Wednesday, February 19, 2014

Windows Protected Administrative Accounts



This article/blog discusses the Protected Administrative (PA) account which is part of the User Account Control (UAC) set of security controls.

The PA is an important component of the entire UAC security control set introduced with Windows Vista to protect users from accidental misconfigurations and from intentional actions being performed by malware.
Introduction
Windows UAC introduces the mechanism of using two separate access tokens for the same user, if that user is an administrator on the system.
Protected Administrator is the aspect of UAC that protects the administrator's account. It first appeared in Windows Vista and Windows Server 2008.
In operating systems before Vista, the user created during installation had full administrative privileges, and he kept them for as long as he was logged on to the system. Since administrative privileges are not required all the time, even the administrator is now given them only for a very short time; the rest of the time the administrator works as a standard user.

One access token is the filtered access token, which has a limited set of privileges, as shown in snippet snip1 below:
The filtered token as shown by the 'whoami /all' command in Windows
USER INFORMATION
----------------

User Name: boXqube\saquib
SID:       S-1-5-21-2334885699-809931670-895787141-1001


GROUP INFORMATION
-----------------

Group Name: Mandatory Label\Medium Mandatory Level
Type:       Label
SID:        S-1-16-8192
Attributes:

Group Name: Everyone
Type:       Well-known group
SID:        S-1-1-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account and member of Administrators group
Type:       Well-known group
SID:        S-1-5-114
Attributes: Group used for deny only

Group Name: BUILTIN\Administrators
Type:       Alias
SID:        S-1-5-32-544
Attributes: Group used for deny only

Group Name: BUILTIN\Users
Type:       Alias
SID:        S-1-5-32-545
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\INTERACTIVE
Type:       Well-known group
SID:        S-1-5-4
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: CONSOLE LOGON
Type:       Well-known group
SID:        S-1-2-1
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Authenticated Users
Type:       Well-known group
SID:        S-1-5-11
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\This Organization
Type:       Well-known group
SID:        S-1-5-15
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: MicrosoftAccount\saquibfarooq@hotmail.com
Type:       User
SID:        S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2803740363-3898146153-1545416234-1633511868-824148921
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account
Type:       Well-known group
SID:        S-1-5-113
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: LOCAL
Type:       Well-known group
SID:        S-1-2-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Microsoft Account Authentication
Type:       Well-known group
SID:        S-1-5-64-32
Attributes: Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name: SeShutdownPrivilege
Description:    Shut down the system
State:          Enabled

Privilege Name: SeChangeNotifyPrivilege
Description:    Bypass traverse checking
State:          Enabled

Privilege Name: SeUndockPrivilege
Description:    Remove computer from docking station
State:          Disabled

Privilege Name: SeIncreaseWorkingSetPrivilege
Description:    Increase a process working set
State:          Disabled

Privilege Name: SeTimeZonePrivilege
Description:    Change the time zone
State:          Disabled

Snip1: Contents of a filtered token

The other access token is called the "Elevated Access Token"; its contents are given in snippet snip2 below:
The elevated token as shown by the 'whoami /all' command in Windows
USER INFORMATION
----------------

User Name: boXqube\saquib
SID:       S-1-5-21-2334885699-809931670-895787141-1001


GROUP INFORMATION
-----------------

Group Name: Mandatory Label\High Mandatory Level
Type:       Label
SID:        S-1-16-12288
Attributes:

Group Name: Everyone
Type:       Well-known group
SID:        S-1-1-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account and member of Administrators group
Type:       Well-known group
SID:        S-1-5-114
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: BUILTIN\Administrators
Type:       Alias
SID:        S-1-5-32-544
Attributes: Mandatory group, Enabled by default, Enabled group, Group owner

Group Name: BUILTIN\Users
Type:       Alias
SID:        S-1-5-32-545
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\INTERACTIVE
Type:       Well-known group
SID:        S-1-5-4
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: CONSOLE LOGON
Type:       Well-known group
SID:        S-1-2-1
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Authenticated Users
Type:       Well-known group
SID:        S-1-5-11
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\This Organization
Type:       Well-known group
SID:        S-1-5-15
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: MicrosoftAccount\saquibfarooq@hotmail.com
Type:       User
SID:        S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2803740363-3898146153-1545416234-1633511868-824148921
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account
Type:       Well-known group
SID:        S-1-5-113
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: LOCAL
Type:       Well-known group
SID:        S-1-2-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Microsoft Account Authentication
Type:       Well-known group
SID:        S-1-5-64-32
Attributes: Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name: SeIncreaseQuotaPrivilege
Description:    Adjust memory quotas for a process
State:          Disabled

Privilege Name: SeSecurityPrivilege
Description:    Manage auditing and security log
State:          Disabled

Privilege Name: SeTakeOwnershipPrivilege
Description:    Take ownership of files or other objects
State:          Disabled

Privilege Name: SeLoadDriverPrivilege
Description:    Load and unload device drivers
State:          Disabled

Privilege Name: SeSystemProfilePrivilege
Description:    Profile system performance
State:          Disabled

Privilege Name: SeSystemtimePrivilege
Description:    Change the system time
State:          Disabled

Privilege Name: SeProfileSingleProcessPrivilege
Description:    Profile single process
State:          Disabled

Privilege Name: SeIncreaseBasePriorityPrivilege
Description:    Increase scheduling priority
State:          Disabled

Privilege Name: SeCreatePagefilePrivilege
Description:    Create a pagefile
State:          Disabled

Privilege Name: SeBackupPrivilege
Description:    Back up files and directories
State:          Disabled

Privilege Name: SeRestorePrivilege
Description:    Restore files and directories
State:          Disabled

Privilege Name: SeShutdownPrivilege
Description:    Shut down the system
State:          Disabled

Privilege Name: SeDebugPrivilege
Description:    Debug programs
State:          Disabled

Privilege Name: SeSystemEnvironmentPrivilege
Description:    Modify firmware environment values
State:          Disabled

Privilege Name: SeChangeNotifyPrivilege
Description:    Bypass traverse checking
State:          Enabled

Privilege Name: SeRemoteShutdownPrivilege
Description:    Force shutdown from a remote system
State:          Disabled

Privilege Name: SeUndockPrivilege
Description:    Remove computer from docking station
State:          Disabled

Privilege Name: SeManageVolumePrivilege
Description:    Perform volume maintenance tasks
State:          Disabled

Privilege Name: SeImpersonatePrivilege
Description:    Impersonate a client after authentication
State:          Enabled

Privilege Name: SeCreateGlobalPrivilege
Description:    Create global objects
State:          Enabled

Privilege Name: SeIncreaseWorkingSetPrivilege
Description:    Increase a process working set
State:          Disabled

Privilege Name: SeTimeZonePrivilege
Description:    Change the time zone
State:          Disabled

Privilege Name: SeCreateSymbolicLinkPrivilege
Description:    Create symbolic links
State:          Disabled

Snip2: The contents of an ‘Elevated Token’
Similarities in the two tokens
a-      In the two snippets snip1 and snip2 above, notice the identical user SID. This means that the two tokens apply to the same security principal on this particular system.
b-      The group memberships are the same, except for the NT AUTHORITY\Local account and member of Administrators group and the BUILTIN\Administrators group, whose attributes differ between the two tokens.
c-      The privileges SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege and SeTimeZonePrivilege are assigned to both tokens.


Differences between the two tokens
a-      The elevated token has a High integrity level, i.e. it is more trusted by the system. To read more about the Windows Integrity Mechanism please visit: http://securityinternals.blogspot.ae/2014/01/windows-integrity-checks-mandatory.html
b-      The group memberships differ: in the filtered token the BUILTIN\Administrators and NT AUTHORITY\Local account and member of Administrators group memberships are marked 'Group used for deny only' (they can only match deny entries in an ACL), while in the elevated token both memberships are enabled.
c-      The privileges SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege and SeCreateSymbolicLinkPrivilege are assigned only to the elevated token (SeIncreaseWorkingSetPrivilege appears in both snippets, as noted under the similarities).

The difference between a right and a privilege needs to be clarified here:
Anything a user can do within his own domain of access, such as his folder, desktop and environment, is his right. Any power the user is given beyond his (default) boundary is called a privilege. For example, a user can create and delete anything he likes in his personal folder, but if he shuts down the computer, the other logged-on users are affected. Those other users are outside his boundary. The power to affect objects outside a user's rightful space is called a privilege.
Common example of protected administrator usage

The most frequent example given in this case is that of changing the time and changing the time zone. Changing the time of a system is a security-related issue, as it can affect the audit logs being created on the machine. Changing the time zone is not a security issue, as it only changes how the time is displayed.
If we try to change the time using Control Panel -> Clock, Language -> Date and Time, we see the shield icon on 'Change date and time', which means that this is a protected action. Similarly, anything under the Control Panel that is protected (i.e. requires administrative privileges) has a shield next to it.
Two more examples of actions that do not need administrator privileges are changing the IP address and installing optional updates to the system.
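The following script is an added example and not code from the original post. It parses the same data that 'whoami /all' prints in snip1 and snip2 (in CSV form) and classifies the token of the current PowerShell process as filtered or elevated, and it reports whether the token holds SeSystemtimePrivilege and SeTimeZonePrivilege, which is the distinction behind the date/time versus time zone example above. Run it once from a normal window and once from an elevated one ("Run as administrator") to see both tokens of one account.

```powershell
# Added example, not from the original post: classify the current process token the
# way snip1/snip2 are compared above. Assumes whoami.exe supports '/fo csv' (it does on
# Windows Vista and later).
function Get-UacTokenState {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv   # columns: Group Name, Type, SID, Attributes
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv   # columns: Privilege Name, Description, State

    # The integrity label is the S-1-16-<RID> entry: 8192 = Medium (snip1), 12288 = High (snip2).
    $label    = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $labelRid = if ($label) { [int]($label.SID -replace '^S-1-16-', '') } else { -1 }
    $levels   = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }

    # BUILTIN\Administrators is always S-1-5-32-544. In the filtered token it is still
    # listed, but as 'Group used for deny only': it matches deny ACEs, never allow ACEs.
    $admins   = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $denyOnly = [bool]($admins -and $admins.Attributes -match 'deny only')
    $enabled  = [bool]($admins -and $admins.Attributes -match 'Enabled group')

    $kind = if ($enabled -and $labelRid -ge 12288) { 'Elevated token' }
            elseif ($denyOnly)                      { 'Filtered token (protected administrator)' }
            else                                    { 'Standard user token' }

    # Held privileges, enabled or disabled: a disabled privilege can be enabled by the
    # process, an absent one cannot. This is why changing the time zone works with the
    # filtered token while changing the system time needs the elevated one.
    $held = @($privs.'Privilege Name')

    [pscustomobject]@{
        User                = (whoami)
        IntegrityLevel      = if ($levels.ContainsKey($labelRid)) { $levels[$labelRid] } else { "unknown (RID $labelRid)" }
        AdministratorsGroup = if ($admins) { $admins.Attributes } else { 'not present' }
        TokenKind           = $kind
        PrivilegeCount      = $held.Count
        EnabledPrivileges   = (@($privs | Where-Object State -eq 'Enabled').'Privilege Name') -join ', '
        HoldsSystemTimePriv = $held -contains 'SeSystemtimePrivilege'
        HoldsTimeZonePriv   = $held -contains 'SeTimeZonePrivilege'
    }
}

Get-UacTokenState | Format-List
```

With the tokens shown in snip1 and snip2 the first run reports Medium, deny only, 5 privileges and HoldsSystemTimePriv False, and the elevated run reports High, enabled, 24 privileges and both time privileges True.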

About the Author: Saquib Farooq Malik is a senior Information Security Specialist. Saquib specializes in Vulnerability Assessment, Penetration Testing and Microsoft Windows Security, and in implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.


The User Account Control (UAC) Prompts

This article/blog discusses the behavior of the prompts presented by UAC when an application requires administrative access.



The UAC prompt is an important component of the UAC security control set introduced with Windows Vista to protect users from accidental misconfiguration and from intentional actions being performed by malware.



The UAC prompt shows up when actions such as the following take place:
       a.      Installing applications
       b.      Changing system settings
       c.      The application has requested elevation in its application manifest. (To read more about application manifests visit this page: http://securityinternals.blogspot.ae/2014/01/application-manifests-and-assemblies.html )


Controlling the UAC prompting behavior
The prompts can be controlled from Control Panel -> User Account -> User Account -> Change User Account Control Settings, and they can also be changed via the Group Policy editor, as shown below in figure Fig1.
Fig1: The Control Panel app to control the behavior of the UAC prompts

Types of UAC prompts
There are different UAC prompts depending on the type of activity being carried out and by whom, i.e. the trust level of the application being run or of the application requesting elevated access.

The credentials prompt
1 - If the user is not signed in with an administrative account, the prompt asks him for the username and password of an account that has administrative credentials on the system, as shown in Fig2.

Fig2: The UAC prompt when the signed in user is not an administrator

The consent prompts

When an application executes under the explorer.exe shell, the following sequence takes place:
a. The shell calls 'ShellExecute' to execute the application.
b. The shell checks with the Application Information Service (AIS) to see what conditions are needed for the application to execute.
c. The AIS checks the application's manifest to see if the application requires elevation. For more information about manifests go to the article on manifests: http://securityinternals.blogspot.ae/2014/01/application-manifests-and-assemblies.html
d. If the application requires elevation, consent.exe (C:\Windows\System32\consent.exe) is called.
e. consent.exe prompts the user for their consent.
f. If consent is given, the AIS creates a process with an elevated token and 'reparents' the newly created process, making it a child of the explorer.exe process that launched it in the first place.
g. If consent is not given, the application does not run.

The above sequence is illustrated in the image Fig3 below:




Fig3: Role of consent.exe in the UAC command prompt
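This script is an added example, not code from the original post. It serves both the section on controlling the prompting behavior (the Control Panel slider of Fig1 and the Group Policy settings write these registry values) and step e of the sequence above: it reads the policy values, states which kind of prompt (credentials, consent, or none) a protected administrator and a standard user will see from consent.exe, and flags settings that weaken the control. It assumes the standard Windows policy key path and value names given in the code.

```powershell
# Added example, not from the original post. Assumes the UAC policy values live under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the standard location).
function Get-UacPolicyState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # ConsentPromptBehaviorAdmin: what a protected administrator sees when elevation is requested.
    $adminPrompt = @{
        0 = 'elevate silently, no prompt'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries only (default)'
    }
    # ConsentPromptBehaviorUser: what a standard user sees (the credentials prompt of Fig2).
    $userPrompt = @{
        0 = 'deny the elevation request automatically'
        1 = 'prompt for credentials on the secure desktop'
        3 = 'prompt for credentials (default)'
    }
    function Describe($table, $value) {
        if ($null -eq $value) { 'not set (Windows default applies)' }
        elseif ($table.ContainsKey([int]$value)) { "$value = $($table[[int]$value])" }
        else { "$value = undocumented value" }
    }

    # Findings a defender would want raised: each one removes a step of the sequence above.
    $findings = @()
    if ($p.EnableLUA -eq 0)                  { $findings += 'EnableLUA=0: UAC is off, administrators run with the full token all the time' }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: elevation happens without any consent prompt' }
    if ($p.PromptOnSecureDesktop -eq 0)      { $findings += 'PromptOnSecureDesktop=0: the consent.exe prompt is drawn on the normal desktop, where other windows can overlay it' }

    [pscustomobject]@{
        EnableLUA             = $p.EnableLUA
        AdminPromptBehavior   = Describe $adminPrompt $p.ConsentPromptBehaviorAdmin
        UserPromptBehavior    = Describe $userPrompt  $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop = $p.PromptOnSecureDesktop
        Findings              = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

Get-UacPolicyState | Format-List
```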


2 - If a Windows-signed component needs to carry out an administrative action, the shield with blue and yellow quarters comes up. This is the case where the user has an administrative account. The prompt is shown in Fig4.


Fig4: The UAC prompt when a Windows Signed application requires administrative access
 



3 - If the application is not Windows-native but is signed by a known publisher, then the prompt is as shown in Fig4. The non-Windows publisher can be Microsoft, Adobe or Oracle. Note that Microsoft-signed applications are not trusted in the same way as Windows-signed applications.

Fig4: The UAC prompt when an application by a non-Windows but known publisher requires administrative access

4 - If the publisher is unidentified, then the prompt is as shown in figure Fig5.

Fig5: The UAC prompt when an application signed by an unidentified publisher requires administrative access

5 - If the application requiring administrative access is from an explicitly blocked or untrusted publisher, then the prompt is as shown in figure Fig6.
Fig6: The UAC prompt when an application signed by an explicitly blocked or unknown publisher requires administrative access


About the Author: Saquib Farooq Malik is a senior Information Security Specialist. Saquib specializes in Vulnerability Assessment and Penetration Testing, and in implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.