Least Privilege Security for Windows 7, Vista and XP E-Book

Least Privilege Security for Windows 7, Vista and XP

Russell Smith

Least Privilege Security for Windows 7, Vista and XP

Credits

About the Author

About the Reviewers

Dedicated to St. Petersburg, Russia - where this book was written.

Preface

Chapter 1, An Overview of Least Privilege Security in Microsoft Windows, explores the principle of Least Privilege Security and shows how to implement it in different versions of Microsoft Windows. It also explains how to control and change system privileges, benefit from implementing Least Privilege Security on the desktop, and overcome the most common technical and political problems and challenges when implementing Least Privilege Security.

Chapter 2, Political and Cultural Challenges for Least Privilege Security, covers the reasons why users may not accept Least Privilege Security on the desktop. It also clearly explains and justifies the benefits of Least Privilege Security for your organization. The chapter also covers how to apply Least Privilege Security to different categories of users and get buy-in from management.

Chapter 3 , Solving Least Privilege Problems with the Application Compatibility Toolkit, covers how to modify incompatible applications on the fly and achieve the best balance between compatibility and security by using Application Compatibility shims. It explains how to create shims using the Application Compatibility Toolkit 5.5 and distribute compatibility databases to devices across the enterprise.

Chapter 4, User Account Control, covers how to achieve a seamless user experience by using the different components and compatibility features of User Account Control. It also explains how to configure User Account Control on multiple computers using Group Policy and the inner workings of User Account Control's core components.

Chapter 5, Tools and Techniques for Solving Least Privilege Security Problems, covers how to set up a system for temporarily granting administrative privileges to standard users for support purposes. It also covers how to use Task Scheduler to run common processes without the need to elevate privileges and how to install third-party solutions to configure administrative privileges for applications and Windows processes on-the-fly.

Chapter 6, Software Distribution using Group Policy, explains how to prepare applications for Group Policy Software Installation (GPSI) and Windows Installer deployment. It also explains how to repackage legacy setup programs in Windows Installer .msi format and how to make GPSI more scalable and flexible using the Distributed File System (DFS). It covers how to target client computers using Windows Management Instrumentation (WMI) filters and Group Policy Scope of Management.

Chapter 7, Managing Internet Explorer Add-ons, covers how to support per-user and per-machine ActiveX controls and manage Internet Explorer add-ons via Group Policy. It also explains how to install per-machine ActiveX controls using the ActiveX Installer Service (AxIS) and how to implement best practices for working with ActiveX controls in a managed environment.

Chapter 8, Supporting Users Running with Least-Privilege, explains how to support Least-Privilege user accounts using reliable remote access solutions, how to connect to remote systems with administrative privileges using different techniques and enable remote access using Group Policy and Windows Firewall.

Chapter 9, Deploying Software Restriction Policies and AppLocker, explains how to deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run. It discusses how to force an application to launch with standard user privileges even if the user is an administrator and how to blacklist an application using SRP or AppLocker.

Chapter 10, Least Privilege in Windows XP, covers how to redeploy Windows XP with Least Privilege Security configured and identify problems with applications caused by Least Privilege Security using the Microsoft Deployment Toolkit. It also explains how to mitigate the problems and limitations users may face when running with a Least Privilege Security account and how to handle ActiveX controls in Windows XP.

Chapter 11, Preparing Vista and Windows 7 for Least Privilege Security, explains how to collect and analyze data to identify any potential compatibility problems with Least Privilege Security and software installed on networked PCs using Microsoft's Application Compatibility Toolkit (ACT). The reader will learn how to analyze logon scripts for Least Privilege compatibility, how to prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings.

Chapter 12, Provisioning Applications on Secure Desktops with Remote Desktop Services, explains how to install the core server roles for Remote Desktop Services in Windows Server 2008 R2 using Windows PowerShell. It also explains how to set up and understand Remote Desktop Licensing and configure Remote Desktop Gateway for secure remote access to applications over HTTPS. This chapter also discusses how to advertise published Remote Applications on Windows 7’s Start menu using Remote Desktop Web Access.

Chapter 13, Balancing Flexibility and Security with Application Virtualization, covers how to sequence an application for streaming and virtualization, and how to set up the App-V Client to work with a server-less deployment model.

Chapter 14, Deploying XP Mode VMs with MED-V, explains how to deploy legacy applications that are not compatible with newer versions of Windows and how to set up Windows XP Mode for Windows 7. It also explains how to configure the different components of MED-V for managing and deploying VMs in a large corporate environment and how to prepare VMs for use with MED-V.

What you need for this book

Who this book is for

Conventions

Note

Warnings or important notes appear in a box like this.

Note

Tips and tricks appear like this.

Reader feedback

Customer support

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.

