Windows – Are processes launched by elevated processes themselves elevated

uacwindows

I have a program that launches a browser window when a user performs certain actions. My program requires Administrator access (i.e. must be launched via "Run as Administrator" or have requestedElevationLevel set to requireAdministrator in its manifest file in Vista or Win7).

I am worried that the browser will inherit the elevation level of the parent process; that is, I'm concerned the browser will also be launched with Administrator elevation. Is this correct? If so, is there any way to prevent this?

Best Answer

UAC can be a rather complex concept to wrap your head around. Generally speaking, a child process inherits its access token from the parent process. However, this only occurs if both processes have the same integrity level:

Each application that requires the administrator access token must prompt the administrator for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user access token from the parent process. Both the parent and child processes, however, must have the same integrity level.

Integrity levels depend on a variety of things, but generally speaking, a web browser is a low integrity application, and will likely require an additional UAC prompt if it tries to do any operation requiring a higher level of privilege:

Windows 7 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Applications with lower integrity levels cannot modify data in applications with higher integrity levels.

If you wish to learn more about UAC, the following articles are a good resource:

Related Solutions

Windows – How to deny elevation to a program

A possible solution is to use two policies in concert:

Configure the already mentioned ConsentPromptBehaviorUser group policy setting to Automatically deny elevation requests. As stated in the question, this will affect all programs that run.
Next ENABLE the User Account Control: Only elevate executables that are signed and validated policy setting. (From Microsoft) This setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
Sign any trusted programs with your organization's key and publish it to the Trusted Publishers certificate store on all computers in your organization. More info.

Windows – Prevent specific applications from being run as administrator

I agree, in principle, with the "RUNAS" answer.

It seems to me that what you want is for sub-process instances to be auto-restricted if they are running as admin.

There are a couple of approaches. However, they are/can be drastic and are not for the timid admin because the overhead is annoying. They will do the job, though.

Only showing Approach one unless more are requested:

For each application you want to restrict:

right click the executable and go to **PROPERTIES**
go to the **SECURITY** tab
click **ADVANCED** at the bottom
click **ADD** at the bottom
type **ADMINISTRATORS** for the name. if you have a domain then adjust appropriately
press **OK** to get the custom settings for the administrator's group
check the **DENY** checkbox next to "TRAVERSE FOLDER/ EXECUTE FILE" permission (2nd on the list)
hit OK and so-on until you've closed the properties entry for that file.

Now, members of the administrators group cannot execute that file. They can go back in and change the permissions to un-check that so they can run it, but they have to knowingly do that.

Also, since you're worried about this occurring during an installer, you would want to do the same procedure for the SYSTEM "user", which also (effectively) runs as admin as well, because this account can be used during some installations (a Windows "ADMIN" account credentials can be used to gain a SYSTEM credentials token... but this is way beyond what this question is targeting).

Here are some picture of doing this on windows 7:

enter image description here

Best Answer

Related Solutions

Windows – How to deny elevation to a program

Windows – Prevent specific applications from being run as administrator

Related Question