code causing serious stability and security issues Windows Resource Protection (WRP) is designed to protect those objects from being overwritten Increases system stability, predictability, and reliability Replaces Windows File Protection in Windows XP
47. How: Windows Resource Protection Updates to protected resources restricted OS trusted installers (Windows Update) ACL on resources Affects specific files, folders, and registry keys Majority of core OS modules (EXE and DLL) Majority of core OS HKCR Registry Keys Folders used exclusively by OS resources
49. Mandatory Integrity Control Windows 7 implements Mandatory Integrity Control (MIC) Processes run at one of four Integrity Levels: System processes run at System IL; applications that require administrative privileges run at High IL; standard applications run at Medium IL; restricted apps run at Low IL Securable objects (Files, Processes, Window Stations, Message queues) define the minimum IL for a process to access them Default IL for objects: Medium
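One query that answers three of the deck's questions about the current process token: the TokenElevation / TokenElevationType check slide 31 recommends over IsUserAnAdmin, whether virtualization (slide 21) is switched on for this process, and the integrity level this slide describes. This is an added example for this page, not code from the deck; the P/Invoke wrapper, the Compat.Token class and the function name Get-TokenSecurityState are ours, and the numeric TOKEN_INFORMATION_CLASS values come from winnt.h.

```powershell
# Added example (not from the original deck): read elevation, elevation type,
# virtualization state and integrity level from the current token, and contrast
# them with the legacy "am I in Administrators" check the deck warns about.
# Assumptions: wrapper class Compat.Token and the function name are ours.
Add-Type -Namespace Compat -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int infoLength, out int returnLength);

[DllImport("advapi32.dll", SetLastError = true, EntryPoint = "GetTokenInformation")]
public static extern bool GetTokenInformationBuffer(IntPtr token, int infoClass, IntPtr info, int infoLength, out int returnLength);
'@

function Get-TokenSecurityState {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $token    = $identity.Token
    $value = 0; $len = 0

    # TOKEN_INFORMATION_CLASS values (winnt.h); each of these three returns a single DWORD
    [void][Compat.Token]::GetTokenInformation($token, 20, [ref]$value, 4, [ref]$len)   # TokenElevation
    $isElevated = $value -ne 0
    [void][Compat.Token]::GetTokenInformation($token, 18, [ref]$value, 4, [ref]$len)   # TokenElevationType
    $elevType = @{ 1 = 'Default (no split token)'; 2 = 'Full (elevated half)'; 3 = 'Limited (filtered half)' }[$value]
    [void][Compat.Token]::GetTokenInformation($token, 24, [ref]$value, 4, [ref]$len)   # TokenVirtualizationEnabled
    $virtualized = $value -ne 0

    # TokenIntegrityLevel (25) returns TOKEN_MANDATORY_LABEL, whose first field is a PSID
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(64)
    try {
        [void][Compat.Token]::GetTokenInformationBuffer($token, 25, $buf, 64, [ref]$len)
        $sid = New-Object Security.Principal.SecurityIdentifier([Runtime.InteropServices.Marshal]::ReadIntPtr($buf))
        # S-1-16-<RID>: 4096 = Low, 8192 = Medium, 12288 = High, 16384 = System
        $rid = [int] $sid.Value.Split('-')[-1]
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
    $ilName = switch ($rid) { 4096 { 'Low' } 8192 { 'Medium' } 12288 { 'High' } 16384 { 'System' } default { "RID $rid" } }

    # The legacy check: false for the filtered token even when the user is in Administrators (SID is Deny Only)
    $principal     = New-Object Security.Principal.WindowsPrincipal($identity)
    $legacyIsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User                = $identity.Name
        LegacyIsInAdminRole = $legacyIsAdmin
        TokenIsElevated     = $isElevated
        TokenElevationType  = $elevType
        VirtualizationOn    = $virtualized
        IntegrityLevel      = $ilName
    }
}

Get-TokenSecurityState
```

Run it twice, once from a normal prompt and once from an elevated one: a member of Administrators sees Limited / Medium / LegacyIsInAdminRole false in the first and Full / High / true in the second, which is exactly why "check the group" and "check the token" give different answers under UAC.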
50. User Interface Privilege Isolation UIPI uses MIC’s Integrity Levels to restrict sending window messages Applications cannot send messages to other applications running at a higher integrity level Higher application can allow access SendMessage returns success to mitigate failures Where compatibility impact is high, lower IL applications can be manifested to opt out of UIPI Manifested Signed (authenticated) Installed in “Program Files”
51. MIC and UIPI [Diagram: Objects at High, Medium and Low IL beside a High IL Process, a Medium IL Process and a Low IL Process; arrows show which Read, Write and Send operations are permitted between levels.]
53. Why: IE Protected Mode [Diagram: IExplore.exe has Admin-Rights Access (HKLM, Program Files) and User-Rights Access (HKCU, My Documents, Startup Folder, Temp Internet Files) while handling untrusted files & settings. Install an ActiveX control: exploit can install MALWARE. Change settings, download a picture: exploit can install MALWARE. Cache Web content.]
54. How: IE Protected Mode In Windows 7, Microsoft Internet Explorer 8 runs in Protected Mode (IEPM) for non-trusted sites (installation default) IE runs as separate process instances for different protection modes Prevents buffer overflow exploits from affecting higher trust level sites Required by IEPM’s underlying mechanism: Mandatory Integrity Control (MIC) User Interface Privilege Isolation (UIPI)
55. How: IE Protected Mode (cont.) Integrity Levels (IL) for IE IEPM: Low Integrity Level Unprotected: Medium Integrity Level Low-integrity processes (such as IEPM) can only write to folders, files, and registry keys that are also marked as low-integrity: Temporary Internet Files folder %TEMP%\Low History folder Cookies folder Favorites folder Windows Temporary Files folders %userprofile%\AppData\LocalLow
56. IEPM: Compatibility Impact Attempts by ActiveX controls to modify medium and higher IL objects fail e.g. writing to the user’s Documents folder ActiveX controls fail to install Automatic mitigations
57. IEPM: Automatic Mitigation [Diagram: IExplore in Protected Mode, constrained by Integrity Control and UIPI, with a Compat Layer that redirects settings & files. Install an ActiveX control: handled by IEInstall.exe (Admin-Rights Access: HKLM, HKCR, Program Files). Change settings, drag and drop: handled by IEUser.exe (User-Rights Access: HKCU, My Documents, Startup Folder). Cache Web content: Temp Internet Files, untrusted files & settings.]
58. IEPM: Manual Mitigation Redesign the site to function properly in Protected Mode Add site to trusted sites Protected Mode is not enabled for trusted sites Use ActiveX Install Services (AXIS) for enterprise deployments
59. AXIS: How it works IE parses a page that requires an ActiveX control If the user is a Standard User, the AXIS is called The AXIS will perform a lookup in the Allowed Installation Sites list deployed via Group Policy If the Host URL is within policy, the control will be downloaded by the service If the control meets the signing criteria, it will be installed as the LocalSystem account
60. AXIS: Enabling the Service AXIS is an optional component that must be enabled Deploy through SMS Run cmd.exe as Administrator, then run this command: ocsetup.exe AxInstallService Control Panel Programs Turn Windows Features On or Off
61. AXIS: Configuring the Policy Run gpedit.msc Navigate to Computer Settings Administrative Templates Windows Components ActiveX Installer Services Enter Host URL and policy for each trusted site Must specify protocol: http or https(preferred) Example: http://download.microsoft.com Best Policy 2, 1, 0, 0
63. Windows and IE Versions Internal version number for Windows 7 is 6.1 – this is what is returned by GetVersion() Version number for Internet Explorer is 8.0 Version number is included in User Agent String User Agent String is included in HTTP header
64. Windows Version Mitigation Compatibility mode is provided in Windows 7 Users can right-click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the Compatibility tab. This applies multiple shims including “WinXPSP2VersionLie” PCA automates this step for installers Better: Apply only the shim “WinXPSP2VersionLie” In many cases, applications will work the same way they did in Windows XP and there is no need for changes to them
65. Windows Version Mitigation (cont.) 'Reinstall using recommended settings' Applies the Windows XP compatibility mode and restarts the program The fix is effective for all users (stored in HKLM)
66. Windows Version Remediation Applications should not perform version checks for equality, e.g. == 5.1 If you need a specific feature, check whether the feature is installed or available If you need Windows XP, check for Windows XP or later (>= 5.1) Exceptions to this occur when there is a very specific business, or legal need to do a version check, such as a regulatory body requires you to certify your application for each operating system and version
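The equality check this slide warns against, beside the "required version or later" check it recommends and a feature probe that needs no version number at all. This is an added example for this page, not code from the deck; it assumes GetTickCount64 as a stand-in for "the feature you actually need" (it exists from Vista on), and the function names Test-WindowsVersion and Test-FeatureAvailable plus the Compat.Loader wrapper are ours.

```powershell
# Added example (not from the original deck): version-check styles side by side,
# plus feature detection via GetProcAddress instead of a version number.
# Assumptions: function and wrapper names are ours; GetTickCount64 is just a sample feature.
function Test-WindowsVersion {
    param(
        [Version] $Required = '5.1',                             # Windows XP
        [Version] $Actual   = [Environment]::OSVersion.Version   # 6.1 on Windows 7, or whatever a version-lie shim reports
    )
    [pscustomobject]@{
        Reported      = $Actual.ToString(2)
        EqualityCheck = ($Actual.Major -eq $Required.Major -and $Actual.Minor -eq $Required.Minor)  # "== 5.1": breaks on 6.1
        AtLeastCheck  = ($Actual -ge $Required)                                                    # ">= 5.1": keeps working
    }
}

Add-Type -Namespace Compat -Name Loader -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string name);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr module, string name);
'@

function Test-FeatureAvailable {
    # Prefer probing the feature itself: here, whether a given export exists in an already-loaded module
    param([string] $Module = 'kernel32.dll', [string] $Export = 'GetTickCount64')
    $h = [Compat.Loader]::GetModuleHandle($Module)
    ($h -ne [IntPtr]::Zero) -and ([Compat.Loader]::GetProcAddress($h, $Export) -ne [IntPtr]::Zero)
}

Test-WindowsVersion                  # real OS: on Windows 7 EqualityCheck is False, AtLeastCheck is True
Test-WindowsVersion -Actual '5.1'    # what the WinXPSP2VersionLie shim makes the application see
Test-FeatureAvailable                # True from Vista on, regardless of what GetVersion reports
```

The feature probe is the remediation the slide prefers: it stays correct under a version-lie shim, on later releases, and in the regulated "certify per OS version" case it can sit next to, rather than replace, the explicit version check.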
68. IE8 Version Symptoms Web sites may render incorrectly CSS and JavaScript compliance changes Renders in IE8 Standards Mode for Internet sites Web sites that check the User Agent String for the IE version will get higher version number Web sites might refuse to load Web Sites might reduce functionality
69. IE8 Version Mitigations IE7 Compatibility Mode Default setting for intranet sites Can be controlled from the server For a single Web Page For a directory, application, or site Add <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> to the page or response header See http://support.microsoft.com/kb/968499 for different options
70. IE7 Compatibility Mode In a Web Page
    <html>
      <head>
        <title>My Web Page</title>
        <!-- Use IE7 mode -->
        <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/>
      </head>
      <body>
        <p>Content goes here.</p>
      </body>
    </html>
72. IE8 Standards Mode In a Web Page
    <html>
      <head>
        <title>IE8 Standards Mode Web Page</title>
        <!-- Use IE8 Standards Mode -->
        <meta http-equiv="X-UA-Compatible" content="IE=IE8"/>
      </head>
      <body>
        <h1>Hi from IE8 Standards Mode</h1>
      </body>
    </html>
73. Expression SuperPreview Stand-alone visual debugging tool Shows web pages rendered in IE 6 and either IE 7 or 8, depending on which version you have installed on your machine. View pages side by side or as an onion-skin overlay and use rulers, guides and zoom/pan tools to precisely identify differences in layout.
75. Sessions in Windows XP / Server 2003 [Diagram: a single Session 0 with one Window Station and Desktop hosting Services, the 1st User’s Windows, the Screen Saver and Login.]
76. Sessions in Windows 7 [Diagram: Session 0 (Window Station, Desktop) hosts only Services; Session 1 (Window Station, Desktop) hosts the 1st User’s Windows, the Screen Saver and Login on the Secure desktop.]
77. Session 0: Compatibility Impact A service and a user application that use window message functions (e.g. SendMessage, PostMessage) to communicate will silently fail A service and a user application that use local objects to communicate will silently fail A service that uses a UI to interact with the user will display the UI on a special desktop which is inaccessible Applications that work with Fast User Mode Switching will probably continue to work
79. Less Common Issues Painting Behavior Deprecated Components Managed Code for .NET 1.x 64-bit Vista
80. Painting behavior Why: To improve user experience How: All top-level windows are rendered to an off-screen bitmap; Desktop Window Manager combines the images to draw the desktop Impact: Some applications will render incorrectly Mitigation: Disable desktop composition Apply shim “DisableDWM” Properties -> Compatibility Tab -> Disable desktop composition Fixes: Redesign application to not assume that it is rendering directly to the screen
82. Deprecated components Windows Help (WinHlp32.exe) Available as a download CHM is now the preferred option Graphical Identification and Network Authentication (GINA) modules Removal of Windows Mail Disables CoStartOutlookExpress File associations (.eml, .nws, .contact, .group, .wab, .p7c, .vfc) are broken or disabled Install Windows Live Mail
83. Deprecated components (cont.) Removal of Windows Movie Maker Install Windows Live Movie Maker Microsoft Agent technologies Removal of Windows Registry Reflection PCA instruments CoCreateInstance API and the Loader (NTDLL) Detect load failures on deprecated COM objects and DLLs respectively Uses Windows Error Reporting (WER) to retrieve Knowledge Base article or link to download deprecated component
84. Managed code for .NET 1.x Symptom Managed code written for .NET 1.x fails (error message or crash) Cause Application depends on .NET 1.x feature AND Application does not specify <supportedRuntime> or <requiredRuntime> in configuration file Note: .NET 1.0 did not support <supportedRuntime> Fix Add <supportedRuntime version="v1.1.4322"/> to <appname>.exe.config
86. 64 bit WoW64 allows 32-bit applications to run on 64-bit Windows, but compatibility issues may still exist Not supported 16-bit applications and installers Limited support for some installers 32-bit kernel mode drivers 32-bit user mode printer drivers Kernel patching (x64 only) Patchguard prevents applications from patching the Kernel. If this is detected, a shut down will be initiated Windows Server 2008 R2 – 64 bit ONLY
87. Windows 7 Logo Program Benefits Compatibility message to your customers Joint marketing Partner Points Requirements ISVs must sign up to receive their crash data from WER Use AppVerifier as part of development lifecycle Install to correct folder locations Sign binary executables Include a manifest and run as a standard user Support Restart Manager 64 bit support Etc...
88. Windows 7 Logo Program Roadmap Follow these steps to verify that your application complies with the Windows 7 Client Software Logo technical requirements: Download and install the Windows 7 Client Software Logo Toolkit Run the Toolkit to validate your application Ensure the application adheres to all policies Accept and sign all legal agreements Opt in to receive communications from Microsoft about your product(s) Mail a licensed copy of your software to Microsoft Upon successful completion of validation testing submit the results to Microsoft
89. Tools, documentation, and help Application Verifier – http://go.microsoft.com/fwlink/?linkid=11573 Standard User Analyzer – http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-B45E-492DD6DA2971&displaylang=en Windows 7 Application Quality Cookbook – http://code.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=Windows7AppQuality&ReleaseId=1734 Windows 7 Training Kit for Developers – http://www.microsoft.com/downloads/details.aspx?FamilyID=1C333F06-FADB-4D93-9C80-402621C600E7&displaylang=en Application Compatibility Forum – http://social.msdn.microsoft.com/Forums/en-US/windowscompatibility/threads/
90. Call to action Get ready for Windows 7 deployments Test your applications on Windows 7 Make use of resources that are available now Joint marketing Free technical support Free App Compat Labs Latest tools Active discussion forums Tell Microsoft and your customers Update Greenlight Web Site Consider Window 7 Logo certification
91. Resources Windows Application Compatibility – http://msdn.microsoft.com/en-us/windows/aa904987.aspx Developer for Windows 7 on MSDN – http://msdn.microsoft.com/en-us/windows/dd433113.aspx IE8 Readiness Toolkit – http://www.microsoft.com/windows/internet-explorer/readiness/developers-new.aspx Windows API Code Pack – http://code.msdn.microsoft.com/WindowsAPICodePack Greenlight Web Site – http://www.isvappcompat.com/uk UK DPE Briefings and Labs – http://blogs.msdn.com/ukisvdev/archive/2009/06/09/windows-7-application-compatibility-briefings-and-drop-in-clinic.aspx