Least Privilege Security for Windows 7, Vista and XP

Table of Contents

Least Privilege Security for Windows 7, Vista and XP

Credits

About the Author

About the Reviewers

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Errata

Piracy

Questions

1. An Overview of Least Privilege Security in Microsoft Windows

What is privilege?

What is Least Privilege Security?

Limiting the damage from accidental errors with Least Privilege Security

Reducing system access to the minimum with Least Privilege Security

Least Privilege Security in Windows

Windows 9.x

Windows NT (New Technology)

Windows 2000

Windows XP

Windows Vista

Windows 7

Advanced Least Privilege Security concepts

Discretionary Access Control

Mandatory Access Control

Mandatory Integrity Control

Role-based Access Control

Least Privilege Security in the real world

Benefits of Least Privilege Security on the desktop

Change and configuration management

Damage limitation

Regulatory compliance

Software licensing

What problems does Least Privilege Security not solve?

Common challenges of Least Privilege Security on the desktop

Application compatibility

System integrity

End user support

Least Privilege and your organization's bottom line

Determining the affect of Least Privilege Security on productivity

Reducing total cost of ownership

Improved security

Summary

2. Political and Cultural Challenges for Least Privilege Security

Company culture

Defining company culture

Culture shock

Culture case studies

Company A

Company B

Getting support from management

Selling Least Privilege Security

Using key performance indicators

Using key risk indicators

Mapping CSFs to KPIs

Security metrics

Threat modeling

Reducing costs

Security adds business value

Setting an example

User acceptance

Least Privilege Security terminology

Justifying the decision to implement Least Privilege Security

Applying Least Privilege Security throughout the enterprise

Deciding whom to exempt from running with a standard user account

What not to do

Managing expectations

Service catalog

Chargebacks

Maintaining flexibility

User education

Summary

3. Solving Least Privilege Problems with the Application Compatibility Toolkit

Quick compatibility fixes using the Program Compatibility Wizard

Applying compatibility modes to legacy applications

Program Compatibility Wizard

Program Compatibility Assistant

Disabling the Program Compatibility Assistant

Excluding executables from the Program Compatibility Assistant

Achieving application compatibility in enterprise environments

Compatibility fixes

Modifying applications using shims

Enhancing security using compatibility shims

Deciding whether to use a shim to solve a compatibility problem

Vendor support

In-house applications

Kernel-mode applications

Creating shims for your legacy applications

Solving compatibility problems with shims

LUA compatibility mode fixes in Windows XP

LUARedirectFS

LUARedirectFS_Cleanup

LUARedirectReg

LUARedirectReg_Cleanup

LUATrackFS

Creating your own custom database

Maxthon on Windows XP

Working with other commonly used compatibility fixes

ForceAdminAccess

CorrectFilePaths

VirtualRegistry

ADDREDIRECT

Working with custom databases

Adding new shims to your custom database (merging custom databases)

Temporarily disabling compatibility fixes

Installing a custom database from Compatibility Administrator

Deploying a database to multiple devices

Finding the GUID of custom database

SDBINST command-line switches

Distributing or updating a custom database using Group Policy

Summary

4. User Account Control

User Account Control components

Elevation prompts

Protected administrator (PA)

Windows Integrity Control and User Interface Privilege Isolation

Application Information Service

Filesystem and registry virtualization

Internet Explorer Protected Mode

The shield icon

User Account Control access token model

Standard user access token

Protected administrator access token

Conveniently elevating to admin privileges

Automatically launching applications with admin privileges

Consent and credential elevation prompts

Consent prompts

Credential prompts

Application-aware elevation prompts

Windows Vista

Publisher verified (signed)

Publisher not verified (unsigned)

Publisher blocked

Administrator accounts

Elevation prompt security

Securing the desktop

Providing extra security with the Secure Attention Sequence (SAS)

Securing elevated applications

Windows Integrity Mechanism

Integrity policies

Assigning integrity levels

User Interface Privilege Isolation

User Interface Privilege Level

UIPI and accessibility

Achieving application compatibility

Application manifest

Power Users

Windows Logo Program

Certification requirements

Filesystem and registry virtualization

Filesystem virtualization

Virtual root directory

Registry virtualization

Virtual root registry

Using Task Manager to determine whether a process is using UAC filesystem and registry virtualization

