Windows Protected Administrative Accounts

This article/blog discusses the Protected Administrative (PA) account which is part of the User Account Control (UAC) set of security controls.

The PA is an important component of the entire UAC security control set introduced with Windows Vista to protect users from accidental misconfigurations and from intentional actions being performed by malware.

Introduction

Windows UAC introduces the mechanism of using two separate access tokens for the same user, if the user is an administrator on the system.
Protected admin is the aspect of UAC which protects the Administrator's account. This came first in windows vista and windows server 2008.
 In operating systems before Vista after an installation the user that was created had full administrative privileges, and he had them for as long as he was logged in on the system. Since the administrator privileges are not required all the time therefore even the administrator is given the privileges for a very small time, the rest of the time the admin works with a standard user.

One access token can is the filtered access token that has a limited set of privileges as shown in the snippet snip1 below:

The filtered token as shown by the ‘whoami /all’ command in Windows

USER INFORMATION ---------------- User Name: boXqube\saquib SID:       S-1-5-21-2334885699-809931670-895787141-1001 GROUP INFORMATION ----------------- Group Name: Mandatory Label\Medium Mandatory Level Type:       Label SID:        S-1-16-8192 Attributes: Group Name: Everyone Type:       Well-known group SID:        S-1-1-0 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\Local account and member of Administrators group Type:       Well-known group SID:        S-1-5-114 Attributes: Group used for deny only Group Name: BUILTIN\Administrators Type:       Alias SID:        S-1-5-32-544 Attributes: Group used for deny only Group Name: BUILTIN\Users Type:       Alias SID:        S-1-5-32-545 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\INTERACTIVE Type:       Well-known group SID:        S-1-5-4 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: CONSOLE LOGON Type:       Well-known group SID:        S-1-2-1 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\Authenticated Users Type:       Well-known group SID:        S-1-5-11 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\This Organization Type:       Well-known group SID:        S-1-5-15 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: MicrosoftAccount\saquibfarooq@hotmail.com Type:       User SID:        S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2803740363-3898146153-1545416234-1633511868-824148921 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\Local account Type:       Well-known group SID:        S-1-5-113 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: LOCAL Type:       Well-known group SID:        S-1-2-0 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\Microsoft Account Authentication Type:       Well-known group SID:        S-1-5-64-32 Attributes: Mandatory group, Enabled by default, Enabled group PRIVILEGES INFORMATION ---------------------- Privilege Name: SeShutdownPrivilege Description:    Shut down the system State:          Enabled Privilege Name: SeChangeNotifyPrivilege Description:    Bypass traverse checking State:          Enabled Privilege Name: SeUndockPrivilege Description:    Remove computer from docking station State:          Disabled Privilege Name: SeIncreaseWorkingSetPrivilege Description:    Increase a process working set State:          Disabled Privilege Name: SeTimeZonePrivilege Description:    Change the time zone State:          Disabled

Snip1: Contents of a filtered token

The other access token is called the “Elevated Access Token”, the contents of which are given in the snippet snip2 below:

