This article/blog discusses the Protected Administrative (PA)
account which is part of the User Account Control (UAC) set of security
controls.
The PA is an important component of the entire UAC security control set introduced with Windows Vista to protect users from accidental misconfigurations and from intentional actions being performed by malware.
Introduction
Windows UAC introduces the mechanism of using two separate
access tokens for the same user, if the user is an administrator on the system.
Protected admin is the aspect of UAC which protects the Administrator's account. It first appeared in Windows Vista and Windows Server 2008.
In operating systems before Vista, the user created during installation had full administrative privileges, and he had them for as long as he was logged in on the system. Since administrator privileges are not required all the time, even the administrator is given them only for a very short time; the rest of the time the admin works as a standard user.
One access token is the filtered access token, which has a limited set of privileges, as shown in the snippet snip1 below:
The filtered token as shown by the ‘whoami /all’ command in Windows:

USER INFORMATION
----------------
User Name: boXqube\saquib
SID: S-1-5-21-2334885699-809931670-895787141-1001

GROUP INFORMATION
-----------------
Group Name: Mandatory Label\Medium Mandatory Level
Type: Label
SID: S-1-16-8192
Attributes:
Group Name: Everyone
Type: Well-known group
SID: S-1-1-0
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\Local account and member of Administrators group
Type: Well-known group
SID: S-1-5-114
Attributes: Group used for deny only
Group Name: BUILTIN\Administrators
Type: Alias
SID: S-1-5-32-544
Attributes: Group used for deny only
Group Name: BUILTIN\Users
Type: Alias
SID: S-1-5-32-545
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\INTERACTIVE
Type: Well-known group
SID: S-1-5-4
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: CONSOLE LOGON
Type: Well-known group
SID: S-1-2-1
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\Authenticated Users
Type: Well-known group
SID: S-1-5-11
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\This Organization
Type: Well-known group
SID: S-1-5-15
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: MicrosoftAccount\saquibfarooq@hotmail.com
Type: User
SID: S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2803740363-3898146153-1545416234-1633511868-824148921
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\Local account
Type: Well-known group
SID: S-1-5-113
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: LOCAL
Type: Well-known group
SID: S-1-2-0
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\Microsoft Account Authentication
Type: Well-known group
SID: S-1-5-64-32
Attributes: Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------
Privilege Name: SeShutdownPrivilege
Description: Shut down the system
State: Enabled
Privilege Name: SeChangeNotifyPrivilege
Description: Bypass traverse checking
State: Enabled
Privilege Name: SeUndockPrivilege
Description: Remove computer from docking station
State: Disabled
Privilege Name: SeIncreaseWorkingSetPrivilege
Description: Increase a process working set
State: Disabled
Privilege Name: SeTimeZonePrivilege
Description: Change the time zone
State: Disabled

Snip1: Contents of a filtered token
The other access token is called the “Elevated Access Token”,
the contents of which are given in the snippet snip2 below:
The elevated token as shown by the ‘whoami /all’ command in Windows:

USER INFORMATION
----------------
User Name: boXqube\saquib
SID: S-1-5-21-2334885699-809931670-895787141-1001

GROUP INFORMATION
-----------------
Group Name: Mandatory Label\High Mandatory Level
Type: Label
SID: S-1-16-12288
Attributes:
Group Name: Everyone
Type: Well-known group
SID: S-1-1-0
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\Local account and member of Administrators group
Type: Well-known group
SID: S-1-5-114
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: BUILTIN\Administrators
Type: Alias
SID: S-1-5-32-544
Attributes: Mandatory group, Enabled by default, Enabled group, Group owner
Group Name: BUILTIN\Users
Type: Alias
SID: S-1-5-32-545
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\INTERACTIVE
Type: Well-known group
SID: S-1-5-4
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: CONSOLE LOGON
Type: Well-known group
SID: S-1-2-1
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\Authenticated Users
Type: Well-known group
SID: S-1-5-11
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\This Organization
Type: Well-known group
SID: S-1-5-15
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: MicrosoftAccount\saquibfarooq@hotmail.com
Type: User
SID: S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2803740363-3898146153-1545416234-1633511868-824148921
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\Local account
Type: Well-known group
SID: S-1-5-113
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: LOCAL
Type: Well-known group
SID: S-1-2-0
Attributes: Mandatory group, Enabled by default, Enabled group
Group Name: NT AUTHORITY\Microsoft Account Authentication
Type: Well-known group
SID: S-1-5-64-32
Attributes: Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------
Privilege Name: SeIncreaseQuotaPrivilege
Description: Adjust memory quotas for a process
State: Disabled
Privilege Name: SeSecurityPrivilege
Description: Manage auditing and security log
State: Disabled
Privilege Name: SeTakeOwnershipPrivilege
Description: Take ownership of files or other objects
State: Disabled
Privilege Name: SeLoadDriverPrivilege
Description: Load and unload device drivers
State: Disabled
Privilege Name: SeSystemProfilePrivilege
Description: Profile system performance
State: Disabled
Privilege Name: SeSystemtimePrivilege
Description: Change the system time
State: Disabled
Privilege Name: SeProfileSingleProcessPrivilege
Description: Profile single process
State: Disabled
Privilege Name: SeIncreaseBasePriorityPrivilege
Description: Increase scheduling priority
State: Disabled
Privilege Name: SeCreatePagefilePrivilege
Description: Create a pagefile
State: Disabled
Privilege Name: SeBackupPrivilege
Description: Back up files and directories
State: Disabled
Privilege Name: SeRestorePrivilege
Description: Restore files and directories
State: Disabled
Privilege Name: SeShutdownPrivilege
Description: Shut down the system
State: Disabled
Privilege Name: SeDebugPrivilege
Description: Debug programs
State: Disabled
Privilege Name: SeSystemEnvironmentPrivilege
Description: Modify firmware environment values
State: Disabled
Privilege Name: SeChangeNotifyPrivilege
Description: Bypass traverse checking
State: Enabled
Privilege Name: SeRemoteShutdownPrivilege
Description: Force shutdown from a remote system
State: Disabled
Privilege Name: SeUndockPrivilege
Description: Remove computer from docking station
State: Disabled
Privilege Name: SeManageVolumePrivilege
Description: Perform volume maintenance tasks
State: Disabled
Privilege Name: SeImpersonatePrivilege
Description: Impersonate a client after authentication
State: Enabled
Privilege Name: SeCreateGlobalPrivilege
Description: Create global objects
State: Enabled
Privilege Name: SeIncreaseWorkingSetPrivilege
Description: Increase a process working set
State: Disabled
Privilege Name: SeTimeZonePrivilege
Description: Change the time zone
State: Disabled
Privilege Name: SeCreateSymbolicLinkPrivilege
Description: Create symbolic links
State: Disabled

Snip2: The contents of an ‘Elevated Token’
Similarities in the two tokens
a- In the above two snippets, snip1 and snip2, notice that the user SID is exactly the same, which means that these two tokens apply to the same security principal on this particular system.
b- Group memberships are the same except for the membership in the NT AUTHORITY and the Administrators groups.
c- The privileges SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege and SeTimeZonePrivilege are assigned to both tokens.
Differences between the two tokens
a- The elevated token has a High Integrity Level, i.e. it is more trusted by the system. To read more about the Windows Integrity Mechanism please visit: http://securityinternals.blogspot.ae/2014/01/windows-integrity-checks-mandatory.html
b- The group memberships are different: the filtered token has a ‘deny only’ membership in the Administrators and NT AUTHORITY groups, while the elevated token has memberships in the NT AUTHORITY and the Administrators groups.
c- The privileges SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege and the SeCreateSymbolicLinkPrivilege are only assigned to the elevated token.
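The comparison above can be reproduced mechanically from two saved `whoami /all` outputs in the list layout shown in the snippets. The following is an added example, not part of the original article: `parse_token` and `compare` are hypothetical names, and the two inputs are constructed samples abbreviated from snip1 and snip2 (Description lines omitted).

```python
def parse_token(text):
    """Parse list-style `whoami /all` output into integrity SID, groups, privileges."""
    records, cur = [], None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # section titles, rulers, blank lines
        key, val = key.strip(), val.strip()
        if key in ("Group Name", "Privilege Name"):
            cur = {key: val}
            records.append(cur)
        elif cur is not None:  # ignores the USER INFORMATION fields
            cur[key] = val
    tok = {"integrity": None, "groups": {}, "privs": {}}
    for r in records:
        if "Privilege Name" in r:
            tok["privs"][r["Privilege Name"]] = r.get("State")
        elif r.get("Type") == "Label":
            tok["integrity"] = r.get("SID")  # mandatory label = integrity level
        else:
            tok["groups"][r.get("SID")] = r.get("Attributes", "")
    return tok

def compare(filtered, elevated):
    """Report what elevation changes between the two tokens of one user."""
    deny = [s for s, a in filtered["groups"].items() if "deny only" in a]
    return {
        "integrity": (filtered["integrity"], elevated["integrity"]),
        "groups_enabled_by_elevation": sorted(
            s for s in deny if "Enabled group" in elevated["groups"].get(s, "")),
        "elevated_only_privs": sorted(set(elevated["privs"]) - set(filtered["privs"])),
        "shared_privs": sorted(set(elevated["privs"]) & set(filtered["privs"])),
    }

# Constructed samples abbreviated from snip1/snip2; "; " stands in for line breaks.
FILTERED = r"""Group Name: Mandatory Label\Medium Mandatory Level; Type: Label; SID: S-1-16-8192; Attributes:
Group Name: BUILTIN\Administrators; Type: Alias; SID: S-1-5-32-544; Attributes: Group used for deny only
Privilege Name: SeShutdownPrivilege; State: Enabled
Privilege Name: SeTimeZonePrivilege; State: Disabled
""".replace("; ", "\n")
ELEVATED = r"""Group Name: Mandatory Label\High Mandatory Level; Type: Label; SID: S-1-16-12288; Attributes:
Group Name: BUILTIN\Administrators; Type: Alias; SID: S-1-5-32-544; Attributes: Mandatory group, Enabled by default, Enabled group, Group owner
Privilege Name: SeShutdownPrivilege; State: Disabled
Privilege Name: SeDebugPrivilege; State: Disabled
Privilege Name: SeLoadDriverPrivilege; State: Disabled
Privilege Name: SeTimeZonePrivilege; State: Disabled
""".replace("; ", "\n")
if __name__ == "__main__":
    print(compare(parse_token(FILTERED), parse_token(ELEVATED)))
```

A token where the Administrators SID is not deny-only at Medium integrity, or where `elevated_only_privs` is empty, indicates that the filtered/elevated split described here is not in effect for that logon.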
The difference between a right and a privilege needs to be clarified here:
Anything a user can do within his own domain of access, such as his folder, desktop and environment, is his right.
Any power that the user is given beyond his (default) boundary is called a privilege. E.g. a user can delete and create anything he likes in his personal folder, but if he shuts down the computer, other logged-on users will be affected. These other logged-on users are outside his boundary. The power to affect objects outside a user’s rightful space is called a privilege.
Common example of protected administrator usage
The most frequent example given in this case is that of changing the time and changing the time zone. Changing the time of a system is a security-related issue, as it can affect the audit logs being created on the machine. Changing the time zone is not a security issue, as it only changes how the time is displayed.
If we try to change the time using Control Panel -> Clock, Language -> Date and time, we see the shield icon on 'Change date and time', which means that this is a protected action/function. Similarly, anything under the Control Panel which is protected (i.e. requires admin privileges) has a shield next to it.
A couple more examples of actions that do not need administrator privileges are changing the IP and installing optional updates to the system.
About the Author: Saquib Farooq Malik is a senior Information Security Specialist.
Saquib specializes in Vulnerability Assessment, Penetration Testing and Microsoft Windows Security, and implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.