
White Paper

Least Privilege Application Compatibility for Windows 7 Migrations

Abstract
Microsoft has done a great deal of exceptional work in improving Windows 7 from its
predecessor, Windows Vista. Organizations who decided to skip the upgrade to Windows
Vista, and go directly to Windows 7 should be excited. Windows 7 provides vast
improvements over Windows XP and Windows Vista from a security and usability
perspective.

This paper will give you an overview of the new technology built into the Windows 7
operating system, and how this technology can help your enterprise complete its
migration. We will also surface some of the confusion around what those technologies
mean from a security perspective, especially when removing administrative privileges from
your users.

www.beyondtrust.com
BeyondTrust – Corporate Headquarters
30401 Agoura Road, Suite 200
Agoura Hills, CA 91301 USA
Phone: +1 800-234-9072
Table of Contents

Introduction ... 3
Windows 7 UAC ... 3
Windows 7 UAC Security Vulnerability ... 5
Registry and File System Virtualization ... 6
Application Compatibility Toolkit (ACT) ... 7
Virtualization ... 8
AppLocker ... 9
RunAs Administrator (Compatibility) ... 10
Conclusion ... 10
About BeyondTrust ... 11

2 Least Privilege Application Compatibility for Windows 7 Migrations © 2010. BeyondTrust Software, Inc.
Introduction

The massive move to Windows 7 that is anticipated over the next several months poses
some unique challenges, but it also presents some incredible opportunities. One of the
biggest challenges that organizations will face is with application compatibility, and one of
the biggest opportunities is to improve security.

Microsoft has done a great deal of exceptional work in improving Windows 7 from its
predecessor, Windows Vista. Organizations who decided to skip the upgrade to Windows
Vista, and go directly to Windows 7 should be excited. Windows 7 provides vast
improvements over Windows XP and Windows Vista from a security and usability
perspective.

This paper will give you an overview of the new technologies built into Windows 7 and
how those technologies can help you in your migration. We will also surface some of the
confusion around what those technologies mean from a security perspective, especially
when removing administrative privileges from your users.

Windows 7 UAC
User Account Control (UAC) has undergone a makeover from its debut in Windows Vista.
Microsoft has reduced the number of prompts that UAC presents when a user is logged in
to Windows. Microsoft implemented UAC to help prevent unauthorized changes to the
operating system. UAC is designed to prompt a user when a task is performed in Windows
that requires administrative privileges. For users who are logged in as a “Protected
Administrator,” the prompt simply asks for consent:

If the Protected Administrator selects Yes, the operation is allowed to continue with
elevated privileges. The user is called a “Protected Administrator” because he is actually
operating with two tokens: one is a “Standard User” token, the other is an
“Administrator” token. All tasks that the user performs are done as a “Standard User” until
the user answers Yes to a UAC dialog. Once this happens, the user switches to the
Administrator token, and the task is elevated to administrator status.

Microsoft and security experts all agree that users should avoid operating as an
administrator, with a full administrator token all the time, because it leaves the
operating system extremely vulnerable to various security problems, including
malware and malicious use.

With UAC, the user is notified whenever they elevate themselves to administrator for
specific tasks to warn them of the potential for harm. The problem with this approach in
corporate environments is that this strategy leaves the security decision up to the end
user.

Therefore, it is best to avoid configuring users as Protected Administrators, and make sure
they are configured as Standard Users. Standard Users have a different experience with
UAC: instead of a simple prompt for consent, they are asked for the password of an
administrative user:

If the Standard User has the password for an administrator account, the process or
application would run successfully. However, it would be running under a different
account, without the security context of the actual end user. Essentially, this is an
enhanced RunAs operation. Further, it only works if the user has an administrator
password, or if someone else enters the administrator password for the user (over-the-
shoulder credentials). Giving users administrator passwords will just lead to abuse, and
over-the-shoulder credentials will only increase the load on the helpdesk.

Since the introduction of Windows Vista, organizations have been asking Microsoft to
provide a way to manage a list of applications that would silently elevate applications and
bypass the UAC prompts. Here is Microsoft’s response to this request:

“End users have been asking for Windows to provide a way to add arbitrary
applications to the auto-elevate list since the Windows Vista beta… Windows 7, just like
Windows Vista, doesn't provide such a capability.”

Mark Russinovich, Technical Fellow at Microsoft, Inside Windows 7 User Account Control,
http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

Windows 7 UAC Security Vulnerability

The reduction of UAC prompts in Windows 7 has also introduced a security vulnerability
that has been widely publicized. The security vulnerability only exists when a user is
logged on as a Protected Administrator, and therefore it is wise to again make sure that
users always log in as Standard Users. The default UAC setting for Administrators is to not
notify (prompt) when the user makes changes to Windows settings:

This setting will silently elevate certain actions in Windows that would typically prompt.
This introduces a code injection vulnerability whereby the user or malware could execute
code that silently elevates anything that the user or malware wishes, making it easy
for a user or malware to take full administrative control over the machine. The
vulnerability has been widely publicized; more information, including proof-of-concept
code and a video, can be found here:

http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/
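The following PowerShell script is an added example, not part of the BeyondTrust paper: it reads the UAC policy values that drive the prompts described in the two sections above and reports whether the current logon is a Standard User, a Protected Administrator (split token) or a fully elevated administrator. The registry value names are the standard UAC policy settings; the “Group used for deny only” marker is how whoami.exe labels the Administrators group inside a filtered token.

```powershell
# Added example (not from the BeyondTrust paper). Audits UAC policy and classifies
# the current logon. Works with the PowerShell 2.0 shipped in Windows 7.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

# Documented meanings of ConsentPromptBehaviorAdmin (the "Administrators" slider).
# 5 is the Windows 7 default: Windows components elevate silently, other binaries prompt.
$adminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
# Documented meanings of ConsentPromptBehaviorUser (what a Standard User sees).
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

Write-Host ("EnableLUA (UAC enabled)    : {0}" -f $uac.EnableLUA)
Write-Host ("ConsentPromptBehaviorAdmin : {0} - {1}" -f $uac.ConsentPromptBehaviorAdmin,
            $adminBehavior[[int]$uac.ConsentPromptBehaviorAdmin])
Write-Host ("ConsentPromptBehaviorUser  : {0} - {1}" -f $uac.ConsentPromptBehaviorUser,
            $userBehavior[[int]$uac.ConsentPromptBehaviorUser])
Write-Host ("PromptOnSecureDesktop      : {0}" -f $uac.PromptOnSecureDesktop)

# Classify the logon. In a Protected Administrator's filtered token, whoami lists
# BUILTIN\Administrators (S-1-5-32-544) with the attribute "Group used for deny only";
# a Standard User does not carry that group at all.
$groups    = whoami /groups /fo csv | ConvertFrom-Csv
$adminsRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($null -eq $adminsRow) {
    $kind = 'Standard User'
} elseif ($adminsRow.Attributes -match 'deny only') {
    $kind = 'Protected Administrator (split token, currently not elevated)'
} elseif ($elevated) {
    $kind = 'Administrator (full token, elevated)'
} else {
    $kind = 'Member of Administrators (token state unknown)'
}
Write-Host "Current logon              : $kind"

# Flag the two conditions the paper warns about: users who are administrators at all,
# and the silent-elevation default that the publicized Windows 7 UAC bypass relies on.
if ($null -ne $adminsRow) {
    Write-Warning 'This account is a member of Administrators; it should be a Standard User.'
}
if ($uac.EnableLUA -eq 1 -and ((0, 5) -contains [int]$uac.ConsentPromptBehaviorAdmin)) {
    Write-Warning 'Administrators elevate silently for Windows binaries; "Always notify" (value 2) closes this gap.'
}
```

Run it in the user's own (non-elevated) session; an elevated PowerShell window always reports a full token.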
Registry and File System Virtualization

In Windows Vista, Microsoft introduced Registry and File System Virtualization to solve
some of the problems with application compatibility. Some applications require full access
to certain areas of the operating system that are off limits to standard users. These
applications might try to write data to the “Program Files” directory or the
“HKEY_LOCAL_MACHINE” hive of the registry, for example. Standard users do not have
permission to write to these areas of the file system and registry, so when a user launched
an application on Windows XP that needed access to these locations, they would
eventually see an error when the application tried to access data stored in these locations.

In Windows Vista and Windows 7, Microsoft has redirected the access to these locations to
a virtual store in an area of the operating system that the user has access to. This attempt
to solve the problem of application compatibility for apps that need rights to areas of the
file system or registry that are off limits to a standard user introduces several problems.
One example is that applications may not be compatible with each other.

For example, if an application has written data to a virtual store, another application that
needs access to the data in the virtual store will not be able to access it. A similar problem
occurs when an application stores data in a virtual store and multiple users of the same
machine need access to it. A simplified example of this would be a game that stores its
high score file in the “Program Files” directory. With file system virtualization, the high
score file would be stored in the users’ profile, instead of Program Files, and thus any
subsequent player would store a copy of the high score in their profile. This means that
every user of the machine would have the high score! Imagine how this might impact line
of business applications that multiple people use on the same machine.

Another issue with registry and file system virtualization is the fact that it can cause
significant confusion for end users. If an end user has traditionally stored files in a directory
that will be virtualized in Windows 7, the user will not know where to go to get the files if
they need to copy, view or email them, because the files will no longer be where the
end user intended to store them; they will actually be in the virtual store in the user’s
profile.

Reads and writes to the following location:

C:\Program Files (x86)\My Application A

would be redirected to the virtual store:

C:\Users\%username%\AppData\Local\VirtualStore\Program Files (x86)\My Application A

All subsequent access for that specific application would be redirected to this location as
well; however, other applications that need access to this data will not know where to go
to get it because it has been virtualized.
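As an added example (not from the paper), the following PowerShell script inventories what virtualization has already redirected for the current user, mapping each virtual-store item back to the location the application was actually trying to write. The file location is the VirtualStore path given above; the registry equivalent, HKCU\Software\Classes\VirtualStore\MACHINE, is the standard location Windows uses for redirected HKEY_LOCAL_MACHINE writes.

```powershell
# Added example (not from the BeyondTrust paper). Lists files and registry keys that
# UAC virtualization has redirected for the current user, with the intended path,
# so applications that still need Program Files or HKLM access can be found before
# administrator rights are removed.

$fsStore  = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
$sysDrive = $env:SystemDrive   # VirtualStore paths are relative to the system drive

$items = @()

# --- File system: %LOCALAPPDATA%\VirtualStore\<original path under C:\> --------------
if (Test-Path $fsStore) {
    Get-ChildItem -Path $fsStore -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Strip the store prefix; the remainder (starting with "\") is the original path
            $relative = $_.FullName.Substring($fsStore.Length)
            $items += New-Object PSObject -Property @{
                Kind         = 'File'
                IntendedPath = "$sysDrive$relative"
                VirtualPath  = $_.FullName
                LastWrite    = $_.LastWriteTime
            }
        }
} else {
    Write-Host "No file virtual store exists for $env:USERNAME."
}

# --- Registry: HKCU\...\VirtualStore\MACHINE\SOFTWARE\X  ->  HKLM\SOFTWARE\X --------
if (Test-Path $regStore) {
    Get-ChildItem -Path $regStore -Recurse |
        ForEach-Object {
            $relative = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', ''
            $items += New-Object PSObject -Property @{
                Kind         = 'Registry'
                IntendedPath = "HKLM:\$relative"
                VirtualPath  = $_.Name
                LastWrite    = $null
            }
        }
} else {
    Write-Host "No registry virtual store exists for $env:USERNAME."
}

$items | Sort-Object Kind, IntendedPath |
    Format-Table Kind, IntendedPath, VirtualPath, LastWrite -AutoSize

# Each distinct top-level folder or key is one application that writes where a
# Standard User cannot; these are the candidates that ACT shims or vendor fixes must address.
$apps = $items | ForEach-Object { ($_.IntendedPath -split '\\')[0..2] -join '\' } | Sort-Object -Unique
Write-Host ("{0} virtualized location(s) found for {1}." -f @($apps).Count, $env:USERNAME)
```

Run it as each user who shares a machine to see the per-profile copies the high-score example above describes.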
Application Compatibility Toolkit (ACT)

Organizations that make the move to Windows 7 from Windows XP or Windows Vista can
take advantage of a free tool from Microsoft called the Application Compatibility Toolkit
(ACT). ACT is designed to identify and fix compatibility problems with applications that
will be migrated to Windows 7.

Description from Microsoft’s website:

http://www.microsoft.com/downloads/details.aspx?familyid=24da89e9-b581-47b0-b45e-492dd6da2971&displaylang=en

“The Microsoft Application Compatibility Toolkit (ACT) 5.5 helps customers understand
their application compatibility situation by identifying which applications are compatible
with the Windows 7 RC and Windows Vista® operating system and which require further
testing. ACT helps customers lower their costs for application compatibility testing,
prioritize their applications, and deploy Windows more quickly.

You can use the ACT features to:

• Verify an application's compatibility with a new version of the Windows operating
system, or a Windows Update, including determining your risk assessment.
• Become involved in the ACT Community, including sharing your risk assessment
with other ACT users.
• Test your Web applications and Web sites for compatibility with new releases and
security updates to the Windows® Internet Explorer® Internet browser.”

ACT is a critical part of any move to Windows 7, however, for applications that
require administrative privileges, ACT will not help. ACT is designed to help identify
and fix problems with general application compatibility, regardless of the user type. For
example, if you have an application in your portfolio that refuses to run on Windows 7, it is
likely that ACT will help you to get it to run on Windows 7.

If that same application also requires administrator privileges, you will still end up getting a
UAC prompt when you run the application. As has been discussed in this paper, it is
important to not give users administrator passwords or make users administrators to deal
with these problems and unfortunately, ACT does not have the capability to “fix” or “shim”
applications that require administrator privileges.

Virtualization

Virtualization has become a hot buzzword over the past several years, and for good reason.
With the introduction of Virtual PC several years ago, and now with Windows XP Mode,
Microsoft Enterprise Desktop Virtualization (Med-V) & Application Virtualization (App-V),
Microsoft is no stranger to virtualization.

With all these technologies, it is easy to understand that there is significant confusion in
the market about what virtualization means for privilege management, specifically the
ability for virtualization to help with the removal of administrative rights from users.
While virtualization can add enormous value in many areas, many organizations will rely
on virtualization to help specifically with application compatibility problems.

For example, if an organization cannot get an application to run on Windows 7, even after
trying to shim the application with the Application Compatibility Toolkit, the ability to
virtualize the application with one of the technologies listed above is available.

Unfortunately, virtualization does not help with the elimination of administrative
privileges; it simply shifts the problem from a physical world to a virtual world. Some
organizations may be comfortable with loosened security for their virtual environments,
but most will want the same level of security in the virtual environment as they have in the
physical environments, which means enforcing least privilege in the virtual world as well as
the physical world.

Removing administrator privileges from accounts on virtual machines is still a critical part
of an organization’s security posture. If organizations wish to virtualize applications or
desktops, and the users still need to perform administrative tasks or run applications that
require administrative rights in the virtual environment, then the user will need to be
logging in as an administrator. This means that the virtual environment is still subject to
the same security issues as when the user is logged in to a physical machine.

AppLocker
AppLocker is a new and exciting technology in Windows 7 that can drastically improve
desktop security in some organizations. AppLocker allows administrators to create a
whitelist of all approved applications that are allowed to run on a computer, any other
applications or executables would not be allowed to run. On the surface, this appears to
be the security silver bullet; however, there are some things to be aware of when looking
to AppLocker to help improve your security.
For example, if any of the applications that are on the AppLocker whitelist require
administrator privileges, the user will need to be configured as a local administrator or
they will at the very least still need an administrator password to answer UAC prompts.
AppLocker cannot automatically elevate applications that are on the whitelist. If the user
is configured as a local administrator, or has a local administrator password, it is easy to
circumvent the control that AppLocker provides.

The easiest way to circumvent the controls is by booting in SafeMode and disabling the
AppID Service. Since the user is an administrator, they would have full control to do this.
Thus, removing administrator privileges from the user is critical to prevent the malicious
user from circumventing these controls. If the user is not an administrator, AppLocker
becomes much more effective, but organizations still need to find a way to deal with the
applications that are on the whitelist that require administrator privileges.

There is also the question of the management of the whitelist. In smaller organizations
that have relatively static environments, the combination of eliminating administrative
rights and AppLocker is viable. Unfortunately, the whitelist scales with the size of the
organization. As the company gets bigger, the whitelist gets bigger, and can become
completely unmanageable very quickly. In larger organizations, it becomes nearly
impossible to quickly react to users who need new applications placed on the whitelist.

When organizations choose to forgo the implementation of AppLocker for whitelisting,
removal of administrator privileges becomes even more important. Most applications
require administrator privileges to install, and if organizations wish to prevent unknown
applications from entering the environment, removal of administrator privileges can add
significant value.
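The PowerShell script below is an added example, not part of the paper, that checks the three conditions the AppLocker section says decide whether the whitelist actually holds: the effective policy is in enforce mode, the Application Identity service (AppIDSvc) is running and set to start automatically, and the local Administrators group, whose members can stop that service, contains nobody who should not be there. It uses the AppLocker cmdlets that ship with Windows 7 Enterprise/Ultimate; the member list is read through ADSI.

```powershell
# Added example (not from the BeyondTrust paper). AppLocker health check for one host.
Import-Module AppLocker

# 1. Effective policy: the merge of local and domain policies applied to this computer.
#    EnforcementMode is one of NotConfigured, AuditOnly, Enabled; only Enabled blocks.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
$collections = @($policyXml.AppLockerPolicy.RuleCollection | Where-Object { $_ })
if ($collections.Count -eq 0) {
    Write-Warning 'No AppLocker rule collections are in effect on this computer.'
}
foreach ($coll in $collections) {
    $ruleCount = @($coll.ChildNodes).Count
    Write-Host ("{0,-7} rules: {1,4}  mode: {2}" -f $coll.Type, $ruleCount, $coll.EnforcementMode)
    if ($coll.EnforcementMode -ne 'Enabled') {
        Write-Warning ("{0} collection is {1}; nothing in it is being blocked." -f $coll.Type, $coll.EnforcementMode)
    }
}

# 2. Rules are evaluated only while AppIDSvc runs; a stopped or Manual service
#    silently turns AppLocker off, which is exactly what the Safe Mode bypass relies on.
$svc       = Get-Service -Name AppIDSvc
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'").StartMode
Write-Host ("AppIDSvc status: {0}, start mode: {1}" -f $svc.Status, $startMode)
if ($svc.Status -ne 'Running' -or $startMode -ne 'Auto') {
    Write-Warning 'AppIDSvc is not running with Automatic start; AppLocker rules are not enforced.'
}

# 3. Every local administrator can stop AppIDSvc or boot into Safe Mode, so the
#    whitelist is only as strong as this list is short.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
}
Write-Host "Local Administrators: $($members -join ', ')"
$extra = @($members | Where-Object { $_ -ne "$env:COMPUTERNAME/Administrator" })
if ($extra.Count -gt 0) {
    Write-Warning "Accounts able to bypass AppLocker by disabling AppIDSvc: $($extra -join ', ')"
}

# 4. Sanity check that the effective policy evaluates as expected, without running
#    anything: ask what decision it would make for a well-known binary.
$policyObj = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policyObj -Path "$env:SystemRoot\System32\cmd.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```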

RunAs Administrator (Compatibility)

On the compatibility tab of the properties sheet on applications installed on Windows 7 is
a Privilege Level option available to set the privileges that an application will run with
when launched. On the surface, checking this option appears to force an application to
run with administrative privileges when launched, however, what it actually does is force a
UAC prompt when the application runs.

In this example, we are modifying the Privilege Level of Microsoft Word. By default, Word
will run successfully when launched by a Standard User or a Protected Administrator,
without a UAC prompt because Word does not need administrator privileges to run.
However, let us say for some reason you wanted Word to run with Administrator Privileges.
To do this you have two options: you can right-click winword.exe and select Run as
administrator, which will prompt with a UAC dialog and ask for consent (Protected
Administrator) or an administrator password (Standard User).

The other option is to force the application to Run as administrator all the time, and
therefore prompt every time it is started, by checking the “Run this program as an
administrator” option, as shown above. This option really controls UAC prompts on a per
process basis; it does not automatically elevate applications or bypass UAC prompts.
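Checking the “Run this program as an administrator” box stores a RUNASADMIN compatibility layer for that executable under the AppCompatFlags\Layers registry key (HKCU for the current user, HKLM when applied to all users). The PowerShell script below is an added example, not part of the paper, that lists every program carrying that flag, which is the set of applications that will prompt on every launch and therefore break for a Standard User.

```powershell
# Added example (not from the BeyondTrust paper). Enumerates programs forced to
# "Run as administrator" through the compatibility tab. Value names under Layers are
# executable paths; value data is a space-separated list of layers, e.g. "RUNASADMIN"
# or "~ RUNASADMIN HIGHDPIAWARE" (newer Windows versions prefix the list with "~").

$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
# Properties that Get-ItemProperty adds to every result and that are not registry values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$results = @()
foreach ($key in $layerKeys) {
    if (-not (Test-Path $key)) { continue }
    if ($key -like 'HKCU:*') { $scope = 'Current user' } else { $scope = 'All users' }

    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $layers = @([string]$p.Value -split '\s+' | Where-Object { $_ -and $_ -ne '~' })
        $results += New-Object PSObject -Property @{
            Scope       = $scope
            Executable  = $p.Name
            RunAsAdmin  = ($layers -contains 'RUNASADMIN')
            OtherLayers = (@($layers | Where-Object { $_ -ne 'RUNASADMIN' }) -join ' ')
            Exists      = (Test-Path -LiteralPath $p.Name)   # stale entries survive uninstalls
        }
    }
}

$results | Sort-Object Scope, Executable |
    Format-Table Scope, Executable, RunAsAdmin, OtherLayers, Exists -AutoSize

$forced = @($results | Where-Object { $_.RunAsAdmin -and $_.Exists })
if ($forced.Count -gt 0) {
    Write-Warning ("{0} installed program(s) will show a UAC prompt on every launch:" -f $forced.Count)
    $forced | ForEach-Object { Write-Warning ("  [{0}] {1}" -f $_.Scope, $_.Executable) }
} else {
    Write-Host 'No program is forced to run as administrator via the compatibility tab.'
}
```

The HKLM list is machine-wide and can be read by any user; only the HKCU list of the user running the script is visible, so run it per user or via a logon script to cover every profile.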

Conclusion
Microsoft has made significant improvements in Windows 7 over Windows Vista and XP,
and organizations that make the move to Windows 7 will find more tools and technologies
built in to help with migrations of any size. When making the move to Windows 7,
consider what it will take to go the next step and remove administrator privileges from
your end users, drastically improving security.

This paper has described in detail all of the technologies that Microsoft has provided that
attempt to improve security, deal with application compatibility and also to clear up the
misconception that there is technology built in to Windows 7 that helps you to remove
administrative privileges. There are a number of things to consider when taking on a
project to roll out a new operating system and security is at the top of the list. There is no
better time to improve security than when you roll out a brand new desktop to your users.

About BeyondTrust
Founded in 1985, BeyondTrust is the global leader in privilege authorization management,
access control and security solutions for virtualization and cloud computing environments.
BeyondTrust empowers IT governance to strengthen security, improve productivity, drive
compliance and reduce expense.

The company’s products eliminate the risk of intentional, accidental and indirect misuse of
privileges on desktops and servers in heterogeneous IT systems. More than half of the
companies listed on the Dow Jones Industrial Average rely on BeyondTrust’s PowerBroker
suite of products to secure their enterprises. Five of the top ten commercial banks and two
of America’s largest private companies have adopted PowerBroker to secure guest
operating systems and ESX hypervisors in a virtualized environment.

For more information, visit www.beyondtrust.com.

