TechEd 2006 and an Invitation to a UAC Chat


Many of the UAC team members attended TechEd 2006 this week in Boston.  I really had a great time talking to customers about the UAC project, how the technology works, how the policy options affect its operation, and what direction Microsoft is taking it.


 


The aspect that surprised me the most this week was that well over 50% of the enterprise customers are already moving to Standard User on XP.  That means they are already pushing on their vendors to ship good Standard User applications and they are already inventorying and deploying applications (or pushing “staged” images) to their desktops.  I validated this data point during my talk by asking for a show of hands.  Almost all of the people that said “I manage enterprise desktops” also said “we are already trying to get to Standard User.”


 


I have had two customers so far ask me “I am already locked down Standard User, why should I care about Vista”.  We have three answers here:


 


· We fixed the operating system.  You can change Power Management, change the timezone etc.  And we “auto fix” many of the applications.

· You can push enterprise policy to enable scenarios such as “my laptop users can install any printer from HP… or any printer”.

· You can push enterprise policy to enable your Standard Users to install ActiveX controls from your business partners.


 


That was the right answer, as these two scenarios are both very important and very expensive in Windows XP today.


 


In addition, Wei and his team staffed a UAC Lab along with the App Compat team to train developers on how to look for, debug, and fix UAC issues.  The attendees are given a broken demo app that demonstrates issues including incorrect version checks, session 0, MIC, UAC, and other standard user related issues.  By mid-week, over 1000 of the 12000+ total attendees had already participated in the lab, which lasts 45 minutes.


 


For the people that did not make it to TechEd 2006, we want to have a chat session to take your questions online.  We will staff the chat session with our developers, testers and program managers, so we should be able to field any question you have.


 


Please join us on Thursday, 1pm to 2pm Pacific time (4pm-5pm Eastern).  Here is the chat info:


User Account Control in Windows Vista
Please join the User Account Control (UAC) team in a candid Q&A about UAC in Windows Vista. Ask us your tough questions, such as those about application compatibility, UAC Group Policy management, and application deployment.




June 22, 2006
1:00 P.M. Pacific Time




 



If this link doesn’t work, you can find the chat session on one of the following sites:


 


http://www.microsoft.com/technet/community/chats/default.mspx


http://www.microsoft.com/communities/chats/default.mspx


http://msdn.microsoft.com/chats/


 


thanks,


 


Steve


Comments (10)

  1. The UAC Team would like to invite you for a Q&A Chat with their team. Here is the details: User Account

  2. Gordon Fecyk says:

    "We fixed the operating system.  You can change Power Management, change the timezone etc.  And we “auto fix” many of the applications."

    The applications aren’t Microsoft’s responsibility to fix… unless of course they’re Microsoft applications.  The developers should fix their broken stuff themselves.  They’ve had, what, six years to do this on Win2K?

    And why not fix Power Management, changing the time zone, and so forth on XP?  A lot of admins loosen just enough security to work around this already.  Or is this a selling point for Vista?  "Windows Vista.  We fixed the operating system."  Nice marketing slogan.

  3. Seby says:

    The simplest Vista Virus:
    -blacken the screen
    -ask user for Admin credentials
    now your virus has Admin privileges…what else could you want?

    Simple, easy…DANGEROUS

    An app can’t directly elevate if it requests the admin creds from the user – elevation happens only through the UI-supplied interface.  And the expectation is that as the occurrence of elevation prompts becomes rarer – as they should – users won’t just give up their creds or consent when some random app says “hey, give me your housekeys.”

    –Aaron Margosis

  4. Gordon Fecyk says:

    Emulate the security prompts, or alternately, entice the user:

    “Here, dumb user. Here’s some free smileys for you! Go on, type your admin password here. You know you want to.”

    Ironically, I’ve been told that Yahoo! Messenger for MacOS X asks for the root password using its own dialog box, rather than using whatever API the MacOS provides. Yeah, so it can store it for later updates.  Or whatever.  Think Yahoo! is trustworthy?

    If Yahoo! does it, and actually believes MacOS users will give it to them, what stops others from doing the same on Vista?  All for the promise of some free trinket or $$$$FREE PR0N!!!111$$$

    Maybe a Group Policy or User Accounts setting such as, “Members of Group X are not asked to provide Admin credentials. Ever. For any reason.” would help somewhat.

    Emulating the security prompts won’t allow the spoofer to actually elevate.  Unprivileged software can’t even impersonate another security context.

    — Aaron Margosis

  5. Gordon Fecyk says:

    Is it still possible to inject input into an arbitrary window in Vista?  I imagine removing this functionality would break a lot of applications that legitimately capture and redirect output to other applications, such as the terminal capture or ‘Relay’ programs included with travel agency terminal software.

    With this in mind, let’s patch our virus to look for security prompt windows once our dumb user’s fallen for the offer of $$$FREE PR0N!!!111$$$ and feed the same with the Admin username and password he’s so graciously supplied.

    I wouldn’t even need malicious intent.  I could be writing installer code for Yahoo! and would want to support my own automatic updates system of some kind.  Even though there’s one in Windows Installer, yes, but my bosses could be equally stupid or have some kind of charter that says ‘Thou shalt use freely available tools for everything,’ ie: Three Rings Design using Nullsoft’s installer because of Truth, Justice, and the Stallman Way, or something.

    Gee.  How can you tell I’ve seen a lot of badly written garbage in my day?  And a lot of badly written excuses to use said garbage?  Though I’m sure I can’t compare against what you’ve all seen. 🙂

    A policy that disables security prompts for a given user or group would prevent this scenario.

    Hey Gordon – this isn’t possible.  Windows Vista introduces the concept of Mandatory Integrity Control (MIC) and integrity levels for different processes.  Processes running at one integrity level cannot access the HWNDs or other “User” (user32) objects of processes running at higher integrity levels.  Most of the desktop runs at Medium Integrity; IE (a.k.a., “Low Rights IE”) runs at Low, and the security prompts run at High.  Furthermore, the security prompts are now (by default) on the secure winlogon desktop, which is inaccessible to everything except LocalSystem.

    Hope this helps!

    — Aaron Margosis

  6. Gordon Fecyk says:

    Something like this would have been easy to miss.

    I’m not sure why you’d want to run IE on a different integrity level than the rest of the user’s desktop, if said desktop can’t access high integrity processes.  It’s like reintroducing Power Users on the Desktop level when you’re eliminating it in the OS.

    Here’s an obligatory Firefox jab: Firefox running on Vista would inherit medium desktop integrity and a Firefox exploit could own the user’s desktop.  Outlook could similarly be exploited, but I figured that’d get the attention of the Mozilla advocates. 🙂

    I suppose it isn’t a major problem and I’m just picking nits, as you’ve addressed input injection on security prompts.  It just seems redundant to have three desktop integrity levels when you already have just two OS security levels (plus SYSTEM).

    Still, this is impressive.  And it wouldn’t break the Relay app I mentioned.

  7. Gordon – IE runs at Low IL because it is much more exposed to the internet than most apps.  Running IE at Low IL helps protect the user’s desktop and data, in the event that malware finds a way to execute code within the iexplore.exe process.

    Firefox will run at Medium IL, unless its implementers decide to have it run at Low – documentation for doing so is here:  http://msdn.microsoft.com/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp?frame=true

  8. Gordon Fecyk says:

    It took me a while, but I finally figured out how to write a virus for Vista.  And it doesn’t even involve a whole lot of technical expertise; just some social engineering on a global scale:

    http://www.antiwindowscatalog.com/index.asp?mode=rant&id=38

    Enjoy!

  9. David Hopwood says:

    Aaron: is it intended to be guaranteed that an app, running under UAC, that knows the Administrator password cannot use any admin privileges without a prompt? I didn’t get an answer to this when I asked on a previous blog entry. Note that UAC and UIPI are not sufficient for this unless they also affect network protocols that use Windows account passwords for authentication.

  10. About UIPI says:

    Can anyone demonstrate the UIPI concept programmatically? That is, I want one program to run in user mode and the other in administrative mode, and the user mode process cannot send messages to the administrative process, please.
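
The integrity-level rule Aaron Margosis describes in the thread above, as an added example in C that is not part of the original post or Microsoft's code: it parses mandatory-label SIDs (the S-1-16-<RID> values are the well-known Windows label SIDs, not taken from this page) and applies the "no access to windows at a higher level" rule to the three cases the commenters discuss. The `probe_window` helper, compiled only on Windows, is a hypothetical live check that relies on `PostMessageW` failing with `ERROR_ACCESS_DENIED` when UIPI blocks a message; the window title passed to it is assumed to belong to your own elevated test program.

```c
/* Added example, not from the original page: a model of the rule in the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Well-known mandatory-label RIDs; a process label is the SID S-1-16-<RID>. */
enum { IL_UNKNOWN = -1, IL_LOW = 0x1000, IL_MEDIUM = 0x2000, IL_HIGH = 0x3000 };

/* Parse a label SID string such as "S-1-16-8192"; IL_UNKNOWN if malformed. */
int il_from_sid(const char *sid)
{
    static const char prefix[] = "S-1-16-";
    char *end; unsigned long rid;
    if (sid == NULL || strncmp(sid, prefix, sizeof prefix - 1) != 0)
        return IL_UNKNOWN;
    sid += sizeof prefix - 1;
    if (*sid < '0' || *sid > '9')  /* strtoul alone would accept a sign */
        return IL_UNKNOWN;
    rid = strtoul(sid, &end, 10);
    return (*end == '\0' && rid <= 0xFFFF) ? (int)rid : IL_UNKNOWN;
}

/* 1 if the sender may drive the target's windows; unknown labels fail closed. */
int uipi_allows(const char *sender_sid, const char *target_sid)
{
    int s = il_from_sid(sender_sid), t = il_from_sid(target_sid);
    return s != IL_UNKNOWN && t != IL_UNKNOWN && s >= t;
}

#ifdef _WIN32
/* Hypothetical live check: 1 = delivered, 0 = blocked by UIPI, -1 = other. */
int probe_window(const wchar_t *title)
{
    HWND h = FindWindowW(NULL, title);
    if (h == NULL) return -1;
    if (PostMessageW(h, WM_APP, 0, 0)) return 1;
    return GetLastError() == ERROR_ACCESS_DENIED ? 0 : -1;
}
#endif

int main(void)
{
    printf("Low IE -> Medium desktop:   %d\n", uipi_allows("S-1-16-4096", "S-1-16-8192"));
    printf("Medium app -> High prompt:  %d\n", uipi_allows("S-1-16-8192", "S-1-16-12288"));
    printf("Medium relay -> Medium app: %d\n", uipi_allows("S-1-16-8192", "S-1-16-8192"));
    return 0;
}
```

The model compares levels only; on a real system, run `probe_window` from a non-elevated process against a window created by an elevated one to see the block in practice.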