Windows Installer and User Account Control

Automatically detecting application installers

Controlling User Account Control through Group Policy

Admin Approval Mode for the built-in administrator account

Allowing UIAccess applications to prompt for elevation without using the secure desktop

Behavior of the elevation prompt for administrators in Admin Approval Mode

Behavior of the elevation prompt for standard users

Detect application installations and prompt for elevation

Only elevate executables that are signed and validated

Only elevate UIAccess applications that are installed in secure locations

Run all administrators in Admin Approval Mode

Switch to the secure desktop when prompting for elevation

Virtualize file and registry write failures to per-user locations

What's new in Windows 7 User Account Control

User Account Control slider

Auto-elevation for Windows binaries

Executables

Microsoft Management Console (MMC)

Component Object Model (COM) objects

More settings accessible to standard users

Summary

5. Tools and Techniques for Solving Least Privilege Security Problems

Granting temporary administrative privileges

Granting temporary administrative access using a separate logon (Vista and Windows 7 only)

Creating three support accounts

Creating a policy setting to automatically delete the support account at logoff

Testing the support accounts

Putting into practice

Granting temporary administrative access without a separate logon

Creating a batch file to elevate the privileges of the logged in user

Testing the procedure

Limitations of the procedure

Bypassing user account control for selected operations

Using Task Scheduler to run commands with elevated privileges

Running the Scheduled Task as a standard user

Configuring applications to run with elevated privileges on-the-fly

Solving LUA problems with Avecto Privilege Guard

Defining application groups

Defining access tokens

Configuring messages

Defining policies

Solving LUA problems with Privilege Manager

Defining Privilege Manager rules

Assigning permissions

Adding or removing individual privileges

Specifying integrity levels

Suppressing unwanted User Account Control prompts

Modifying application manifest files

Editing manifests using Resource Tuner

Modifying manifests using the RunAsInvoker shim

Setting permissions on files and registry keys

Identifying problems using Process Monitor

Modifying permissions on registry keys and files with Group Policy

Fixing problems with the HKey Classes Root registry hive

Using Registry Editor to copy keys from HKCR to HKCU

Mapping .ini files to the registry

Using LUA Buglight to identify file and registry access violations

Summary

6. Software Distribution using Group Policy

Installing software using Group Policy

Installing software using Windows Installer

Deploying software using Group Policy

Comparing Group Policy Software Installation with system images for software distribution