Chapter 1. An Overview of Least Privilege Security in Microsoft Windows

Each user that logs in to NT-based versions of Microsoft Windows, does so with a set of system privileges. Privileges differ from permissions in that they give users the ability to perform an action, whereas permissions allow access to an object such as a file or registry key. There are many privileges used to control access to various system functions, ranging from the ability to change the system time to restoring files and directories. Rather than assigning each user account with privileges individually, a set of built-in groups are provided with pre-assigned privileges. Users are then added to groups, in a form of role-based access control, as the following table describing built-in groups in Windows 7 illustrates:

The two most frequently used built-in groups are Users and Administrators. If your user account is assigned to the Administrators group, you have a high level of privilege on the system and can perform almost any task that isn't specially protected by the operating system.

In contrast, if your user account is assigned to the Users Group, you can run installed programs and change settings that won't affect system stability, but you can't install software to the restricted Program Files directory, or modify protected areas of the registry or Windows directory. The Power Users group was often used in Windows NT, 2000, and XP, but was essentially an administrator with a few less privileges. Microsoft decided to deprecate this group in Windows Vista, preferring system administrators to assign users to either the users or administrators group, as it was easy for power users to escalate to administrative privilege. You should, however, note that the Power Users group still exists in Vista and Windows 7 for compatibility reasons, but isn't assigned any privileges.

What is Least Privilege Security?

Note

Most current malware relies on users having administrative privileges to install. If more users run with non-admin accounts, the situation is likely to change. Least Privilege Security should be further secured with the use of antivirus software and other protection technologies, such as Software Restriction Policy and AppLocker.

Considering the threat landscape has changed beyond recognition in recent years, users will often counter least privilege accounts, insisting that I'll be careful or I know what I'm doing. When users undertake risky activities such as browsing the Internet (computer expert or not), it's impossible to be sure that malevolent software won't be accidently launched through malicious code embedded in web pages, which is intended to launch silently without the user's knowledge, or exploit an unpatched vulnerability in the operating system. While antivirus software can provide a certain degree of protection, many exploits cannot be detected by even the best antivirus programs. A defense-in-depth strategy that includes both antivirus and Least Privilege Security, among other measures, is far more effective than any one protection mechanism alone. Users often have blind faith in antivirus, software believing it will protect them from all evil. Browsing the Internet is just one example of a risky activity. Malware can find its way into systems through removable media, CDs, and e-mail, and then propagate throughout a network, causing untold amounts of damage and lost productivity.

A word processor is unlikely to need privileged access to a system. If we limit the level of privilege that an application has to a system, so users can perform only the tasks required to complete the job, then maintaining systems becomes much easier. Privileges can be assigned to user accounts through the built-in administrators and users groups in Windows NT, providing system administrators with an easy way to restrict privileges for the majority of users. While this doesn't necessarily achieve true Least Privilege Security—for example, why would a word processing application need to change a system's power scheme—it is a reasonable trade-off between security, manageability, and usability in most production environments.

Least Privilege Security in Windows

The FAT/FAT32 (File Allocation Table) filesystem used in 9.x editions of Windows didn't support the use of access control lists. Therefore, there were no strict means of controlling access to specified files and registry keys for a set of defined users. All users were effectively administrators. There were some methods for controlling what users could do, but it was far from what was available in more sophisticated operating systems of the time.

Ease of use has always been one of Windows strong selling points, and the wide choice of applications has helped it become the most prevalent OS on the desktop.

Windows NT, which spawned Windows 2000, XP, Vista, and Windows 7 has many fundamental differences from DOS-based Windows. However, the most important point in this discussion is its use of NTFS—a filesystem that is considerably more reliable and flexible than FAT and supports the concept of access control. This provides NT-based systems with a foundation that can be secured and protected according to a user's role. Along with other features such as a stable kernel, the ability to assign users with system privileges, and computers with system policy, NT provided the stability and security features required from a true business-grade operating system.

NT had no built-in equivalent to the switch user (su) command in Unix, so it was common that all users would be assigned to the administrators group on any one system, or at a minimum power users, which was essentially the same as administrators with a few less privileges. This started the trend on Windows NT, despite a sound security model being in place, for all users to run with administrative privileges. The future merger of the NT line and DOS-based 9.x versions of Windows ensured that the practice of running with administrative privileges would be entrenched for years to come.

An unfortunate side effect was that application developers commonly ran with administrative privileges, meaning that their applications would not run correctly under a standard user account. Even to this day, there is much debate about secure application development and resistance from developers who refuse to work without administrative privileges.

