Page 1

Advanced Windows Security: Interesting Facts and UAC

GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator

[email protected] | www.sevecek.com |

Page 2

Specialties and demos

Advanced Windows Security

Page 3

Too many SIDs in access token

An access token can hold at most 1025 SIDs. With more than that, the user cannot log on:
• the access token cannot be created
• the failure code is 0xC000015A = STATUS_TOO_MANY_CONTEXT_IDS

The Account Logon event still appears on the DC, because Kerberos authentication itself works fine; only the local token creation fails.
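As an added example (not from the slides), the following PowerShell script reads a user's constructed tokenGroups attribute to estimate how many group SIDs that user's token will carry and flags accounts approaching the limit; the account name in $SamAccountName is a hypothetical placeholder and the host is assumed to be domain-joined.

```powershell
# Added example, not from the slides: estimate how many group SIDs a domain user
# will carry in an access token, using the constructed tokenGroups attribute
# (already expanded transitively: nested groups and the primary group are included).
# $SamAccountName is a hypothetical placeholder; save as a .ps1 and run on a domain-joined host.
param([string]$SamAccountName = 'jdoe')

$searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "Account '$SamAccountName' not found in the current domain" }

$entry = $result.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))   # constructed attribute: must be requested explicitly

$groupSids = foreach ($raw in $entry.Properties['tokenGroups']) {
    New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $raw, 0
}

# The real token also carries the user SID, the logon SID and well-known SIDs
# (Everyone, Authenticated Users, ...), so this count is a lower bound.
$count = @($groupSids).Count
$limit = 1025   # figure quoted on the slide
'{0}: {1} group SIDs from tokenGroups (slide limit {2})' -f $SamAccountName, $count, $limit
if ($count -ge ($limit - 50)) {
    Write-Warning 'Close to the token SID limit: logon may fail with STATUS_TOO_MANY_CONTEXT_IDS'
}

# Resolve names; SIDs that do not translate usually mean stale SID history,
# deleted groups or foreign-domain groups, i.e. memberships worth cleaning up.
$groupSids | ForEach-Object {
    $name = '<unresolved>'
    try { $name = $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    [pscustomobject]@{ SID = $_.Value; Name = $name }
} | Sort-Object Name | Format-Table -AutoSize
```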

Page 4

Translating SIDs in PowerShell

# SID -> account name
'S-1-5-18', 'S-1-5-32-544' | Select @{ n = 'SID' ; e = { $_ } }, @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Type]::GetType('System.Security.Principal.NTAccount')).Value } }

# account name -> SID
'Administrators', 'NT AUTHORITY\Network Service' | Select @{ n = 'Name' ; e = { $_ } }, @{ n = 'SID' ; e = { (New-Object Security.Principal.NTAccount $_).Translate([Security.Principal.SecurityIdentifier]).Value } }

# extracting a SID from free text with a regular expression (two statements)
$rxSID = '[Ss]-1(?:-\d+){1,}'
[regex]::Match('This SID S-1-5-80-3964583643-2633443559-2834438935-3739664028-1580655619 has been detected', $rxSID).Value

Page 5

Deleted domain user accounts

AD LDAP replication relies on tombstones: every deleted object remains in the database for the tombstone lifetime
• tombstone lifetime: 60/180/360 days, or anything configured manually

The tombstone keeps the object's SID and samAccountName
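As an added example (not from the slides), this PowerShell reads the configured tombstone lifetime and lists tombstoned user accounts that are still in the database with the attributes a tombstone keeps; it assumes a domain-joined host with rights to read the Deleted Objects container.

```powershell
# Added example, not from the slides: read the configured tombstone lifetime and
# list tombstoned user accounts still present in the AD database, together with
# the attributes a tombstone keeps (objectSid, sAMAccountName).
# Assumes a domain-joined host; reading CN=Deleted Objects needs suitable rights.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext

# tombstoneLifetime is stored on the Directory Service object; when unset, the forest
# uses the default for the version it was created with (60 or 180 days)
$dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$lifetime = [string]$dsObj.tombstoneLifetime
if ($lifetime) { "Tombstone lifetime: $lifetime days" } else { 'Tombstone lifetime: not set (default applies)' }

# Tombstone = $true sends the Show Deleted Objects LDAP control; without it deleted entries are invisible.
# objectClass=user also matches computer accounts, so those are filtered out.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainNc"
$searcher.Filter    = '(&(isDeleted=TRUE)(objectClass=user)(!(objectClass=computer)))'
$searcher.Tombstone = $true
$searcher.PageSize  = 500
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectSid', 'whenChanged', 'lastKnownParent'))

$searcher.FindAll() | ForEach-Object {
    $p = $_.Properties      # keys are returned lower-cased
    $sidBytes = $p['objectsid'][0]
    [pscustomobject]@{
        SamAccountName  = [string]$p['samaccountname'][0]
        SID             = (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0).Value
        WhenChanged     = $p['whenchanged'][0]   # for a tombstone this is the deletion time
        LastKnownParent = [string]$p['lastknownparent'][0]
    }
} | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```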

Page 6

Enumerating all users and groups in PowerShell

# Translate RIDs 1..10000 of one domain SID back to account names
# (the domain SID below is the one from the slide; use your own domain's SID).
# Translate() fails for unused RIDs; Select-Object leaves Name empty for those rows, so they are filtered out.
(1..10000) | % { "S-1-5-21-2533895723-4202532492-454630010-$_" } | Select @{ n = 'SID' ; e = { $_ } }, @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Type]::GetType('System.Security.Principal.NTAccount')).Value } } | ? { $_.Name -ne $null }

Page 7

Example IIS app pool identity

Running an IIS application pool under Network Service lets it receive authenticated traffic from the network.

It also lets the pool access the network authenticated as the computer's domain account.

Running an IIS application pool under Local Service prevents that remote access, because Local Service presents only anonymous credentials on the network.

Page 8

User Account Control

Advanced Windows Security

Page 9

Restricted Users

Users often work as local Administrators
• users on workstations/notebooks
• local administrators on servers

We may want to restrict their default permissions and rights
• allow them to elevate when required

Does not apply to remote (network) connections

Page 10

UAC Options on Windows 7

Page 11

UAC Options on Windows 8

The Control Panel slider only displays the settings; to change them you must use the policy.

Page 12

Restricting Local Administrators

Windows XP and newer can restrict local Administrators
• enforced by default on Windows Vista+
• on Windows XP you must use Run As

LSASS can issue a restricted access token
• the Administrators and Domain Admins groups are marked as Deny
• only basic user rights are enabled

LSASS maintains two separate Kerberos ticket caches (one for each of the two tokens)

Page 13

“Deny” Groups in Access Token

For Allow ACEs the user is not a member of the group
• if something is granted to the group, it does not apply to the user

For Deny ACEs the user is still a member of the group
• if something is explicitly denied to the group, the denial still applies
• not a common case for Administrators, but still good to know
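As an added example (not from the slides), this PowerShell shows what the restricted token described on the previous two slides looks like from inside a process: it lists the groups carried with the deny-only attribute and shows that a membership test for Administrators fails even though the SID is present. It assumes whoami.exe with English output.

```powershell
# Added example, not from the slides: inspect the current process token for groups
# carrying the "deny only" attribute, which is how a UAC-filtered administrator
# token looks, and show what that does to a membership test.
# Assumes whoami.exe with English output (column names are localized elsewhere).

# whoami lists the token's groups with their attributes; ConvertFrom-Csv turns them into objects
$groups   = whoami /groups /fo csv | ConvertFrom-Csv
$denyOnly = $groups | Where-Object { $_.Attributes -match 'deny only' }

if ($denyOnly) {
    'Restricted (filtered) token: these groups are present for Deny ACEs only'
    $denyOnly | Select-Object 'Group Name', SID, Attributes | Format-Table -AutoSize
} else {
    'No deny-only groups: full token (elevated, or the user is not an administrator)'
}

# IsInRole honours the deny-only flag: it returns False for a filtered token even though
# the Administrators SID S-1-5-32-544 is physically present in the token.
$adminPresent = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
$identity     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal    = New-Object System.Security.Principal.WindowsPrincipal -ArgumentList $identity
$isAdmin      = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
'Administrators SID present: {0}; IsInRole(Administrator): {1}' -f $adminPresent, $isAdmin
# A local administrator in a non-elevated shell gets True / False; the same shell elevated gets True / True.
```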

Page 14

Deny Group in Access Token

Page 15

UAC on Windows XP and 2003

Page 16

Thank you for your attention