Choosing between thin and fat images

Preparing applications for deployment

Extracting .msi files from setup packages

Using WinRAR or 7-Zip to extract .msi files

Using command-line switches for silent installs and customization

Deploying system changes using Group Policy startup scripts

Creating an .msi wrapper

Repackaging an application with a legacy installer

Installing AdminStudio

Configuring AdminStudio's Repackager to run on a remote machine

Installing the remote repackager

Monitoring a legacy installation routine

Customizing an installation package

Customizing Acrobat Reader's MSI installer using Adobe Customization Wizard 9

Using the Distributed File System with GPSI

Creating a DFS namespace

Adding a folder to the namespace

Deploying software using GPSI

Configuring software installation settings

Targeting devices using WMI filters and security groups

Active Directory security groups

Creating a security group to filter a GPO

Windows Management Instrumentation filtering

Upgrading software with GPSI

Uninstalling software with GPSI

Removing software when it falls out of scope of management

Removing .msi packages from Group Policy Objects

Summary

7. Managing Internet Explorer Add-ons

ActiveX controls

Per-user ActiveX controls

Changing the installation scope to per-user

Best practices

Deploying commonly used ActiveX controls

Deploying Adobe Flash and Shockwave Player

Deploying Microsoft Silverlight

ActiveX Installer Service

Enabling the ActiveX Installer Service

Using the GUI to install the ActiveX Installer Service

Using the command line to install the ActiveX Installer Service

Determining the ActiveX control host URL in Windows 7

Determining the ActiveX control host URL in Windows Vista

Configuring the ActiveX Installer Service with Group Policy

Testing the ActiveX Installer Service

Managing add-ons

Administrator approved controls

Determining the Class Identifier CLSID of an installed ActiveX control

Adding ActiveX controls to the Add-on List

Summary

8. Supporting Users Running with Least Privilege

Providing support

Preparing to support least privilege

Troubleshooting using remote access

Troubleshooting for notebook users

The notebook challenge

Having the right tools in place

Notebook users who seldom visit the office

Setting out IT policy

Other functions the help desk might require

The last resort: An administrative backdoor for notebooks

Enabling and using command-line remote access tools

WS-Management

Configuring WS-Management with Group Policy

Connecting to remote machines using WS-Management

Running standard Windows commands as an administrator on remote computers

Enumerating information using Windows Management Instrumentation

Performing actions on remote computers as an administrator using WMI methods

Connecting to WS-Management 1.1 from Windows Server 2008 R2

Working with WS-Management security

Automating administration tasks using PowerShell Remoting

Enabling and using graphical remote access tools

Enabling Remote Assistance

Different types of Remote Assistance

Enabling Remote Assistance via Group Policy

Offering a computer unsolicited Remote Assistance: DCOM

Sending Remote Assistance invitations

Initiating Remote Assistance from the command line

Connecting to remote PCs using Easy Connect

Enabling Remote Assistance with Network Address Translation

Remote Desktop

Connecting to a remote computer using the Microsoft Management Console (MMC)

Configuring Windows Firewall to allow remote access

Creating a GPO for Windows Firewall in Windows 7

Importing Windows 7 Firewall rules to a GPO

Modifying the default Windows Firewall rules

Adding additional inbound exceptions for remote administration

Creating a WMI filter to restrict the scope of management to Windows 7

Linking the new GPO to the Client OU

Checking the GPO applies to Windows 7

Creating a GPO for Windows Firewall in Vista

Enabling the Remote Assistance and Remote Administration inbound exceptions for the Domain profile

Creating a WMI query for Windows Vista

Creating a GPO for Windows Firewall in Windows XP

Configuring GPO settings

Creating an exception for WS-Management

Creating an exception for Remote Desktop

Creating an exception for Remote Administration

Creating an exception for Remote Assistance

Creating a WMI filter to restrict the scope of management to Windows XP

Linking the new GPO to the Client OU

Summary

9. Deploying Software Restriction Policies and AppLocker

Controlling applications

Blocking portable applications

Securing Group Policy

Preventing users from circumventing Group Policy

Implementing Software Restriction Policy

Creating a whitelist with Software Restriction Policy

Defining hash rules

Defining path rules

Trusting software signed by a preferred publisher (Certificate Rules)

Making exceptions for IE zones (Network/Internet Zone Rule)

Creating a whitelist with Software Restriction Policy

Configuring applications to run as a standard user

AppLocker

Automatically generating AppLocker rules

Manually creating an AppLocker rule to blacklist an application

Importing and exporting AppLocker rules

Summary

10. Least Privilege in Windows XP

Installing Windows XP using the Microsoft Deployment Toolkit

Providing a Volume License product key for an MDT XP Task Sequence

Windows XP security model

Power users

Network Configuration Operators

Support_<1234>

User rights

Modifying logon rights and privileges

Logon rights

Privileges

CD burning

Third-party CD/DVD burning software

Nero Burning ROM

Installing Nero BurnRights

Configuring Nero BurnRights from the command line

Allowing non-administrative users to burn discs in CDBurnerXP

Additional security settings

Restricting access to removable media

ActiveX controls

Flash Player

Acrobat Reader

Silverlight

Other popular ActiveX controls

RealPlayer

QuickTime

Sun Java Runtime Environment

Alternatives to QuickTime and RealPlayer

Changing the system time and time zone

Changing the system time

Changing the time zone

Setting time zone registry permissions using a GPO

Power management

Managing power settings with Group Policy Preferences

Creating a GPO startup script to install GPP CSEs

Configuring power options using Group Policy Preferences

Configuring the registry for access to power settings

Managing network configuration

Configuring Restricted Groups

Identifying LUA problems using Standard User Analyzer

Summary

11. Preparing Vista and Windows 7 for Least Privilege Security

The Application Compatibility Toolkit

Application Compatibility Manager

Installing and configuring ACT

Creating a Data Collection Package

Analyzing data collected by ACT

The application attempted to store a file in a restricted location

The application attempted to store a file in a system location that was virtualized by Windows Vista