Though the Windows NT 4 Resource Kit did include a tool called SU (Switch User,) similar to the Unix command-line tool, it was a separate product. Windows 2000 introduced for the first time a built-in command called runas that allows users to run an application under the context of a different user account without logging off. The runas command is an equivalent of the Unix su command and is facilitated through the secondary logon service. This new command-line tool and service were intended for administrators, in the hope that they would use a standard user account for everyday use, and elevate applications only when administrative access was required. It suffices to say that this never caught on. One of the biggest annoyances of runas is that it can't be used to launch Explorer or certain control panel applets, without using messy workarounds.

runas isn't limited to administrators, but for daily use its implementation is simply too clumsy and wouldn't gain user acceptance in most environments. Another major drawback of runas is that if a standard user needs to run an application under the context of another account, then all the access rights the standard user has to the network and local filesystem are lost if not shared with the elevated user. runas is best used in contexts where a standard user will elevate using an account that has access to all necessary resources, for example, when a sysadmin elevates from their standard user account to Domain administrator.

In Windows Vista and Server 2008, network drives mapped in one security context are not visible to processes running under a different account in the same logon session, regardless of the permissions assigned to the network drive. This behavior can, however, be changed by adding a REG_DWORD entry to the registry called EnableLinkedConnections, with a value of 1 under HKLM\Software\Microsoft\Windows\CurrrentVersion\Policies\System and rebooting the system. runas has several command-line options, known as switches, which can be used to change the way elevated programs are launched. The /netonly switch allows users to retain access to resources on the local machine as specified by their primary account, but gives permission to networked resources according to the privileges of the account specified in the runas command. This can be useful for certain tasks where local administrative access is not required. Other switches such as /noprofile and /env allow users to control whether their own user profile or environmental variables will be used. While runas from the command line is likely the most convenient way for system administrators to use the full array of features, holding Shift while right-clicking on an executable file presents runas in the context menu.

If Windows 2000 was designed for business, then XP was a revolution for home users, finally merging the 9.x and NT range, thereby providing everyone with the security and stability of the NT kernel. This wasn't without its challenges, and to address problems with applications that weren't designed to run on NT, Microsoft created the Application Compatibility Toolkit (ACT). ACT allows businesses to scan their networks, creating an inventory database of installed applications. Programs can then be tested, and if necessary, any problems resolved with the use of application compatibility shims (fixes). ACT comes with a series of predefined shims, several of which can be used to solve problems with applications that weren't designed to run as a standard user.

XP also includes new Group Policy settings called Software Restriction Policy (SRP). While not intended to directly address Least Privilege Security problems, SRP does allow system administrators to dictate that given applications must run as a standard user. This is useful where users have to run with administrative privileges, but you want to restrict applications, such as Internet Explorer, to standard user privileges, minimizing the risk if users surf websites that host malware or browser exploits.

While it has always been, in theory, possible for corporate users to run as a standard user on NT-based operating systems, it was always difficult and unrealistic for home users, largely because Windows wasn't designed with this in mind. Ease of use always prevailed over security.

For the first time, Microsoft tried to go some way to change this situation with the introduction of User Account Control (UAC) in Vista. Much derided and misunderstood, UAC is a collection of technologies designed to make it easier for users to run with Least Privilege Security and to persuade developers to design applications that work without administrative privileges. Before Windows Vista, many routine tasks required elevation of privilege. User Account Control addresses this problem by changing system privileges to allow standard users to change the time zone, power schemes, and other previously restricted settings. User Account Control includes file and registry virtualization that transparently diverts write operations for protected areas of the filesystem and registry to the user's profile, allowing applications that don't comply with the Windows security model to function correctly without any modification.

Finally, and most controversially, UAC prompts users before they're allowed to make any changes to the system that require administrative privileges. This behavior can be configured in several different ways depending on the organization's requirements. UAC have been criticized for being too ubiquitous, thereby increasing the chances that users will simply agree to elevation without considering the risks. Despite Microsoft's efforts to make it easier to run as a standard user, by default, the first account in Vista is an administrator, albeit protected by UAC. If users opt to create additional accounts, they are prompted to assign standard user privileges, though this is not mandatory.

Descriptions of UAC from Microsoft have been somewhat contradictory. One of UAC's original design goals was to make it a security boundary, providing a sandbox where privilege cannot be elevated without the user's explicit consent. However, after Vista's release Microsoft acknowledged that it was a security feature, and not a boundary when running in Admin Approval Mode, implying that it could be compromised and wasn't designed to be impenetrable.

Using least privilege concepts, Microsoft has tightened the security of system services. To reduce the attack surface, Vista's system services run with a minimum set of privileges. The service control (sc) command-line tool lets system administrators query and change the system privileges assigned to services. The following example shows how to use the command to determine what privileges are granted to the Remote Procedure Call (RPC) service:

The following output shows just three privileges:

Microsoft has attempted to improve UAC in Windows 7 by making it quieter and more configurable. While there is no doubt that UAC is more configurable in Windows 7, it is for you to decide whether or not it is improved. The default user in Windows 7 is still a Protected Administrator, but the UAC settings are not as stringent as those in Vista. Windows 7 provides users with a less annoying experience, but with the prospect that their systems could be silently compromised. When designing UAC for Windows 7, Microsoft endeavored to strike the right balance between usability and security. Windows 7 gives users more control over UAC behavior, and the new features can also be configured in Group Policy.

