S 4.338 Use of Windows Vista and Windows 7 File and Registry Virtualization

Initiation responsibility: Head of IT

Implementation responsibility: IT Security Officer, Administrator, Head of IT

Old Windows applications, also called legacy applications, are applications originally developed for earlier Windows versions that still need to run on a current Windows version, for example Windows Vista or Windows 7. Many legacy applications written for standard users share one security weakness: they require write access to critical file folders or registry keys. Critical folders include, for example, %ProgramFiles% (C:\Program Files in a standard installation) and %SystemRoot% (C:\Windows in a standard installation). Write operations in these critical areas require administrative privileges. As a result, a standard user has to log in with an administrator account in order to use such a legacy application. This threatens the integrity of the Windows system, because any malicious software that runs in that session executes with the privileges of the logged-in account, in this case an administrator account.

Windows Vista and Windows 7 provide the File Virtualization and Registry Virtualization technologies so that legacy applications can be used securely. These mechanisms allow a legacy application to run under a standard user account, i.e. an account without administrative privileges, which counteracts the described threat to the integrity of the actual, "unvirtualised" Windows system. With File Virtualization and Registry Virtualization enabled, Windows Vista and Windows 7 redirect all write accesses and, where necessary, read accesses of an application to critical directories or registry areas for which the application is not authorised. The accesses are redirected to special per-user areas that affect only the user currently logged in. Violations of the integrity of these areas do not threaten the integrity of the actual Windows system; however, the integrity of the "virtualised" system as seen by that user remains unprotected.

In general, legacy applications that ran only with administrative privileges in Windows versions prior to Windows Vista should not be used by standard users. However, operating such a legacy application may be essential for performing certain tasks in a specialised procedure or business process. In such individual cases, running the legacy application on Windows Vista or Windows 7 may be considered once the security risks have been weighed.

In Windows Vista and Windows 7, the command line tool reg.exe supports an additional command, FLAGS. With this command, an administrator can control whether or not Registry Virtualization is applied to registry keys under HKLM\Software.

The necessity of operating legacy applications of the type described should be examined critically. It is recommended to keep the number of registry keys for which Registry Virtualization is enabled to a minimum, while taking the requirements of the legacy applications into account.
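The following PowerShell session is an added example and not part of the catalogue entry; it shows how an administrator can use the reg.exe FLAGS command described above to check whether a legacy application still depends on Registry Virtualization and then restrict virtualization to the keys that actually need it. The key name HKLM\Software\ExampleVendor\LegacyApp is a hypothetical placeholder.

```powershell
# Added example, not part of the BSI catalogue entry. Audits and restricts
# Registry Virtualization for one legacy application's key under HKLM\Software.
# "HKLM\Software\ExampleVendor\LegacyApp" is a hypothetical key name.
$legacyKey = 'HKLM\Software\ExampleVendor\LegacyApp'

# 1. Query the current virtualization flags of the key. reg.exe reports the
#    flags DONT_VIRTUALIZE, DONT_SILENT_FAIL and RECURSE_FLAG as SET or CLEAR.
reg.exe flags $legacyKey QUERY

# 2. Check whether Windows has already redirected writes for the current user.
#    Redirected registry writes are stored under HKCU\...\VirtualStore,
#    redirected file writes under %LOCALAPPDATA%\VirtualStore. Entries here
#    are evidence that the application really does write to protected areas.
$virtualStoreKey = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE\ExampleVendor\LegacyApp'
$virtualStoreDir = Join-Path $env:LOCALAPPDATA 'VirtualStore\Program Files'
if (Test-Path $virtualStoreKey) { Get-ChildItem -Recurse $virtualStoreKey }
if (Test-Path $virtualStoreDir) { Get-ChildItem -Recurse $virtualStoreDir }

# 3. Once the application has been confirmed not to need virtualization,
#    switch it off for the key and propagate the setting to its subkeys.
#    Flags that are not named after SET are cleared. This must be run from
#    an elevated (administrator) prompt.
reg.exe flags $legacyKey SET DONT_VIRTUALIZE RECURSE_FLAG

# 4. Confirm the new setting.
reg.exe flags $legacyKey QUERY
```

Running step 3 means that a standard user's write attempts to this key are no longer redirected, so the application should be tested afterwards to confirm it still works without virtualization.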

In the long term, however, consideration should be given to replacing legacy applications that pose the described threat with secure applications. Secure applications do not need to perform write operations in critical directories or registry areas when run by standard users. A further reason for migrating to secure applications is that Microsoft itself regards the File Virtualization and Registry Virtualization technologies only as temporary solutions for insecure legacy applications.

Review questions: