UAC in MSI Notes: Easier for my current custom installer to support UAC than switch to MSI?
This is the twenty-forth in a series of notes about UAC in MSI. Per the earlier caveat, these are just my notes and not an official position from the Windows Installer team. The previous entries
- Introduce...
- Architecture Insights
- Common Package Mistakes
- More Architectural Insights
- Conversations with Customers
- Should I write my installer as a Standard User install? If yes, how?
- When General Custom Action Mitigation Fails
- How do I get the shield on the advertised shortcut?
- How do I troubleshoot UAC in MSI via the log?
- Do I need to consider "this" when I'm designing for UAC in MSI? Generally, no.
- Is "this" intentional? If so, why?
- How to Build Packages that work for both Standard User and Per-Machine?
This entry continues a section specifically focused on Question and Answers that often come up in the UAC in MSI dialogs. For this entry the topic is: wouldn't it just be easier for my current custom installer to support UAC than switch to MSI?
Easier for my current custom installer to support UAC than switch to MSI?
Generally no. The answer we provide to customers is 'use MSI'. The answer should be ‘use MSI’ and the customer has the burden to say why MSI is unacceptable.
When we say ‘use MSI’ we are acting in the customers best interests.
- First, customers building redundant services with the OS if the existing service in the OS provides all their needs is a waste of their resources.
- Second, the security risks to doing what’s listed below are substantial. Providing a elevated service creates an attack vector target for the black hats. If they can compromise this service, their technology is a vector to own the box. Is this customer really structured to mitigate and respond to this risk?
- Third, the ongoing maintenance of the experience is now borne by Microsoft so the one time cost in switching is made up for in Microsoft’s ongoing commitment to app compat.
Customers want a more secure experiance on their PC and it's our responsability to bring it to them.
In my experience, the idea that 'we are undertaking the burden of security on behalf the ISV by providing these secure services in the box' sells. This sells as Microsoft’s commitment to Trustworthy Computing and it sells as Vista’s commitment to delivering a more secure platform. By reminding customers of the value in aligning with initiatives from the platform, they are usually happier in the end as it allows them to increase their focus on their market differentiating value propositions.
What about Installer Detection? Isn't that an alterative to MSI based elevation?
For now, Installer Detection and security manifests do provide application compatability mitigation but it is not intended to be a permanent solution for deployment. For example, few programs get user state correct in the Over the Sholder cases. Generally elevated programs write to the administrator's profile that provided the credentials rather than the Standard User that invoked the program. Windows Installer is designed to handle this case correctly.
Updates and other maintenace operations will also require elevation if one is using Installer Detection and security manifests. The requirement to go get an administrator creates problems in enabling Standard Users to keep their software functional and secure.
But my needs are really special? Is there something you can recommend?
So the principle thing you are giving up are compelling packaging for corporate consumption. Windows Installer is a known quantity to IT departments so they trust MSI for their standard packaging format. When corporate IT departments get a package is not in the Windows Installer format, they repackage to MSI. You'll reduce the adoption costs of your software at scale if you use MSI.
When your application deviates significantly from the heuristics of the platform and you can't make the platform heuristics fit, the UAC currently recommends either:
- write their own service that runs as local system. One needs to focus on building a secure service. One should also have a plan for the black hats attacking the service and how you'll build and redistribute updates.
- ACL directories under All Users that only your application install, application itself, and application update that can touch the files.
Yes, there are ISVs that are geared up to get this done right. If you are one of these ISVs, all we ask is that you take the security issues seriously as you design and implement your service.
Comments
- Anonymous
October 01, 2006
PingBack from http://blog.devinstall.com/2006/09/24/understanding-uac-in-vista-and-windows-installer/ - Anonymous
October 02, 2006
Windows Vista introduces a security concept called User Account Control (UAC) which has multiple impacts