Windows Server 2012 : Software and User Account Control Administration (part 4) - Maintaining application integrity - Application access tokens

1/28/2015 8:33:37 PM

Maintaining application integrity

To help maintain internal consistency and application integrity, Windows Server defines two run levels for applications: standard and administrator. Windows Server determines whether a user needs elevated privileges to run a program by supplying most applications and processes with a security token. If an application has a standard token, or an application cannot be identified as an administrator application, elevated privileges are not required to run the application, and Windows Server starts it as a standard application by default. If an application has an administrator token, elevated privileges are required to run the application, and Windows Server prompts the user for permission or confirmation prior to running the application.

Application access tokens

Applications are said to be either compliant or legacy. Any application written specifically for Windows Server 2008 or later is considered to be a compliant application. Any application written for an earlier version of Microsoft Windows or not certified as compliant is considered to be a legacy application.

Distinguishing between compliant and legacy applications is important because of the architecture changes required to support UAC. Compliant applications use UAC to reduce the attack surface of the operating system. They do this by preventing unauthorized programs from installing or running without the user’s consent and by restricting the default privileges granted to applications. This, in turn, makes it harder for malicious programs to take over a computer.

The Application Information service facilitates the running of interactive applications with an “administrator” access token. By default, this service is stopped and configured for manual start up. When this service is stopped, you will be unable to start interactive applications with the additional administrator privileges you might require to perform tasks.

INSIDE OUT: Examining administrator and standard user access tokens

You can see the difference between the administrator user and standard user access tokens by opening two Command Prompt windows. Run the first command prompt with elevation by pressing and holding or right-clicking Command Prompt and then selecting Run As Administrator. Run the other command prompt as a standard user.

In the administrator Command Prompt window, type the following:

  1. cd %UserProfile%

  2. whoami /all > admin.txt

In the standard Command Prompt window, type the following:

  1. whoami /all > user.txt

  2. fc user.txt admin.txt

The resulting output is a comparison of the differences between your administrator access token and your standard access token. Both access tokens will have the same security identifiers (SIDs), but the elevated administrator access token will have more privileges than the standard user access token.
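The same comparison can be made structured instead of diffing raw text. The PowerShell below is an added example, not part of the original article: it records each window's elevation state, integrity level, the state of the Administrators group SID, and the privilege list, then compares the two. The function names and the admin-token.json and user-token.json file names are hypothetical, and the column names assume an English-language whoami.

```powershell
# Added example. Assumes English column names in whoami's CSV output.
function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $groups    = @(whoami /groups /fo csv | ConvertFrom-Csv)
    $privs     = @(whoami /priv /fo csv | ConvertFrom-Csv)

    # The integrity level is carried in the token as a group SID under S-1-16-*.
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    # BUILTIN\Administrators is S-1-5-32-544; its Attributes column shows
    # whether the group is enabled or present for deny checks only.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    [pscustomobject]@{
        User           = $identity.Name
        Elevated       = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        IntegrityLevel = $label.'Group Name'
        AdminGroup     = if ($admins) { $admins.Attributes } else { 'not a member' }
        Privileges     = @($privs | ForEach-Object { $_.'Privilege Name' } | Sort-Object)
    }
}

# Hypothetical file names; written to the profile folder like admin.txt and user.txt.
function Save-TokenSummary {
    $summary = Get-TokenSummary
    $name = if ($summary.Elevated) { 'admin-token.json' } else { 'user-token.json' }
    $summary | ConvertTo-Json | Set-Content -Path (Join-Path $env:USERPROFILE $name)
    $summary
}

# Run after Save-TokenSummary has been called once in each window.
function Compare-TokenSummary {
    $user  = Get-Content -Raw (Join-Path $env:USERPROFILE 'user-token.json')  | ConvertFrom-Json
    $admin = Get-Content -Raw (Join-Path $env:USERPROFILE 'admin-token.json') | ConvertFrom-Json
    "Integrity : $($user.IntegrityLevel) -> $($admin.IntegrityLevel)"
    "Admins    : $($user.AdminGroup) -> $($admin.AdminGroup)"
    # '=>' marks privileges present only in the elevated token.
    Compare-Object -ReferenceObject $user.Privileges -DifferenceObject $admin.Privileges
}
```

Call Save-TokenSummary in the elevated window and in the standard window, then Compare-TokenSummary in either one.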

Applications derive their security context from the current user’s access token. By default, the Local Security Authority (LSA) turns all users into standard users even if they are members of the Administrators group. When a member of an administrator group logs on to a computer where UAC is enabled, the LSA creates two access tokens for two different logon sessions: one with administrator rights and one with administrator rights filtered out. The filtered access token is used to start the user’s desktop. The other logon session runs as an administrator and is accessed when tasks are elevated. Thus, if an administrator user has consented to the use of her administrator privileges, the unfiltered access token (which contains all of the user’s privileges) is used to start the application or process rather than the user’s standard access token. Also note that the access tokens contain separate logon IDs because they are related to different logon sessions.

Most applications can run using a standard user access token. Whether applications need to run with standard or administrator privileges depends on the actions the applications perform. Applications that require administrator privileges, referred to as administrator applications, differ in several ways from user applications that require standard user privileges, referred to as user applications.

Administrator applications require elevated privileges to run and perform core tasks. When started in elevated mode, an application with a user’s administrator access token can perform tasks that require administrator privileges and also can write to system locations of the registry and the file system.

Standard user applications do not require elevated privileges to run and perform core tasks. When started in standard user mode, an application with a user’s standard access token must request elevated privileges to perform administration tasks. For all other tasks, the application should not run using elevated privileges. Further, the application should write data only to nonsystem locations of the registry and the file system.

INSIDE OUT: Virtualization for legacy applications

You configure any applications not specifically written for or certified as compatible as legacy applications. Legacy applications run using a user’s standard access token by default. To prevent legacy applications from making changes to the operating system that could cause problems, legacy applications run in a special compatibility mode. In this mode, the operating system uses file system and registry virtualization to provide “virtualized” views of file and registry locations.

When a legacy application attempts to write to a system location, the operating system gives the application a private copy of the file or registry value. Any changes the application makes are then written to the private copy, and this private copy, in turn, is stored in the user’s profile data. If the application attempts to read or write to this system location again, the operating system gives it the private copy from the user’s profile to work with.

By default, if an error occurs when the application is working with virtualized data, the error notification and logging information show the virtualized location rather than the actual location that the application is trying to work with. This ensures that there is consistency between how virtualization is used and how related errors are reported.

If you are an application developer and are debugging an application, you can use options on Task Manager’s Details tab to put an application you are testing in “virtualized” mode. Press and hold or right-click the application’s primary process and then tap or click UAC Virtualization. Repeat this process to exit “virtualized” mode.

TROUBLESHOOTING: Virtualization exceptions

Some application tasks always require administrative privileges. If so, these tasks cannot be performed with a standard access token. Virtualization is designed for applications that are not UAC-compliant but require a full administrator access token to work properly. Virtualization doesn’t apply to applications that are elevated and run with a full administrator access token. Virtualization is not supported for native Windows 64-bit applications and is disabled for applications that have a requested execution-level attribute in their application manifest.

You can verify that an application that won’t work properly has a problem running as a standard user simply by pressing and holding or right-clicking the application icon and then tapping or clicking Run As Administrator. There’s a problem if the application works when running with a full administrator access token but doesn’t run when using a standard access token. However, because the application might write to areas of the file system or registry that cause problems with stability or startup, you should test this theory only on nonproduction computers. You can try to resolve the problem using one of the compatibility databases in the current version of the Microsoft Application Compatibility Toolkit, or you can use the toolkit to create your own compatibility databases.

Application run levels

Because of UAC, the processes related to installing and running applications have also changed. In earlier versions of Windows, the Power Users group gave users specific administrator privileges to perform basic system tasks when installing and running applications. Compliant applications do not require the use of the Power Users group; this group is maintained only for legacy-application compatibility.

Windows Server detects application installations and prompts users for elevation to continue the installation by default. Installation packages for Windows Server–compliant applications use application manifests that contain run-level designations to help track required privileges. Application manifests define the application’s desired privileges as one of the following:

  • RunAsInvoker: Runs the application with the same privileges as the user. Any user can run the application. For a standard user or a user who is a member of the Administrators group, the application runs with a standard access token. The application runs with higher privileges only if the parent process from which it is started has an administrator access token. For example, if you start an elevated Command Prompt window and then start an application from this window, the application runs with an administrator access token.

  • RunAsHighest: Runs the application with the highest privileges of the user. The application can be run by both administrator users and standard users. The tasks that can be performed by the application depend on the user’s privileges. For a standard user, the application runs with a standard access token. For a user who is a member of a group with additional privileges—such as the Backup Operators, Server Operators, or Account Operators groups—the application runs with a partial administrator access token that contains only the privileges the user has been granted. For a user who is a member of the Administrators group, the application runs with a full administrator access token.

  • RunAsAdmin: Runs the application with administrator privileges. Only administrators can run the application. For a standard user or a user who is a member of a group with additional privileges, the application runs only if the user can be prompted for credentials required to run in elevated mode or if the application is started from within an elevated process, such as an elevated Command Prompt window. For a user who is a member of the Administrators group, the application runs with an administrator access token.
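In the manifest itself, the run level is the level attribute of the requestedExecutionLevel element, with the values asInvoker, highestAvailable and requireAdministrator corresponding to the three designations above. The PowerShell below is an added example, not part of the original article: it reads a manifest and reports the declared run level, and whether the declaration rules out UAC virtualization as described in the troubleshooting note earlier. The sample manifest is constructed and the function name is hypothetical.

```powershell
# Constructed sample manifest for illustration.
$sampleManifest = @'
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

function Get-ManifestRunLevel {
    param([Parameter(Mandatory)][string]$ManifestXml)

    # Manifest attribute value -> run-level name used in the text.
    $map = @{
        asInvoker            = 'RunAsInvoker'
        highestAvailable     = 'RunAsHighest'
        requireAdministrator = 'RunAsAdmin'
    }
    $doc  = [xml]$ManifestXml
    # local-name() keeps the lookup independent of the asm.v2/asm.v3 namespace.
    $node = $doc.SelectSingleNode("//*[local-name()='requestedExecutionLevel']")

    if (-not $node) {
        # No declaration: the application is handled as a legacy application.
        return [pscustomobject]@{
            Level = $null; RunLevel = 'none declared'; ManifestDisablesVirtualization = $false
        }
    }
    $level = $node.GetAttribute('level')
    [pscustomobject]@{
        Level    = $level
        RunLevel = if ($map.ContainsKey($level)) { $map[$level] } else { 'unrecognized' }
        # Any requested execution level turns UAC virtualization off.
        ManifestDisablesVirtualization = $true
    }
}

Get-ManifestRunLevel -ManifestXml $sampleManifest
```

For the sample, the result is Level requireAdministrator, RunLevel RunAsAdmin, with virtualization disabled by the manifest.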

Windows Server protects application processes by labeling them with integrity levels ranging from high to low. Applications that modify system data, such as Disk Management, are considered “high” integrity, while those performing tasks that could compromise the operating system, such as Microsoft Internet Explorer, are considered “low” integrity. Applications with lower integrity levels cannot modify data in applications with higher integrity levels.

Windows Server identifies the publisher of any application that attempts to run with an administrator’s full access token. Then, depending on that publisher, Windows Server marks the application as being a compliant application, a publisher verified (signed) application, or a publisher not verified (unsigned) application. When you are installing or running an application, the elevation prompt is designed to help identify the potential security risk of installing or running the application. First of all, the prompt is color-coded. Second, the elevation prompt displays a unique message depending on the category to which the application belongs.

When working with the elevation prompt, keep the following in mind:

  • Red is a strong warning, representing likely danger. If the application is from a blocked publisher or is blocked by Group Policy, the elevation prompt has a red background and displays the message “The application is blocked from running.”

  • Yellow is a general warning, indicating potential danger. If the application is unsigned (or is signed but not yet trusted), the elevation prompt has a yellow background and red shield icon and displays the message “An unidentified program wants access to your computer.”

  • Blue/green is for administrative elevation. If the application is administrative (such as Server Manager), the elevation prompt has a blue/green background and displays the message “Windows needs your permission to continue.”

  • Gray is for general elevation. If the application has been signed by Authenticode and is trusted by the local computer, the elevation prompt has a gray background and displays the message “A program needs your permission to continue.”

Only core Windows processes can access the secure desktop prompt. This serves to further secure the elevation process by preventing spoofing of the elevation prompt. The secure desktop is enabled by default in Group Policy.
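To check these behaviors on a given server, the local policy values can be read from the registry. The PowerShell below is an added example, not part of the original article: it reports the UAC policy values behind the secure desktop, installer detection and virtualization, plus the state of the Application Information service (service name Appinfo). The function name is hypothetical.

```powershell
# Added example. A value that is not present means the policy was never
# written locally and the built-in default applies.
function Get-UacPolicyState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $settings = [ordered]@{
        EnableLUA                = 'UAC on; administrators log on with a filtered token'
        PromptOnSecureDesktop    = 'Elevation prompt shown on the secure desktop'
        EnableInstallerDetection = 'Application installations detected and prompted'
        EnableVirtualization     = 'File and registry virtualization for legacy applications'
    }
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    foreach ($name in $settings.Keys) {
        $value = $props.$name
        [pscustomobject]@{
            Setting = $name
            Value   = if ($null -eq $value) { '(not set)' } else { $value }
            State   = if ($null -eq $value) { 'default' }
                      elseif ($value -eq 0) { 'DISABLED' }
                      else { 'enabled' }
            Meaning = $settings[$name]
        }
    }

    # Elevation of interactive applications depends on this service.
    $svc = Get-Service -Name Appinfo
    [pscustomobject]@{
        Setting = 'Appinfo service'
        Value   = $svc.Status
        State   = if ($svc.Status -eq 'Running') { 'running' } else { 'not running' }
        Meaning = 'Application Information service'
    }
}

Get-UacPolicyState | Format-Table -AutoSize
```

A DISABLED state for EnableLUA or PromptOnSecureDesktop means the token filtering or the secure desktop described above is not in effect on that machine.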
