Global war on local Administrator
Sergey V. Gordeychik, [email protected]
All seemed to be going well. The users' privileges have been minimized. User was not able to log on another user's workstation. No other programs than business-purposed were installed on user computers. According to system policy, user passwords must be changed once in a fortnight, and all the users obey orderly. Their password phrases resemble the programmer's cat name or the randomizer output. The management people use the two-way authentication hardware, so you can stop checking their CAPS LOCK status.
But all of a sudden, one day you realize that user accounts are moved from Users group to Administrators, and the group of operators has now got full control on the root folder of "C:\" volume. Now, who is responsible for all the trouble?
By default, Windows 2000 operating systems create two accounts. Guest account is normally blocked. The rights are extremely limited. Administrator accounts are granted with unlimited rights for the computer, and suffer most furious attacks.
After the workstation is included into a domain, the Administrator account is normally unused. You may want to use Administrator account as a last resort, for example, when you have to restore the operating system. However, the one logged as Administrator can block the group policy inheritance, extend the rights of domain users, and finally, receive Local System rights.
You cannot block this account (this feature is available in Windows XP and later). Local administrator's password is usually set up by the maintenance people or the users themselves. Centralized control over the administrator's password is unavailable. You can crack the administrator's password using the network connection, because the blocking policy does not affect this account.
If the workstation can be accessed physically, the local administrator password can be picked or just reset in a few minutes. However, there are certain operations to ensure that the network is not so much dependent on the local administrator's actions.
In some cases, they recommend to rename the local administrator's account. This operation can be performed locally or by using the group policy. Though, you can easily find out which account belongs to the local administrator. However, don't miss an opportunity to set up one more protection.
When the administrator's account is renamed, you have to choose the account to use for system restores. This can be a local or a domain account. The local account can be used for system restore even if the connection to the domain had been lost. Using a domain account, you ensure more safety, because in this case, the password cannot be reset physically. Besides, in such case the system restore cannot be performed easily without strong network connection.
It is recommended to use the local account in normally protected server systems with strong requirements to the restore operation. In this case, you should create an account different to the local administrator's. According to Dave Kleiman's recommendation (Dave Kleiman [email protected]), you'd better include special symbols in the account name, e.g., ALT+251. The researches demonstrate that the account names containing such symbols cannot be displayed correctly when using the programs like sid2user or showmbrs. Besides, such names make it difficult to pick out the password using L0phtCrack or like utilities. For the full list of such symbols and the detailed analysis of their usage, refer to Dave Kleiman, Defeating password cracking, from the [email protected] mailing.
For system restores on the workstations, we recommend using the domain accounts. Before starting the restore, you should limit the number of the users who can log to the workstation locally and set the number of logons to cache. This number cannot exceed the number of the users who can log locally. The support group should use domain accounts to perform the workstation setup to ensure that the password will be cached on the local host.
The next task is group policy change limitation. Group policy objects include Computer Settings\Administrative settings\System\Group Policy\User Group Policy loopback processing mode (MS KB Q231287). With this feature, you can modify the method of calculating the resultant group policy. You can use either the Merge Mode or the Replacement Mode. When the local system uses the Replacement Mode, and no other policies affect this value, the resultant group policy is determined only by which organizational unit the workstation belongs to, regardless of a user logged on.
Thus, the local administrator derives a possibility of walking around the group policy limitations like applications running, Start menu access or other user's limitations applied to all the users on the workstation.
To avoid such situation, you should set the User Group Policy loopback processing mode property of the domain-level group policy with No Override status to Disabled. When the computers predictably use this method, you should prevent their users from accessing the group policy controlling this mode.
The next step includes the restriction of local group membership. You can do it using group policies too. GPO Restricted Groups property allows you to specify which accounts should be included into a particular group. The domain administrators and the accounts of technical support staff must be included into the group of local administrators. Because these accounts may differ depending on the organizational unit, apply such policies on the level of organizational units.
When all these values are set, a user with administrator's rights can only include another user to the administrators group for the period between group policy updating. If a local account is used for the system restore, you should also include this account to the local administrators group using group policies.
After that, it is recommended to perform a centralized change of the local administrator's password. Besides, you should also change the password of the local account which is used for the system restore of the domain workstations. SetPassword method of User object allows you to change the user's password from both current and remote computer (Listing 1).
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
objUser.SetPassword strPassword
objUser.SetInfo
Listing 1. Using VBScript to change the local administrator's password
Using Startup Scripts for changing the local administrator's password is not recommended by safety means. The reason is that in such case the password should be specified in the script. Microsoft Script Encoder utility used for encoding the script files cannot provide enough protection because its output files can be decoded without difficulty. Most safe script presumes to periodically start up the application that changes all the local administrator's passwords in the domain. The list of domain computers is contained in a file. The passwords may differ for the local administrator of different computer groups. See Listing 2 for the example of such a script.
'On Error Resume Next
iaPass = "..bL@nK P/\ssw0rd!!"