The filtered token as shown by the ‘whoami /all’ command in Windows

USER INFORMATION ---------------- User Name: boXqube\saquib SID:       S-1-5-21-2334885699-809931670-895787141-1001 GROUP INFORMATION ----------------- Group Name: Mandatory Label\High Mandatory Level Type:       Label SID:        S-1-16-12288 Attributes: Group Name: Everyone Type:       Well-known group SID:        S-1-1-0 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\Local account and member of Administrators group Type:       Well-known group SID:        S-1-5-114 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: BUILTIN\Administrators Type:       Alias SID:        S-1-5-32-544 Attributes: Mandatory group, Enabled by default, Enabled group, Group owner Group Name: BUILTIN\Users Type:       Alias SID:        S-1-5-32-545 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\INTERACTIVE Type:       Well-known group SID:        S-1-5-4 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: CONSOLE LOGON Type:       Well-known group SID:        S-1-2-1 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\Authenticated Users Type:       Well-known group SID:        S-1-5-11 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\This Organization Type:       Well-known group SID:        S-1-5-15 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: MicrosoftAccount\saquibfarooq@hotmail.com Type:       User SID:        S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2803740363-3898146153-1545416234-1633511868-824148921 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\Local account Type:       Well-known group SID:        S-1-5-113 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: LOCAL Type:       Well-known group SID:        S-1-2-0 Attributes: Mandatory group, Enabled by default, Enabled group Group Name: NT AUTHORITY\Microsoft Account Authentication Type:       Well-known group SID:        S-1-5-64-32 Attributes: Mandatory group, Enabled by default, Enabled group PRIVILEGES INFORMATION ---------------------- Privilege Name: SeIncreaseQuotaPrivilege Description:    Adjust memory quotas for a process State:          Disabled Privilege Name: SeSecurityPrivilege Description:    Manage auditing and security log State:          Disabled Privilege Name: SeTakeOwnershipPrivilege Description:    Take ownership of files or other objects State:          Disabled Privilege Name: SeLoadDriverPrivilege Description:    Load and unload device drivers State:          Disabled Privilege Name: SeSystemProfilePrivilege Description:    Profile system performance State:          Disabled Privilege Name: SeSystemtimePrivilege Description:    Change the system time State:          Disabled Privilege Name: SeProfileSingleProcessPrivilege Description:    Profile single process State:          Disabled Privilege Name: SeIncreaseBasePriorityPrivilege Description:    Increase scheduling priority State:          Disabled Privilege Name: SeCreatePagefilePrivilege Description:    Create a pagefile State:          Disabled Privilege Name: SeBackupPrivilege Description:    Back up files and directories State:          Disabled Privilege Name: SeRestorePrivilege Description:    Restore files and directories State:          Disabled Privilege Name: SeShutdownPrivilege Description:    Shut down the system State:          Disabled Privilege Name: SeDebugPrivilege Description:    Debug programs State:          Disabled Privilege Name: SeSystemEnvironmentPrivilege Description:    Modify firmware environment values State:          Disabled Privilege Name: SeChangeNotifyPrivilege Description:    Bypass traverse checking State:          Enabled Privilege Name: SeRemoteShutdownPrivilege Description:    Force shutdown from a remote system State:          Disabled Privilege Name: SeUndockPrivilege Description:    Remove computer from docking station State:          Disabled Privilege Name: SeManageVolumePrivilege Description:    Perform volume maintenance tasks State:          Disabled Privilege Name: SeImpersonatePrivilege Description:    Impersonate a client after authentication State:          Enabled Privilege Name: SeCreateGlobalPrivilege Description:    Create global objects State:          Enabled Privilege Name: SeIncreaseWorkingSetPrivilege Description:    Increase a process working set State:          Disabled Privilege Name: SeTimeZonePrivilege Description:    Change the time zone State:          Disabled Privilege Name: SeCreateSymbolicLinkPrivilege Description:    Create symbolic links State:          Disabled

Snip2: The contents of an ‘Elevated Token’

Similarities in the two tokens

a-      In the above two snippets snip1 and snip2 notice the exactly same SID. Which means that these two tokens apply to the same security principal on this particular system.

b-      Group memberships are same except for the membership to the NT AUTHORITY and the Administrators group

c-       The Privileges SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege and SeTimeZonePrivilege are assigned to both tokens.

Differences between the two tokens

a-      The elevated token has a High Integrity Level, i.e. it is more trusted by the system. To read more about the Windows Integrity Mechanism please visit: http://securityinternals.blogspot.ae/2014/01/windows-integrity-checks-mandatory.html

b-      The group memberships are different, the filtered token has a ‘deny only’ membership with Administrator and NT AUTHORITY groups while the elevated token has memberships to the NT AUTHORITY and the Administrators groups.

c-       The Privileges SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,  SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege and the SeCreateSymbolicLinkPrivilege are only assigned to the elevated token.

The difference between a right and a privilege needs to be clarified here:

Anything a user can do within his domain of access, like his folder, desktop and environment is his right. Anything power that the user is given beyond his (default) boundary is called privilege. E.g. a user can delete and create anything he likes in his personal folder, but if he shuts down computer other logged on users will be effected. These other logged on users are outside his boundary. The power to effect objects outside a user’s the rightful space is called a privilege.

Common example of protected administrator usage

The most frequent example given in this case is that of time changing and Time zone changing. Changing the time of a system is a security related issue as it can affect the audit logs being created on the machine. The changing of the time zone is not a security issue as it only changes how the time is displayed.

If we try to change the time using Control Panel -> Clock, Language-> Date and time we see the shield icon on 'Change date and time', which means that this is a protected action/function. Similarly anything under the control panel which is protected (a.k.a requires admin privileges has a shield next to it.)

Just to add a couple more examples to the actions that do not need administrator privileges is changing IP or installing optional updates to the system.

About the Author: Saquib Farooq Malik, is a senior Information Security Specialist . Saquib Specializes in Vulnerability Assessment, Penetration Testing and Microsoft Windows Security, implementations of ISO 27001 in different corporate environments in the Middle East.

He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.