I agree with the security comments of @iszi. The security of the keyboard in UAC mode vs keyloggers is not well documented. IF you have not falled prey to phishing or a Trojan horse program that has side effects, any LIMITED USER/Base user process will not be able to read the UAC Secure desktop keyboard input. If a program sets the registry key disabling SecureDesktop when it runs its install (hopefully not possible with Install Sheild) UAC runs in the user context and any non-admin key logger grabs UAC content. (GOOD behavior detection AV catches keyloggers though) – Feb 27 '18 at 17:21. Short answer There are three, separate issues claiming the name of 'Secure Desktop':.
Secure Desktop 10. The Best Version Yet. Secure Desktop 10. Point of Sale, Cafe, Factory Automation, Lab, Kiosk, Hotel, Restaurant, or Library -- whatever your public environment, Secure Desktop will lock down Windows. Replace the start menu, task-bar, and desktop icons with the Secure Desktop shell to completely control what a user can. This solution offers the combination of the industry’s most deployed stateful firewall with a comprehensive range of next-generation network security services, including: Granular visibility and control,Robust web security onsite or in the cloud,Industry-leading intrusion prevention system (IPS) to protect against known threats,Comprehensive.
Windows builtin functions like GINA and the. Separation of privileged vs unprivileged applications running as the same user (nominally prevent privilege escalation), which may or may not be related to:.
SwitchDesktop, which is what KeePass is using and may or may not (I'm not sure) be resistant to DLL Injection. Detailed answer As a quick primer to how Windows GUIs are built, basically everything runs through a function called CreateWindow (I mean everything, every button, every menu, everything) and is given a hWnd or Window Handle. Modifying these Windows is done via another function, SendMessage. Here's the catch. As a user mode application, making the right API calls I can fairly easily send messages to other Windows. It's fairly trivial to make buttons disappear from other people's forms. It is a little harder to perform DLL injection and hook the message loop that receives messages (the OS sends Windows messages when things happen to them) but not that much harder.
If I can hook those events, I could automatically submit your 'yes/no' form. Or, I could change the label from ReallyDodgyVirus.exe to explorer.exe and you'd be none the wiser. Insert: on the various techniques of getting your code into the address space of a running process. Now, what are KeePass doing? A very brief perusal of the source shows they are using CreateDesktop, SwitchDesktop and CloseDesktop to create a second desktop connected to the physical viewing device you're on. In English, they're asking the kernel to create for them an isolated desktop whose hWnd objects are outside of the findable range of any other application's SendMessage.
I should point out that SwitchDesktop suspends the updating of the UI of the default desktop. I'm not sure if the message loops are also frozen - I suspect not since the desktop is created as a new thread. In this instance, KeePass is drawing the UI, so the execution is not, as I understand it, as NT AUTHORITY/SYSTEM. Instead, the new desktop is created in isolation from basically the rest of the current desktop, which protects it.
I'll be happy to be corrected on that. However, see the: The SwitchDesktop function fails if the desktop belongs to an invisible window station. SwitchDesktop also fails when called from a process that is associated with a secured desktop such as the WinLogon and ScreenSaver desktops. Processes that are associated with a secured desktop include custom UserInit processes.
Such calls typically fail with an 'access denied' error. I believe this means that these dialogs (screensavers, Windows Logon) are built more deeply into Windows such that they always execute as NT AUTHORITY SYSTEM and the UserInit process creates the sub processes on valid authentication at the required privilege level. The reason I bring this up is because I believe there are two issues: different desktops and privilege separation.
From Mark Russinovich's: The Windows Integrity Mechanism and UIPI were designed to create a protective barrier around elevated applications. One of its original goals was to prevent software developers from taking shortcuts and leveraging already-elevated applications to accomplish administrative tasks.
An application running with standard user rights cannot send synthetic mouse or keyboard inputs into an elevated application to make it do its bidding or inject code into an elevated application to perform administrative operations. As SteveS says, UAC runs a separate desktop process as NT AUTHORITY/SYSTEM.
If you can catch UAC in action ( consent.exe) via process explorer, it looks like this: Escalating privileges as a process I don't have the specifics of, but here is what I think I understand: I believe the process of privilege escalation in the Windows API causes a process running as NT AUTHORITY/SYSTEM (therefore able to execute the new process under whatever privileges it wants to, in this case an Administrator). When an application asks for higher privileges, that question is asked to you on a new desktop locally, to which none of your applications can get either the Desktop Handle or any of the GUI element handles. When you consent, consent.exe creates the process as the privileged user. Thus, the process running as NT AUTHORITY SYSTEM is a consequence of the need to create a new privileged process, not as a method of creating a secure desktop.
