Application Security Testing: An Integral Part of DevOps
User rights (permissions) and privileges is a topic that will eventually come up at some point in your developer career. It is inevitable. In this article, you will explore the various ways to cater to Admin permissions in your Visual Basic programs.
The Difference Between Privileges and Permissions
In computer security, a permission is a property of an object; the object can be a file, for example. It indicates which agents are permitted to use the object, and what they are permitted to do (read, write, or modify it). A privilege is a property of an agent, for example, a user. Privileges let the agent perform tasks that are not ordinarily allowed.
A User account is an established relationship between a user and a computer, network, or information service. User accounts are given a username; passwords are optional. For personal computers, there are typically two types of user accounts: standard and Administrator. A standard user is commonly prevented from performing tasks such as installing applications, whereas administrators have the complete run of the computer.
User Account Types
Administrator: Administrator accounts are accounts that should be used for making changes to system settings or managing other people's accounts. Admins have full access to every setting on the computer.
Standard: Standard accounts are the accounts you use for everyday tasks. Standard users can do all the day-to-day tasks, such as running software applications or copying and deleting files.
Guest: Guest accounts have very limited permissions. Some of their restrictions are as follows:
- Guest accounts do not have a password and passwords cannot be set for it.
- Guest accounts cannot install applications or hardware devices.
- Guest accounts cannot change account types, names, or pictures.
Administrator Permission in Your Visual Basic Applications
There are numerous ways to give your Visual Basic applications Admin permissions. You can use any of the following methods:
- You could use the Process object and execute it with ShellExecute and supply the "runas" verb.
- You could use a Manifest and specify the desired requestedExecutionLevel.
- You could create WindowsIdentity and WindowsPrincipal objects and specify the desired Role.
- There may be other methods as well. If you know of any other methods, please let me know in the Comments section at the end of this article.
Our project will make use of all of the above-mentioned ways to give our Visual Basic application Administrator privileges.
Create a new Visual Basic Windows Forms application. Once the Visual Basic application has been created, please add two buttons onto the Form.
Adding Administrator Privileges to a Visual Basic Application Method 1: Manifest
Add a Manifest to your Visual Basic application. Follow these steps:
- Click Project.
- Click Add New Item…
Figure 1: Project Menu
- Select Application Manifest File from the list.
- Click Add.
Figure 2: Application Manifest File
Modify your Manifest file to include the correct requestedExecutionLevel, as shown in the following XML code:
<?xml version="1.0" encoding="utf-8"?> <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <assemblyIdentity version="22.214.171.124" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> </application> </compatibility> </asmv1:assembly>
The available requestedExecutionLevel options are:
- As Invoker: The application runs with the same access token as the parent process.
- Highest Available: The application runs with the highest privileges the current user can obtain.
- Require Administrator: The application runs only for administrators and requires that the application be launched with the full access token of an administrator.
- No Execution Level Information: The Advanced Installer does not embed the requested execution level information in the Windows application manifest.
Adding Administrator Privileges to a Visual Basic Application Method 2: The Process Object
Add the following code to your application:
Private Sub Form1_Load(sender As Object, e As EventArgs) _ Handles MyBase.Load '1' If System.Environment.OSVersion.Version.Major >= 6 Then Dim prcProc As New Process() prcProc.StartInfo.FileName = "notepad" prcProc.StartInfo.UseShellExecute = True prcProc.StartInfo.Verb = "runas" prcProc.Start() End If End Sub Public Sub RunAsAdmin(strFileName As String) '2' Dim proc As New Process() proc.StartInfo.FileName = strFileName proc.StartInfo.UseShellExecute = True proc.StartInfo.Verb = "runas" proc.Start() End Sub Private Sub Button1_Click(sender As Object, e As EventArgs) _ Handles Button1.Click '2' RunAsAdmin("notepad.exe") End Sub
Inside Form_Load, I do a check to determine the Operating System version. The reason for this is to ensure that the Operating System supports the UAC. I created a Process Object and supplied its parameters. These parameters include the name of the process, should it use ShellExecute—which forces the Default Application to be launched—and supplied the runas verb. The runas verb ensures the application will run in Administrator mode.
The second section of code looks similar. The only difference is that I have created a Sub procedure to do the previous tasks.
Adding Administrator Privileges to a Visual Basic Application Method 3: WindowsIdentity and WindowsPrincipal
Add the following code:
Public Function AdminUser() As Boolean '3' Dim blnAdmin As Boolean Try Dim wiUser As WindowsIdentity = _ WindowsIdentity.GetCurrent() Dim wpPrincipal As New WindowsPrincipal(wiUser) blnAdmin = wpPrincipal.IsInRole _ (WindowsBuiltInRole.Administrator) Catch uaex As UnauthorizedAccessException blnAdmin = False Catch ex As Exception blnAdmin = False End Try Return blnAdmin End Function Private Sub Button2_Click(sender As Object, e As EventArgs) _ Handles Button2.Click '3' MessageBox.Show(AdminUser) End Sub
WindowsIdentity represents a Windows user and WindowsPrincipal enables code to check the Windows group membership of a Windows user. The try and catch blocks also help identify if the user is authorized.
I invite you to download the accompanying code from the Download link to help you on your journey.
You will encounter situations where you will need to elevate your applications to Admin level so that the UAC can be bypassed. Now, you have three different ways to accomplish this.