Windows Vista 的使用者帳號控制(UAC) 謝合宜 微軟特約技術顧問 MCSE : Security/Messaging MVP/MCT

預備知識 熟悉使用者帳號觀念 熟悉群組原則的使用 熟悉Windows作業系統的操作與管理 Level 200

講題大綱 使用者帳號控制 What? Why? How it work? 程式相容的後續

什麼是User Account Control? Windows Vista的系統基礎技術 所有使用者都是以“標準使用者”(standard user)來執行程式與設定工作 限制使用者權限的被使用 協助更好的環境管理與減少惡意程式的危害 將使用者分成兩個層次： 標準使用者 管理員 不再利用 Power User

使用者帳號控制的刺激 在Windows XP，很多人都是用管理員權限來執行系統 以標準使用者來執行系統的好處極多 應用程式安裝 ActiveX Control 減少管理負擔 以標準使用者來執行系統的好處極多 大部分的軟體不需要以管理員的權限來執行 惡意程式太多了……

標準使用者的好處 安全 總體擁有成本 管理承諾 避免惡意程式的安裝 減少惡意程式所造成的影響 強迫的安全原則設定 電腦環境是可控制的狀態 二○一九年四月十三日 標準使用者的好處 安全 總體擁有成本 管理承諾 避免惡意程式的安裝 減少惡意程式所造成的影響 強迫的安全原則設定 電腦環境是可控制的狀態 減少系統重建的需求 強迫一致的安全管制原則 更低的系統不穩與更高的生產力 安全基礎是美國 HIPAA 資訊安全規範 與SOX(企業安全內控法案)的必要需求 保護智慧財產與個人資訊 避免安裝未經授權的軟體 6 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

標準使用者部署的瓶頸 使用者能夠不經協助來完成本身所需的工作處理嗎?(網路連結設定、印表機設定等等) 二○一九年四月十三日 標準使用者部署的瓶頸 使用者能夠不經協助來完成本身所需的工作處理嗎?(網路連結設定、印表機設定等等) 其他廠商的軟體與目前企業正使用的軟體能夠以”標準使用者”來執行嗎? 企業是否有足夠的技術人力與管理工具、安全原則來完成所需的管理員權限相關的管理工作? 7 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Administrative Rights UAC的架構 Standard User Rights Administrative Rights User Admin logon Admin Token “Standard User” Token

Administrative Rights UAC的架構 Standard User Rights Administrative Rights Standard User Mode 修改時區 執行被允許的應用程式 安裝字型 安裝印表機 執行MSN Messenger 建立網路連線 建立無線連結 使用同步中心 修改顯示設定 標準使用者權限 User

Administrative Rights UAC的架構 Standard User Rights Administrative Rights Admin Privileges 標準使用者權限 修改時區 執行被允許的應用程式 安裝字型 安裝印表機 執行MSN Messenger 建立網路連線 建立無線連結 使用同步中心 修改顯示設定 Admin Process Change Time Admin Privilege User Admin Process Configure IIS Admin Privilege Admin Process Install Application Admin Privilege

UAC的使用例子 <SLIDETITLE INCLUDE=7>User Account Control Sample</SLIDETITLE> <KEYWORDS>Security, Advanced Options, UAC</KEYWORDS> <KEYMESSAGE>Running programs with elevated permissions</KEYMESSAGE> <SLIDEBUILDS>1</SLIDEBUILDS> <SLIDESCRIPT> The shield icon appears next to any task requiring elevated permissions. For example, an end user accessing Advanced System Settings, Hardware, Backup and Restore, or Change settings would be prompted for administrative credentials. On the other hand, because of a feature called Admin Approval Mode, administrator accounts would be prompted for permission to allow the program to run. [BUILD1] As you work through the various user interfaces for advanced options, for example, Windows Vista will continue to prompt you for permission to run any application or system component that requires elevated permissions. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>In Windows Vista, Standard User accounts have been given additional privileges that users require to perform common tasks, without needing helpdesk support.</TRANSITION> <TRANSITION LENGTH=2>In Windows Vista, Standard User accounts have been given additional privileges that users require to perform common tasks, without needing helpdesk support.</TRANSITION> <TRANSITION LENGTH=4>In Windows Vista, Standard User accounts have been given additional privileges that users require to perform common tasks, without needing helpdesk support.</TRANSITION> </SLIDETRANSITION> <COMMENT></COMMENT> <ADDITIONALINFORMATION> <ITEM>http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx#E4B</ITEM> </ADDITIONALINFORMATION>