The fact the desktop is different to the default is what adds security in both cases. I believe what Mark means above is that, in addition to these secure desktops, two things are happening:. Your default administrator desktop is in fact running unprivileged, contrary to Windows XP and earlier and. Unprivileged and privileged applications now exist on separate desktops (disclaimer: could just be ACLs on the objects in memory, I'm not sure), ensuring that unprivileged code can't access privileged objects. The Windows Logon UI is different again in Vista/7. Clearly, none of these methods will defend you against kernel mode rootkits, but they do prevent privilege escalation and UI integrity compromise by isolating privileged applications, or in the case of KeePass, the sensitive dialog. Edit Having looked harder at the KeePass code, I saw this handy piece of C#: Bitmap bmpBack = UIUtil.CreateScreenshot; if(bmpBack!= null) UIUtil.DimImage(bmpBack); /./ SecureThreadParams stp = new SecureThreadParams; stp.BackgroundBitmap = bmpBack; stp.ThreadDesktop = pNewDesktop; From this you can see that in fact in order to mimic consent.exe, KeePass takes a screenshot of the background, dims it and creates its new desktop with the background of the old desktop.
I therefore suspect the old desktop continues running even while it isn't being rendered. This I think confirms that no magic NT AUTHORITY SYSTEM action is happening both with KeePass and consent.exe (I suspect consent.exe is doing the same thing UI-wise, it just happens to be launched in the context of NT AUTHORITY SYSTEM).
Edit 2 When I say DLL Injection, I'm specifically thinking of DLL injection to corrupt the UI. DLL Injection remains possible on KeePass as a process, I'm just not sure whether it could be used to influence that secure UI. It could, however, be used to access the memory of the process and its threads, thereby grabbing the entered password pre-encryption. Hard, but I think possible. I'd appreciate someone advising on this if they know. @SteveS I think, if my understanding is right, there are two different types of desktop, 'Secure' as in 'part of Windows and only customisable via GINA, say' and 'Secure' as in 'isolated'. I'm not 100% that separate desktops are created for unprivileged and privileged applications run by the same user but I think that is what Mark R is alluding to.
Unfortunately, separating out these concepts becomes non trivial fairly quickly.! Your answer is fine I think, as for all intents and purposes the same ideas (at a high level) are used. – user2213 May 12 '11 at 16:25.
A 'Secure Desktop' is a desktop that can only be run by the system itself. That sounds a bit weird, and probably doesn't explain much. In Windows, a desktop is a view that allows you to interact with processes. When you log into Windows (the log in prompt) you are on a desktop. When you are logged in, and see the start menu, you are on a seperate desktop. When you lock your PC, you are on yet another desktop.
When UAC pops up you are on another desktop. There are quite a few different desktops in Windows. A Secure Desktop is a desktop that is out of scope of other applications accessibility. The Log In desktop is a secure desktop (created by winlogon.exe), as is the UAC desktop.
No other process can interact with the desktop, so therefore no other process can do things like activate a button, or read the contents of a textbox. This is why UAC is (in theory) useful.
Third party applications can create a secure desktop to request information (such as a master password) and then pass it into the application in question. This way no other process can, in theory, snoop the password. A good starter on secure desktops is the first half of this article on how UAC works with on the secure desktop:.
Cisco ASA firewall licensing used to be pretty simple, but as features were rolled out as licenses, the scheme became quite complex. The matters are further complicated since different appliances and versions change the rules.
This document will help you make sense of ASA licensing, but is not intended to be used as a design guide. Make sure you work with your reseller if you are looking to deploy these features. Security Plus Security Plus licensing exists only on 5505 and 5510. On the 5505 it has the following effects:.
Upgrades the maximum VPN sessions from 10 to 25. Upgrades the maximum connections from 10,000 to 25,000. Increases the number of VLANs from 3 to 20 and enables trunking. Enables optional stateless active/standby failover.
On the 5510 it has slightly different set of features it enables:. Upgrades the maximum connections from 50,000 to 130,000. Moves 2 of the 5 FastEthernet ports to 10/100/1000. Increases the number of VLANs from 50 to 100. Enables security contexts and allows for 2.
Up to 5 can be supported on the 5510. Enables optional active/active and active/standby failover.
Enables VPN clustering and load balancing. The 5520 and up do not have Security Plus licensing. They come with the Base license and need nothing more to get the most performance out of the unit. Update: As Stojan pointed out in the comments, the 5585X series does have Security Plus licenses which enables the 10GB SFP+ slots. 5505 User Licenses The 5505 is the only ASA which has a restriction on the number of “users” behind a firewall.
A user is considered an internal device which communicates with the external VLAN. By default the 5505 ships with a 10 user license but can be upgraded to 50 or unlimited users. SSL VPN Licenses SSL VPN debuted on the ASA when it was first released but has evolved more than any other licensed based feature on the ASA. SSL licenses break into two general types: Essentials and Premium. Essentials provides AnyConnect client based connections from personal computers including Windows and Mac systems. Installing an Essentials license allows for up to the maximum number of VPN sessions on the platform to be concurrently used for SSL. For example, a 5510 would immediately allow for up to 250 SSL VPN connections from the AnyConnect client.
