A concept for safe user support


This is a guide to the following problem (not exclusively, but here on Windows):


Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge.


Any admin who takes security seriously fears attacks by his own colleagues. Thus he faces a small dilemma with user support: strictly speaking, each user PC is "enemy territory". We do not know if the user has evil intentions and might have prepared his already compromised machine, only waiting for us. How to authenticate there without running the risk that the user will somehow capture our password or hash?


Many questions arise:

  • Do we use remote assistance, remote desktop or TeamViewer?
  • Or walk over to the user and enter the password while he watches?
  • Or visit his computer (physically or from remote) "after hours"?
  • Do we use local Admins, or a/the domain admin or do we create an AD Group with delegated privileges? 
  • How do we maintain the passwords? Write lists, memorize, or set all to the same one?
  • Do we type that password in our own session only, or inside the user's session but only on the secure desktop of a UAC prompt, or may we use it with RunAs? Or would it be better to use 2-factor authentication?
  • Or shall we "surrender" and give all users admin rights so they can solve their problems alone? ;-)

You can find various recommendations also by Microsoft but I want to exhibit and recommend my own approach here. It comes without two-factor authentication, without additional software and is robust. I have been using it for more than a year now.


The main idea is: there is no need to use an account that is admin on more machines than the supported one! We are working on one (1) machine, so why should we use an account that is admin on all clients? The reason is convenience. And we pay for that laziness -- anyone familiar with mimikatz and similar exploitation tools will agree. I will show an alternate way that is secure and still convenient.


The usage scenario: User needs support, the problem has been identified: it is not a user profile problem so we will not need to work inside the user's session, but unfortunately, admin rights are needed to fix it. Still, the goal is to leave no exploitable credentials on the supported computer.


My intention is

  • to have one support admin account per computer
  • to have access to domain resources with this account 
  • to enable this account only for the period of the support case
  • not to create any password lists (I'll show that you do not even have to enter a password at all)

Now let's start:


Step 1: For each PC ("somePC") I automatically create a disabled user account "adminsomePC" with a random password that can log on nowhere. To achieve that, the logonworkstations parameter is set to some fantasy name (here: fantasynamehere). We can create a list.txt with all PC names inside and then run the following at the DC:

for /f %a in (list.txt) do net user /add admin%a /random /active:no /WORKSTATIONS:fantasynamehere

Step 2: These accounts will live in their own OU, to which the (weak) support employee accounts get delegated full rights (using the Delegation of Control wizard) so that they can set those admin accounts active/inactive.


Step 3: A domain startup script makes the corresponding account a member of the local Administrators group:


net localgroup /add administrators admin%computername% 

Step 4: If a supporter needs admin rights on somePC, he activates the adminsomePC account with a script (see below). The script sets a new password, at the same time stores these credentials in the credential manager of the supporter's own computer, and automatically opens a remote desktop connection to somePC. When he's done, the support account is disabled automatically.


The script itself is simple batch code, refined with a PowerShell script scripts.zip\Day6-PowerShell\GenerateRandomPassword.ps1 (public domain) from http://www.sans.org/windows-security/files/scripts.zip that generates random passwords (adjustable length, default: 15).


@echo off
rem Ask which PC needs support
set /p target=What machine?: %=%
rem Generate a random password, enable the support account (logon allowed only from this PC and the target) and store the credential for RDP on this PC
for /f %%a in ('powershell \\server\share\GenerateRandomPassword.ps1') do net user admin%target% %%a /domain /active:yes /workstations:%computername%,%target% & cmdkey /add:TERMSRV/%target% /user:netbiosdomainname\admin%target% /pass:%%a
rem Open the RDP session; the script waits at "pause" until the supporter is done
start mstsc /v:%target%
pause
rem Disable the support account again
net user admin%target% /active:no /domain


The account can be used to help via RDP completely safely. If you correctly terminate the batch by pressing any key, that account will be deactivated immediately again. But just in case, you should create a scheduled task on your DC that deactivates all support admins after working hours. I had to minimally edit GenerateRandomPassword.ps1 to fit my needs. I commented out line 65:

#1..20 | foreach { Generate-RandomPassword -length $length } ; "`n"

and I added:


1 | foreach { Generate-RandomPassword -length $length } ; "`n"


That's it.

Certainly you can further refine this, my intent is to provide the base.
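The same workflow (steps 1 and 4 plus the after-hours safety task) written with the ActiveDirectory PowerShell module instead of net.exe, as an added example that is not part of the original article. The OU path, the NetBIOS domain name and the password alphabet are assumptions; the try/finally guarantees the account is disabled even if mstsc fails to start.

```powershell
#Requires -Modules ActiveDirectory
$SupportOU     = 'OU=SupportAdmins,DC=example,DC=com'   # assumption: OU from step 2
$NetbiosDomain = 'EXAMPLE'                              # assumption

function New-RandomPassword([int]$Length = 15) {
    # CSPRNG-based password, same default length as the SANS script
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*?'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Step 1: one disabled account per computer, allowed to log on nowhere
function New-SupportAdminAccounts([string]$ListFile) {
    foreach ($pc in Get-Content $ListFile) {
        $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        New-ADUser -Name "admin$pc" -SamAccountName "admin$pc" -Path $SupportOU `
            -AccountPassword $pw -Enabled $false -LogonWorkstations 'fantasynamehere'
    }
}

# Step 4: new password, enable only for this session, credential stays on the
# supporter's own PC, RDP to the target, then disable again
function Start-SupportSession([string]$Target) {
    $acct  = "admin$Target"
    $plain = New-RandomPassword
    Set-ADAccountPassword -Identity $acct -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Set-ADUser -Identity $acct -LogonWorkstations "$env:COMPUTERNAME,$Target"
    Enable-ADAccount -Identity $acct
    try {
        cmdkey.exe "/add:TERMSRV/$Target" "/user:$NetbiosDomain\$acct" "/pass:$plain" | Out-Null
        Start-Process mstsc.exe -ArgumentList "/v:$Target" -Wait
    } finally {
        # runs even if mstsc fails: the account never stays enabled by accident
        cmdkey.exe "/delete:TERMSRV/$Target" | Out-Null
        Disable-ADAccount -Identity $acct
    }
}

# After-hours safety net: schedule this on the DC
function Disable-AllSupportAdmins {
    Get-ADUser -SearchBase $SupportOU -Filter 'Enabled -eq $true' | Disable-ADAccount
}
```

Run New-SupportAdminAccounts once against your list.txt, give supporters Start-SupportSession, and register Disable-AllSupportAdmins as the scheduled task mentioned above.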

Author:McKnife
6 Comments

Expert Comment

by:Geert G
Nice article, but why would a malicious user wait for you to come to him?

What if the malicious user finds your account and tries to log in with it until it's locked because of n wrong passwords ...
the next level would be all supports accounts ...

Author Comment

by:McKnife
"What if the malicious user finds your account and tries to log in with it until it's locked because of n wrong passwords ..." - read it once more. That is not possible, because it is locked unless we activate it for the support RDP connection.
"Nice article, but why would a malicious user wait for you to come to him?" - if you have more questions, next time please ask them right at the article. Answer: to grab your password with mimikatz and extend his rights from admin@local to admin@allPCsThatAdminHasAccessTo

Expert Comment

by:Mike
Nice article, McKnife

Expert Comment

by:Blue Street Tech
I voted +1. Great article McKnife!

Expert Comment

by:Alan
Hi McKnife,

Great article - thanks!

Question:  Are you leaving this line:

net localgroup /add administrators admin%computername% 


in your login script permanently so it runs on every machine at every login?

Thanks,

Alan.

Author Comment

by:McKnife
It's not a logon script but a startup script, and yes, you can leave it; it does not matter if it's executed several times.