Professional, Enterprise, and Ultimate SKUs of Windows 7 include XPM (XP Mode), which is intended to help smaller businesses migrate to Windows 7, while alleviating application compatibility concerns. It includes a license to run a virtualized instance of Windows XP and a new version of Virtual PC, which can integrate applications running inside a virtual machine with the Windows 7 desktop—blurring the line between installed and virtualized programs. Microsoft provides a managed version of XPM for larger organizations called Microsoft Enterprise Desktop Virtualization (MED-V).

Advanced Least Privilege Security concepts

Discretionary Access Control (DAC) is where system administrators assign access to a set of objects, such as a directory of files, and allow the user to change the security properties of those files. The user becomes the owner of the directory and can modify the security properties of all files within that directory.

Mandatory Access Control (MAC) allows system administrators to centrally control the changes users can make to objects they own. MAC helps prevent the flow of sensitive information from a high-privileged account to a lower one.

Windows Vista introduced a form of MAC through Mandatory Integrity Control (MIC) that prevents processes running with a low Integrity Level (IL) from writing to or deleting objects with a higher IL.

Windows Server 2003 included Role-based Access Control (RBAC) that allows system administrators to control access, based on users' organizational roles. Focusing on users' roles rather than objects and resources, as with DAC, is a more natural way for system administrators to control access to data across an organization. DAC enforces basic least privilege concepts to protect operating system files and registry keys using groups, which are collections of users, whereas RBAC roles are collections of permissions.

Least Privilege Security in the real world

Benefits of Least Privilege Security on the desktop

Though considered a security principle, the biggest benefit of Least Privilege Security is that it aids change and configuration management. Every time you log in to a computer with administrative privileges, there's the potential that the system's configuration may undergo unsanctioned changes, knowingly or otherwise. Least privilege helps to maintain the intended configuration of a system, but at the same time giving the flexibility to change it (if permitted by corporate policy enables System Administrators to maintain) and manage who can change what. Least Privilege Security enables system administrators maintain better standardized environments and reduce support costs. If the helpdesk can be reasonably certain of a system's configuration, it's much easier to support that system. If users are allowed to change important configuration settings without a good reason, the help desk faces a much tougher job, increasing the time required to resolve problems, thus driving up costs.

Least Privilege Security also prevents users from circumventing controls implemented by system administrators. If a user has administrative privileges, with the right knowledge, it's possible to circumvent Group Policy. Ultimately, if a user has administrative privileges, there's likely a way to break into a system even if other controls are in force.

Good change and configuration management provides stability. How often are support staff faced with queries such as it was working ok yesterday? Computers don't stop working without a reason. Something must have changed. If system administrators can prevent unwanted change, these types of queries can be reduced. Wouldn't it be nice to know that every time a user switches on their system, they can be sure that it will work as expected?

If users are prevented from making unintentional changes to critical system components on the desktop, the risk of malicious or unsanctioned software finding its way onto corporate systems is significantly reduced. The likelihood of users being infected with drive-by internet attacks, rootkits, or worms is minimized as users need to specifically give permission for such software to run. A large number of today's malicious programs require administrative privileges to install. Therefore, a standard user is far less likely to infect a machine accidentally. Even if a standard user account becomes infected with a virus, the damage it can do is considerably less than if they had been granted administrative privileges.

You may be thinking that there are ways around some of the protections that Least Privilege Security provides, and you would be right. However, it must be understood that Least Privilege Security should be used as one layer of a comprehensive defense-in-depth strategy, and that other technologies such as Software Restriction Policies, Windows Firewall, and antivirus software, should be deployed to provide complete protection.

Many organizations are subject to regulatory compliance, and all such regulations require that users are given only the privileges required to complete their work. Even if your business is not subject to regulation, it should be considered best practice to implement Least Privilege Security, to boost customer trust. Sensitive data is easily stolen from users if layered protection is not in place. If keylogging software is silently installed on a user's machine, then the program may be able to transmit captured data to its author without the user's knowledge. A comprehensive defense-in-depth security strategy would be almost certain to prevent such an attack.

Least Privilege Security can also help organizations to manage software licensing. While it doesn't necessarily remove the need to audit programs installed across an enterprise, enforcing a standard image using least privilege reduces the chances that your business will fall out of compliance through unauthorized or unlicensed applications being installed on desktops.