SCADApedia

More Privilege Abuses and Thoughts On Defense

Working on Bandolier has given me the opportunity to think more about the importance of system hardening and good system administration. When I worked for a university there was a small team of Windows systems administrators who did a great job maintaining systems. I was impressed (which doesn’t happen often in this context) with some of the security controls they were implementing. One such control was to have two accounts for every systems administrator. One account would be a regular user, placed in the “Domain Users” group within the domain. This account would be used to log in to their workstations every day, check email, and perform other non-administrative tasks. A separate account would then be created and assigned to each administrator that gave them administrator rights to the domain. Typically this was an account with a naming convention of “-admin”, and it was placed into the “Domain Admins” group. It was only used for administrative tasks.

This level of separation is important, and while I did not fully understand the benefits at the time, some new attack techniques have made me realize just how important they can be. Earlier this year Luke Jennings released a paper titled Security Implications of Windows Access Tokens – A Penetration Tester’s Guide and described a technique for abusing Windows access tokens. Windows users and processes are issued tokens which determine the privileges they have on the system. Windows also contains the ability to impersonate tokens temporarily, so services can rely on the kernel for the access control functions (this concept is similar to UNIX setuid). You can read more about Windows Access Tokens here.

What does this mean with respect to security? If an administrator has logged into a system, or is currently logged in, you can impersonate the tokens and gain their privileges. This is especially useful if you have compromised a system and have local SYSTEM privileges, but need domain admin rights. If you can grab the domain admin tokens, you have access to any machine that is a domain member.

This puts the “principle of least privilege” in the spotlight, especially in the context of control systems. Only use your administrative privileges when absolutely necessary. Unfortunately, given the way Windows behaves by default, this may not be enough. It’s completely normal for a Windows administrator to log in to a web server and apply patches or install software, which would require higher privileges. To combat this threat we need to constantly monitor systems for behavior that may be out of the ordinary. For example, an attacker could compromise the web server and gain domain admin privileges by impersonating access tokens. If they were to use those privileges to access other, more sensitive machines via SMB or Microsoft Terminal Services, this should set off a red flag.
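The monitoring idea above can be turned into a simple detection rule. The following is an added example, not code from the original post: it assumes the two-account model described earlier (privileged accounts end in “-admin”), a hypothetical set of designated admin workstations, and constructed logon records modelled on a few fields of Windows Security event 4624, where logon type 3 is a network logon (such as SMB) and type 10 is RemoteInteractive (Terminal Services).

```python
"""Flag lateral logons by privileged accounts from unexpected source hosts.

Added example (not from the original post). Assumes privileged accounts use
the "-admin" suffix and that ADMIN_WORKSTATIONS lists the hosts from which
admin work is expected (hypothetical names). Events are a constructed,
simplified subset of Windows Security event 4624 (successful logon) fields.
"""
from dataclasses import dataclass

# Logon types that indicate one host reaching another: 3 = network (e.g. SMB),
# 10 = RemoteInteractive (Terminal Services).
LATERAL_LOGON_TYPES = {3: "network (SMB)", 10: "RemoteInteractive (Terminal Services)"}
ADMIN_WORKSTATIONS = {"ADMIN-WS01", "ADMIN-WS02"}  # hypothetical
ADMIN_SUFFIX = "-admin"

@dataclass(frozen=True)
class LogonEvent:
    target_host: str   # computer that recorded the logon
    account: str       # TargetUserName
    logon_type: int    # LogonType
    source_host: str   # WorkstationName (where the logon came from)

def is_privileged(account: str) -> bool:
    """True when the account follows the "-admin" naming convention."""
    return account.lower().endswith(ADMIN_SUFFIX)

def suspicious_lateral_logons(events):
    """Return one alert string per privileged lateral logon not sourced from an admin workstation."""
    alerts = []
    for ev in events:
        if ev.logon_type not in LATERAL_LOGON_TYPES or not is_privileged(ev.account):
            continue
        if ev.source_host.upper() in ADMIN_WORKSTATIONS:
            continue  # expected: admin work from a designated workstation
        alerts.append(f"{ev.account} -> {ev.target_host} via "
                      f"{LATERAL_LOGON_TYPES[ev.logon_type]} from {ev.source_host}")
    return alerts

# Constructed sample: an admin patches WEB01 from an admin workstation (normal),
# then the same admin account is used *from* WEB01 to reach the historian and an
# engineering workstation, the pattern the post says should raise a red flag.
SAMPLE_EVENTS = [
    LogonEvent("WEB01", "jsmith-admin", 10, "ADMIN-WS01"),
    LogonEvent("WEB01", "jsmith", 2, "WEB01"),
    LogonEvent("HISTORIAN01", "jsmith-admin", 3, "WEB01"),
    LogonEvent("ENG-WS05", "jsmith-admin", 10, "WEB01"),
    LogonEvent("FILESRV01", "jsmith", 3, "USER-WS17"),
]

if __name__ == "__main__":
    for alert in suspicious_lateral_logons(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In practice the events would be pulled from the Security log of each domain member and the workstation allow-list maintained alongside the “-admin” account inventory.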

References:

Token Passing With Incognito

Token Passing With Incognito – Part II

Comments

Comment from CG
Time: November 26, 2008, 2:02 pm

Paul,
thanks for the links. It’s also important to remember that tools like Dameware and other remote access solutions, including RDP & Terminal Services, also leave those tokens on the system.

I’ve started pushing for systems to be rebooted when possible after performing admin tasks as logging off doesn’t remove the token. This obviously only applies to workstations and not servers.

-CG

Comment from Rob Lewis
Time: November 27, 2008, 2:25 pm

Why would anyone really wanting to make control systems secure use windows in the first place? Why not BSD or Linux?
