Date post: | 05-Jan-2016 |
Category: |
Documents |
Upload: | kristopher-riley |
View: | 231 times |
Download: | 4 times |
Agenda
Why aren’t applications compatible with Windows?Windows 7 compatibility changesCompatibility guidelinesCompatibility diagnosticsWindows 7 Logo requirements
Why Aren't Applications Compatible?
Things change between releasesOS version number, structure of internal data types, registry keys, order of events …
Knowingly breaking changesUser Account Control
User experience changesHigh DPI
Why Not Administrator?
The Administrator account goes down in Windows history
Greater attack surface (security)Bigger TCO (users break their PCs)Less manageable (users change policy)
The Standard User is usually enough!
Slowly Moving…
Windows XP is generally unusable as Standard UserWindows Vista SP1, Windows 7 eliminate privileged operationsWhat can a standard user do?
Write files, connect to the network, change display settings, change the time zone, install trusted applications …
What can’t a standard user do?Write to sensitive registry locations, install unsigned device drivers, change the time …
Debunking Some Myths
88% of users have UAC enabled
60-80% don’t see a single UAC prompt within a single session
08/07 – 08/08 time period: Four times less (!) UAC prompts from applications
The Meaning of UAC
Three types of users:“True admin” – elevated privileges all the timeStandard user – no elevated privileges at all“UAC admin” – token is filtered at login time and linked to an elevated token
UAC is an intermediate step!Ultimately, all users must run as standard user
Mandatory Integrity Control (MIC)
• Traditional NT security model revolves around process token
• Windows Vista/Win7 enhances this with MIC:• Each process gets a MIC level• All resources get a MIC level (medium is
default)
• There are four levels:• 0: Low • 1: Medium • 2: High• 3: System
MIC and Securable Objects
Types of Elevation
Over-The-Shoulder elevation:
Full admin elevation:
Types of Elevation
A part of Windows:
Other (verified) publisher:
Types of Elevation
Unverified publisher:
Fine-Grained Control Over UAC
Windows Vista UAC can be on or off
Grater control through Registry
Windows 7 introduces granular prompt levels
You Don’t Want Privilege
Avoid elevated operations!Annoying promptsCosts you all standard-user customersVulnerabilities are escalatedAttackers target your products
Removing Unecessary Elevation
Administrator OnlyStandard User
Compliant
Writing to HKLM Writing to HKCU
Writing to C:\, Program Files, C:\Windows, C:\Temp
Writing to user local AppData, temporary path or documents folder
Always ask for GENERIC_ALL access mask
Ask for minimum required privileges
Refuse to launch if not elevated
Disable parts of functionality
Designing for UACRemoving Privileges
Best case: Your application runs 100% fine as standard user
Remove operations that require unnecessary privileges
Does your application need to write to C:\?Does your application need to store its settings in HKLM?
Do elevated work at install-timeInstall for the requesting user
Designing for UACRefactoring Elevation
Factor the operation into a separate process (or out-of-process COM object)Identify the operation with a Shield icon
Designing for UACRefactoring Elevation
Ensure that the low-privilege application can’t be externally abused
E.g. malware pressed buttons and causes high-privilege operations in an elevated processHave the high-privilege process present the user interaction
Factor out to a service or taskSecure the communications channel (don’t talk to strangers)
Designing for UACAdmin-Only Applications
Administrator-only applications should prompt for elevation when launched
Fail gracefully, allow for OTS elevation
Add a manifest to your application requesting elevated privileges
Ask for privilege onceE.g. Vista Windows Explorer made this mistake with file operations
UAC Application Manifest<?xml version="1.0" encoding="utf-8" ?><assembly xmlns="urn:schemas-microsoft-com:asmv.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="AppName" type="win32" /> <description>App Description</description> <trustInfo xmlns="urn:schemas-microsoft.com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" /> </requestedPrivileges> </security> </trustInfo></assembly>
requestedExecutionLevel
requireAdministrator
highestAvailable
asInvoker
Embedding the Manifest
Visual Studio 2008 can embed it for you
C++ projects have a special UAC combo boxC# or VB.NET projects need to edit the XML file manually
Use an embedding tool such as mt.exeUse the UAC Helpers library (CodePlex)Use the Windows Vista Bridge
Launching an Elevated Process
You can’t elevate a running processPreferably use manifests to request elevation
In other scenarios, the ShellExecute “runas” verb forces an elevation request
Even if there is a manifest that says “asInvoker”
For COM out-of-process objects, use CoCreateAsAdmin
Launching an Elevated ProcessManaged CodeProcess proc = new Process();proc.StartInfo = new ProcessStartInfo();proc.StartInfo.UseShellExecute = true;proc.StartInfo.Verb = “runas"; proc.StartInfo.FileName = @“C:\Windows\Notepad.exe"; proc.Start();
Detecting Elevation
UacHelpers.IsCurrentProcessElevatedUacHelpers.IsUacEnabledUacHelpers.IsUserAdmin
UAC Virtualization
For compatibility purposes, some privileged operations are redirected
%UserProfile%\AppData\Local\VirtualStoreHKCU\Software\Classes\VirtualStore
(Some) installers are auto-detectedApplications with a manifest do not get virtualization64-bit applications do not get virtualizationGenerally, don’t rely on it!
