One of the most difficult aspects of security in a Windows environment is keeping visibility to and control over Windows privileges. All too often, users are given more privileges than they actually need. This can lead to dangerous Windows Server privilege escalation that comes from an attacker gaining access to an account that has a high level of Windows Server privileges. In this post, we will look at Windows Server privilege escalation, why this is dangerous, and how your organization can effectively implement the tools and controls needed for effective least privilege management.
Windows privilege escalation happens when an attacker is able to gain high levels of privileges on a target Windows host. It is a very valuable type of exploit used by attackers to compromise systems and facilitate other types of attacks. This usually happens in one of two ways:
A common issue with many applications is the level of privileges needed to run the application. Organizations may use a particular business-critical application that is poorly written from a security standpoint, leading to the requirement for local administrator privileges.
This leads to the user account getting granted administrator privileges on the machine simply to ensure there are no problems with running the application. Using native Windows Server tooling, it is challenging if not close to impossible to do away with admin privileges for user accounts required to run these types of applications.
Organizations need to also keep in mind the dangers of Windows Server privilege escalation that come from attackers capitalizing on vulnerabilities found on your Windows machines. This is another type of Windows privilege escalation that organizations must protect against primarily by keeping Windows hosts updated with the latest patches available.
One of the best ways for organizations to protect their Windows environments is to enforce Windows Server least privilege across the environment. This means that end users have the least amount of privileges they need to carry out only those tasks they absolutely need to do.
As mentioned in the outset, having Windows users granted administrator privileges simply to run a particular application is a security risk that organizations need to give attention to. For the purposes of this discussion, this is the area we are going to key in on.
Businesses often face the security challenge of a business-critical application that needs to have administrator privileges on a Windows machine. This leads to granting administrator privileges to users who need to run the application. How can you go about enforcing least privilege to users while at the same time giving applications the privileges needed to run on a Windows host?
The important distinction that needs to be made with least privilege and application permissions is that it is the application that needs the permissions and not the user. However, the privilege and permissions model that is commonly employed today- involves assigning permissions to “users” and not applications.
How can you effectively provide the permissions to the applications in a way that allows controlling and restricting the administrator privileges needed to only the application and not to the whole system in general?
The challenge of least privilege and application administrator privileges is one that is easily solved by Securden Windows Privilege Manager (WPM). With Windows Privilege Manager, administrators can configure specific applications that are allowed for administrator escalation and then assign the privileges for that application to specific users who are allowed to launch the application with the privileges needed.
With this approach, administrator privileges are not given to the entire user session by way of making the user a member of the local administrators group on the local Windows host. Rather, the administrator privileges are granularly applied to the specific application for a specific user.
Let’s take a look at a scenario of applying administrator privileges to a specific application for a specific user and see how this can be done using the tools that Securden Windows Privilege Manager provides.
Suppose a user has a need to start/stop services in services.msc OR use inetMgr.exe as an example. Traditionally, the user may simply be placed inside the local administrators group on the local Windows machine. This would allow them to run the applications as administrator, however, would allow the user to have carte blanche admin privileges on the system.
Traditionally users have to be added to administrators group to run apps with administrator privileges
The better way is to use an application policy that allows assigning the admin permissions on an application-by-application basis. Let’s add the services.msc and inetMgr.exe application to Securden WPM and assign a policy to the underprivileged user to allow running these applications as an administrator.
Securden WPM provides detailed granularity in how the application policy is applied. We can assign a particular application to be allowed for a specific computer and for a specific user.
Now, logged in as an underprivileged user, the user can run services.msc or inetMgr.exe as an administrator using Securden WPM. You may note that even though we logged in as an underprivileged user, the application is run as an administrator.
Windows privilege escalation is an attack that organizations must give due time and attention. In addition to keeping Windows systems patched, enforcing least privilege access across the board is a great way to minimize the risk of compromised accounts with overprovisioned privileges.
With Securden Windows Privilege Manager, organizations have the ability to drastically reduce the attack surface that comes from giving end users local administrator privileges on Windows hosts simply to run certain applications. Applications can be granularly defined to run as an administrator for a specific user, on specific Windows computers.
May God defend me from my friends
As stories of trusted insiders causing information security breaches continue to unfold, it’s time organizations woke up to...
Dec 21 · 4 min read
Ransomware attack on Colonial Pipeline: Executing cyberattacks, now a child's play!
With the easy availability billions of compromised credentials on the dark web, and the practice of password reuse rampant, hackers...
jun 7 · 5 min read
Eliminating Admin Rights and Controlling Applications (Part 3)
One of the most effective approaches to reducing risks is eliminating the local admin accounts altogether and...
May 17 · 4 min read
Looking for a Passwordstate alternative?
Passwordstate, an enterprise password manager developed by Click Studios, suffered a supply chain attack between...
Apr 30 · 3 min read
Local Admin Accounts Management: Microsoft LAPS Vs. PAM (Part-2)
In the previous post, we dealt with the importance of local admin accounts, the associated security risks, and...
Apr 06 · 3 min read
Top 10 password policy recommendations for sysadmins in 2021
Passwords are omnipresent in our personal and business digital environments. An average person has at least...
Apr 01 · 6 min read
Local Admin Accounts - Security Risks and Best Practices (Part 1)
We are all too familiar with the local administrator account that gets created automatically when installing a Windows...
Mar 19 · 4 min read
Poor password security practices cause massive security breaches
Weak passwords, password reuse, password sharing, hard-coded credentials, lax measures to storing credentials...
Mar 13 · 6 min read