Sub Error_(i)
s = Err.Number
WScript.echo "Error " & s & " " & Err.Description
if i<>0 Then Err.Clear
End Sub
Set Args = WScript.Arguments
Sub chPass(host)
' On Error Resume Next
strComputer = host
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
objUser.SetPassword iaPass
objUser.SetInfo
If Err.Number<>0 Then
s = Err.Number
WScript.echo host & " Ч Error " & s & " " & Err.Description
Err.Clear
End If
End Sub
Sub ReadHostFile(filename)
Dim fso, f
' On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Wscript.Echo "Read hosts file"
Set f = fso.OpenTextFile(filename, 1, False)
if Err.Number<>0 then
call Error_(0)
else
while not f.atEndOfStream
s = f.ReadLine
Call chPass(s)
Err.Clear
wend
f.Close
end if
End Sub
for i=0 to args.count-1
If Args(i) = "-f" Then
iaComputers = Args(i+1)
Else If Args(i) = "-p" Then
iaPass = Args(i+1)
Else If Args(i) = "-h" Then
iaHost = Args(i+1)
End If
End If
End If
Next
If Err=0 Then
If iaHost<>"" Then
Call chPass(iaHost)
If Err.Number<>0 Then
call Error_()
End If
Else
Call ReadHostFile(iaComputers)
End If
End If
if Err <> 0 Then
Wscript.Echo ""
Wscript.Echo "lapass [-f filename] [-h hostname] [-p] password"
Wscript.Echo ""
Wscript.Echo "-f get hostТs list from file"
Wscript.Echo "-h change password for one host"
Wscript.Echo "-p new password"
Wscript.Echo ""
End IfListing 2. lapass.vbs script
Consider several schemes of the script's operation. To change the local administrator's password on the workstation, you should type the following command in the Run dialog box:
cscript lapass.vbs -h . -p pass
To change the local administrator's password on the workstations, whose names are stored in the hosts.txt file, you should type the command with the following parameters:
cscript lapass.vbs -f host.txt -p pass
The application creates a list of computers whose administrator's password could not have been changed. This list can be used on the next iteration. The list is also useful to decide which computers have a setup that goes against the domain security policy. Include special symbols into the administrator's password to make password guessing more difficult.
As a next step, you can forbid the local administrator to access the computer through the network or to log on locally. Remember that preventing the administrator from logging on may cause a lot of difficulty in case of system crash, unless there is another user with the administrator's rights on this computer. Therefore, it is not recommended to forbid the domain server's administrators to log on locally. Restraining the local administrator's possibilities of remote log on is preferable. To deny the administrator's remote logon (MS KB Q281140), specify the administrator's account in Computer Settings\Windows Settings\Security Settings\Local Polices\User Right Assigments\Deny access to this computer from the network. Another parameter regulating the local logon is resided in the same group policy section.
Denying the remote access does not remove the danger of picking the password through the network (SMB, SMTP, HTTP etc). The group policy is applied after the authentication is complete: the message reading that the remote access is prohibited for this user appears after the right password has been entered.
To avoid such situation, you can use passprop tool from the Windows NT Reskit. This tool allows locking out the administrator account in case the counter of unsuccessful remote logins has been exceeded. The number of attempts is set using the Computer Settings\Windows Settings\Security Settings\Local Polices\Account Lockout Policy\Account lockout threshold parameter. The lockout does not affect the local logon attempts. It is recommended to set up short periods (10 minutes) of lockout after 20-30 failed logon attempts because there can be additional local accounts (such as an application users) in the system. This method is more efficient if the passwords change periodically.
The methods above provide more effective protection from the majority of common schemes that involve getting local administrator's rights and illegal usage of administrative privileges. Another protection layer allows you to spot timely the successful logons to accounts with the rights of the local administrators. For this purpose, you should follow the workstations journal's events with EventID 528 or 540 whose Domain value concurs with Workstation Name value.
Unfortunately, Windows 2000 operating system does not include a system with monitoring and real-time response functions. There are a number of host-level attack detection systems and the systems for central management of network infrastructure.
As a simple solution, we can recommend the usage of Start Scripts to assign a special log on script to the local users. This script should notify the network administrator of the user logon.
on error resume next
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set Query = "Select * from Win32_OperatingSystem"
Set colItems = objWMIService.ExecQuery(Query,,48)
For Each objItem in colItems
path = objItem.SystemDirectory
Next
Set fso = CreateObject("Scripting.FileSystemObject")
path = path+"\\Repl"
fso.CreateFolder(Path)
path = path+"\\import"
fso.CreateFolder(Path)
path = path+"\\scripts"
fso.CreateFolder(Path)
Set f = fso.OpenTextFile(path+"\\Echo.vbs", 2, True)
f.WriteLine "Set WNetwork = Wscript.CreateObject(""Wscript.Network"")"
f.WriteLine "If WNetwork.ComputerName = WNetwork.Userdomain Then"
f.WriteLine "Set WshShell = WScript.CreateObject(""WScript.Shell"")"
f.WriteLine " WshShell.Run ""net send w2k10 Local logon "" &"_
& " WNetwork.UserName"
f.WriteLine "End If"
f.Close
Set objUser = GetObject("WinNT://./Administrator")
objUser.Put "LoginScript", "Echo.vbs"
objUser.SetInfoListing 3. Script.vbs script
This script finds out the path to the Windows system folder and attempts to create there the subfolder \Repl\Import\Scripts. This folder contains user scripts. By default, this folder os created on the domain controllers only. After that, the Echo.vbs file is created in this folder. This file is assigned to local users as a start script. The script determines whether the logged account is local or domain. In the former case, the script notifies the domain administrator.
Script.vbs script is applied each time the computers start and rewrites the Echo.vbs script. Besides, the script updates the assignments of user start scripts to this file. The Echo.vbs file is applied when a local user logs to the system. You can extend the Script.vbs's script functions to changing all local users' startup scripts.
The methods above cannot protect the system from skilled hackers who can replace the computer's operating system but provide effective protection from middle-level attacks.
