Tuesday, December 9, 2014

Why "Server Operators" and "Backup Operators" are Equivalent to "Administrators"

Alternatively titled "Why SeRestorePrivilege Should Be Called SeTakeOverTheDomainPrivilege"

On Windows domains, there are special built-in groups called Server Operators and Backup Operators. Backup Operators are allowed to log on to domain controllers and access all the files everywhere for the purpose of backing them up. Server Operators are glorified Backup Operators, except that Server Operators can format hard drives, manage some services, and shut down the server remotely.

Both these groups hold SeBackupPrivilege and SeRestorePrivilege. SeBackupPrivilege, when activated by the user, is essentially an overriding Allow entry on GENERIC_READ for every DACL ever. In other words, holders of this privilege can read and copy every single file, including the full Active Directory or SAM databases. Depending on your credential storage hash strength, you may have handed all the passwords over to the Operators.

More importantly, SeRestorePrivilege allows the holder to write to anything anywhere, update any DACLs, and set any file metadata. This could be abused to lay a logon script trap for a full Administrator, or just use the sethc.exe trick to elevate to SYSTEM on a domain controller and do whatever to the Active Directory. Registering services to run as SYSTEM would work equally well.

As a side note, the Print Operators group has SeLoadDriverPrivilege, which allows a user to register user- or kernel-mode drivers. That ability opens up any number of system takeover avenues, so Print Operators are also just Administrators who haven't realized it yet.

You can learn all about the built-in groups and their privileges in TechNet's "Default groups: Active Directory" article.
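The practical follow-up to the argument above is to treat membership in these groups the way you would treat Domain Admins membership: review it. The script below is an added example, not part of the original post, that enumerates the effective (nested) user members of the three Operator groups the post discusses and flags anyone not on an approved list. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read group membership, and that the `$Approved` list is replaced with your own vetted accounts (the value shown is a constructed placeholder).

```powershell
# Added example (not from the original post): audit who effectively holds
# the Operator groups that the post argues are Administrator-equivalent.
# Assumes the ActiveDirectory module (RSAT) and read access to group membership.

Import-Module ActiveDirectory

# Groups called out in the post, paired with the privilege that makes each
# one dangerous, so the report says *why* a member matters.
$OperatorGroups = [ordered]@{
    'Backup Operators' = 'SeBackupPrivilege, SeRestorePrivilege'
    'Server Operators' = 'SeBackupPrivilege, SeRestorePrivilege'
    'Print Operators'  = 'SeLoadDriverPrivilege'
}

# Placeholder allowlist of accounts permitted to remain in these groups.
# Constructed example value; replace with your own reviewed accounts.
$Approved = @('svc-backup-approved')

$report = foreach ($group in $OperatorGroups.Keys) {
    # -Recursive expands nested groups, so indirect members are reported too;
    # a user nested two groups deep still ends up holding the privilege.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        [pscustomobject]@{
            Group     = $group
            Member    = $m.SamAccountName
            Privilege = $OperatorGroups[$group]
            Status    = if ($Approved -contains $m.SamAccountName) { 'approved' } else { 'REVIEW' }
        }
    }
}

# Anything marked REVIEW is an account that, per the post, is effectively an
# Administrator on the domain controllers without appearing in Administrators.
$report | Sort-Object Status, Group, Member | Format-Table -AutoSize

$toReview = @($report | Where-Object Status -eq 'REVIEW')
Write-Host ("{0} Operator-group member(s) need review." -f $toReview.Count)
```

Run it from a workstation with RSAT against the domain you manage; scheduling it and diffing the output over time turns a one-off check into a lightweight detection for anyone quietly added to these groups.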

So, you might want to reconsider adding semi-trusted people to these groups. They're pretty powerful once they realize it - it's not a large jump from any type of Operator to Administrator.
