Wednesday, February 19, 2014

Windows Protected Administrative Accounts



This article discusses the Protected Administrator (PA) account, which is part of the User Account Control (UAC) set of security controls.

The PA is an important component of the UAC security control set introduced with Windows Vista. Its purpose is to protect users from accidental misconfiguration and from actions that malware performs with the user's own credentials.
Introduction
Windows UAC introduces the mechanism of two separate access tokens for the same user when that user is a member of the Administrators group.
Protected Administrator is the aspect of UAC that protects administrator accounts. It first appeared in Windows Vista and Windows Server 2008. The built-in Administrator account is exempt by default (the policy "User Account Control: Admin Approval Mode for the Built-in Administrator account" is disabled unless an administrator turns it on), so what follows applies to the other members of the Administrators group.
In Windows versions before Vista, the account created during installation was a full administrator, and every process it started carried full administrative privileges for as long as the user was logged on. Administrative privileges are needed only occasionally, so under UAC even an administrator receives them only for the specific operation that requires them; the rest of the time the administrator works with a token that is equivalent to a standard user's.
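A quick way to see which of the two tokens a given shell holds, written here as an added example (it is not code from the original article). It reads the same signals the 'whoami /all' snippets below expose: the integrity label SID (S-1-16-*), the attributes on BUILTIN\Administrators (S-1-5-32-544) and the privilege list. It assumes an English-language Windows, because whoami prints localized attribute text such as "Group used for deny only".

```powershell
# Added example, not from the original article: classify the token the
# current PowerShell process runs under (standard user, filtered admin or
# elevated admin) from the output of whoami.
# Assumption: English-language Windows (whoami localizes the Attributes text).

function Get-CurrentTokenKind {
    # whoami can emit CSV; ConvertFrom-Csv turns each row into an object with
    # 'Group Name', 'Type', 'SID' and 'Attributes' properties.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = @(whoami /priv /fo csv | ConvertFrom-Csv)

    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    # The integrity level is the last sub-authority of the label SID:
    # 8192 is Medium (filtered token), 12288 is High (elevated token).
    $integrity = 'Unknown'
    if ($label) {
        $integrity = switch ([int]($label.SID -replace '^S-1-16-', '')) {
            4096    { 'Low' }
            8192    { 'Medium' }
            12288   { 'High' }
            16384   { 'System' }
            default { "RID $_" }
        }
    }

    if (-not $admins) {
        $kind = 'StandardUser'      # no Administrators membership at all
    } elseif ($admins.Attributes -match 'deny only') {
        $kind = 'FilteredAdmin'     # the Protected Administrator's limited token
    } else {
        $kind = 'ElevatedAdmin'     # the full token, obtained through UAC consent
    }

    [pscustomobject]@{
        User           = (whoami)
        TokenKind      = $kind
        IntegrityLevel = $integrity
        PrivilegeCount = $privs.Count
        HasSeDebug     = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' })
    }
}

Get-CurrentTokenKind | Format-List
```

Run from a normal PowerShell window on the machine in the snippets below, this reports FilteredAdmin, Medium integrity and 5 privileges; from a window started with "Run as administrator" it reports ElevatedAdmin, High integrity and 23 privileges. If UAC is switched off, or the shell runs as the built-in Administrator account with Admin Approval Mode at its default, there is no filtered token and every shell reports ElevatedAdmin.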

One access token is the filtered access token, which has a limited set of privileges, as shown in the snippet snip1 below:
The filtered token as shown by the ‘whoami /all’ command in Windows
USER INFORMATION
----------------

User Name: boXqube\saquib
SID:       S-1-5-21-2334885699-809931670-895787141-1001


GROUP INFORMATION
-----------------

Group Name: Mandatory Label\Medium Mandatory Level
Type:       Label
SID:        S-1-16-8192
Attributes:

Group Name: Everyone
Type:       Well-known group
SID:        S-1-1-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account and member of Administrators group
Type:       Well-known group
SID:        S-1-5-114
Attributes: Group used for deny only

Group Name: BUILTIN\Administrators
Type:       Alias
SID:        S-1-5-32-544
Attributes: Group used for deny only

Group Name: BUILTIN\Users
Type:       Alias
SID:        S-1-5-32-545
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\INTERACTIVE
Type:       Well-known group
SID:        S-1-5-4
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: CONSOLE LOGON
Type:       Well-known group
SID:        S-1-2-1
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Authenticated Users
Type:       Well-known group
SID:        S-1-5-11
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\This Organization
Type:       Well-known group
SID:        S-1-5-15
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: MicrosoftAccount\saquibfarooq@hotmail.com
Type:       User
SID:        S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2803740363-3898146153-1545416234-1633511868-824148921
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account
Type:       Well-known group
SID:        S-1-5-113
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: LOCAL
Type:       Well-known group
SID:        S-1-2-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Microsoft Account Authentication
Type:       Well-known group
SID:        S-1-5-64-32
Attributes: Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name: SeShutdownPrivilege
Description:    Shut down the system
State:          Enabled

Privilege Name: SeChangeNotifyPrivilege
Description:    Bypass traverse checking
State:          Enabled

Privilege Name: SeUndockPrivilege
Description:    Remove computer from docking station
State:          Disabled

Privilege Name: SeIncreaseWorkingSetPrivilege
Description:    Increase a process working set
State:          Disabled

Privilege Name: SeTimeZonePrivilege
Description:    Change the time zone
State:          Disabled

Snip1: Contents of a filtered token

The other access token is the full, or "elevated", access token; its contents are given in the snippet snip2 below:
The elevated token as shown by the ‘whoami /all’ command in Windows
USER INFORMATION
----------------

User Name: boXqube\saquib
SID:       S-1-5-21-2334885699-809931670-895787141-1001


GROUP INFORMATION
-----------------

Group Name: Mandatory Label\High Mandatory Level
Type:       Label
SID:        S-1-16-12288
Attributes:

Group Name: Everyone
Type:       Well-known group
SID:        S-1-1-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account and member of Administrators group
Type:       Well-known group
SID:        S-1-5-114
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: BUILTIN\Administrators
Type:       Alias
SID:        S-1-5-32-544
Attributes: Mandatory group, Enabled by default, Enabled group, Group owner

Group Name: BUILTIN\Users
Type:       Alias
SID:        S-1-5-32-545
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\INTERACTIVE
Type:       Well-known group
SID:        S-1-5-4
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: CONSOLE LOGON
Type:       Well-known group
SID:        S-1-2-1
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Authenticated Users
Type:       Well-known group
SID:        S-1-5-11
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\This Organization
Type:       Well-known group
SID:        S-1-5-15
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: MicrosoftAccount\saquibfarooq@hotmail.com
Type:       User
SID:        S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2803740363-3898146153-1545416234-1633511868-824148921
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account
Type:       Well-known group
SID:        S-1-5-113
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: LOCAL
Type:       Well-known group
SID:        S-1-2-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Microsoft Account Authentication
Type:       Well-known group
SID:        S-1-5-64-32
Attributes: Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name: SeIncreaseQuotaPrivilege
Description:    Adjust memory quotas for a process
State:          Disabled

Privilege Name: SeSecurityPrivilege
Description:    Manage auditing and security log
State:          Disabled

Privilege Name: SeTakeOwnershipPrivilege
Description:    Take ownership of files or other objects
State:          Disabled

Privilege Name: SeLoadDriverPrivilege
Description:    Load and unload device drivers
State:          Disabled

Privilege Name: SeSystemProfilePrivilege
Description:    Profile system performance
State:          Disabled

Privilege Name: SeSystemtimePrivilege
Description:    Change the system time
State:          Disabled

Privilege Name: SeProfileSingleProcessPrivilege
Description:    Profile single process
State:          Disabled

Privilege Name: SeIncreaseBasePriorityPrivilege
Description:    Increase scheduling priority
State:          Disabled

Privilege Name: SeCreatePagefilePrivilege
Description:    Create a pagefile
State:          Disabled

Privilege Name: SeBackupPrivilege
Description:    Back up files and directories
State:          Disabled

Privilege Name: SeRestorePrivilege
Description:    Restore files and directories
State:          Disabled

Privilege Name: SeShutdownPrivilege
Description:    Shut down the system
State:          Disabled

Privilege Name: SeDebugPrivilege
Description:    Debug programs
State:          Disabled

Privilege Name: SeSystemEnvironmentPrivilege
Description:    Modify firmware environment values
State:          Disabled

Privilege Name: SeChangeNotifyPrivilege
Description:    Bypass traverse checking
State:          Enabled

Privilege Name: SeRemoteShutdownPrivilege
Description:    Force shutdown from a remote system
State:          Disabled

Privilege Name: SeUndockPrivilege
Description:    Remove computer from docking station
State:          Disabled

Privilege Name: SeManageVolumePrivilege
Description:    Perform volume maintenance tasks
State:          Disabled

Privilege Name: SeImpersonatePrivilege
Description:    Impersonate a client after authentication
State:          Enabled

Privilege Name: SeCreateGlobalPrivilege
Description:    Create global objects
State:          Enabled

Privilege Name: SeIncreaseWorkingSetPrivilege
Description:    Increase a process working set
State:          Disabled

Privilege Name: SeTimeZonePrivilege
Description:    Change the time zone
State:          Disabled

Privilege Name: SeCreateSymbolicLinkPrivilege
Description:    Create symbolic links
State:          Disabled

Snip2: The contents of an ‘Elevated Token’
Similarities in the two tokens
a-      In snip1 and snip2 the user SID is exactly the same, which means that both tokens belong to the same security principal on this system.
b-      Both tokens carry the same list of groups; only the attributes on BUILTIN\Administrators and on NT AUTHORITY\Local account and member of Administrators group differ (see below).
c-       The privileges SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege and SeTimeZonePrivilege are assigned to both tokens. The State column only shows whether a privilege was enabled in the process that ran whoami; SeShutdownPrivilege is Enabled in snip1 and Disabled in snip2, but both tokens hold it.


Differences between the two tokens
a-      The elevated token carries the High integrity level (S-1-16-12288) instead of Medium (S-1-16-8192), i.e. it is more trusted by the system. To read more about the Windows Integrity Mechanism please visit: http://securityinternals.blogspot.ae/2014/01/windows-integrity-checks-mandatory.html
b-      In the filtered token, BUILTIN\Administrators (S-1-5-32-544) and NT AUTHORITY\Local account and member of Administrators group (S-1-5-114) are marked "Group used for deny only". A deny-only SID is matched only against access-denied entries in an ACL and can never grant access, so the filtered token gets none of the Administrators group's permissions. In the elevated token both groups are enabled, and BUILTIN\Administrators is additionally marked "Group owner", so it can be assigned as the owner of objects the token creates.
c-       The elevated token holds 23 privileges against the filtered token's 5. The 18 privileges SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege and SeCreateSymbolicLinkPrivilege are assigned only to the elevated token.
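The comparison above can be produced on any Protected Administrator account instead of by reading two snippets by hand. The following script is an added example (not from the original article): it records the privileges of the current, filtered token, relaunches PowerShell through the UAC prompt so that the child process runs with the elevated token, has the child record its privileges, and then diffs the two lists. It assumes the account is a member of Administrators, that you accept the UAC consent prompt, and that %TEMP% is writable.

```powershell
# Added example, not from the original article: diff the filtered and the
# elevated token of the current user. Assumptions: the account is a Protected
# Administrator, the UAC prompt is accepted, %TEMP% is writable.

$filteredFile = Join-Path $env:TEMP 'token-filtered.csv'
$elevatedFile = Join-Path $env:TEMP 'token-elevated.csv'
Remove-Item $filteredFile, $elevatedFile -ErrorAction SilentlyContinue

# 1. Snapshot the token this script runs under (the filtered one, normally).
whoami /priv /fo csv | Set-Content -Path $filteredFile

# 2. Ask UAC for the elevated token: -Verb RunAs shows the consent prompt and
#    the child runs the same snapshot with its elevated token, then exits.
$childCmd = "whoami /priv /fo csv | Set-Content -Path '$elevatedFile'"
try {
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList '-NoProfile', '-Command', $childCmd -ErrorAction Stop
} catch {
    throw "Elevation failed or was refused at the UAC prompt: $($_.Exception.Message)"
}
if (-not (Test-Path $elevatedFile)) { throw 'The elevated child produced no snapshot.' }

# 3. Compare. Compare-Object marks '=>' for rows only in the elevated token
#    and '<=' for rows only in the filtered token.
$filtered = @(Import-Csv $filteredFile)
$elevated = @(Import-Csv $elevatedFile)

$onlyElevated = Compare-Object -ReferenceObject $filtered -DifferenceObject $elevated `
    -Property 'Privilege Name' | Where-Object SideIndicator -eq '=>'

"Privileges in the filtered token : $($filtered.Count)"
"Privileges in the elevated token : $($elevated.Count)"
"Held only by the elevated token  :"
$onlyElevated | ForEach-Object { "  " + $_.'Privilege Name' }

# Privileges held by both tokens but with a different default State, as with
# SeShutdownPrivilege (Enabled in snip1, Disabled in snip2).
"Held by both, different default state:"
foreach ($p in $filtered) {
    $e = $elevated | Where-Object { $_.'Privilege Name' -eq $p.'Privilege Name' }
    if ($e -and $e.State -ne $p.State) {
        "  $($p.'Privilege Name'): $($p.State) -> $($e.State)"
    }
}

Remove-Item $filteredFile, $elevatedFile -ErrorAction SilentlyContinue
```

On the machine in the snippets this prints 5 and 23 privileges and lists the 18 privileges that only the elevated token holds. If the script is itself started from an elevated window, both snapshots come from the same token and the diff is empty, which is a handy way to confirm that a shell is already elevated.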

The difference between a right and a privilege needs to be clarified here:
Whatever a user may do inside his own domain of access (his profile folder, his desktop, his own processes) is governed by the permissions on those objects and is his right. Power granted beyond that default boundary is a privilege. For example, a user can create and delete anything he likes in his personal folder, but if he shuts the computer down, every other logged-on user is affected; those users lie outside his boundary. The power to affect objects outside a user's own rightful space is what Windows calls a privilege, and the privileges a token holds are exactly what the PRIVILEGES INFORMATION section of 'whoami /all' lists. In the Local Security Policy console both kinds are assigned together under User Rights Assignment, which is why the two terms are so often confused.
Common example of protected administrator usage

The most frequent example given in this case is that of changing the time versus changing the time zone. Changing the time of a system is a security-related action because it affects the timestamps of the audit logs being written on the machine. Changing the time zone is not a security issue: event timestamps are stored in UTC, so a new time zone only changes how they are displayed. This is reflected in the two tokens above: SeTimeZonePrivilege is in both, while SeSystemtimePrivilege is only in the elevated token.
If we try to change the time using Control Panel -> Clock, Language -> Date and Time, we see the shield icon on 'Change date and time', which means that this is a protected action that will raise a UAC prompt and run with the elevated token. Similarly, anything in Control Panel that is protected (that is, requires the elevated token) has a shield next to it.
Two more actions that do not need the elevated token are connecting to a network (the adapter obtains its IP address through DHCP without a prompt) and installing updates offered by Windows Update. Setting a static IP address through the adapter's Properties dialog, by contrast, does show the shield and prompts for elevation.
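The time and time-zone examples can be tried from a PowerShell window instead of Control Panel. The script below is an added example (not from the original article) and goes slightly beyond the text by adding a third action, reading the Security event log, which needs SeSecurityPrivilege from snip2. Every action is written as a no-op (the current time zone, a zero time adjustment, a single read) so that running it changes nothing on the machine. It assumes Windows 10 or later with PowerShell 5.1, where the Get-TimeZone and Set-TimeZone cmdlets exist.

```powershell
# Added example, not from the original article: try three actions and report
# which ones the current token can perform. Assumption: Windows 10+ with
# PowerShell 5.1 or later (Get-TimeZone/Set-TimeZone).

function Test-ProtectedAction {
    param(
        [string]$Name,          # description shown in the report
        [scriptblock]$Action    # the action; must throw on failure
    )
    try {
        & $Action | Out-Null
        [pscustomobject]@{ Action = $Name; Result = 'Succeeded' }
    } catch {
        # Unelevated, the protected actions fail with a privilege or
        # unauthorized-operation error rather than a UAC prompt.
        [pscustomobject]@{ Action = $Name; Result = "Failed: $($_.Exception.Message)" }
    }
}

$report = @(
    # SeTimeZonePrivilege is in both tokens: works from the filtered token.
    Test-ProtectedAction 'Change time zone (SeTimeZonePrivilege)' {
        Set-TimeZone -Id (Get-TimeZone).Id -ErrorAction Stop
    }
    # SeSystemtimePrivilege is only in the elevated token: fails unelevated.
    # -Adjust with a zero TimeSpan leaves the clock exactly where it is.
    Test-ProtectedAction 'Change system time (SeSystemtimePrivilege)' {
        Set-Date -Adjust ([TimeSpan]::Zero) -ErrorAction Stop
    }
    # SeSecurityPrivilege is only in the elevated token: the Security log
    # cannot even be read from the filtered token.
    Test-ProtectedAction 'Read Security event log (SeSecurityPrivilege)' {
        Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop
    }
)

"Running as: $(whoami)"
$report | Format-Table -AutoSize
```

From a normal window only the first action succeeds; from a window started with "Run as administrator" all three succeed, because the shell then holds the elevated token and no further prompt is raised for individual operations.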

About the Author: Saquib Farooq Malik is a senior Information Security Specialist. Saquib specializes in Vulnerability Assessment, Penetration Testing, Microsoft Windows Security, and implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.

