Windows Vista for Developers – Part 4 – User Account Control, by Kenny Kerr
Windows Vista for Developers – Part 4 – User Account Control
Since the release of Windows 2000, the developers working on Windows have been trying to create an environment where users can work safely and securely. Windows 2000 introduced techniques for creating restricted tokens that can effectively limit the permissions and privileges afforded to an application. Windows XP introduced further improvements but it has simply not been pervasive enough to make any real difference for the average user... until now. Whatever your initial reaction, User Account Control (UAC) is here to stay and really isn't as bad as critics make it out to be. As developers we have a responsibility to embrace it so that the applications we develop don't annoy and desensitize our users with needless prompts.

In this part 4 of the Windows Vista for Developers series, we are taking a practical look at UAC and specifically what can be done programmatically with respect to elevation and integrity control.
What is security context?

Security context refers to those things that define and constrain what a process or thread can do in terms of permissions and privileges. A security context on Windows is defined in terms of a logon session and these are manipulated via tokens. As its name suggests, a logon session represents a specific session on a single computer for a given user. Programmers interact with logon sessions by means of tokens. Any number of tokens can be created that refer to the same logon session. These tokens can offer different sets of permissions and privileges based on a subset of those provided by the logon session. This is really the key to how UAC works, or at least a big part of it.
So how does UAC work?

On Windows Vista there are two predominant types of user accounts, standard users and administrators. The first user account that you create will be an administrator, at least initially, and any subsequent user accounts will be standard users by default. Standard user accounts are for those people who you do not trust with complete control over the computer. Administrator accounts are for those users who also enjoy complete control over the computer. Unlike previous versions of Windows, you don't have to log on as a standard user to protect yourself from malicious code that may find its way to your computer. The logon sessions created for standard users and administrators are equally capable of protecting you from such threats.

When a standard user logs on to a computer a new logon session is created and they are presented with a shell application such as Windows Explorer that was created by the system and associated with the user's newly created logon session by means of a token. This effectively limits what the user can do since Windows Explorer can only run those applications and access those resources that the user's logon session permits based on the permissions and privileges specified by the token.

When an administrator logs on to a computer things are a little different and this is where Windows Vista differs dramatically from previous versions. Although the system creates a new logon session, it creates not one but two different tokens representing the same logon session. The first token grants all the permissions and privileges afforded to the administrator while the second token is a restricted token, sometimes called a filtered token, offering far fewer permissions and privileges. This restricted token offers practically the same capabilities and constraints as would be granted to a standard user. The system then creates the shell application using the restricted token. This means that although the user is logged on as an administrator, applications are by default run with limited permissions and privileges.

When the administrator needs to perform some task that requires additional permissions or privileges not granted to the restricted token, he or she can elect to run an application using the full security context provided by the unrestricted token. What protects the administrator from malicious code is that this elevation to the unrestricted token is only allowed after the administrator has confirmed the desire to use the unrestricted token by means of a secure prompt provided by the system. Malicious code cannot suppress this prompt and thereby gain complete control over the computer without the user's knowledge.
As I hinted at before, restricted tokens are not new to Windows Vista, but it is in Windows Vista that they are finally being used in an integrated way in the shell to provide a more secure environment for users to work (and play).
Restricted tokens

Although you will typically not have to create restricted tokens yourself, it is useful to understand how it's done so that you have a better idea of what is being done on your behalf and so that you can have more insight into the environment in which your application will run. As a developer you may also find yourself needing to create an even more restrictive environment than what is provided by UAC, in which case knowing how to create restricted tokens is a must.
The aptly named CreateRestrictedToken function creates a new token that is a duplicate of an existing token with certain restrictions. This function can restrict the token in a number of ways:

• By specifying deny-only security identifiers (SIDs) that can only be used to deny access to securable resources.
• By specifying restricting SIDs that will be used as an additional access check.
• By deleting privileges.
The restricted token used by UAC is created by adding deny-only SIDs and deleting privileges. Restricting SIDs are not used. Let's walk through a simple example. The first thing we need is a token to duplicate and restrict. Let's grab the process token:
    CHandle processToken;

    // TOKEN_DUPLICATE is needed by CreateRestrictedToken, TOKEN_ASSIGN_PRIMARY
    // so the result can later be used as a primary token for a new process.
    VERIFY(::OpenProcessToken(::GetCurrentProcess(),
                              TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY,
                              &processToken.m_h));
Next we need an array of SIDs to disable. This ensures that they can never be used to allow access. The following code uses my handy WellKnownSid class to construct the SID for the built-in Administrators group. The WellKnownSid class is available with the download for this article.
    WellKnownSid administratorsSid = WellKnownSid::Administrators();

    SID_AND_ATTRIBUTES sidsToDisable[] =
    {
        administratorsSid, 0
        // add additional SIDs to disable here
    };
Next we need an array of privileges to delete. We first need to look up the privilege's LUID value:

    LUID shutdownPrivilege = { 0 };

    VERIFY(::LookupPrivilegeValue(0, // local system
                                  SE_SHUTDOWN_NAME,
                                  &shutdownPrivilege));

    LUID_AND_ATTRIBUTES privilegesToDelete[] =
    {
        shutdownPrivilege, 0
        // add additional privileges to delete here
    };
Finally, we can call CreateRestrictedToken to create the restricted token:

    CHandle restrictedToken;

    VERIFY(::CreateRestrictedToken(processToken,
                                   0, // flags
                                   _countof(sidsToDisable),
                                   sidsToDisable,
                                   _countof(privilegesToDelete),
                                   privilegesToDelete,
                                   0, // number of SIDs to restrict
                                   0, // no SIDs to restrict
                                   &restrictedToken.m_h));
The resulting token's group SIDs will have an entry for the built-in Administrators group with the SE_GROUP_USE_FOR_DENY_ONLY flag, making sure that the SID is used to deny access but not to allow access. The token will also be stripped of the SeShutdownPrivilege privilege, ensuring that the token cannot be used to restart, sleep, or shut down the computer.
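As an added check (example code written for this edit, not part of Kenny Kerr's article or its download), the following PowerShell reads the current process's groups and privileges through whoami's CSV output and reports whether it is running under a filtered administrator token, that is, one whose built-in Administrators SID carries the deny-only attribute described above. It assumes only whoami.exe and the well-known Administrators SID S-1-5-32-544.

```powershell
# Added example: classify the current process token the way the article describes
# UAC's filtered token (deny-only Administrators SID, reduced privilege set).
function Get-TokenRestrictionReport {
    # whoami /groups /fo csv columns: "Group Name","Type","SID","Attributes"
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    # whoami /priv /fo csv columns: "Privilege Name","Description","State"
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv

    $adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $admins    = $groups | Where-Object { $_.SID -eq $adminsSid }

    # Groups flagged SE_GROUP_USE_FOR_DENY_ONLY appear as "Group used for deny only".
    $denyOnly = @($groups | Where-Object { $_.Attributes -match 'deny only' })

    $state = if (-not $admins) {
                 'StandardUser'            # not a member of Administrators at all
             } elseif ($admins.Attributes -match 'deny only') {
                 'FilteredAdministrator'   # UAC restricted token: admin SID can only deny
             } else {
                 'ElevatedAdministrator'   # full token (elevated, or UAC disabled)
             }

    [pscustomobject]@{
        TokenState          = $state
        DenyOnlyGroups      = $denyOnly.'Group Name'
        EnabledPrivileges   = @($privs | Where-Object State -eq 'Enabled').'Privilege Name'
        DisabledPrivileges  = @($privs | Where-Object State -eq 'Disabled').'Privilege Name'
        # True if SeShutdownPrivilege is still present in the token (enabled or not)
        HasShutdownPrivilege = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeShutdownPrivilege' })
    }
}

Get-TokenRestrictionReport | Format-List
```

Run it once from a normal console and once from an elevated one: the same logon session reports FilteredAdministrator in the first and ElevatedAdministrator in the second, with a visibly longer privilege list, which is the two-token arrangement the text describes.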
Ifth