I start this blog with a first article in a series I hope to extend about how to run Windows Server using unprivileged accounts.

By “unprivileged accounts” I mean user and service accounts that are not the system account, are not members of the Administrators group and do not hold so-called system privileges.

Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\Administrator> net user

User accounts for \\CHAMPIGNAC

-------------------------------------------------------------------------------
Administrator            benoit                   DefaultAccount
Guest                    legrand                  luke
WDAGUtilityAccount
The command completed successfully.

PS C:\Users\Administrator>

System privileges are those privileges that allow further privilege escalation and typically cause User Account Control to trigger. Among them are SeTcbPrivilege and SeDebugPrivilege. I will cover those later.

PS C:\Users\Administrator> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
PS C:\Users\Administrator>



Unprivileged Accounts

An “unprivileged account” (also called “restricted account”) does not necessarily have no privileges at all; in fact it often needs some to do its tasks. IT security experts call this the “least privilege principle”: every running program (and every logged-on user) should have exactly the rights and privileges needed for its specific tasks, and no more. What an unprivileged account does not, typically, hold are system privileges.

Making Windows Server usable under the least privilege principle is, in theory, supremely simple, because Windows provides a very fine-grained permission system.

However, most software vendors do not attempt to use it at all and many simply tell users to run everything with Administrators privileges (and, ideally, with the firewall turned off). That’s how they tested their software, after all. (And with one user. They don’t know if it works with two or more users, like it probably would be used in your enterprise.)

There are various mechanisms built into Windows that allow operation under the least privilege principle, among them Access Control Lists (ACLs) and privileges.

There is also one mechanism built into Windows that provides a secondary layer of security when the first layer is ignored by vendors (and, very often, by MSFT themselves). That mechanism is called Just Enough Administration (JEA). It basically means that the Windows Remote Management service impersonates virtual accounts that are members of the Administrators group, on behalf of restricted users who talk to the Remote Management service over PowerShell remoting.



User Account Control

User account control (UAC) is an inconvenience feature that was specifically created to annoy privileged users enough to notice it when they use their privileges.

It appears to work by creating two session tokens for the logon: one carrying the user’s system privileges (or Administrators membership) and one without them (or with the Administrators membership marked “used for deny only”). The first token is called the “elevated token”; the two are linked to each other.

The user can switch between the two session tokens by using the shell’s ShellExecute() API.

#include <windows.h>
#include <shellapi.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
	if (argc != 3) {
		printf("ShellExecute [edit|explore|find|open|print|runas] pathFile\n");
		return 0;
	}//if

	LPSTR sVerb = argv[1];     /* verb; "runas" requests the elevated (linked) token */
	LPSTR pathFile = argv[2];  /* program or document to open with that verb */

	/* ShellExecute returns a value > 32 on success; GetLastError() explains a failure */
	HINSTANCE hResult = ShellExecuteA(NULL, sVerb, pathFile, NULL, NULL, SW_NORMAL);
	DWORD error = GetLastError();
	if ((INT_PTR)hResult <= 32) {
		printf("ShellExecute returned %d\n", (int)(INT_PTR)hResult);
	}
	printf("Error: %lu\n", error);
	return (int)error;
}

If the verb “runas” is used, ShellExecute() will spawn the process using the elevated token.

The built-in Administrator account is not affected by this.

This shows user benoit, a proud member of the Administrators group, logged on with the limited (non-elevated) token:

C:\Windows\System32>whoami/priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Windows\System32>whoami/groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID                                           Attributes
============================================================= ================ ============================================= ==================================================
Everyone                                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114                                     Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544                                  Group used for deny only
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

C:\Windows\System32>

Using the TokenElevation.exe tool from ABTokenTools, the status can be shown:

C:\Windows\System32>"\Program Files\ABTokenTools\TokenElevation.exe"
Token elevation type is [3]. (1=default, 2=elevated, 3=limited)
Linked token elevation type is [2].

C:\Windows\System32>
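The two values TokenElevation.exe prints can be read with GetTokenInformation(), using the TokenElevationType and TokenLinkedToken information classes. The following PowerShell script is an added example, not the ABTokenTools source; it also covers the case of a token that has no linked token (elevation type 1, e.g. the built-in Administrator or a logon with UAC turned off), which the tool output above does not show.

```powershell
# Added example: reproduce what TokenElevation.exe shows, via P/Invoke from PowerShell.
$source = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenElevationQuery
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int returned);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS values from winnt.h
    const int TokenLinkedToken   = 19;
    const int ERROR_NO_SUCH_LOGON_SESSION = 1312;   // returned when there is no linked token

    // Reads one pointer-sized value (a 4-byte enum or a HANDLE) for the given class.
    static IntPtr Query(IntPtr token, int infoClass)
    {
        IntPtr buffer = Marshal.AllocHGlobal(IntPtr.Size);
        Marshal.WriteIntPtr(buffer, IntPtr.Zero);   // zero it: the enum only fills 4 bytes
        try
        {
            int returned;
            if (!GetTokenInformation(token, infoClass, buffer, IntPtr.Size, out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return Marshal.ReadIntPtr(buffer);
        }
        finally { Marshal.FreeHGlobal(buffer); }
    }

    // 1 = default (no split token), 2 = elevated (full), 3 = limited (filtered)
    public static int ElevationType(IntPtr token) { return (int)Query(token, TokenElevationType); }

    // Elevation type of the linked token, or 0 when the token has no linked token.
    public static int LinkedElevationType(IntPtr token)
    {
        IntPtr linked;
        try { linked = Query(token, TokenLinkedToken); }
        catch (Win32Exception e) { if (e.NativeErrorCode == ERROR_NO_SUCH_LOGON_SESSION) return 0; throw; }
        try { return ElevationType(linked); }
        finally { CloseHandle(linked); }   // the linked handle is ours to close
    }
}
'@
Add-Type -TypeDefinition $source

# WindowsIdentity hands us a handle to the current process token with TOKEN_QUERY access.
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Token
$type   = [TokenElevationQuery]::ElevationType($token)
$linked = [TokenElevationQuery]::LinkedElevationType($token)
"Token elevation type is [$type]. (1=default, 2=elevated, 3=limited)"
if ($linked) { "Linked token elevation type is [$linked]." } else { "No linked token (UAC split token not present)." }
```

Run it once in a normal window and once in a window opened with the “runas” verb: the two numbers swap places exactly as in the TokenElevation.exe output below.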

And using the ShellExecute.exe wrapper for ShellExecute(), the other token can be summoned:

C:\Windows\System32>"\Program Files\ABTokenTools\ShellExecute.exe"
ShellExecute [edit|explore|find|open|print|runas] pathFile

C:\Windows\System32>"\Program Files\ABTokenTools\ShellExecute.exe" runas cmd.exe
Error: 0

C:\Windows\System32>

In a new window, cmd.exe is now running with the elevated token:

C:\Windows\System32>whoami/priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

C:\Windows\System32>whoami/groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID                                           Attributes
============================================================= ================ ============================================= ===============================================================
Everyone                                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114                                     Mandatory group, Enabled by default, Enabled group
CHAMPIGNAC\JEA_IIS                                            Alias            S-1-5-21-344341352-2539047333-2300305637-1003 Mandatory group, Enabled by default, Enabled group
CHAMPIGNAC\JEA_SmbShare                                       Alias            S-1-5-21-344341352-2539047333-2300305637-1004 Mandatory group, Enabled by default, Enabled group
CHAMPIGNAC\JEA_WindowsFeature                                 Alias            S-1-5-21-344341352-2539047333-2300305637-1001 Mandatory group, Enabled by default, Enabled group
CHAMPIGNAC\RG_GeneralTestService-RW                           Alias            S-1-5-21-344341352-2539047333-2300305637-1007 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288

C:\Windows\System32>

The TokenElevation.exe tool now shows:

C:\Windows\System32>"\Program Files\ABTokenTools\TokenElevation.exe"
Token elevation type is [2]. (1=default, 2=elevated, 3=limited)
Linked token elevation type is [3].

C:\Windows\System32>

Note that the Administrators membership is no longer “used for deny only”.



It is perhaps interesting to note

If a privileged user who is not a member of Administrators (for example a member of “Backup Operators”, or a user who holds a system privilege like SeDebugPrivilege directly) logs on, UAC will strip the system privileges from the session token (and mark the privileged group as a “Group used for deny only”).

The ShellExecute() call with the “runas” verb will not work to switch to the elevated token. It is not clear how the user will ever be able to use the privileges interactively. They will work if the account is used to run a service or scheduled task though.

Generally UAC is not a good idea on a server.

Next: Windows Services