Windows Server Privilege Escalation: Security Issues and Best Practices

One of the most difficult aspects of security in a Windows environment is keeping visibility to and control over Windows privileges. All too often, users are given more privileges than they actually need. This can lead to dangerous Windows Server privilege escalation that comes from an attacker gaining access to an account that has a high level of Windows Server privileges. In this post, we will look at Windows Server privilege escalation, why this is dangerous, and how your organization can effectively implement the tools and controls needed for effective least privilege management.

Windows Server Privilege Escalation Dangers

Windows privilege escalation happens when an attacker is able to gain high levels of privileges on a target Windows host. It is a very valuable type of exploit used by attackers to compromise systems and facilitate other types of attacks. This usually happens in one of two ways:

• Overprovisioned accounts
• Exploiting an unpatched vulnerability

Overprovisioned accounts

A common issue with many applications is the level of privileges needed to run the application. Organizations may use a particular business-critical application that is poorly written from a security standpoint, leading to the requirement for local administrator privileges.

This leads to the user account getting granted administrator privileges on the machine simply to ensure there are no problems with running the application. Using native Windows Server tooling, it is challenging if not close to impossible to do away with admin privileges for user accounts required to run these types of applications.

Exploiting an unpatched vulnerability

Organizations need to also keep in mind the dangers of Windows privilege escalation that come from attackers capitalizing on vulnerabilities found on your Windows machines. This is another type of Windows privilege escalation that organizations must protect against primarily by keeping Windows hosts updated with the latest patches available.

Window Least Privilege Management: The Best Practice Approach

One of the best ways for organizations to protect their Windows environments is to enforce Windows Server least privilege across the environment. This means that end users have the least amount of privileges they need to carry out only those tasks they absolutely need to do.

As mentioned in the outset, having Windows users granted administrator privileges simply to run a particular application is a security risk that organizations need to give attention to. For the purposes of this discussion, this is the area we are going to key in on.

Businesses often face the security challenge of a business-critical application that needs to have administrator privileges on a Windows machine. This leads to granting administrator privileges to users who need to run the application. How can you go about enforcing least privilege to users while at the same time giving applications the privileges needed to run on a Windows host?

The important distinction that needs to be made with least privilege and application permissions is that it is the application that needs the permissions and not the user. However, the privilege and permissions model that is commonly employed today- involves assigning permissions to “users” and not applications.

How can you effectively provide the permissions to the applications in a way that allows controlling and restricting the administrator privileges needed to only the application and not to the whole system in general?

Securden Endpoint Privilege Manager provides the tooling needed

The challenge of least privilege and application administrator privileges is one that is easily solved by Securden Endpoint Privilege Manager (EPM). With Endpoint Privilege Manager, administrators can configure specific applications that are allowed for administrator escalation and then assign the privileges for that application to specific users who are allowed to launch the application with the privileges needed.

With this approach, administrator privileges are not given to the entire user session by way of making the user a member of the local administrators group on the local Windows host. Rather, the administrator privileges are granularly applied to the specific application for a specific user.

Administrator privileges for specific applications

Let’s take a look at a scenario of applying administrator privileges to a specific application for a specific user and see how this can be done using the tools that Securden Endpoint Privilege Manager provides.

Suppose a user has a need to start/stop services in services.msc OR use inetMgr.exe as an example. Traditionally, the user may simply be placed inside the local administrators group on the local Windows machine. This would allow them to run the applications as administrator, however, would allow the user to have carte blanche admin privileges on the system.

The better way is to use an application policy that allows assigning the admin permissions on an application-by-application basis. Let’s add the services.msc and inetMgr.exe application to Securden WPM and assign a policy to the underprivileged user to allow running these applications as an administrator.

Securden WPM provides detailed granularity in how the application policy is applied. We can assign a particular application to be allowed for a specific computer and for a specific user.

Now, logged in as an underprivileged user, the user can run services.msc or inetMgr.exe as an administrator using Securden WPM. You may note that even though we logged in as an underprivileged user, the application is run as an administrator.

Concluding Thoughts

Windows privilege escalation is an attack that organizations must give due time and attention. In addition to keeping Windows systems patched, enforcing least privilege access across the board is a great way to minimize the risk of compromised accounts with overprovisioned privileges.

With Securden Endpoint Privilege Manager, organizations have the ability to drastically reduce the attack surface that comes from giving end users local administrator privileges on Windows hosts simply to run certain applications. Applications can be granularly defined to run as an administrator for a specific user, on specific Windows computers.