These licenses are relatively inexpensive, currently priced around a hundred dollars with the price varying per platform. These are platform specific SKUs so make sure the one you’re buying matches the device it is going on.
For example, on the 5510 make sure the license is L-ASA-AC-E-5510=. AnyConnect Essentials licenses debuted with ASA release v8.2. Premium licenses are more complicated than Essentials. Premium licenses allow for both AnyConnect client based and clientless SSL VPN. Clientless VPN is established through a web browser.
While it is typically less functional than AnyConnect client based VPN, it is adequate access for many users. Additionally, Cisco Secure Desktop (Host Scan and Vault functionality) is included.
Premium licenses do not max out the unit they’re on of SSL VPN sessions as does the Essentials license. Instead, this is a per seat license that can be purchased in bulk quantities. These quantities are 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, 10000 with each platform being able to support only the maximum number of licenses which it supports total VPN connections (ex. 5510 supports up to 250). These tiers must be observed when adding additional licensing.
For example, if an administrator needed 35 concurrent clientless connections a 50 connection pack would need to be purchased. The 10 and 25 cannot be stacked. Cisco does offer upgrade licenses to upgrade tiers. Premium licenses are significantly more expensive than Essentials. Contact your reseller for pricing on Premium licenses. If a VPN license is activated on an ASA, it will overwrite any existing VPN license. HA Pair License Dynamics Prior to ASA software v8.3, licenses had to be identical on a HA pair.
A 5510 with SSL VPN enabled wouldn’t pair with a 5510 lacking SSL VPN. As of v8.3, most licenses are replicated on a HA pair. On a 5505 or 5510 both ASAs require Security Plus licenses since Security Plus enables the HA functionality. SSL Essentials and Premium are replicated between licenses. In an active/active pair, license quantities (when applicable) are merged.
For example, two 5510s are in an active/active pair with 100 SSL Premium seats each. The licenses will merge to have a total of 200 SSL VPNs allowed in the pair. The combined number must be below the platform limitation. If the count exceeds the platform limit (ex. 250 SSL VPN connections on a 5510) the platform limit will be used on each.
Flex Licenses ASA Flex licenses are temporary SSL VPN licenses for emergencies or situations where there is a temporary peak in SSL VPN connections. Each license is valid for 60 days. Perhaps these are best explained as a scenario. Had some flooding in their corporate office which houses 600 employees. They own an ASA 5520 with 50 SSL Premium licenses. Cisco’s Flex licenses will allow them to temporarily ‘burst’ the number of licenses their 5520 is enabled for.
The key for 750 users is added to the 5520, starting the 60 day timer. The 5520 is now licensed to support up to 750 SSL VPN users on client based or clientless VPN. After 60 days the key will expire. Has their building up and running again earlier than 60 days, the administrator can disable the temporary license by reactivating the permanent license they were previously using.
This will pause the timer on the Flex licenses, allowing them to use the remainder of the time in the future. Is pretty good and explains some of the gotchas around the licenses.
Be sure to read it before purchasing and using the license. AnyConnect Premium Shared Licenses Large deployments of SSL VPN may require multiple ASAs positioned in multiple geographic areas. Shared licenses allow a single purchase of SSL VPN licenses to be used on multiple ASAs, possibly over large physical areas. Starting with software v8.2, Cisco allows the shared license to ease this situation.
Shared licenses are broken into two types: main and participant. The main license starts at 500 SSL Premium sessions and scales to 100,000 sessions. The main license acts as a license pool which participants pull from in 50 session increments. A secondary ASA can act as a backup in case the primary fails. There is no specific backup license, as the ASA only requires a participant license. If there is no secondary ASA, the participant ASAs may not be able to reach the main ASA in the event of a connectivity problem.
The participant ASA is able to use the sessions that were last borrowed from the main for 24 hours. Beyond 24 hours, the sessions are released. Currently connected clients are not disconnected but new connections are not allowed. In Active/Standby mode, the server ASA is actually the ASA pair. The backup ASA would be the backup pair. The standby server in a pair wouldn’t be the shared license backup. The manual explains this concept pretty well: “For example, you have a network with 2 failover pairs.
Pair #1 includes the main licensing server. Pair #2 includes the backup server. When the primary unit from Pair #1 goes down, the standby unit immediately becomes the new main licensing server. The backup server from Pair #2 never gets used. Only if both units in Pair #1 go down does the backup server in Pair #2 come into use as the shared licensing server. If Pair #1 remains down, and the primary unit in Pair #2 goes down, then the standby unit in Pair #2 comes into use as the shared licensing server.” – Advanced Endpoint Assessment Advanced Endpoint Assessment will scan a SSL VPN client using Cisco Secure Desktop for security policy compliance and attempt to remediate if the system is out of compliance.
