One of the most difficult aspects of security in a Windows environment is keeping visibility to and control over Windows privileges. All too often, users are given more privileges than they actually need. This can lead to dangerous Windows Server privilege escalation that comes from an attacker gaining access to an account that has a high level of Windows Server privileges. In this post, we will look at Windows Server privilege escalation, why this is dangerous, and how your organization can effectively implement the tools and controls needed for effective least privilege management.
Windows privilege escalation happens when an attacker is able to gain high levels of privileges on a target Windows host. It is a very valuable type of exploit used by attackers to compromise systems and facilitate other types of attacks. This usually happens in one of two ways:
A common issue with many applications is the level of privileges needed to run the application. Organizations may use a particular business-critical application that is poorly written from a security standpoint, leading to the requirement for local administrator privileges.
This leads to the user account getting granted administrator privileges on the machine simply to ensure there are no problems with running the application. Using native Windows Server tooling, it is challenging if not close to impossible to do away with admin privileges for user accounts required to run these types of applications.
Organizations need to also keep in mind the dangers of Windows Server privilege escalation that come from attackers capitalizing on vulnerabilities found on your Windows machines. This is another type of Windows privilege escalation that organizations must protect against primarily by keeping Windows hosts updated with the latest patches available.
One of the best ways for organizations to protect their Windows environments is to enforce Windows Server least privilege across the environment. This means that end users have the least amount of privileges they need to carry out only those tasks they absolutely need to do.
As mentioned in the outset, having Windows users granted administrator privileges simply to run a particular application is a security risk that organizations need to give attention to. For the purposes of this discussion, this is the area we are going to key in on.
Businesses often face the security challenge of a business-critical application that needs to have administrator privileges on a Windows machine. This leads to granting administrator privileges to users who need to run the application. How can you go about enforcing least privilege to users while at the same time giving applications the privileges needed to run on a Windows host?
The important distinction that needs to be made with least privilege and application permissions is that it is the application that needs the permissions and not the user. However, the privilege and permissions model that is commonly employed today- involves assigning permissions to “users” and not applications.
How can you effectively provide the permissions to the applications in a way that allows controlling and restricting the administrator privileges needed to only the application and not to the whole system in general?
The challenge of least privilege and application administrator privileges is one that is easily solved by Securden Windows Privilege Manager (WPM). With Windows Privilege Manager, administrators can configure specific applications that are allowed for administrator escalation and then assign the privileges for that application to specific users who are allowed to launch the application with the privileges needed.
With this approach, administrator privileges are not given to the entire user session by way of making the user a member of the local administrators group on the local Windows host. Rather, the administrator privileges are granularly applied to the specific application for a specific user.
Let’s take a look at a scenario of applying administrator privileges to a specific application for a specific user and see how this can be done using the tools that Securden Windows Privilege Manager provides.
Suppose a user has a need to start/stop services in services.msc OR use inetMgr.exe as an example. Traditionally, the user may simply be placed inside the local administrators group on the local Windows machine. This would allow them to run the applications as administrator, however, would allow the user to have carte blanche admin privileges on the system.
Traditionally users have to be added to administrators group to run apps with administrator privileges
The better way is to use an application policy that allows assigning the admin permissions on an application-by-application basis. Let’s add the services.msc and inetMgr.exe application to Securden WPM and assign a policy to the underprivileged user to allow running these applications as an administrator.
Securden WPM provides detailed granularity in how the application policy is applied. We can assign a particular application to be allowed for a specific computer and for a specific user.
Now, logged in as an underprivileged user, the user can run services.msc or inetMgr.exe as an administrator using Securden WPM. You may note that even though we logged in as an underprivileged user, the application is run as an administrator.
Windows privilege escalation is an attack that organizations must give due time and attention. In addition to keeping Windows systems patched, enforcing least privilege access across the board is a great way to minimize the risk of compromised accounts with overprovisioned privileges.
With Securden Windows Privilege Manager, organizations have the ability to drastically reduce the attack surface that comes from giving end users local administrator privileges on Windows hosts simply to run certain applications. Applications can be granularly defined to run as an administrator for a specific user, on specific Windows computers.