Windows Unprivileged - Unprivileged Accounts
I start this blog with a first article in a series I hope to extend about how to run Windows Server using unprivileged accounts.
By “unprivileged accounts” I mean user and service accounts that are not the system account, are not members of the Administrators group and do not hold so-called system privileges.
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Users\Administrator> net user
User accounts for \\CHAMPIGNAC
-------------------------------------------------------------------------------
Administrator benoit DefaultAccount
Guest legrand luke
WDAGUtilityAccount
The command completed successfully.
PS C:\Users\Administrator>
System privileges are those privileges that allow further privilege escalation and typically cause User Account Control to trigger. Among them are SeTcbPrivilege and SeDebugPrivilege. I will cover those later.
PS C:\Users\Administrator> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
PS C:\Users\Administrator>
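As an added example (not code from the original post), here is a PowerShell check that parses the text table printed by whoami /priv and reports privileges that an account meant to be unprivileged should not hold. The set of privileges it treats as “system privileges” is this editor’s assumption: the two named above (SeTcbPrivilege, SeDebugPrivilege) plus other privileges commonly treated as escalation paths; the sample listing is constructed from a subset of the output shown above.

```powershell
# Added example (not code from the original post). Which privileges count as
# "system privileges" is this editor's assumption: the two the post names
# plus other privileges commonly treated as escalation paths.
$SystemPrivileges = @(
    'SeTcbPrivilege', 'SeDebugPrivilege', 'SeCreateTokenPrivilege',
    'SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege',
    'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege'
)

function ConvertFrom-WhoamiPriv {
    # Turn the text table printed by "whoami /priv" into objects.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<Name>Se\S+Privilege)\s+(?<Desc>.+?)\s+(?<State>Enabled|Disabled)\s*$') {
            [pscustomobject]@{
                Name        = $Matches.Name
                Description = $Matches.Desc
                State       = $Matches.State
            }
        }
    }
}

function Find-SystemPrivilege {
    # Report system privileges present in the token. A privilege shown as
    # Disabled is still held: the process can enable it with
    # AdjustTokenPrivileges, so Disabled is not the same as absent.
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-WhoamiPriv -Lines $Lines |
        Where-Object { $SystemPrivileges -contains $_.Name }
}

# Constructed sample, a subset of the elevated-token listing shown above.
$sample = @'
Privilege Name           Description                               State
======================== ========================================= ========
SeBackupPrivilege        Back up files and directories             Disabled
SeDebugPrivilege         Debug programs                            Enabled
SeChangeNotifyPrivilege  Bypass traverse checking                  Enabled
SeImpersonatePrivilege   Impersonate a client after authentication Enabled
'@ -split "`r?`n"

Find-SystemPrivilege -Lines $sample | Format-Table -AutoSize

# Live check of the current process token:
# Find-SystemPrivilege -Lines (whoami /priv)
```

For a service account, run the live check from a process started under that account (a scheduled task or the service itself), since the privileges belong to the logon token, not to the user object.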
Unprivileged Accounts
An “unprivileged account” (also called “restricted account”) does not necessarily hold no privileges at all; in fact it often needs some to do its tasks. IT security experts call this the “least privilege principle”: every running program (and every logged-on user) should have the rights and privileges needed for its specific tasks, but no more. What an unprivileged account typically does not hold is system privileges.
Making Windows Server usable under the least privilege principle is, in theory, supremely simple, because Windows provides a very fine-grained permission system.
However, most software vendors do not attempt to use it at all and many simply tell users to run everything with Administrators privileges (and, ideally, with the firewall turned off). That’s how they tested their software, after all. (And with one user. They don’t know if it works with two or more users, like it probably would be used in your enterprise.)
There are various mechanisms built into Windows to allow least privilege principle operation, among them Access Control Lists (ACLs) and privileges.
There is also one mechanism built into Windows that adds a second layer of security when the first layer is ignored by vendors (and, very often, by MSFT themselves). That mechanism is called Just Enough Admin (JEA). It basically means the Windows Remote Management service impersonates virtual user accounts that are members of the Administrators group, on behalf of restricted users who talk to it through PowerShell remoting.
User Account Control
User account control (UAC) is an inconvenience feature that was specifically created to annoy privileged users enough to notice it when they use their privileges.
It appears to work by creating two session tokens, one with the user’s system privileges (or Administrators membership) and one without (or with Administrators membership for denies only). The first token is called the “elevated token”.
The user can switch between the two session tokens by using the shell’s ShellExecute() API.
#include <windows.h>
#include <shellapi.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
    if (argc != 3) {
        printf("ShellExecute [edit|explore|find|open|print|runas] pathFile\n");
        return 0;
    }
    LPSTR sVerb = argv[1];    /* verb; "runas" requests the elevated (linked) token */
    LPSTR pathFile = argv[2]; /* file or program to launch */
    /* ShellExecuteA returns a value greater than 32 on success. */
    HINSTANCE hInst = ShellExecuteA(NULL, sVerb, pathFile, NULL, NULL, SW_NORMAL);
    if ((INT_PTR)hInst <= 32) {
        printf("ShellExecute failed, return value %d\n", (int)(INT_PTR)hInst);
    }
    DWORD error = GetLastError();
    printf("Error: %lu\n", error);
    return (int)error;
}
If the verb “runas” is used, ShellExecute() will spawn the process using the elevated token.
The built-in Administrator account is not affected by this.
This shows user benoit, proud member of the Administrators group logged in using the limited (non-elevated) token:
C:\Windows\System32>whoami/priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Windows\System32>whoami/groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
C:\Windows\System32>
Using the TokenElevation.exe tool from ABTokenTools, the status can be shown:
C:\Windows\System32>"\Program Files\ABTokenTools\TokenElevation.exe"
Token elevation type is [3]. (1=default, 2=elevated, 3=limited)
Linked token elevation type is [2].
C:\Windows\System32>
And using the ShellExecute.exe wrapper for ShellExecute(), the other token can be summoned:
C:\Windows\System32>"\Program Files\ABTokenTools\ShellExecute.exe"
ShellExecute [edit|explore|find|open|print|runas] pathFile
C:\Windows\System32>"\Program Files\ABTokenTools\ShellExecute.exe" runas cmd.exe
Error: 0
C:\Windows\System32>
In a new window, cmd.exe is now running with the elevated token:
C:\Windows\System32>whoami/priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
C:\Windows\System32>whoami/groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
CHAMPIGNAC\JEA_IIS Alias S-1-5-21-344341352-2539047333-2300305637-1003 Mandatory group, Enabled by default, Enabled group
CHAMPIGNAC\JEA_SmbShare Alias S-1-5-21-344341352-2539047333-2300305637-1004 Mandatory group, Enabled by default, Enabled group
CHAMPIGNAC\JEA_WindowsFeature Alias S-1-5-21-344341352-2539047333-2300305637-1001 Mandatory group, Enabled by default, Enabled group
CHAMPIGNAC\RG_GeneralTestService-RW Alias S-1-5-21-344341352-2539047333-2300305637-1007 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
C:\Windows\System32>
The TokenElevation.exe tool now shows:
C:\Windows\System32>"\Program Files\ABTokenTools\TokenElevation.exe"
Token elevation type is [2]. (1=default, 2=elevated, 3=limited)
Linked token elevation type is [3].
C:\Windows\System32>
Note that the Administrators membership is no longer “used for deny only”.
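As an added example (not code from the original post and not part of ABTokenTools), the following PowerShell reproduces what TokenElevation.exe reports for the current process, the elevation type of the token and of its linked token, through GetTokenInformation, and shows how the “deny only” Administrators entry affects a membership check. The names Probe.Token, Get-ElevationType and Get-TokenElevationInfo are this editor’s.

```powershell
# Added example, not code from the original post or from ABTokenTools.
# Queries TokenElevationType for the current token and its linked token,
# then compares raw SID presence with an effective membership check.
Add-Type -Namespace Probe -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr h, int cls, out int info, int len, out int ret);
[DllImport("advapi32.dll", EntryPoint = "GetTokenInformation", SetLastError = true)]
public static extern bool GetTokenInformationPtr(IntPtr h, int cls, out IntPtr info, int len, out int ret);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$TokenElevationType = 18   # TOKEN_INFORMATION_CLASS values from winnt.h
$TokenLinkedToken   = 19
$ElevationNames = @{ 1 = 'default'; 2 = 'elevated'; 3 = 'limited' }

function Get-ElevationType([IntPtr]$Token) {
    # TOKEN_ELEVATION_TYPE: 1 = default (no split token), 2 = elevated, 3 = limited
    [int]$type = 0; [int]$ret = 0
    if (-not [Probe.Token]::GetTokenInformation($Token, $TokenElevationType, [ref]$type, 4, [ref]$ret)) {
        throw "GetTokenInformation failed: $([ComponentModel.Win32Exception]::new().Message)"
    }
    $type
}

function Get-TokenElevationInfo {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $type = Get-ElevationType $id.Token
    $linkedType = 0
    if ($type -ne 1) {    # only a UAC split token has a linked token
        [IntPtr]$linked = [IntPtr]::Zero; [int]$ret = 0
        if ([Probe.Token]::GetTokenInformationPtr($id.Token, $TokenLinkedToken, [ref]$linked, [IntPtr]::Size, [ref]$ret)) {
            $linkedType = Get-ElevationType $linked
            [void][Probe.Token]::CloseHandle($linked)
        }
    }
    $adminSid  = [Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
    $principal = [Security.Principal.WindowsPrincipal]::new($id)
    [pscustomobject]@{
        User                 = $id.Name
        TokenElevationType   = $ElevationNames[$type]
        LinkedTokenElevation = $(if ($linkedType) { $ElevationNames[$linkedType] } else { 'none' })
        AdminSidInToken      = ($id.Groups -contains $adminSid)   # true even when "deny only"
        AdminEffective       = $principal.IsInRole($adminSid)     # false while "deny only"
    }
}
Get-TokenElevationInfo
```

Run it once from a normal prompt and once from a window started with the “runas” verb: the two outputs swap the token and linked-token elevation types, and AdminEffective flips from False to True while AdminSidInToken stays True in both.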
It is perhaps interesting to note that if a privileged user who is not a member of Administrators (for example a member of “Backup Operators”, or a user who holds a system privilege like SeDebugPrivilege directly) logs on, UAC strips the session token of the system privileges (and marks the privileged group “Group used for deny only”).
The ShellExecute() call with the “runas” verb will not work to switch to the elevated token. It is not clear how the user will ever be able to use the privileges interactively. They will work if the account is used to run a service or scheduled task though.
Generally UAC is not a good idea on a server.
Next: Windows Services