
Windows moving to "Adminless" accounts, Win32 App Isolation & Reputation-based security

Hawx

Summary

A recent presentation by David Weston, Director of OS Security at Microsoft, has managed to fly under the radar, but contains loads of information about the future security state of Windows along with upcoming features to support this state. There's quite a lot of information in the video that I'll attempt to summarize here, although I'd suggest giving it a watch if you're in the Development/Infosec/IT space.

 

  • Windows 11 has provided a hardware security baseline for Microsoft, with features that require hardware support (HVCI, TPM, etc.) to be enabled by default going forward, stating that Windows 10's strategy of off-by-default was a failure.
  • Admin accounts are a continued security problem within the Windows ecosystem, so a future version of Windows will be adding a new "Adminless" account model with Linux-like just-in-time escalation. This new model intends to provide a secure middle-ground between the frustrations of a standard user account and the security risks of an Admin account. "Adminless" accounts will run as a "less privileged" user by default and prompt users with Windows Hello when an application requires escalation for a given operation, rather than permanently running the account as a standard or admin user.
  • Win32 Applications will be bundled under the new Win32 App Isolation model in an attempt to prevent privilege escalation if an application is compromised/exploited, meaning that:
    • The application registry and file system will be virtualized, resulting in clean uninstalls.
    • The application specifies what permissions it requires when packaged and said permissions will integrate within Windows (similar to UWP apps)
    • Applications will still have full access to the system, but restricted by what permissions were declared with the manifest, ie a notepad app should not have permissions to access your webcam.
    • The MSIX packager will automatically analyze the application behavior and work out a permissions baseline for the developer to make the move as easy as possible.
    • A full demo of Notepad++ running with this sandbox enabled was shown to demonstrate that all existing win32 features are supported.
  • Inspired by what third-party AVs already do, Smart App Control is going to be rolled out, working as a cloud-driven reputation system to only permit signed and/or well-known high-reputation software from running. SAC is intended to prevent zero-day exploits from spreading before Defender has received updated definitions. This will be rolled out by default depending on what software someone uses. For example, if you use IDEs or other technical tools it'll be disabled, whilst someone that only uses Chrome and Spotify will have it enabled. The system can be disabled in a single click if required. (Note: this feature is already available in some markets for fresh Windows 11 installs)
  • TPMs within the ecosystem are not in a healthy state, with telemetry telling Microsoft that many are running vulnerable firmware due to manufacturers not pushing out updates, and some being inoperable due to hardware failures or other issues. Microsoft is working on its Pluton security chip to replace/augment the existing TPM ecosystem and have the ability to push out firmware updates via Windows Update.
  • Software/Hardware mitigations are reaching the end of the road in terms of viability. Microsoft is now focused on eliminating classes of security bugs with extensive R&D going into the use of Memory-safe languages (Rust) in areas of the system that exploits often appear in:
    • To prove it out, the font analysis/rendering subsystem was rewritten over 6 months from 96k lines of C++ to 152k lines of Rust. This has also improved performance by 5%-15%.
    • Parts of Win32k GDI have also been rewritten in Rust and will be shipping with an upcoming Insider build of Windows.

 

Quotes

Slide dumping a bit here as they're more useful than anything I could quote from the talk.

[Five slide images from the presentation; see the slide deck linked under Sources.]

 

My thoughts

I believe the adminless account model will be a massive improvement for ecosystem security without annoying users like with previous attempts. Smart App Control also appears fine to enable for the vast majority of users that do nothing more than browse the internet with their computers and should be able to prevent a whole class of zero-day attacks.

 

Sources

Presentation slides: https://github.com/dwizzzle/Presentations/blob/master/David Weston - Windows 11 Security by-default - Bluehat IL 2023.pdf

 

 

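As an added example (not from the talk or from Hawx's post), here is a read-only PowerShell check of where a Windows 11 machine stands today on the items summarized above: VBS/HVCI state, TPM presence and vendor firmware version, Smart App Control state, and who holds local admin. The WMI/CIM classes used are documented Windows classes; the registry value used for the Smart App Control state is my assumption based on Microsoft's deployment guidance and may differ between builds, so treat that part as a hint rather than an authority. Run from an elevated session.

```powershell
# Added example: posture check for the Windows 11 "security by-default" baseline.
# Read-only; nothing here changes configuration.

function Get-VbsPosture {
    # Win32_DeviceGuard: SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }
    [pscustomobject]@{
        VbsStatus       = $vbs
        HvciRunning     = [bool]($dg.SecurityServicesRunning -contains 2)
        CredentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

function Get-TpmPosture {
    # Win32_Tpm exposes the spec version and the vendor firmware version. The talk's
    # point was that many TPMs sit on old vendor firmware that OEMs never update, so
    # FirmwareVersion is the field to compare against the vendor's current release.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return [pscustomobject]@{ Present = $false } }
    [pscustomobject]@{
        Present         = $true
        Enabled         = $tpm.IsEnabled_InitialValue
        Activated       = $tpm.IsActivated_InitialValue
        Owned           = $tpm.IsOwned_InitialValue
        SpecVersion     = $tpm.SpecVersion        # e.g. "2.0, 0, 1.59" for a TPM 2.0 part
        Manufacturer    = $tpm.ManufacturerIdTxt
        FirmwareVersion = $tpm.ManufacturerVersion
    }
}

function Get-SmartAppControlPosture {
    # ASSUMPTION: SAC state is stored under the Code Integrity policy key as
    # VerifiedAndReputablePolicyState, with 0 = Off, 1 = Enforce, 2 = Evaluation.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $val = (Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    switch ($val) { 0 { 'Off' } 1 { 'Enforce' } 2 { 'Evaluation' } default { 'NotPresent' } }
}

function Get-AdminPosture {
    # The "Adminless" bullet is about day-to-day use of admin-level accounts.
    # Report who sits in the local Administrators group and whether this session is elevated.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    [pscustomobject]@{
        CurrentUser       = $id.Name
        SessionElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        LocalAdminMembers = $members
    }
}

$report = [ordered]@{
    VBS   = Get-VbsPosture
    TPM   = Get-TpmPosture
    SAC   = Get-SmartAppControlPosture
    Admin = Get-AdminPosture
}

foreach ($entry in $report.GetEnumerator()) {
    Write-Host "== $($entry.Key) =="
    $entry.Value | Format-List
}
```

A machine that matches the talk's intended default will show VbsStatus Running with HvciRunning True, a TPM 2.0 part whose FirmwareVersion matches the vendor's current release, and only the accounts that genuinely need it in LocalAdminMembers; an everyday account appearing there is exactly the situation the "Adminless" model is meant to replace.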

15 minutes ago, TrigrH said:

 About time.

I have borked the registry on so many installs of Windows due to how poorly most programs uninstall.


1 hour ago, Hawx said:

Microsoft is working on its Pluton security chip to replace the existing TPM ecosystem and have the ability to push out firmware updates immediately.

Excellent way to bork your hardware.

1 hour ago, Hawx said:

Win32 Applications will be bundled under the new Win32 App Isolation model in an attempt to prevent privilege escalation if an application is compromised/exploited

Won't that create software compatibility issues? There are cases where multiple pieces of software work together, and that can possibly bork it.


3 minutes ago, Vishera said:

"Adminless" accounts like on Android?

Won't that make the OS more closed down and more difficult to do power user things?

The only change is that when applications require admin escalation you will be asked instead of applications being given free rein by default. The goal here is to stop applications having unnecessary privileges and becoming an exploit/escalation risk, not to stop users doing what they like. 


1 hour ago, Hawx said:
  • The application registry and file system will be virtualized, resulting in clean uninstalls.

Is it just the system or is the app run virtualised? I think app virtualisation was talked about before and the concern was a possible performance hit.

 

1 hour ago, Hawx said:
  • The application specifies what permissions it requires when packaged and said permissions will integrate within Windows (similar to UWP apps)
  • Applications will still have full access to the system, but restricted by what permissions were declared with the manifest, ie a notepad app should not have permissions to access your webcam.

Is this present in existing software?

What's to stop a dev asking for more than they need?

I guess the above is to prevent the user from getting bombarded by permission requests as can be the case on Android, but then it comes down to who gets to control what and when.

 

1 hour ago, Hawx said:
  • Inspired by what third-party AVs already do, Smart app control is going to be added, working as a cloud-driven reputation system to only permit signed and/or well-known high-reputation software from running. This will be rolled out by default depending on what software someone uses. For example, if you use IDEs or other technical tools it'll be disabled, whilst someone that only uses Chrome and Spotify will have it enabled. The system can be disabled in a single click if required.

This sounds like a real pain and may be something I turn off quickly on a new install, like I do with UAC. A similar feature on Chrome already causes problems sometimes. Uncommon software will become harder to use, such as software for niche use cases by power users that accesses hardware or software at a lower level. Many are already flagged as false positives/PUPs by traditional AV software.

 

1 hour ago, Hawx said:
  • TPMs within the ecosystem are not in a healthy state, with telemetry telling Microsoft that many are running vulnerable firmware due to manufacturers not pushing out updates, and some being inoperable due to hardware failures or other issues. Microsoft is working on its Pluton security chip to replace the existing TPM ecosystem and have the ability to push out firmware updates immediately.

Does this mean AMD and Intel will have to add Pluton support to enable this going forward?

OS loading of firmware might be ok for fixed hardware / mainstream devices like laptops that run at or close to stock. It may be a problem for enthusiasts who are more likely to customise settings which may get lost on update, as is commonly the case with firmware updates. With a manual update this can be restored as part of the process, but a "routine" update might cause this to be missed. In this specific aspect, I like the iOS behaviour where explicit user permission is required to update OS software versions.


6 minutes ago, porina said:

Is it just the system or is the app ran virtualised? I think app virtualisation was talked about before and concern was possible performance hit.

The app itself. I'd recommend watching the relevant section of the video for more information. I don't see a performance hit being an issue with the architecture involved.

6 minutes ago, porina said:

Is this present in existing software?

What's to stop a dev asking for more than they need?

No, the application has to be updated to be bundled with a security manifest. Packaging tooling will come out later this year to support adding it.

Nothing stops the developer adding more permissions; however, users will be able to see what permissions the application needs and question the developer if something is included that doesn't make sense.

 

6 minutes ago, porina said:

Does this mean AMD and Intel will have to add Pluton support to enable this going forward?

Yes, future AMD and Intel products will include Pluton support.

 

6 minutes ago, porina said:

 It may be a problem for enthusiasts who are more likely to customise settings which may get lost on update, as is commonly the case with firmware updates.

This doesn't really matter. It's a security chip, so its existence will be completely transparent to the user and there'll be no settings to customize.

 

 


1 hour ago, Hawx said:

No, the application has to be updated to be bundled with a security manifest. Packaging tooling will come out later this year to support adding it.

Which returns to my earlier question, what happens with all the apps created before that point?

 

1 hour ago, Hawx said:

This doesn't really matter. It's a security chip, so its existence will be completely transparent to the user and there'll be no settings to customize.

One of the features mentioned was loading firmware as a file. In other words: updating the BIOS. We are halfway there already, in that microcode can be loaded by the OS to replace that included in the BIOS. My concern is that customised settings would be lost in this process.

 

I'll look in more detail later, but it sounds like this is far off so they have time to work out how it works and also transition accordingly.


6 minutes ago, porina said:

Which returns to my earlier question, what happens with all the apps created before that point?

They'll still work, nothing was mentioned regarding old win32 apps no longer running, app isolation will be opt-in for developers for the foreseeable future.

 

6 minutes ago, porina said:

One of the features mentioned was loading firmware as a file. In other words: updating the bios.

 

The whole point is to separate Pluton firmware so Microsoft can update it without waiting for manufacturers to push a new BIOS, thus it has nothing to do with BIOS updates. 


2 minutes ago, Hawx said:

They'll still work, nothing was mentioned regarding old win32 apps no longer running, app isolation will be opt-in for developers for the foreseeable future.

Unless they're put into a separate security container they'll still be a security risk even if newer apps are updated.

 

2 minutes ago, Hawx said:

The whole point is to separate Pluton firmware so Microsoft can update it without waiting for manufacturers to push a new BIOS, thus it has nothing to do with BIOS updates. 

Ok, I misunderstood the intent.


Oh boy, multi-year system and application breakage here we go...... (And at the end Windows will still be swiss cheese and still an easy AF target for hackers.)


1 hour ago, jagdtigger said:

Oh boy, multi-year system and application breakage here we go...... (And at the end Windows will still be swiss cheese and still an easy AF target for hackers.)

There are always vulnerabilities, doesn't matter how robust your security is - a capable hacker can hack it.

Especially when it comes to the most popular desktop OS that is targeted by hundreds of thousands if not millions of hackers worldwide.


Quote

Inspired by what third-party AVs already do, Smart app control is going to be added, working as a cloud-driven reputation system to only permit signed and/or well-known high-reputation software from running. This will be rolled out by default depending on what software someone uses. For example, if you use IDEs or other technical tools it'll be disabled, whilst someone that only uses Chrome and Spotify will have it enabled. The system can be disabled in a single click if required.

Looks like they're bringing Defender for Endpoint/Business features to everyone, like a few of the attack surface reduction rules [here] [here]. Though it's kinda disappointing that one needs to enable optional telemetry data on top of the required telemetry data just to enable Smart App Control. [here]


So we're going to see more under the hood changes huh. It better not be half assed because that just backfires.


1 hour ago, Vishera said:

There are always vulnerabilities, doesn't matter how robust your security is - a capable hacker can hack it.

Yeah sure, everything can be hacked. But Windows is about as bad as IoT devices, and that tells a lot......


5 hours ago, Hawx said:

Yes, future AMD and Intel products will include Pluton support.

Ryzen 6000 series already contain Pluton, and maybe Intel 13th gen as well (12th confirmed to not).

 

Basically, Pluton much like an embassy is sovereign die space allocated to Microsoft; AMD and Intel can't manage it. Basically it's a tiny Microsoft CPU within your main CPU.


I can tell you this is going to break a lot of software in the medical industry. 

good god the kind of stuff you see in that industry...


5 hours ago, bcredeur97 said:

I can tell you this is going to break a lot of software in the medical industry. 

good god the kind of stuff you see in that industry...

Considering how awful EPIC and other EHRs are already, yup, I can see it breaking lol


5 hours ago, bcredeur97 said:

I can tell you this is going to break a lot of software in the medical industry. 

good god the kind of stuff you see in that industry...

Now there's an industry whose tech needs to be transported to the 21st century.


21 minutes ago, Caroline said:

I can't put this in letters that are bold enough

 

 

STOP REPLACING PASSWORDS WITH HELLISH FACIAL RECOGNITION SOFTWARE, IT'S NOT SAFER, IT'S NOT FASTER, IT'S NOT "SMART", IT'S NOT BETTER IN ANY WAY

?
Windows Hello biometrics kinda are more secure and faster, and you don't have to use biometrics if you don't want to.

One of the largest benefits is that you are getting people that were passwordless before to have one.


16 hours ago, Hawx said:

TPMs within the ecosystem are not in a healthy state, with telemetry telling Microsoft that many are running vulnerable firmware due to manufactures not pushing out updates, and some being inoperable due to hardware failures or other issues. Microsoft is working on its Pluton security chip to replace/augment the existing TPM ecosystem and have the ability to push out firmware updates via Windows Update.

So, now that we need AGAIN new MB's and CPUs to run Windows 12, do we even then get a final product or some half way done shitshow as the Windows 11: Fingerprint Smudge with decade old UI design guidelines for devices that, at least Microsoft, fucked up totally with?


Hope it works well with other systems, as I sure as hell don't trust Microsoft alone, also seeing most big brands being hacked.
Just like most remote access features, still wonder how AMD did with theirs.


9 hours ago, bcredeur97 said:

I can tell you this is going to break a lot of software in the medical industry. 

good god the kind of stuff you see in that industry...

Yes, but considering how much of a target they've been for ransomware, it's about time the industry gets off its ass and modernizes to compliant cybersecurity best practices. If this is the push that's required, so be it.


3 hours ago, Caroline said:

I can't put this in letters that are bold enough

 

 

STOP REPLACING PASSWORDS WITH HELLISH FACIAL RECOGNITION SOFTWARE, IT'S NOT SAFER, IT'S NOT FASTER, IT'S NOT "SMART", IT'S NOT BETTER IN ANY WAY

Windows Hello is regarded as secure due to the public-private key pair, and with the private key stored in the TPM the hardware is already attested (trusted).

 

FYI, Windows 11 requires TPM 2.0


4 hours ago, Caroline said:

I can't put this in letters that are bold enough

 

 

STOP REPLACING PASSWORDS WITH HELLISH FACIAL RECOGNITION SOFTWARE, IT'S NOT SAFER, IT'S NOT FASTER, IT'S NOT "SMART", IT'S NOT BETTER IN ANY WAY

Passwords have always sucked, pass phrases still suck. Something that can only be you is immensely better in every way.