Admin Approval Mode 作業系統應用程式 有簽署的應用程式 沒有簽署的應用程式

(Application Information Service) 權限提昇(Elevation) 管理員權限 AIS (Application Information Service) 起始權限提昇的提示 管理員帳號 標準使用者帳號 標準使用者權限 (預設值)

使用者帳號控制

講題大綱 使用者帳號控制 What? Why? How it work? 程式相容的後續

File and Registry Virtualization 有安全的疑慮 效能降低 需要訓練使用者 應用程式衝突的問題 File/Registry Virtualization C:\Program Files\ FILE1.DAT FILE1.DAT \User Profile\

使用相容性標籤

Marking Apps with Execution Level 設定Pre-Windows Vista應用程式來與UAC相容 @ ACT RunAsUAC RunAsHighest RunAsAdmin

UAC工具 Application Verifier UAC Predictor 部署與測試用的工具 協助監控作業系統的使用情形 提供指南 Application Verifier plug-in Built-in feature of Windows Vista

Windows Vista Logo Program <SLIDETITLE INCLUDE=7>Windows Vista Logo Program</SLIDETITLE> <KEYWORDS>Vista Logo Program, Application Compatibility</KEYWORDS> <KEYMESSAGE>Information about the Windows Vista Logo program</KEYMESSAGE> <SLIDEBUILDS>5</SLIDEBUILDS> <SLIDESCRIPT> Microsoft offers the Windows Vista Logo program to help customers identify systems and peripherals that meet a comprehensive baseline definition of platform features and quality goals to ensure a great computing experience for end users. [BUILD1] Building products that meet logo requirements will enable you to differentiate your product with a powerful message. Products that bear the Windows Vista Logo communicate to customers that the product has met Microsoft quality standards and deliver a quality Windows Vista experience. Two distinct logos - Windows Vista "Standard" and Windows Vista "Premium" - will clearly convey the customer's opportunity to choose a product that best suits their requirements. [BUILD2] In a Microsoft research study conducted in 2004, over 76 percent of consumers reported that it was "important" to them to purchase products that display the "Designed for Windows XP" logo. Products carrying the Windows Vista logo will receive additional benefits through increased customer awareness and perceived value. [BUILD3] Microsoft is committed to conducting high-impact marketing activities that drive market demand for products bearing the Windows Vista Logo. A major awareness initiative will kick off at launch and continue to sustain enthusiasm over the long haul. [BUILD4] The logo will make it easier for customers to select and purchase products by clearly indicating an association with one of the strongest, well-known brands in the world - Windows. The Windows Vista Logo will make it easier for customers to confidently select and purchase hardware and software products that work with Windows Vista. [BUILD5] For more information on the Windows Vista Logo program, please check the Microsoft website. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH= 1>Developing an application that is not standard user mode-compatible and opens up vulnerabilities as a result of not adhering to Microsoft security guidelines will leave an ISV's customers vulnerable to malware attacks.</TRANSITION> <TRANSITION LENGTH= 2>Developing an application that is not standard user mode-compatible and opens up vulnerabilities as a result of not adhering to Microsoft security guidelines will leave an ISV's customers vulnerable to malware attacks.</TRANSITION> <TRANSITION LENGTH= 4>Developing an application that is not standard user mode-compatible and opens up vulnerabilities as a result of not adhering to Microsoft security guidelines will leave an ISV's customers vulnerable to malware attacks.</TRANSITION> </SLIDETRANSITION> <COMMENT></COMMENT> <ADDITIONALINFORMATION> <ITEM>http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx#ECF</ITEM> </ADDITIONALINFORMATION> % of consumers report logo is important http://www.microsoft.com/whdc/winlogo

權限提昇的同意原則(Consent Policy)

UAC的群組原則控制

講題總結 UAC是安全改善的基礎技術 可透過群組原則來定義UAC的使用方式 需要程式開發的配合

For More Information… TechNet Windows Vista www.microsoft.com/taiwan/technet Windows Vista www.microsoft.com/taiwan/windowsvista Windows Vista: Resources for IT Professional www.microsoft.com/technet/windowsvista/default.mspx MVP Community社群網站 www.microsoft.com/taiwan/community

緊接的 Vista 講題 8/22 Windows Vista 的用戶端零接觸部署 九月份 9/19~21 Tech．Ed 2006 Taiwan http://www.microsoft.com/taiwan/events/teched2006/