Windows Privileges - Backup Operators
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!
There exist two privileges that are highly relevant to backup.
But first, the Tao of Backup. Read it and then come back here.
A backup program (actually, I think it should be called “restore program”) has to be able to read and write all files, regardless of owner or access rights.
The “obvious” solution is to run restore programs as Administrator, obviously. It’s obvious. It’s also not recommended.
The restore program does not have to be able to administer the system, “only” to read and write all files.
This is roughly equivalent to complete superuser rights, but exploiting it requires running arbitrary code with those abilities, and we are assuming the restore program does what it says.
First, see what happens when user benoit tries to read a file he cannot read and write a file he cannot write.
A directory Anti-Benoit with two files. User benoit is not a member of the Administrators group and has in fact been explicitly denied access:
PS C:\Anti-Benoit> cmd /c dir/b
barfile
foofile
PS C:\Anti-Benoit> icacls .
. CHAMPIGNAC\benoit:(OI)(CI)(N)
BUILTIN\Administrators:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
PS C:\Anti-Benoit> icacls .\foofile
.\foofile CHAMPIGNAC\benoit:(I)(N)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
PS C:\Anti-Benoit> icacls .\barfile
.\barfile CHAMPIGNAC\benoit:(I)(N)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
PS C:\Anti-Benoit>
As we can see, user benoit is quite helpless:
PS C:\> whoami
champignac\benoit
PS C:\> dir .\Anti-Benoit\
dir : Access to the path 'C:\Anti-Benoit' is denied.
At line:1 char:1
+ dir .\Anti-Benoit\
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Anti-Benoit\:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\> cp C:\Anti-Benoit\foofile C:\Temp\
cp : Access is denied
At line:1 char:1
+ cp C:\Anti-Benoit\foofile C:\Temp\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Anti-Benoit\foofile:String) [Copy-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand
cp : Cannot find path 'C:\Anti-Benoit\foofile' because it does not exist.
At line:1 char:1
+ cp C:\Anti-Benoit\foofile C:\Temp\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Anti-Benoit\foofile:String) [Copy-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyItemCommand
PS C:\>
Robocopy can pretend to be a restore program, but it won’t work for user benoit either:
PS C:\> robocopy /b .\Anti-Benoit\ C:\Temp\ foofile
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Source : C:\Anti-Benoit\
Dest : C:\Temp\
Files : foofile
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
ERROR : You do not have the Backup and Restore Files user rights.
***** You need these to perform Backup copies (/B or /ZB).
Simple Usage :: ROBOCOPY source destination /MIR
source :: Source Directory (drive:\path or \\server\share\path).
destination :: Destination Dir (drive:\path or \\server\share\path).
/MIR :: Mirror a complete directory tree.
For more usage information run ROBOCOPY /?
**** /MIR can DELETE files as well as copy them !
PS C:\>
But now user benoit has been tasked with running a restore program. For this he needs SeBackupPrivilege and SeRestorePrivilege.
There is a built-in local group Backup Operators that holds those privileges and a few others deemed necessary for the proper functioning of a restore program.
PS C:\Program Files\ABTokenTools> .\AccountRights.exe "Backup Operators"
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeChangeNotifyPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeBatchLogonRight
7
PS C:\Program Files\ABTokenTools>
From this we can conclude that a restore program should be able to back up and restore, possibly shut down the computer after a backup job, traverse all directories, and be allowed to log on interactively, as a scheduled task, or via the network. (I assume this includes the privileges required by the restore team to do restores.)
Note that those are system privileges and will hence be removed by UAC. This is probably a good thing, since a user holding those privileges can run arbitrary code. These privileges should only be given to the restore program itself. If it is a service, see [Privileged Services]; equip the service SID with those two privileges or the Backup Operators group, not the Administrators group. (The logon rights will not apply to the restore program service.)
User benoit with those privileges (or the Backup Operators group membership) can now read and write those formerly unreachable files:
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\> dir .\Anti-Benoit\
dir : Access to the path 'C:\Anti-Benoit' is denied.
At line:1 char:1
+ dir .\Anti-Benoit\
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Anti-Benoit\:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\> robocopy /b .\Anti-Benoit\ C:\Temp\ foofile
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Source : C:\Anti-Benoit\
Dest : C:\Temp\
Files : foofile
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 C:\Anti-Benoit\
100% New File 12 foofile
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 12 12 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 12,000 Bytes/sec.
Speed : 0.687 MegaBytes/min.
PS C:\>
Now, everything is ready for the infamous “foo” attack, where user benoit abuses his abusable privilege and modifies the file and then “restores” it:
PS C:\> cd .\Temp\
PS C:\Temp> cat foofile
foo
PS C:\Temp> "pwned"|Out-File foofile
PS C:\Temp> cat foofile
pwned
PS C:\Temp> robocopy /b . C:\Anti-Benoit\ foofile
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Source : C:\Temp\
Dest : C:\Anti-Benoit\
Files : foofile
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 C:\Temp\
100% Newer 16 foofile
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 16 16 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 1,066 Bytes/sec.
Speed : 0.061 MegaBytes/min.
PS C:\Temp>
The administrator will now find the modified file:
PS C:\Anti-Benoit> icacls .\foofile
.\foofile CHAMPIGNAC\benoit:(I)(N)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
PS C:\Anti-Benoit> cat .\foofile
pwned
PS C:\Anti-Benoit>
So there you go, that’s why those privileges are considered system privileges. With those privileges and the ability to run arbitrary code, you are the system administrator. That means assign SeBackupPrivilege and SeRestorePrivilege or the Backup Operators group only to trustworthy restore programs (if you can find one) or to trustworthy people (who should then be considered to have powers equal to system administrators).
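If you want to know who on a box already holds these admin-equivalent rights, and whether the token you are sitting in actually carries them (UAC filtering, as noted above), here is an audit script. It is an added example, not part of the original post: it assumes PowerShell 5.1 or later with the built-in LocalAccounts module (Get-LocalGroupMember), and it treats the "NT Service\..." naming of virtual service accounts as the marker for "this is a program, not a person".

```powershell
# Added example (not from the original post): audit who holds backup/restore rights
# on the local machine and whether the current token actually carries them.
# Assumes PowerShell 5.1+ with Get-LocalGroupMember available.

function Get-BackupOperatorAudit {
    # Members of the built-in Backup Operators group, classified by what they are.
    # Virtual service accounts are what the post recommends; anything else is a
    # human or a group and should be treated as admin-equivalent.
    $members = Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction Stop
    foreach ($m in $members) {
        $assessment = if ($m.Name -match '^NT SERVICE\\') {
            'virtual service account (scoped to one program)'
        } else {
            "$($m.ObjectClass) - admin-equivalent, review"
        }
        [pscustomobject]@{
            Member     = $m.Name
            Class      = $m.ObjectClass
            Source     = $m.PrincipalSource
            Assessment = $assessment
        }
    }
}

function Get-CurrentTokenBackupState {
    # Parse `whoami /priv` for the two privileges. The State column is
    # Enabled/Disabled; the line is missing entirely when UAC has stripped the
    # privilege from this (filtered) token.
    $lines  = whoami /priv
    $result = [ordered]@{}
    foreach ($priv in 'SeBackupPrivilege', 'SeRestorePrivilege') {
        $line = $lines | Where-Object { $_ -match "^\s*$priv\s" }
        $result[$priv] = if ($line) { ($line -split '\s{2,}')[-1].Trim() } else { 'Absent' }
    }

    # IsInRole uses CheckTokenMembership, which ignores deny-only SIDs, so this is
    # $true only when the Backup Operators group is really active in the token
    # (i.e. not a UAC-filtered token).
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $result['BackupOperatorsActive'] =
        $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::BackupOperator)
    $result['AdministratorsActive'] =
        $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]$result
}

Get-BackupOperatorAudit | Format-Table -AutoSize
Get-CurrentTokenBackupState
```

Run it twice from a Backup Operators member account, once in a normal PowerShell window and once in an elevated one, and you will see the two privileges go from Absent to Disabled and BackupOperatorsActive flip to True; Disabled is fine, the restore program enables them itself when it opens files, which is exactly what robocopy /b did above.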
Refer to [Privileged Services] to learn about giving services specific group memberships or privileges. A short example follows.
PS C:\> sc.exe qc GeneralTestService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: GeneralTestService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\GeneralTestService\GeneralTestService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : GeneralTestService
DEPENDENCIES :
SERVICE_START_NAME : NT Service\GeneralTestService
PS C:\> Add-LocalGroupMember "Backup Operators" "NT Service\GeneralTestService"
PS C:\>
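The same thing as a scripted version with the checks I would want before handing a service these rights. This is an added example, not from the original post or the [Privileged Services] page: it assumes an existing service (GeneralTestService here) whose SERVICE_START_NAME is a virtual account of the form "NT Service\<name>", and it refuses to proceed for a service that runs as LocalSystem or as a real user, since that would hand the rights to far more than one program.

```powershell
# Added example (not from the original post): give a service's virtual account
# backup rights through Backup Operators membership, with guard rails.
# Assumes the service already runs as "NT Service\<ServiceName>".

function Grant-BackupOperatorToService {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    # Only a per-service virtual account keeps the rights scoped to this one
    # program. LocalSystem already has everything; a real user would become
    # admin-equivalent everywhere they log on.
    if ($svc.StartName -notmatch '^NT SERVICE\\') {
        throw "Service '$ServiceName' runs as '$($svc.StartName)'; reconfigure it to run as NT Service\$ServiceName first."
    }

    $group = 'Backup Operators'
    $member = Get-LocalGroupMember -Group $group | Where-Object { $_.Name -eq $svc.StartName }
    if (-not $member) {
        Add-LocalGroupMember -Group $group -Member $svc.StartName
    }

    # Group membership is computed when the service token is built at start-up,
    # so a running instance keeps its old token until it is restarted.
    if ($svc.State -eq 'Running') {
        Restart-Service -Name $ServiceName
    }

    # Return the resulting membership entry as confirmation.
    Get-LocalGroupMember -Group $group | Where-Object { $_.Name -eq $svc.StartName }
}

Grant-BackupOperatorToService -ServiceName 'GeneralTestService'
```

Note that this grants the whole Backup Operators bundle (including SeShutdownPrivilege) to the service; if you only want SeBackupPrivilege and SeRestorePrivilege, assign those two to the service SID directly as described in [Privileged Services] instead of using the group.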
Next: TBD