The application attempted to open a restricted registry key and write to a restricted registry location

The application attempted to store information under the HKEY_LOCAL_MACHINE\SOFTWARE registry hive

Printers and Least Privilege Security

Installing printers using Group Policy Preferences

Installing printers using Windows Server 2003 Print Management and Group Policy

Installing printers using a script

Logon scripts

Synchronizing the system time

Updating antivirus definitions

Changing protected system configuration

Mapping network drives and printers

Creating desktop shortcuts

Why do a desktop refresh from a technical perspective?

Different methods of reinstalling Windows

Manual, non-destructive install

Automated install

Reinstall Vista or Windows 7 with Least Privilege Security

Installing the Microsoft Deployment Toolkit

Creating a deployment share

Adding an operating system image

Adding core packages to our Lite Touch installation

Creating a Lite Touch task sequence

Updating our deployment share

Preserving default local group membership

Refreshing our OS with the Windows Deployment Wizard

Summary

12. Provisioning Applications on Secure Desktops with Remote Desktop Services

Introducing Remote Desktop Services

Installing Remote Desktop Session Host and Licensing roles

Controlling access to the Remote Desktop Server

Installing the Remote Desktop Gateway

Creating Connection (CAP) and Resource (RAP) Authorization Policies

Installing the RD Gateway SSL Certificate in Windows 7

Connecting to a Remote Desktop Server via an RD Gateway from Windows 7

Installing applications on Remote Desktop Servers

Publishing applications using Remote Desktop Services

Adding applications to the RemoteApp Manager

Managing Remote Desktop Services licenses

Understanding Remote Desktop Licensing

Revoking Per Device Remote Desktop Services Client Access Licences

Tracking Per User Remote Desktop Services Client Access Licences

Installing Remote Desktop Web Access

Configuring RSS for advertising RemoteApps in Windows 7

Understanding Remote Desktop and Virtual Desktop Infrastructures

Scaling with Remote Desktop Services

Summary

13. Balancing Flexibility and Security with Application Virtualization

Microsoft Application Virtualization 4.5 SP1 for Windows desktops

Isolating applications with SystemGuard

Deploying App-V

Deploying App-V using the standalone model

Deploying App-V using the streaming model

Deploying App-V using the full infrastructure

Creating a self-service system with App-V for standard users

Enforcing security descriptors

Emulating Application Programming Interface (API)

Solving App-V compatibility problems with shims

Sequencing an application for App-V

Installing the sequencer

Installing the client

Streaming applications with an App-V Server

Installing Microsoft System Center Application Virtualization Streaming Server

Deploying and managing applications for users who never connect to the corporate intranet

Updating applications and Differential Streaming

Active Update

Override URL

VMware ThinApp

Summary

14. Deploying XP Mode VMs with MED-V

Solving least privilege security problems using virtual machines

Virtual PC and Windows 7 XP Mode

Differentiating between App-V and XP Mode

Setting up Windows 7 XP Mode

Launching applications installed in XP Mode from the Windows 7 Start menu

Security concerns when running XP Mode

Microsoft Enterprise Desktop Virtualization (MED-V)

Installing MED-V 1.0 SP1

Installing the Image Repository

Installing the MED-V Server component

Installing the MED-V Management Console

Preparing a virtual machine for use with MED-V

Working with the MED-V Management Console

Importing a VM for testing

Creating a usage policy

Testing the workspace and usage policy

Packing the VM for use with the MED-V Server

Uploading the VM image to the MED-V Server

Testing the uploaded VM image

Summary

Index