This is similar but a little less feature-rich than NAC. Licenses are simple for Advanced Endpoint Assessment. One license per ASA is required in addition to SSL Premium. If the ASA is in a HA pair, one license per pair is required if using ASA software v.
8.3(1) or later. Security Contexts Security Contexts are virtual firewalls. Each context allows for its own set of rules and default policies. Security Contexts are sold in quantities of 5, 10, 20, 50, 100 and cannot be stacked.
Cisco sells incremental licensing to move between tiers. Note that two security contexts are used when in a HA pair. Unified Communications Proxy Licenses Cisco UC Proxy allows for Cisco IP phones to create a TLS tunnel between a remote phone and the ASA located at a corporate office. Typically if a secure connection between a phone and office were required, a firewall would have to sit at the user’s location. In many cases this would be a 800 series router.
This deployment architecture doesn’t scale well due to management costs and cost of routers with their corresponding SMARTnet. UC Proxy bypasses the router and uses the IP phone as the VPN endpoint. UC Proxy licenses are sold in numerous tiers ranging from 24 to 10,000 concurrent connections. The licenses cannot be stacked, but incremental licenses can be purchased. AnyConnect Mobile Licenses Out of the box, ASAs do not accept connections from mobile devices such as iOS or Android systems. The AnyConnect Mobile client must be installed on the client’s device. In addition to the client, the ASA must have AnyConnect Essentials or Premium enabled and a Mobile license used in conjunction.
Only one Mobile license is required per ASA. The Mobile license inherits the number of SSL users allowed by Essentials or Premium. Intercompany Media Engine IME is a UC feature which allows for interoperability between organizations using Communications Manager.
Licensing is simple, as a single IME license is required on the ASA. My eyes are absolutely bleeding. Really, does any IT group have the staff time to manage this nonsense?
Contrast this mess with the “batteries included” approach offered by so many other networking vendors. You buy a piece of kit for $X+maintenance, and you have all the functionality and licenses you need included.
Some vendors might have one or two add-on options for filtering or IPS signature subscriptions, or maybe just a “gold” edition with more functionality such as OSPF/BGP, but it is all still reasonably straightforward. The reason it’s complicated is that Cisco is cramming a ton of different security feature sets into a single appliance. The biggest offender is the SSL VPN licensing model which I believe is overly complex and generates way too much confusion. Additionally, SSL VPN licenses are not stackable. So, if you have 100 licenses today and you need 150 in the future you will need to purchase the 150 licenses bundle. (Unless they’ve changed that in the last 12 months since I bought SSL VPN licensing.) This makes pay-as-you-go a very expensive proposition and you will need to very carefully plan for your maximum number of clients that will connect from day one.
Then have the fun time of justifying the capital cost to management.Edited to add. — All this said, it’s still easier to understand than some of the other licensing models out there by some vendors. What is supposed to happen when you stack licences?? I had a base 5510 to which I added Anyconnect Essentials and the activation keys showed as below: Licensed features for this platform: Maximum Physical Interfaces: Unlimited perpetual Maximum VLANs: 50 perpetual Inside Hosts: Unlimited perpetual Failover: Disabled perpetual Encryption-DES: Enabled perpetual Encryption-3DES-AES: Enabled perpetual Security Contexts: 0 perpetual GTP/GPRS: Disabled perpetual AnyConnect Premium Peers: 2 perpetual AnyConnect Essentials: 250 perpetual. Syed, the issue is almost assuredly related to licensing (read the section above titled “5505 User Licenses”. Your customer’s ASA either has a 10-user or 50-user license and any connections that exceed that would be blocked.
You will need an upgrade license; the SKUs are: L-ASA5505-10-50 (upgrade from 10 to 50 users), L-ASA5505-10-UL (upgrade from 10 to unlimited users),and L-ASA5505-50-UL (upgrade from 50 to unlimited users), I would suggest you get the “unlimited” user license since the cost difference between it and the 50-user license is nominal. Installing the license should bring immediate relief.
I hope this helps. Are security contexts stackable? For example, the Cisco ASA 5515-X has 2 default contexts (out of the box, without additional licensing). If I buy the 5 context security upgrade, does this add up to 7 licenses (2+5), or do the 5 replace the 2 contexts (resulting in 5 usable contexts)?I couldn’t find this on CCO, I found contradictionary info at best. Also, I’m wondering about a piece of information in the article above: In the part about security contexts it says “Note that two security contexts are used when in a HA pair.” What does that mean? If I use HA I have to give up 2 of my security contexts?