Delegation

Posted by The Beyand | 10:04 AM | 0 comments »

Delegation was a new feature in Windows 2000 that allowed a service to impersonate a
user account or computer account to access resources throughout the domain. Windows
2000 had two limitations with regards to this feature:
1. Delegation could not be constrained; that is, a delegated account could access
any resource in the domain on behalf of the user it impersonated.
2. Delegation required Kerberos authentication; a user who reached the front-end
service over NTLM (or any other non-Kerberos protocol) could not be delegated at all.
Both of these shortcomings were addressed in Windows Server 2003. Delegation can
now be constrained to specific services (listed in the account's msDS-AllowedToDelegateTo
attribute), and with protocol transition the user no longer has to authenticate to the
front-end service with Kerberos: the service can obtain a Kerberos service ticket on the
user's behalf regardless of how the user authenticated to it.
You still must beware of trusting computer accounts for delegation, as this allows the LocalSystem
account on that computer (and any service running as the computer account) to access
services on the domain as any user who has authenticated to that computer.
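The check a reviewer actually wants after reading the above is "which accounts in this domain are trusted for delegation, and how?". The following is an added example, not code from the original post: it classifies accounts from the userAccountControl bits and the msDS-AllowedToDelegateTo attribute that any LDAP export exposes, and rates each finding the way the paragraph above suggests (unconstrained delegation on a non-DC computer account being the worst case). The flag values are the documented ones; the directory entries in SAMPLE_ENTRIES are constructed sample data, and the host and SPN names in them are invented.

```python
# Added example (not from the original post): classify how an Active Directory
# account is trusted for delegation, using the userAccountControl bits and the
# msDS-AllowedToDelegateTo attribute an LDAP export exposes. The entries in
# SAMPLE_ENTRIES are constructed, not real directory objects.

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained (Windows 2000 style)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (Server 2003+)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member computer
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller


def uac_of(entry):
    return int(entry.get("userAccountControl", 0))


def is_computer_account(entry):
    return bool(uac_of(entry) & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))


def is_domain_controller(entry):
    return bool(uac_of(entry) & SERVER_TRUST_ACCOUNT)


def classify_delegation(entry):
    """One of: none, constrained, constrained+protocol-transition, unconstrained.
    The unconstrained bit wins even when msDS-AllowedToDelegateTo is populated,
    because it lets the account reuse a caller's forwarded TGT against any service."""
    uac = uac_of(entry)
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"


def audit(entries):
    """Return (sAMAccountName, kind, note) for every account that can delegate.
    Domain controllers are unconstrained by default, so they are listed as INFO."""
    findings = []
    for e in entries:
        kind = classify_delegation(e)
        if kind == "none":
            continue
        targets = ", ".join(e.get("msDS-AllowedToDelegateTo") or [])
        if kind == "unconstrained" and is_domain_controller(e):
            note = "INFO: domain controller, unconstrained by default"
        elif kind == "unconstrained":
            who = "LocalSystem and services on this host" if is_computer_account(e) else "this account"
            note = "HIGH: %s can impersonate any user who authenticates here, to any service" % who
        elif kind == "constrained+protocol-transition":
            note = "MEDIUM: can obtain tickets for any user without a Kerberos logon; targets: " + targets
        else:
            note = "LOW: Kerberos-only constrained delegation; targets: " + targets
        findings.append((e["sAMAccountName"], kind, note))
    return findings


# Constructed sample entries (hypothetical names and SPNs).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "APP02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "svc_portal", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/intranet.corp.example"]},
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for name, kind, note in audit(SAMPLE_ENTRIES):
        print("%-12s %-32s %s" % (name, kind, note))
```

Against a live domain the same two questions map to LDAP filters: `(userAccountControl:1.2.840.113556.1.4.803:=524288)` (524288 is 0x80000) finds the unconstrained accounts, and `(msDS-AllowedToDelegateTo=*)` finds the constrained ones; the bitwise-AND matching rule OID is the documented one. Users flagged "Account is sensitive and cannot be delegated" are exempt from all of this, which is the standard mitigation for administrative accounts.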
Integrity Levels, UAC, and LoRIE
With Windows Vista, Microsoft implemented an extension to the basic system of
discretionary access control we just described. The primary intent of this change was to
implement mandatory access control in certain scenarios. For example, actions that require
administrative privilege would require a further authorization, beyond that associated
with the user context access token. Microsoft termed this new architecture extension
Mandatory Integrity Control (MIC).
To accomplish mandatory access control-like behavior, MIC effectively implements
a new set of security principals called Integrity Levels (ILs) that can be added to
access tokens and ACLs. The four you will ordinarily encounter are Low, Medium, High, and System.
ILs are implemented as SIDs, just like any other security principal, under the S-1-16
authority: Low is S-1-16-4096, Medium is S-1-16-8192, High is S-1-16-12288, and System is
S-1-16-16384 (an Untrusted level, S-1-16-0, sits below Low). An object's IL is stored as a
mandatory label ACE in its SACL, and an object that carries no label is treated as Medium.
Now, in addition to the standard access control check we described earlier in the chapter,
Windows will also compare the IL of the requesting access token with the IL of the target
resource. The comparison only bites when the token's IL is lower than the object's, and
what it blocks depends on the label's policy: the default policy is No-Write-Up, so a
Medium-IL process is blocked from writing to a High-IL object but can still read or
execute it unless the label also carries No-Read-Up or No-Execute-Up. A process at the
same or a higher IL passes the MIC check, and the DACL decides as before.
MIC isn't directly visible when using Vista, but rather it serves as the underpinning
of some of the key new security features in the OS: User Account Control (UAC) and
Low Rights Internet Explorer (LoRIE). We'll talk briefly about them to show how MIC
works in practice.
UAC (it was named Least User Access, or LUA, in pre-release versions of Vista) is
perhaps the most visible new security feature in Vista. It works as follows:
1. Developers mark applications by embedding an application manifest (available
since XP) to tell the operating system whether the application needs elevated
privileges; the relevant manifest element is requestedExecutionLevel, whose level
is asInvoker, highestAvailable, or requireAdministrator.
2. The LSA has been modified to grant two tokens at logon to administrative
accounts: a filtered token and a linked token. The filtered token has the administrative
group SIDs marked deny-only and all elevated privileges stripped out (using the
restricted token mechanism described earlier).
3. Applications are run by default using the filtered token; the full-privilege
linked token is used only when launching applications that are marked as
requiring elevated privileges.
4. The user is prompted using a special consent environment (the rest of the
session is grayed out and inaccessible) whether they in fact want to launch
the program, and is prompted for administrative credentials instead if they are
not members of an administrative group.
Assuming application developers are well-behaved, Vista thus achieves mandatory
access control of a sort: only specific applications can be launched with elevated
privileges.
Here's how UAC uses MIC: all standard user processes, and an administrator's processes
running under the filtered token, run at Medium IL by default. Once a process has been
elevated using UAC, it runs at High IL, and can thus write to objects labeled at that level
(and to Medium- and Low-labeled objects, subject to their DACLs). A Medium-IL process,
by contrast, cannot write to a High-labeled object no matter what its DACL grants, so
High IL is now mandatory for access to certain objects within Windows.
MIC also underlies the LoRIE implementation in Vista: The Internet Explorer process
(iexplore.exe) runs at Low-IL and, in a system with default configuration, can write only
to objects that are labeled with Low-IL SIDs (by default, this includes only the folder
%USERPROFILE%\AppData\LocalLow and the Registry key HKCU\Software\
AppDataLow). LoRIE thus cannot write to any other object in the system by default,
greatly restricting the damage that can be done if the process gets compromised by
malware while browsing the Internet.
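To make the integrity check described above concrete, and to show why the LoRIE process can write to LocalLow but not to the rest of the profile, here is an added example that is not code from the original post. It models the MIC comparison with the real integrity-level SIDs and the label policy bits (No-Write-Up, No-Read-Up, No-Execute-Up) that Windows stores in the object's SACL, and it parses the `Mandatory Label\... Mandatory Level:(...)` lines that `icacls` prints for labeled objects so that you can ask "which of these paths could a Low-IL process write?". It is a simplified model, not a call into the Windows access-check API (real Windows also counts DELETE, WRITE_DAC and WRITE_OWNER as writes and special-cases process objects); the icacls lines in SAMPLE_ICACLS are constructed in the format icacls uses, not captured from a machine, and `C:\Secrets` is a hypothetical High-labeled folder.

```python
# Added example (not from the original post): a model of the Mandatory
# Integrity Control check, using the real integrity-level SIDs and label
# policy bits. Runs anywhere; it does not call the Windows access-check API.
import re

# Integrity-level SIDs are S-1-16-<RID>; a larger RID is a higher level.
INTEGRITY_SIDS = {
    "Untrusted": "S-1-16-0",
    "Low": "S-1-16-4096",
    "Medium": "S-1-16-8192",
    "High": "S-1-16-12288",
    "System": "S-1-16-16384",
}

# Mandatory-label policy bits (SYSTEM_MANDATORY_LABEL_* in winnt.h) and the
# letters icacls prints for them.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
ICACLS_POLICY = {"NW": NO_WRITE_UP, "NR": NO_READ_UP, "NX": NO_EXECUTE_UP}

# Generic access rights (winnt.h).
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000

# An object with no label is treated as Medium with No-Write-Up.
DEFAULT_LABEL = (INTEGRITY_SIDS["Medium"], NO_WRITE_UP)

_LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))+)")


def il_rid(sid):
    """Integrity-level RID of an S-1-16-* SID."""
    if not sid.startswith("S-1-16-"):
        raise ValueError("not an integrity-level SID: " + sid)
    return int(sid.rsplit("-", 1)[1])


def parse_icacls_label(line):
    """Turn one icacls output line into (label_sid, policy_bits), or None when
    the line carries no mandatory label (the object then gets DEFAULT_LABEL)."""
    m = _LABEL_RE.search(line)
    if not m:
        return None
    flags = re.findall(r"\(([A-Z]+)\)", m.group(2))  # e.g. ["OI", "CI", "NW"]
    policy = 0
    for f in flags:
        policy |= ICACLS_POLICY.get(f, 0)  # OI/CI are inheritance flags, not policy
    return INTEGRITY_SIDS[m.group(1)], policy


def mic_allows(subject_il_sid, desired_access, label=None):
    """Simplified MIC check: a subject at or above the object's level passes
    (the DACL then decides); a lower subject is refused only the access
    classes the label's policy forbids."""
    label_sid, policy = label or DEFAULT_LABEL
    if il_rid(subject_il_sid) >= il_rid(label_sid):
        return True
    if desired_access & GENERIC_WRITE and policy & NO_WRITE_UP:
        return False
    if desired_access & GENERIC_READ and policy & NO_READ_UP:
        return False
    if desired_access & GENERIC_EXECUTE and policy & NO_EXECUTE_UP:
        return False
    return True


# Constructed sample in the shape of `icacls <path>` output (not captured from
# a real machine); C:\Secrets is a hypothetical High-labeled folder.
SAMPLE_ICACLS = {
    r"C:\Users\bob\AppData\LocalLow":
        r"C:\Users\bob\AppData\LocalLow Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)",
    r"C:\Users\bob\Documents":
        r"C:\Users\bob\Documents NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    r"C:\Secrets":
        r"C:\Secrets Mandatory Label\High Mandatory Level:(OI)(CI)(NW)(NR)",
}


def writable_from(level_name, icacls_output=SAMPLE_ICACLS):
    """Paths a process at the given integrity level could write, per MIC alone."""
    il = INTEGRITY_SIDS[level_name]
    return sorted(path for path, line in icacls_output.items()
                  if mic_allows(il, GENERIC_WRITE, parse_icacls_label(line)))


if __name__ == "__main__":
    for level in ("Low", "Medium", "High"):
        print(level, "can write:", writable_from(level))
```

On a real Vista box the inputs come from `icacls "%USERPROFILE%\AppData\LocalLow"` and `whoami /groups` (which lists the token's own `Mandatory Label\... Mandatory Level` entry); the model then answers the same question the text poses for LoRIE: a Low-IL iexplore.exe can write only where a Low label with No-Write-Up has been placed, while every unlabeled object defaults to Medium and rejects the write, even if the DACL would have allowed it.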
In the Vista release, provisions are in place to allow unmarked code to run with administrative
privileges (for example, installer detection prompts for elevation based on heuristics such as
the executable's file name). In future releases, the only way to run an application elevated
will be to have a signed manifest that identifies the privilege level the application needs.
UAC can be disabled system-wide under the User Accounts Control Panel, Turn User Account Control
Off setting. Be aware that turning UAC off also turns off Protected Mode in Internet Explorer,
since LoRIE depends on the same integrity-level machinery.
Security researcher Joanna Rutkowska wrote some interesting criticisms of UAC and
MIC in Vista at http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html.
Windows technology guru Jesper Johansson has written some insightful
articles on UAC in his blog at http://msinfluentials.com/blogs/jesper/.
