
Least Privilege Security for Windows 7, Vista, XP – New Book from PACKT Publishing

Hello folks, I have just started to review a book, “Least Privilege Security for Windows 7, Vista, and XP”, written by Russell Smith. Windows OS engineering and application platforms have always fascinated me ever since I started packaging applications. I hope this book gives me lots of information, which I can further share with you all!

Looking from the technology perspective, the contents of this book can be broadly classified into these sections:

  • An overview of least privilege security in the Microsoft Windows operating system, and how to solve least privilege problems with the Application Compatibility Toolkit.
  • A detailed explanation of User Account Control (UAC), covering concepts such as the access token model, elevation prompt security, and configuring UAC through Group Policy.
  • Software distribution using Group Policy and Windows Installer.
  • Managing Internet Explorer add-ons, and best practices for deploying commonly used ActiveX controls. If you don’t know what this is, you can visit
  • Supporting users running with least privilege, deploying Software Restriction Policies and AppLocker, and preparing Vista and Windows 7 for least privilege security.
  • Provisioning applications on secure desktops with Remote Desktop Services, balancing flexibility and security with application virtualization, and deploying XP Mode VMs with MED-V.

I shall post a detailed review of this book soon. Until then, you can read this free chapter, Chapter 3 – Solving Least Privilege Problems with the Application Compatibility Toolkit, and let me know your comments and reviews.

You can also order the book online here from PACKT Publishing.

About the Author: Russell Smith specializes in the management and security of Microsoft-based IT systems. He is a Contributing Editor for CDW’s BizTech magazine and writes regularly for the industry journal Windows IT Professional. Russell is also a contributing author to Supporting and Troubleshooting Applications on a Microsoft Windows Vista Client for Enterprise Support Technicians, from Microsoft’s Official Academic Course (MOAC) series of books published by Wiley and Sons. He is an independent IT consultant and MCSE with more than ten years of experience. Russell’s recent projects include Active Directory Security Consultant for the UK Health Service National Programme for Information Technology (NPfIT) and Exchange Architect for Wipro Technologies. Russell also has extensive experience as an IT trainer.


Office 2010 Protected View and Adobe Reader Protected Mode – Sandbox

Beginning with Office 2010 you may have observed that when you open a document, spreadsheet or presentation that came from the Internet or another untrusted location, it first opens read-only in Protected View; only with your consent does it let you edit the file. This is implemented using a Windows sandboxing technique: the rendering happens in a restricted process that cannot write to the rest of the system.

Office 2010 Protected View

Now Adobe is working towards a similar sandbox technology, ‘Protected Mode’, for its Reader product. Protected Mode is based on Microsoft’s Practical Windows Sandboxing technique. Adobe has been working closely with the Microsoft Office security team and the Chrome team at Google, as well as third-party consultancies and other external stakeholders, to leverage their sandboxing knowledge and experience.

An excerpt from the official blog post says –

“With Adobe Reader Protected Mode enabled (it will be by default), all operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment, the “sandbox.” Should Adobe Reader need to perform an action that is not permitted in the sandboxed environment, such as writing to the user’s temporary folder or launching an attachment inside a PDF file using an external application (e.g. Microsoft Word), those requests are funneled through a “broker process,” which has a strict set of policies for what is allowed and disallowed to prevent access to dangerous functionality. “

Personally, I have been the biggest fan of User Account Control (UAC) ever since it was implemented in the Windows operating system. Focusing on a standard user environment always gives various benefits w.r.t. security and stability. Modern OSes have demanded this change in the way applications are built and developed. Office and Adobe compete on many fronts in the industry, but they’ve put all that aside when it comes to helping protect customers from security issues.

It’s really good to see two big players share their solutions and approach; this definitely gives the much-needed “end user experience”.

Courtesy: you can read the official announcement from the Adobe team here.
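The quoted design has two effects an administrator can observe once a Reader build with Protected Mode is installed, and the following PowerShell is an added example (not part of the original post, nor Adobe’s or Microsoft’s code) that checks for both: the documented Reader preference bProtectedMode under the user’s Privileged key (with its FeatureLockDown twin, which administrators use to force the setting), and the second AcroRd32.exe process, the sandboxed renderer, whose parent is the broker. The “10.0” version segment in the registry paths is an assumption for Reader X.

```powershell
# Added example, not from the original post. Checks whether Adobe Reader's
# Protected Mode sandbox is configured and actually running.
# Assumption: registry paths use the Reader X version segment '10.0'.
function Get-ReaderProtectedModeSetting {
    param([string]$Version = '10.0')
    $userKey   = "HKCU:\Software\Adobe\Acrobat Reader\$Version\Privileged"
    $policyKey = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"
    $user   = (Get-ItemProperty $userKey   -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode
    $policy = (Get-ItemProperty $policyKey -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode
    # The HKLM lockdown value wins over the user preference; with neither set,
    # Adobe's stated default (see the quote above) is 'enabled'.
    $effective = if ($null -ne $policy) { [bool]$policy } elseif ($null -ne $user) { [bool]$user } else { $true }
    [pscustomobject]@{
        UserSetting    = if ($null -eq $user)   { 'not set' } else { [bool]$user }
        LockedByPolicy = if ($null -eq $policy) { 'no' }      else { "yes (forced to $([bool]$policy))" }
        Effective      = $effective
    }
}

function Get-ReaderProcessTree {
    $procs = @(Get-WmiObject Win32_Process -Filter "Name = 'AcroRd32.exe'")
    if ($procs.Count -eq 0) { Write-Warning 'Adobe Reader is not running'; return }
    $ids = $procs | ForEach-Object { $_.ProcessId }
    foreach ($p in $procs) {
        # The sandboxed renderer is spawned by the broker, so its parent is another
        # AcroRd32.exe; the broker's parent is explorer.exe or whatever launched it.
        $role = if ($ids -contains $p.ParentProcessId) { 'sandboxed renderer (child of broker)' } else { 'broker' }
        [pscustomobject]@{ ProcessId = $p.ProcessId; ParentProcessId = $p.ParentProcessId; Role = $role }
    }
    if ($procs.Count -lt 2) {
        Write-Warning 'Only one AcroRd32.exe process: Protected Mode appears to be off for this session'
    }
}

Get-ReaderProtectedModeSetting
Get-ReaderProcessTree | Format-Table -AutoSize
```

Run it un-elevated while a PDF is open. A single AcroRd32.exe process, or an Effective value of False, means the PDF is being parsed with the user’s full rights and the broker is not in the picture.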


Using CorrectFilePaths Shim to Fix Broken Applications

In this article we look at how to create a file redirection, so that the application writes to a new file path instead of the old, hard-coded one.

The Compatibility Administrator tool enables you to resolve many potential application-compatibility issues before deploying a new version of Windows in your organization. It lets you create customized compatibility fixes (shims), compatibility modes, AppHelp messages, and compatibility databases. To learn how to create one and implement it, read Creating a Shim/Fix Using Compatibility Administrator.

Scenario: when I launch this application and press the Update button, I get the error dialog below, which says “Access to a certain path is denied”. This can occur in a locked-down environment or as part of User Account Control, where the user works as a standard user unless he elevates explicitly.

File Access Error

This application stores its configuration preferences in an INI file saved in the folder C:\Windows\Downloaded Program Files\. This is a protected folder, and a standard user does not have permission to write to it. We need to change the path to a folder where a normal user has write access: the %APPDATA% (user profile Application Data) folder.

In this post we change this file path and make the application point to the new folder, so that when the file is saved we no longer get an access denied error. The CorrectFilePaths shim does exactly this.

Step 1: Launch Compatibility Administrator and create a new application fix for the executable. Use the 32-bit Compatibility Administrator for a 32-bit application and the 64-bit one for a 64-bit application; a database built with the wrong one will not apply. Select the CorrectFilePaths shim and press the Parameters button. This gives you options to configure the paths; you will need to use the ADDREDIRECT command.

CorrectFilePaths Shim

Step 2: Give the parameters for this shim.

General syntax: “oldpath”;”newpath”, given as the argument of ADDREDIRECT. In this case we give “C:\Windows\Downloaded Program Files\StockViewer.ini”;”%USERAPPDATA%\StockViewer.ini”. %USERAPPDATA% is the shim’s own placeholder for the logged-on user’s Application Data folder (what %APPDATA% resolves to for that user). The old path must match exactly what the application passes to the file API, so check it with Process Monitor or Standard User Analyzer first if you are unsure.

Parameters - Correct File Path Shim

Step 3: Apply the shim and test the application.

Now, when I click the Save Preferences button, the configuration file gets saved. In the background, the shim intercepts the application’s file calls and substitutes the new path for the hard-coded one. The user’s Application Data folder is writable, so the file gets created.

Redirected File gets Created in the User AppData

This mitigation technique can be used for any file path redirection. If an application is hard-coded to write to a restricted path, this technique makes it use a new path instead, so the user keeps running with standard rights. Keep in mind that it is a compatibility workaround rather than a fix: the shim database must be installed on every machine (with sdbinst.exe, which itself requires elevation), it applies only to the executables matched in the database, and it is still preferable to loosening the ACL on the protected folder, which would let any user, or any malware running as that user, drop files there.
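Once the fix is saved as an .sdb file, the steps above still have to be deployed and verified on a target machine. The PowerShell below is an added example (not from the original post) that installs the database, confirms Windows registered it for the executable, and then checks from a standard user session that the INI write lands in %APPDATA% while the hard-coded folder stays protected. The database path C:\Shims\StockViewer.sdb is an assumption; the executable and file names are the ones used in the post.

```powershell
# Added example, not from the original post. Deploy and verify the CorrectFilePaths fix.
# Assumption: the database saved from Compatibility Administrator is C:\Shims\StockViewer.sdb.
$Sdb = 'C:\Shims\StockViewer.sdb'
$Exe = 'StockViewer.exe'

# 1. Install. sdbinst.exe ships with Windows; it writes to HKLM, so this part must run
#    from an elevated prompt (or be done by the software deployment tool).
& "$env:SystemRoot\System32\sdbinst.exe" -q $Sdb
if ($LASTEXITCODE -ne 0) { throw "sdbinst failed with exit code $LASTEXITCODE" }

# 2. Verify registration. Each installed database gets an InstalledSDB\{GUID} key, and
#    the per-executable binding lives under AppCompatFlags\Custom\<exe name>.
$flags = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
Get-ChildItem "$flags\InstalledSDB" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{ Guid = $_.PSChildName; Description = $p.DatabaseDescription; Path = $p.DatabasePath }
} | Format-Table -AutoSize

$custom = Get-Item "$flags\Custom\$Exe" -ErrorAction SilentlyContinue
if (-not $custom) { throw "No custom shim entry for $Exe; check the executable name in the fix" }
"Shim databases bound to ${Exe}: $($custom.GetValueNames() -join ', ')"

# 3. Functional check, run un-elevated as the end user after clicking 'Save Preferences':
#    the hard-coded target must still refuse writes, and the redirected copy must exist.
$hardCoded  = Join-Path $env:SystemRoot 'Downloaded Program Files\StockViewer.ini'
$redirected = Join-Path $env:APPDATA 'StockViewer.ini'
try {
    [IO.File]::OpenWrite($hardCoded).Dispose()
    Write-Warning "Standard user can write to $hardCoded; the folder ACL has been loosened"
} catch [System.UnauthorizedAccessException] {
    "OK: $hardCoded is still protected (access denied as expected)"
}
if (Test-Path $redirected) {
    "OK: redirected INI exists at $redirected"
    Get-Content $redirected | Select-Object -First 5
} else {
    Write-Warning 'Redirected file not found; was the app launched and does the exe name match the fix?'
}
```

The same two registry locations are what you audit when looking for shim databases you did not deploy: anything under InstalledSDB without a matching change record deserves a look, because the mechanism that redirects a file write here can just as easily redirect or inject into a process for someone else’s purposes.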

If you have issues with Hard-coded registry key paths, then do read this article!


Standard User Analyzer (SUA) – Tool to Test Applications

Many of us work with applications, either developing or deploying them. While doing so, it is important to test the application as a standard user, especially when the organization has a locked-down environment or runs the newer operating systems with UAC.

This helps you understand the application’s behavior better, and the Standard User Analyzer tool serves exactly this purpose. The tool is part of the Application Compatibility Toolkit.

Step 1: Install the Application Compatibility Toolkit and start the Standard User Analyzer. You don’t need to run this as administrator; you can just launch it.

Standard User Analyzer

The application launches as below,

Standard User Analyzer - Application Launches

If you know the Sysinternals tools Filemon/Regmon, this tool does a similar job. When you launch an application through it, it monitors all the files, registry keys and INI files modified, the namespaces the app calls, the privileges the process requests, and so on. This gives a detailed analysis of how the application behaves as a standard user.

You also have the option to run the same application as an administrator and compare the two reports. This is done by ticking the “Elevate” checkbox in the Launch Options.

Step 2: In the Target Application tab, browse to the executable of the application you want to test. In this example it is StockViewer.exe. Click the Launch button. (You can also specify any command line arguments for the executable.)

Launch Executable in the Standard User Analyzer

This tool has a prerequisite, “Application Verifier”. If you have not installed it, you will get the dialog below; download and install it.

Application Verifier is designed specifically to detect and help debug memory corruption and critical security vulnerabilities. It does this by monitoring a native application’s interaction with the Windows operating system, profiling its use of objects, the registry, the file system, and Win32 APIs (including heaps, handles, locks, etc.), and reporting issues when and where they are discovered. Application Verifier also includes checks that predict how well an application will behave under various account privileges. You can download it here.

Application Verifier

Once Application Verifier is installed, SUA starts monitoring your application. You may also get the warning message below:

Warning Message

Step 3: Start your application which you want to monitor; you can perform all the operations which an end-user would do!

During this demo I launched my application and found that it asked for administrator rights while launching and also gave some ‘access denied’ errors. When I closed the app, the Standard User Analyzer had collected all the information about what the application accessed.

Standard User Analyzer - Application Reports

These logs and reports explain the application’s behavior and help your developers fix the application. From the application compatibility side, the tool also identifies mitigations and offers to apply them.

Apply Mitigations

When you click on the Apply Mitigation, you will get the below dialog with the list of shims which would mitigate the issues identified.

Mitigations List

You can also export this mitigation as an MSI, so that you can deploy it with any deployment tool in your organization.
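The core of what SUA reports is which protected locations the application tried to write to. As an added example (not part of the original post or of the toolkit), the PowerShell below performs the same kind of probe by hand: run it un-elevated as the account the application will use, and it reports which of the typical protected folders and an HKLM key the user can actually write to. The folder list and the HKLM\SOFTWARE\StockViewer key name are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Manual stand-in for SUA's file and
# registry write checks. Run un-elevated as the target user.
function Test-ProtectedWrite {
    param([string[]]$Paths = @(
        $env:ProgramFiles,                                           # per-machine program files
        (Join-Path $env:SystemRoot 'Downloaded Program Files'),      # the folder from the StockViewer example
        $env:APPDATA))                                               # where a well-behaved app should write
    foreach ($dir in $Paths) {
        $probe = Join-Path $dir ("sua-probe-{0}.tmp" -f [guid]::NewGuid())
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            Remove-Item $probe -ErrorAction SilentlyContinue
            $result = 'writable'
        } catch {
            # PowerShell is manifested (and 64-bit), so UAC virtualization never applies to it and
            # we see the real 'access denied'. An unmanifested 32-bit legacy app making the same write
            # would silently get a copy in %LOCALAPPDATA%\VirtualStore instead, which SUA also flags.
            $result = 'denied: ' + $_.Exception.GetType().Name
        }
        [pscustomobject]@{ Location = $dir; Result = $result }
    }
}

function Test-ProtectedRegistryWrite {
    param([string]$Key = 'HKLM:\SOFTWARE\StockViewer')   # assumption: illustrative key name
    try {
        New-Item -Path $Key -Force -ErrorAction Stop | Out-Null
        Remove-Item -Path $Key -Recurse -ErrorAction SilentlyContinue
        'writable'
    } catch {
        'denied: ' + $_.Exception.GetType().Name
    }
}

Test-ProtectedWrite | Format-Table -AutoSize
"HKLM\SOFTWARE\StockViewer: $(Test-ProtectedRegistryWrite)"
```

If anything other than %APPDATA% comes back as writable, the machine is not actually locked down and a test pass on it says nothing about how the application will behave for real standard users.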


User Account Control (UAC) Basics and Security Features in Windows 7

UAC is a security feature that was first introduced in Windows Vista and refined in Windows 7. UAC lets the user run as a standard user and elevate only when an administrative operation is performed. Here is a 10-minute video that explains the basics of UAC and its improvements in Windows 7.

Also See this video – VirtualStore: File / Registry Virtualization in Windows 7


How does User Account Control (UAC) work in Windows 7?

When an administrator user logs on to a Windows Vista computer, two access tokens are created: a filtered standard user access token, and a full administrator access token. Instead of launching the desktop (Explorer.exe) with the administrator’s access token, the standard user access token is used. All child processes inherit from this initial launch of the desktop (the explorer.exe process), which helps limit Windows Vista’s attack surface. By default, all users, including administrators, log on to a Windows Vista computer as standard users.

When a standard user attempts to perform a task that requires administrative privileges, such as writing to the C:\Windows folder, UAC prompts the user to enter valid credentials for an administrator account (the credential prompt: the task then runs under that administrator account). When an administrator attempts such a task, such as writing to the C:\Windows folder or installing a component for an application, UAC prompts the user to approve the action (the consent prompt). When the user approves, the task is launched with the administrator’s full access token.

UAC is built from the following components:

  • ActiveX Installer Service, which enables an enterprise to delegate ActiveX control installation to standard users.
  • Installer Detection, which detects installation programs and requests administrator credentials or approval from an administrator user before running them with elevated privileges.
  • User Interface Privilege Isolation (UIPI), which isolates applications running as a full administrator from processes running at a lower level on the same interactive desktop.
  • Virtualization, which redirects application reads and writes of system files and registry keys to per-user locations.
  • Access token changes, which give the user one or two access tokens (a filtered, standard user token and a full administrator token) depending on the account’s privileges.

How to Test Application MSI Packages for UAC

The easiest way to test an MSI under UAC is to install it from an elevated command prompt: in Vista, run the command prompt as administrator and then install the MSI, which mirrors what a deployment tool does. Separately, you can flag an MSI so that it does not request elevation during install by setting bit 3 (mask 0x8) of the Word Count property in the Summary Information Stream. Such an MSI can only write to the user profile, not to any protected system location, and it must be a per-user package (ALLUSERS not set) or the installation fails for lack of privileges. In corporate deployments this is a rare scenario.

The application installer will normally need to be elevated, but the deployment tool handles that. If an application turns out to be badly written and writes to protected locations at run time, handle it the same way as on a locked-down XP machine: grant specific NTFS or registry permissions on just the file, folder or registry key involved, never on the whole Program Files or HKLM tree.
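To see which case a package falls into before testing, read its Summary Information and Property table. The PowerShell below is an added example (not from the original post) that uses the WindowsInstaller.Installer COM object, which is present on every Windows machine: it reports the Word Count value, whether the no-elevation bit is set, and the ALLUSERS property, and can set the bit on a copy of the package. PID_WORDCOUNT is 15 in the MSI summary stream; the package path C:\Packages\StockViewer.msi is an assumption.

```powershell
# Added example, not from the original post. Inspect (and optionally set) the
# "no elevation required" flag of an MSI. Assumption: package path below.
function Get-MsiUacInfo {
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # The Installer object is late-bound, hence InvokeMember instead of direct method calls.
    $si = $installer.GetType().InvokeMember('SummaryInformation', 'InvokeMethod', $null, $installer, @($Path, 0))
    $wordCount = [int]$si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(15))  # PID_WORDCOUNT

    # ALLUSERS decides per-machine (1) versus per-user (empty/absent) installation.
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $sql  = 'SELECT `Value` FROM `Property` WHERE `Property` = ''ALLUSERS'''
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $allUsers = if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1)) } else { '<not set>' }

    [pscustomobject]@{
        Package             = $Path
        WordCount           = ('0x{0:X}' -f $wordCount)
        NoElevationRequired = [bool]($wordCount -band 0x8)    # bit 3: Windows Installer will not request elevation
        ALLUSERS            = $allUsers
    }
}

function Set-MsiNoElevationFlag {
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Second argument is the number of properties we intend to update (opens the stream for writing).
    $si = $installer.GetType().InvokeMember('SummaryInformation', 'InvokeMethod', $null, $installer, @($Path, 1))
    $wc = [int]$si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(15))
    $si.GetType().InvokeMember('Property', 'SetProperty', $null, $si, @(15, [int]($wc -bor 0x8)))
    $si.GetType().InvokeMember('Persist', 'InvokeMethod', $null, $si, $null) | Out-Null
}

$pkg = 'C:\Packages\StockViewer.msi'   # assumption
Get-MsiUacInfo -Path $pkg | Format-List
# Set-MsiNoElevationFlag -Path $pkg     # only on a copy, and only for a genuinely per-user package
```

Setting the bit on a package that still has ALLUSERS=1 or writes under Program Files does not make it UAC-friendly; Windows Installer simply fails the install with an insufficient-privileges error instead of prompting.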


Windows 7 – File and Registry Redirection : Impact on MSI Packaging

The basics of this feature is explained in the article Folder Virtualization Concepts in Windows Vista.

Impact on MSI Packaging
During a setup capture, files and registry keys can be found twice: once in the original per-machine location and once in the per-user VirtualStore, because a write to a protected location that the capture account could not perform was silently redirected. This happens especially when the application has to be launched during the capture to customize options and settings.

Possible Work-around
During Setup-Capture:

Virtualized resources need to be merged with the original files, and the virtualized copies can then be deleted from the installation resources. If file and registry virtualization is enabled in the default user environment, test the application with two different standard user accounts: check whether resources from the application get virtualized, and that those per-user copies do not affect the proper functionality of the application (a second user, for example, must not end up with the first user’s settings or with none at all).

The best practice is to disable file and registry virtualization (the policy “User Account Control: Virtualize file and registry write failures to per-user locations”). Microsoft does not guarantee that this feature will be present in future releases of Windows. If a file or registry key needs permission changes, use the LockPermissions table or a custom action to modify the security descriptor of those resources, and scope the change to just those resources. If the user has permission to modify a resource, the write succeeds in place and is not virtualized.

It’s recommended to use the latest release of a product that supports Vista. Applications following Microsoft’s development guidelines for Vista-compliant applications modify resources in the user profile, where virtualization does not take place.
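The merge step above starts with knowing what got virtualized. The PowerShell below is an added example (not from the original post) that lists every file under the user’s VirtualStore and every key under the virtualized HKLM\SOFTWARE branch, maps each back to the real location the application meant to write, and reports the EnableVirtualization policy value so you can confirm the capture machine had virtualization off. The VirtualStore locations are the ones Windows uses; mapping files back onto the system drive is an assumption that holds for the default Program Files and Windows folders.

```powershell
# Added example, not from the original post. Enumerate UAC virtualization leftovers
# after a setup capture and show where each item really belongs.
function Get-VirtualStoreFiles {
    $root = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        # VirtualStore mirrors the drive layout: ...\VirtualStore\Program Files\App\x.ini
        # stands for C:\Program Files\App\x.ini (assumption: the app lives on the system drive).
        $relative = $_.FullName.Substring($root.Length).TrimStart('\')
        [pscustomobject]@{
            Kind        = 'File'
            Virtualized = $_.FullName
            RealPath    = Join-Path $env:SystemDrive $relative
            LastWrite   = $_.LastWriteTime
        }
    }
}

function Get-VirtualStoreRegistry {
    # Virtualized HKLM\SOFTWARE writes land in the user's Classes hive under VirtualStore\MACHINE\SOFTWARE
    $root   = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    $marker = 'MACHINE\SOFTWARE'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root -Recurse | ForEach-Object {
        $rel = $_.Name.Substring($_.Name.IndexOf($marker) + $marker.Length)
        [pscustomobject]@{
            Kind        = 'Registry'
            Virtualized = $_.Name
            RealPath    = 'HKEY_LOCAL_MACHINE\SOFTWARE' + $rel
            LastWrite   = $null
            ValueCount  = $_.ValueCount
        }
    }
}

function Get-VirtualizationPolicy {
    # Backs the policy 'User Account Control: Virtualize file and registry write failures to per-user locations'
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
         -Name EnableVirtualization -ErrorAction SilentlyContinue
    if ($null -eq $p)                      { 'not set (defaults to enabled)' }
    elseif ($p.EnableVirtualization -eq 1) { 'enabled' }
    else                                   { 'disabled' }
}

"Virtualization policy on this machine: $(Get-VirtualizationPolicy)"
$items = @(Get-VirtualStoreFiles) + @(Get-VirtualStoreRegistry)
if ($items.Count -eq 0) { 'Nothing virtualized for this user' }
else { $items | Format-Table Kind, Virtualized, RealPath -AutoSize }
```

Every RealPath in the output is a resource the application expected to own under Program Files or HKLM\SOFTWARE; either the vendor’s build should write it to the user profile instead, or the package must create it with the right permissions, per the LockPermissions advice above. Deleting the VirtualStore copies without doing one of the two just moves the problem to the first user who runs the packaged application.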