Privilege elevation in Windows 7

Discussion in 'other security issues & news' started by Xarx, Jan 12, 2011.

Thread Status:
Not open for further replies.
  1. Xarx

    Xarx Registered Member

    Joined:
    Dec 12, 2010
    Posts:
    14
    Hello,

    I would like to understand the privilege elevation mechanism in Windows 7 (Vista) in more detail (see my questions below).
    Could you, please, point me to relevant documentation? In particular I need to learn keywords that I can "google" in order to get some more info on this topic. (For instance, I tried to search "UAC", but all documentation on the UAC topic is too general; I have found no answers to my questions.)

    Questions:
    • What happens exactly when I choose "Run as administrator" on an application?
      I noticed several things concerning processes with rights elevated this way:
      • These processes do not see my disk letters mapped via the "subst" command. This probably means that they do not inherit my user context.
        (I found that when I execute the "subst" with elevated rights, then all my processes - both normal and with elevated rights - see the mapped disks.)
        How can I make the disk letters that I map in "Start -> All Programs -> Startup" (executed during logon) to be seen even by the "elevated" processes?
      • In Process Explorer I see (on process details -> Security tab) that normal processes have "BUILTIN\Administrators"="Deny", while processes with elevated rights have "BUILTIN\Administrators"="Owner".
        What does it mean "Owner"? Are there other possible values?
      • Moreover, normal processes have "Medium" in the "Process Image -> Integration" column in Process Explorer, while "elevated" processes have "High".
        Is the "Windows integrity mechanism" somehow related to the privilege elevation? E.g. in the sense that "High" integration means administrator privileges?
    • How can I selectively (=for selected applications, not globally) turn off the UAC dialog "Do you want to allow the program to make changes to your computer"?
      In particular, I want some programs in "Start -> All Programs -> Startup" to be executed with administration rights (upon logon).
    • Even when an application (notably cmd.exe) is executed with elevated administration rights, it still does *not* have all administrator privileges granted (automatically). For instance it does not obtain "SeRestorePrivilege" or "SeTakeOwnershipPrivilege", which prevents it e.g. from deleting some folders (for which administrators do not have "delete" privilege assigned).
      How am I to perform administration using batch scripts, if these scripts do not get all rights even with elevated administration privileges?

    Thank you,
    Martin.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    On Vista/7, the standard account you start with is an administrator account.

    Every account has a security token(s). This token defines your rights.

    When you start a process, your "rights" in the form of a security token are passed along to the process.

    If the process tries to write to c:\windows, which is defined as a limited access area, then the OS examines the security token of the process. If the token has enough rights, the action is allowed. If not enough rights, the action is denied.

    In Vista/7 you actually have 2 security tokens by default, an Admin token and a User token. Although the normal account is an admin account, most things that happen actually use the token from the limited user token.

    LUA can cause some aggravation as everything you do must be "Run As" the admin. In previous Windows versions, you had to input credentials when "running as", or use something like SuRun which could remember them for you in a handy way.

    In Vista/7, some things will activate UAC, which is asking, should we use the admin token on this process, it needs it to run right. Other times, you must "RunAsAdmin" because for one reason or another the UAC prompt does not display.

    The different levels of UAC you can change will affect what displays a prompt and what does not, and whether you must enter credentials in order to use the admin token.

    Your question, can you make a setting for a unique program that turns UAC off, AFAIK can only be done (easily) by setting UAC mode to quiet and using the App Compatibility settings to RunAsAdmin. If you do this, per file or object, then it can be as you suggest. Otherwise, most likely the answer is no, you cannot do that (easily).

    Most of the information you are looking for will reside somewhere at microsoft dot com, more than you probably want ;)


    Sul.
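The token differences discussed in this thread (Administrators marked "Deny" vs "Owner", Medium vs High integrity, privileges such as SeRestorePrivilege present but not enabled) can be inspected directly. The following PowerShell is an added example, not code from the thread or from any tool mentioned in it; it relies only on the stock whoami tool and .NET, and is meant to be run once in a normal console and once in a console started with "Run as administrator" so the two results can be compared.

```powershell
# Added example (not from the thread): summarise the current console's token
# with whoami's CSV output and .NET so the differences the thread describes
# (Administrators "Deny" vs "Owner", Medium vs High integrity, privileges
# present but Disabled) can be compared between a normal console and one
# started with "Run as administrator".

function Get-TokenSummary {
    # whoami is a stock Windows tool; /fo csv gives output ConvertFrom-Csv can parse.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The integrity level travels in the token as a group with an S-1-16-<RID> SID.
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid   = if ($label) { [int]($label.SID -replace '^S-1-16-', '') } else { -1 }
    $integrity = switch ($rid) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { "Unknown($rid)" }
    }

    # BUILTIN\Administrators is S-1-5-32-544. In the filtered token of a normal
    # console it carries "Group used for deny only" (the "Deny" seen in Process
    # Explorer); in the full token it is enabled and is the token owner.
    $admins    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $adminAttr = if ($admins) { $admins.Attributes } else { 'not present' }

    # .NET's IsInRole returns $false for a deny-only group, so this is a
    # reliable "am I elevated?" test for scripts.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Privileges are listed with their State. In an elevated console
    # SeRestorePrivilege and SeTakeOwnershipPrivilege are normally present but
    # "Disabled": a program has to enable them itself before they take effect.
    $watch = 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege', 'SeDebugPrivilege'
    $privState = @{}
    foreach ($name in $watch) {
        $row = $privs | Where-Object { $_.'Privilege Name' -eq $name }
        $privState[$name] = if ($row) { $row.State } else { 'absent' }
    }

    New-Object PSObject -Property @{
        User                = $id.Name
        Elevated            = $elevated
        IntegrityLevel      = $integrity
        AdministratorsGroup = $adminAttr
        Privileges          = $privState
    }
}

Get-TokenSummary | Format-List
```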
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For a standard account see How to run a program elevated at startup in a standard account when UAC is enabled.
    For an admin account see http://www.howtogeek.com/howto/wind...ortcuts-without-uac-prompts-in-windows-vista/.
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I can't answer all of your questions, since I am mostly a *nix guy, but the Windows Integrity mechanism is a form of mandatory access control that is based on the Biba model of integrity controls. A good explanation of how it all works is here. Also see the Wikipedia page on MIC here.

    Note that this is different from the administrator/user model (which is known as Discretionary Access Controls or DAC.) They have different functions. The main difference is that DAC only assigns read, write and execute permissions to users and groups (known as subjects), whereas a MIC will assign security labels (or tokens) to individual processes (known as objects). That is, a MIC is much more fine-grained and is mandatory and not discretionary. This makes privilege escalation much more difficult than it is with the DAC model because instead of saying what each user has access to, you are saying what each process (or object) can or cannot do regardless of which user has access to it.
     
  6. Xarx

    Xarx Registered Member

    Joined:
    Dec 12, 2010
    Posts:
    14
    Thank you all for the documents provided. It'll take me time to read them all up. If they do not answer my questions, I'll return. ;)

    Sully, I understand the behaviour at the level you were explaining it. What I do not understand is what it means in reality to have two security tokens. Originally I thought that these split tokens have consequences only in the security area, but now it seems that whole user environments (contexts) are split (as if two separate users were logged on). That is, these environments e.g. do not share mapped disks, and elevated processes probably do not inherit user environment variables either. What confuses me is that when I map the disk letters using the "Admin token", the programs that use the "User token" do see the disk letters. This signals that the user environments are in fact not split, and that there is another, more complicated relation between them. Perhaps the integrity model is the answer?

    Martin.
     
  7. katio

    katio Guest

    I think you should enable the hidden Administrator account, then you won't have the problem of two conflicting tokens. Use it for admin purposes only of course (i.e. don't browse the web...)
    The reason for this annoying behaviour I guess is security, same as with the environment sanitisation on suid binaries.
    That's ACL, "owner" is pretty self-explanatory :p You have allow, deny and owner, I think that's it.

    You aren't supposed to have full SYSTEM access, that's how Windows works. Apparently the highest privileges are reserved for itself, not the human user. Don't ask me why, UNIX root surely is much more convenient and never gets in your way like that.
    But maybe this helps:
    http://stackoverflow.com/questions/77528/how-do-you-run-cmd-exe-under-the-local-system-account
    If you ever find yourself in a situation where you can't do something because of missing privileges you could always boot into a PE environment, repair DVD, Linux... and override it that way.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Copying files from a mapped drive to a local directory fails with error “Location is not available” if UAC is enabled
    Mapped Network Drives with UAC on Windows Vista
    Elevation PowerToys
     
  9. Xarx

    Xarx Registered Member

    Joined:
    Dec 12, 2010
    Posts:
    14
    Hello,

    I've read all the documents you pointed me to, and more. I've learned a lot of theoretical information from them. But when it comes to practical advice, little of it actually works on my 64-bit Windows 7. Perhaps because most of the advice is aimed at Windows Vista 32-bit, and things could have changed in Windows 7, or in 64-bit.

    The only solution (from those I tested) that actually works for me is to map drive letters in the registry (see here):
    Code:
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices" /v Z: /t REG_SZ /d "\??\C:\DirectoryName" /f
    It is sufficient for me, but might not be sufficient to someone else as the mappings are global for all users. Though subst lists these mappings, they can't be modified nor deleted (access denied).

    There are other suggested ways to map drive letters that I didn't try:
    • Using Group Policy Preferences (here, Resolution, pt. 3)
      This requires installation of the Group Policy Management Console server and client, and is said to require Active Directory. Even though it might work on a standalone computer, it seems to me like using a hammer on a mosquito.
    • Using runasspc (see here)
      This, perhaps, might work, though there are several real and potential issues, mainly:
      • Every admin user needs to have his own .spc file; when the password is changed, the .spc file needs to be re-generated
      • Does it work silently?
      • Does it execute the program in the already existing user session, or does it create (and then destroy) a new session? In the latter case, the disk letter mappings would not survive longer than a few milliseconds.
    And there are other suggested ways that didn't work for me, most notably:
    • Execute mapping script or program either from "HKCU\Software\Microsoft\Windows\CurrentVer\Run" or from "...\Start Menu\Programs\Startup"
      I was not able to execute the mapping with elevated privileges:
      • .cmd script cannot be set "Properties->Compatibility->Run this program as administrator" because cmd.exe is a 64-bit executable, and the Compatibility tab is grayed out for these. (subst.exe is 64-bit too.)
      • When you use another 32-bit application (such as Visual Subst) and check the "Run this program as administrator", the application is silently not executed upon logon.
        Remark: Even though you modify the Compatibility tab on a program link, the settings actually apply to the executable itself. Hence, if you check "Run this program as administrator" on one link, it actually applies to all links, preventing you from executing the program as a normal user. Thus you cannot have one link for admin and other for non-admin.
    • Using psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553)
      This program needs to install a temporary service, which my security settings do not allow. Even if it is possible to weaken the security so that psexec works, I'm not going to do so.
    • Using runas /trustlevel:"Unrestricted"
      Even at the elevated console, "runas /showtrustlevels" offers only "Basic User".

    Though I know what "Owner" means for files and folders, I do not know what it means for running processes. Please, be more descriptive.

    I still have no solution.

    And some recapitulation:
    Yes, the correspondence is really like that, i.e. "high" integration means elevated process. "Windows integration control" is a good keyword, and the links posted by chronomatic are a good source of information on this.

    Runasspc and similar tools might be used - with the limitations mentioned above. Moreover, it's hard to pass in (dynamically) program arguments, thus this can be used mainly for executing programs via .lnk files or startup batches.

    It is really so: actually two logon sessions exist, one for the normal and the other for the elevated user (both with the same login name). It is not true, however, that disk letters mapped for the elevated user are visible to the corresponding normal user. I don't know why I was persuaded that they are.

    Thank you all, I knew I was asking in the right place :thumb:!

    Martin.
     
    Last edited: Jan 20, 2011
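Since the DOS Devices mappings from the reg add command above are machine-wide and are resolved by elevated processes too, an administrator will want to see which letters exist and where they point. The PowerShell below is an added example, not from the thread or from any tool it mentions; it reads the same registry key, strips the \??\ prefix, and flags any target directory that Everyone, Authenticated Users or BUILTIN\Users can write to (the choice of those three principals is this example's assumption).

```powershell
# Added example (not from the thread): enumerate the machine-wide drive
# letters under the DOS Devices key used above and check each target. These
# mappings are global and are resolved by elevated processes as well, so a
# letter whose target directory is writable by ordinary users is worth
# flagging when auditing a machine.

# Principals whose write access counts as "broad" (assumption of this example):
# Everyone, Authenticated Users and BUILTIN\Users.
$script:BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Test-BroadWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Any of these rights lets the holder change what the letter points at.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $mask = $mask -bor 0x40000000   # GENERIC_WRITE, seen on some inherited ACEs
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable (orphaned) account: skip it
        if ($script:BroadSids -notcontains $sid) { continue }
        if ((([int]$ace.FileSystemRights) -band $mask) -ne 0) { return $true }
    }
    return $false
}

function Get-GlobalDosDevices {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices'
    if (-not (Test-Path $key)) { return @() }
    # Only properties named like "Z:" are drive letters; PowerShell adds
    # PSPath etc. to the object, which are ignored here.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^[A-Za-z]:$' } |
        ForEach-Object {
            $target = $_.Value -replace '^\\\?\?\\', ''   # drop the \??\ NT prefix
            New-Object PSObject -Property @{
                Letter       = $_.Name
                Target       = $target
                Exists       = (Test-Path -LiteralPath $target)
                UserWritable = (Test-BroadWriteAccess -Path $target)
            }
        }
}

Get-GlobalDosDevices | Format-Table Letter, Target, Exists, UserWritable -AutoSize
```

Reading HKLM needs no elevation, so the audit itself can run from a normal console; only the reg add that creates a mapping requires an elevated one.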
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    No, you'll get a UAC prompt. If you want silent, you may want to check out the program in this thread.

    The program run by Runasspc will run in an admin account, exactly as if you'd elevated with UAC.
     
  11. Xarx

    Xarx Registered Member

    Joined:
    Dec 12, 2010
    Posts:
    14
    In that case, for the mere purpose of UAC elevation, it is much easier and more straightforward to use elevate.exe, created e.g. by the same author as runasspc. You need no .spc files, then.
    (And it shows the UAC prompt too.)
     
    Last edited: Jan 21, 2011
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Are you looking for a solution for admin accounts or standard accounts?
     
  13. Xarx

    Xarx Registered Member

    Joined:
    Dec 12, 2010
    Posts:
    14
    For now, I'm trying to get everything working at least as an admin. When I succeed, maybe I'll switch to LUA, and increase the difficulty level of the task ;). There are still plenty of things to be solved, e.g.:
    • When I xcopy a folder, the copy sometimes cannot be deleted.
      I already mentioned this in my previous post, that e.g. an xcopy of "Programs and Files" directory structure cannot be deleted from command line, not even from the elevated command line. Still unsolved.
    • Secure browsing
      Use LUA and SRP? This can result in many programs not working, or in need of heavy configuration changes, so I hesitate. (I already bookmarked several guides how to setup Windows 7 with LUA and SRP. I only need to make time to try them.)
      Use low integrity mode? As far as I know, Firefox doesn't run in low integrity mode.
    • Replace UAC with CIS (Comodo firewall & Defence+)?
      I'm used to CIS from WinXP. This could make browsing more secure too. But for me, it is more important that CIS could replace the UAC alerts that cannot be turned off with those that can be turned off selectively. In other words, CIS is much more configurable. But if I turn UAC alerts off, I actually turn off the whole UAC by this, losing e.g. UAC virtualization. Is it worthwhile? Not to mention that CIS has its own problems, as I learned in Windows XP.
    • etc.

    I have two notebooks, one with Windows XP Pro, and a new one with Windows 7 Enterprise. I want to have both notebooks configured very similarly, for ease of administration, and with the same programs installed. The problem is that the principles according to which I configured my WinXP no longer work in Win7, so I need to learn and think over everything again. And many programs that I used in WinXP no longer work in Win7 (or not correctly). This is very time consuming, and I have little time to spend on this.

    Martin.
     
    Last edited: Jan 22, 2011
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @Xarx,

    I've been running Windows 7 x64 at home as a standard user with AppLocker since April 2010 with few problems. Most programs that I've used work fine with a standard account, provided that UAC virtualization hasn't been disabled. I recommend not disabling UAC.

    Here are some resources:
    Avoid UAC prompts by using an elevated program launcher - this technique also works in a standard account. Use this technique only if the user is trusted with the power this technique gives. I use this technique.
    Anyone running AppLocker? - see post #7 for my AppLocker ruleset.
    How to avoid typing UAC (User Account Control) credentials for selected programs - if you don't like the elevated program launcher method, then see this thread for other ideas. Also see the program mentioned in post #10.
    SRP and IE "Flash" - if you use Adobe Flash with Internet Explorer and also use SRP/AppLocker
    UAC Group Policy Settings and Registry Key Settings - if you want more control over UAC.
    Using Comodo Internet Security as an anti-executable - if you want or need to avoid SRP/AppLocker and want free anti-executable technology.
    What is needed to run your browser in Protected Mode? - Firefox works as low integrity.
    Audit Windows permissions with freeware Windows Permission Identifier - for checking permission weaknesses.
     
    Last edited: Jan 22, 2011