Can break in so many ways
Windows 7 Breaking ChangesDPIDPI (Dots Per Inch) settings are per-
user, require logoff/logon (not reboot)Windows 7 clean install heuristically chooses proper DPI
The user doesn’t have to opt-in to high DPI
Declare applications to be DPI-awareUse manifest (preferred)SetProcessDPIAware
High DPI Issues
Clipped text Layout issues and image size
issues
Pixilated bitmaps
Layout issues
Blurry UI
Mismatched font sizes
Windows Compatibility
Windows makes every effort!Thousands of applications have “compatibility shims” applied by the systemEven more applications are thoroughly tested
Windows 7 (32-bit) can still run 16-bit MS-DOS programs
Almost 25 years later!Most applications work just fine on new Windows versionsSome don’t
The Version Check
Do NOT check the version of Windows and refuse to run (Windows 7 Logo requirement)Check for features, not versions
Support backward: Disable featuresSupport forward: Check for version ≥
Windows 7 Breaking ChangesMail and Internet ExplorerWindows Mail is deprecated
Including APIs to launch Outlook Express, etc.Replaced by Windows Live Mail
Internet Explorer 8 out-of-the-boxCompatibility with standards, incompatibility with websitesIE7 emulation mode (Compatibility View)Intranet sites in compatibility mode by defaultPages/servers can detect IE8 and request compatibility mode/render standard content
64-Bit Windows
Applications on 64-bit Windows have to be extra careful32-bit applications run in a virtualized environment (WOW64)
File system redirection, registry redirectionRegistry reflection (COM server nodes)
Two versions of the registryTwo versions of Program FilesTwo versions of System32 (SysWOW64)
Windows 7 Breaking ChangesLibrariesA library can be selected instead of a
folderE.g. in common file dialogs
Ask the library for its default save locationAsk the common file dialog to provide only file-system locations
Less user-friendly, means user has to navigate to a specific folder instead of a library
Due to Libraries internal structure, users may NOT KNOW the specific folder
General Compatibility Guidelines
Compatible Might Be a Hack
Configuration APIs Change registry values
GetKnownFolder(…) Hard-code system paths
Consider future error codes
AppInit_DLLsPatch OS binaries
Target 32-bit and 64-bit
Repackage redistributables
Let The System Know!
Tell Windows which OS version your application was designed for
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application>
<supportedOS Id="{77777777-7777-7777-7777-777777777777}"/> <supportedOS Id="{66666666-6666-6666-6666-666666666666}"/> </application> </compatibility></assembly>
Compatibility Diagnostics
Application Compatibility ToolkitAn extensive set of tools for diagnosing and fixing compatibility problems
Includes management of organization-wide compatibility fixes
Includes Standard User Analyzer, Internet Explorer Compatibility Test Tool and many others
Administering Compatibility
Examples of Shims
Shims = compatibility fixesRedirect registry accessRedirect file system accessOS version lieLegacy graphics mode emulation…hundreds of others!
ACT generates an SDB fileInstall on end-user’s machine using sdbinst (part of Windows)
End-User Solutions
Shortcut “Compatibility” tab
Compatibility troubleshooter
Reproducing Problems
Problem Steps Recorder can be an invaluable tool
Windows 7 Logo RequirementsWord of AdviceIf you’re compliant with the Windows
Vista logo, you’re ready for Windows 7
Even if you’re not planning to apply, the Logo requirements make senseLogo requirements better application!
Reduce helpdesk and support costsHappier users
IT – easier install and managementEnd users, better experiences
Windows 7 Logo RequirementsGeneral RequirementsProvide Microsoft with a copy of the
software for testing purposesAgree to a 30-90 day resolution policy for issues with Logo’d productsOpt in to receive communications from Microsoft regarding the Logo’d products
Windows 7 Logo RequirementsGeneral RequirementsDo not distribute malware or spyware
Do not modify WRP protected resourcesRegister for the WinQual portalInstall and uninstall cleanlyInstall to the correct foldersSupport Windows x64Follow UAC guidelinesDo not load drivers and services in Safe Mode
Windows 7 Logo RequirementsGeneral RequirementsDigitally sign files with Authenticode
Do not check the OS versionPrevent unnecessary rebootsSupport multi-user sessionsPass Application Verifier tests
Application Compatibility
…everything you were afraid to ask
Q&A
Summary
Why aren’t applications compatible with Windows?Windows 7 compatibility changesCompatibility guidelinesCompatibility diagnosticsWindows 7 Logo requirements
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.