Windows 8 : Managing Application Virtualization and Run Levels (part 1) - Application Access Tokens and Location Virtualization, Application Integrity and Run Levels

User Account Control (UAC) changes the way that applications are installed and run, where applications write data, and what permissions applications have. In this section, I’ll look at how UAC affects application installation, from application security tokens to file and registry virtualization to run levels. This information is essential when you are installing and maintaining applications on Windows 8.

1. Application Access Tokens and Location Virtualization

All applications used with Windows 8 are divided into two general categories:

• UAC-compliant Any application written specifically for Windows Vista or later is considered a compliant application. Applications certified as complying with the Windows 8 architecture have the UAC-compliant logo.

• Legacy Any application written for Windows XP or an earlier version of Windows is considered a legacy application.

The distinction between UAC-compliant applications and legacy applications is important because of the architectural changes required to support UAC. UAC-compliant applications use UAC to reduce the attack surface of the operating system. They do this by preventing unauthorized applications from installing or running without the user’s consent and by restricting the default privileges granted to applications. These measures make it harder for malicious software to take over a computer.

Note

The Windows 8 component responsible for UAC is the Application Information service. This service facilitates the running of interactive applications with an “administrator” access token. You can see the difference between the administrator user and standard user access tokens by opening two Command Prompt windows, running one with elevation (press and hold or right-click, and then tap or click Run As Administrator), and the other as a standard user. In each window, type whoami/all and compare the results. Both access tokens have the same security identifiers (SIDs), but the elevated administrator user access token has more privileges than the standard user access token.

All applications that run on Windows 8 derive their security context from the current user’s access token. By default, UAC turns all users into standard users even if they are members of the Administrators group. If an administrator user consents to the use of her administrator privileges, a new access token is created for the user. It contains all the user’s privileges, and this access token—rather than the user’s standard access token—is used to start an application or process.

In Windows 8, most applications can run using a standard user access token. Whether applications need to run with standard or administrator privileges depends on the actions the application performs. Applications that require administrator privileges, referred to as administrator user applications, differ from applications that require standard user privileges, referred to as standard user applications, in the following ways:

• Administrator user applications require elevated privileges to run and perform core tasks. Once started in elevated mode, an application with a user’s administrator access token can perform tasks that require administrator privileges and can also write to system locations of the registry and the file system.

• Standard user applications do not require elevated privileges to run or to perform core tasks. Once started in standard user mode, an application with a user’s standard access token must request elevated privileges to perform administration tasks. For all other tasks, the application should not run using elevated privileges. Further, the application should write data only to nonsystem locations of the registry and the file system.

Applications not written for Windows 8 run with a user’s standard access token by default. To support the UAC architecture, these applications run in a special compatibility mode and use file system and registry virtualization to provide “virtualized” views of file and registry locations. When an application attempts to write to a system location, Windows 8 gives the application a private copy of the file or registry value. Any changes are then written to the private copy, and this private copy is then stored in the user’s profile data. If the application attempts to read or write to this system location again, it is given the private copy from the user’s profile to work with. By default, if an error occurs when the application is working with virtualized data, the error notification and logging information show the virtualized location rather than the actual location that the application was trying to work with.

2. Application Integrity and Run Levels

The focus on standard user and administrator privileges also changes the general permissions required to install and run applications. In Windows XP and earlier versions of Windows, the Power Users group gave users specific administrator privileges to perform basic system tasks when installing and running applications. Applications written for Windows 8 do not require the use of the Power Users group. Windows 8 maintains it only for legacy application compatibility.

As part of UAC, Windows 8 by default detects application installations and prompts users for elevation to continue the installation. Installation packages for UAC-compliant applications use application manifests that contain run-level designations to help track required privileges. Application manifests define the application’s privileges as one of the following:

• RunAsInvoker Run the application with the same privileges as the user. Any user can run the application. For a standard user or a user who is a member of the Administrators group, the application runs with a standard access token. The application runs with higher privileges only if the parent process from which it is started has an administrator access token. For example, if you open an elevated Command Prompt window and then start an application from this window, the application runs with an administrator access token.

• RunAsHighest Run the application with the highest privileges of the user. The application can be run by both administrator users and standard users. The tasks the application can perform depend on the user’s privileges. For a standard user, the application runs with a standard access token. For a user who is a member of a group with additional privileges, such as the Backup Operators, Server Operators, or Account Operators group, the application runs with a partial administrator access token that contains only the privileges the user has been granted. For a user who is a member of the Administrators group, the application runs with a full administrator access token.

• RunAsAdmin Run the application with administrator privileges. Only administrators can run the application. For a standard user or a user who is a member of a group with additional privileges, the application runs only if the user can be prompted for credentials required to run in elevated mode or if the application is started from an elevated process, such as an elevated Command Prompt window. For a user who is a member of the Administrators group, the application runs with an administrator access token.

To protect application processes, Windows 8 labels them with integrity levels ranging from high to low. Applications that modify system data, such as Disk Management, are considered high integrity. Applications performing tasks that could compromise the operating system, such as Windows Internet Explorer 8 in Windows 8, are considered low integrity. Applications with lower integrity levels cannot modify data in applications with higher integrity levels.

Windows 8 identifies the publisher of any application that attempts to run with an administrator’s full access token. Then, depending on that publisher, Windows 8 marks the application as belonging to one of the following three categories:

• Windows Vista or later

• Publisher verified (signed)

• Publisher not verified (unsigned)

To help you quickly identify the potential security risk of installing or running the application, a color-coded elevation prompt displays a particular message depending on the category to which the application belongs:

• If the application is from a blocked publisher or is blocked by Group Policy, the elevation prompt has a red background and displays the message “The application is blocked from running.”

• If the application is administrative (such as Computer Management), the elevation prompt has a blue-green background and displays the message “Windows needs your permission to continue.”

• If the application has been signed by Authenticode and is trusted by the local computer, the elevation prompt has a gray background and displays the message “A program needs your permission to continue.”

• If the application is unsigned (or is signed but not yet trusted), the elevation prompt has a yellow background and red shield icon and displays the message “An unidentified program wants access to your computer.”

Prompting on the secure desktop can be used to further secure the elevation process. The secure desktop safeguards the elevation process by preventing spoofing of the elevation prompt.