Suppose you own a domain and have issued laptops to your users, who are not local administrators because that's your policy. Some users want to have more stuff on their computer, but they can't install it because they're not administrators. So, they ask you to pass the UAC dialog for them so they can install it. Being a helpful domain admin, you check the installer program, enter your domain credentials, let them have their software.
This is a bad idea. Besides the possibility that the user might be waiting for you to authenticate on his machine so he can steal your access token, you're almost certainly leaving DCC hashes behind. Remember, physical access is complete access.
So, how can you install software on client computers without compromising your domain account? (Besides not giving computers to dishonest people. Legitimate users might have been hacked already, possibly infected with a backdoor or other badware to steal your credentials.) I will demonstrate using the principle of least access to produce a local admin account on that computer.
You'll need the Sysinternals Suite, specifically PsExec, but it's all really cool stuff. Use your domain admin account to run this command on any other computer (should be all on one line, replace the placeholder credentials with your real ones):
psexec \\client-computer -u DOMAIN\admin -p Se(ure-P4$$w0rd net user Administrator adminpass /ACTIVE:YES
This uses your domain account to authenticate to the client computer (using Kerberos, so the resulting hash and session are useless) and spawns a temporary service that activates the normal Administrator account with the password set to "adminpass" or whatever you want.
If the psexec program fails with an error that mentions the ADMIN$ share being disabled (it should be enabled on a domain), your user has already become local admin and is doing something shady.
Now, go over to your user's computer and enter the local credentials in the UAC box. Once you're done, use the following command to disable that account:
psexec \\client-computer -u DOMAIN\admin -p Se(ure-P4$$w0rd net user Administrator adminpass /ACTIVE:NO
Using this method, you avoid spawning any processes with your access token on a possibly-compromised machine; the service processes from PsExec are created as SYSTEM.
If your domain has Remote Administration running on all the clients (it should), you can always use MMC to check whether your users are doing anything suspicious.
No comments:
Post a Comment