Power users a risk

I am trying to quantify the risk with the power users group on an old 2003 server. I notice the domain users group is a member of power users (so basically every user in the network has power user access on this server); however, looking at this power users policy, they cannot remote onto the server via Remote Desktop.

My question is... is there any other way a power user could access resources on the server "remotely", or add themselves to admin level groups/policies "remotely"? I can't quite grasp the risk. The server is located in a secure data centre so they can't physically log on at the console either, nor do they have access to the admin shares via map network drive etc. It sounds like a big problem, but I am not sure it is.

Obviously the ultimate solution would be to remove power user permissions on the server from the domain users group... but I would like to first understand the risks...
Asked by: pma111
2 Solutions
 
lruiz52 commented:
The power user group is able to install software, manage power and time-zone settings and install ActiveX controls when logged on to the local machine.

For a user to remote in via RDP they have to be a member of the local Administrators group or the "Remote Desktop Users" group.

So if your users do not have physical access to the server console and can't RDP in, then they really don't need to be members of the server's power users group.
 
pma111 (Author) commented:
My question was more, though: is there any risk given the scenario, i.e. are there any other methods of gaining access remotely to a server and its data if you don't have either RDP or local console access to the server?
 
McKnife commented:
No, there is not. But take them out of that group anyway, it makes no sense.
 
Rich Rumble (Security Samurai) commented:
Yes, yes there is: http://blogs.technet.com/b/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx

Remotely, by default, you can use many of these services... (possibly installing your own):
PowerShell, WMI (aka vbscripts), Remote.exe, psexec (hundreds and hundreds of remote administration tools here). Adding themselves to the admin group is possible, but only if they were to install a service that acted as system, and that service was then used to add themselves; but once a service is acting as system, it's over, system is already higher than Admin.
One of the old tricks, and it still works if you have a service that uses an unquoted path and you are a power user: the power user only has to put "program.exe" in C:\ and wait for the service to try to start itself. If the service uses an unquoted path, program.exe runs as that user (system 99%), and program.exe does whatever it was designed to do.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """


PowerUsers don't have write access to the root of C:\ by default, but if you have other files or folders in Program Files or the C:\Windows folder, power users can do the trick there:
accesschk.exe -w "power users" c:\
RW c:\Program Files
RW c:\WINDOWS
-rich
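As an added defender-side example (not code from the thread or from any of its participants), the following script applies the unquoted-service-path check behind the wmic one-liner above to a constructed sample of that command's output, and for each hit lists the directories whose ACLs would then need checking with accesschk. The service names and paths in the sample are hypothetical.

```python
import ntpath
import re

# Constructed sample of the default column-aligned output of
#   wmic service get name,displayname,pathname,startmode  (hypothetical names/paths)
SAMPLE_WMIC_OUTPUT = r"""
Name        DisplayName        PathName                                       StartMode
Spooler     Print Spooler      C:\WINDOWS\system32\spoolsv.exe                Auto
AcmeBackup  Acme Backup Agent  C:\Program Files\Acme Backup\agent.exe -svc    Auto
AcmeSafe    Acme Safe Agent    "C:\Program Files\Acme Safe\agent.exe" -svc    Auto
LazyTool    Lazy Tool          C:\Program Files\Lazy Tool\tool.exe            Manual
"""

def exe_path(pathname):
    """Image path the service control manager resolves, or None when the path is quoted."""
    p = pathname.strip()
    if p.startswith('"'):
        return None  # a quoted path is a single token, embedded spaces are harmless
    m = re.match(r'(.+?\.exe)\b', p, re.IGNORECASE)  # drop arguments after the .exe
    return m.group(1) if m else p

def probe_dirs(image):
    """Directories whose ACLs to check with accesschk: each prefix before a space
    is tried first as '<prefix>.exe', so a writable prefix directory is the risk."""
    parts = image.split(' ')
    dirs = []
    for i in range(1, len(parts)):
        d = ntpath.dirname(' '.join(parts[:i]) + '.exe')
        if d not in dirs:
            dirs.append(d)
    return dirs

def audit(wmic_output, auto_only=True):
    """Return services whose unquoted image path contains a space."""
    lines = [l for l in wmic_output.splitlines() if l.strip()]
    cols = re.split(r'\s{2,}', lines[0].strip())  # header row names the columns
    findings = []
    for row in lines[1:]:
        f = dict(zip(cols, re.split(r'\s{2,}', row.strip())))
        if auto_only and f['StartMode'].lower() != 'auto':
            continue
        image = exe_path(f['PathName'])
        if image is None or ' ' not in image:
            continue
        findings.append({'service': f['Name'], 'image': image,
                         'check_dirs': probe_dirs(image)})
    return findings
```

Unlike the one-liner, the parser does not drop paths under C:\Windows, because the accesschk output above shows power users hold RW on that directory too.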
 
McKnife commented:
Hi Rich.

Please don't just write "yes there is" or I'll stick to my "no there isn't", then :)
What can they do from remote? What attack do you have in mind if they cannot logon locally/remotely?
 
Rich Rumble (Security Samurai) commented:
> my question was more though, is there any risk given the scenario, i.e. is there any other methods of gaining access remotely to a server and its data if you dont have either RDP or local console access to the server.
Says "local console" (to me that sounds like keyboard, physical access) or RDP... so WMI, the remote registry service, and maybe other programs/services. While WMI and the remote registry service do use the 135, 139 and 445 ports, they do not depend on the shares. You can remotely install programs, or change settings via PowerShell, WMI and other tools like remote.exe.
The OP hasn't specified if the ports are closed and/or the services are disabled; I'm assuming "the worst" :)
-rich
 
McKnife commented:
Please describe what motivated you to say power users can do something from remote. They cannot do more than standard users from remote.
 
pma111 (Author) commented:
Can power users add themselves into the Remote Desktop Users group, which does have RDP access? I know you can't add yourself to the administrators group, but Remote Desktop Users? I didn't know whether any of the remote access tools Rich mentions could be used for remote local group management? Maybe the Computer Management console?
 
McKnife commented:
You cannot execute commands remotely without admin access. Power users cannot act remotely. If you would only tell us why you would like to keep them in that group in the first place...?
 
pma111 (Author) commented:
What does it matter? The question was about understanding the risk in keeping them in there. Before taking action.
 
McKnife commented:
But your users cannot log on. I would really like to help you understand the risks, but in this case there is no difference whether they are in there or not, as they cannot log on.
 
pma111 (Author) commented:
So Rich's view that they (power users) can access the server remotely via various tools/services is incorrect?

Aside from that though, if the power user could log in either via RDP or locally, could they add users or themselves to the Remote Desktop Users group? Also, I assume it's not the default for domain users to be members of the power users group on older Windows versions?
 
McKnife commented:
On Rich's view: I hope he will explain soon.
On remote access in general: the ports that are open on the server correspond to services that are in the listening state. If those services care about user rights at all, they will make no difference between restricted users and power users, only between administrators and non-admins; that's what I am trying to tell Rich.

> Also, I assume it's not the default for domain users to be members of the power users group on older Windows versions?
- No, it isn't and never was.

> if the power user could log in either via RDP or locally, could they add users or themselves to the Remote Desktop Users group?
- No, they cannot do account management tasks.
 
pma111 (Author) commented:
OK thanks, this link seems a bit misleading then:

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_default_settings.mspx?mfr=true

"Create and manage local user accounts and groups." (albeit linked to XP, couldn't find similar for 2003).
 
pma111 (Author) commented:
 
McKnife commented:
> seems to hint they can only edit accounts they have created themselves
Not quite. They can only manage groups that they themselves have created.
 
Rich Rumble (Security Samurai) commented:
I'll stand behind what I've said; give me some time today and I'll have a remote power user placed into the admin group, reproducible by those here, if I was right :)
I just woke up, so I need coffee first.
-rich
 
pma111 (Author) commented:
Look forward to this Rich..
 
pma111 (Author) commented:
By the way, ports 135 and 445 are open (epmap and microsoft-ds).
 
Rich Rumble (Security Samurai) commented:
I'm not done yet, but I may be wrong after all :) The power user doesn't have rights in the places I thought they might when remote. The local power user might as well be an administrator, even M$ says so: http://support.microsoft.com/kb/825069
http://blogs.technet.com/b/jesper_johansson/archive/2006/03/12/421870.aspx
That's with logon rights.

Nonetheless, a power user can't query much about a machine, but a fully updated 2003 machine, by default, is still vulnerable to null sessions, and the null session can do much more than the power user account from remote...

PsExec was denied access for null and power user. Reg.exe (or regedit) had access to only HKU, not HKLM. This was NOT true for null sessions. I was able to use null sessions to query using WMI however, but not PowerUser.
From CMD:
net use \\ip.ip.ip.ip\ipc$ "" /user:""
wmic /node:ip.ip.ip.ip  process get name, executablepath, processid
wmic /node:ip.ip.ip.ip  bios get smbiosbiosversion, serialnumber
etc...


I checked wmimgmt.msc to see what might be writable and I didn't turn up anything with good WRITE permissions, but there are some, just not vital ones, and that's because the Everyone group not because of the PowerUsers group.

PowerUsers do not have C$ access from remote locations by default. YMMV but the default is no access. Mounting C$ as a remote drive doesn't work either naturally.

I was able to connect via MMC to 2003 as a power user and create accounts!! I was not able to simply place them in the administrators group; they defaulted to the USERS group. I was able to add more users into the power users group of the remote machine using the MMC. I could not add them to the Backup, Remote Desktop, or DCOM users groups. I was not able to change or stop services using MMC, nor view the event logs.
I did not try a domain controller, so I didn't test write permissions to the netlogon shares and/or possibly the logon scripts that run from there.

PowerUsers' remote abilities are limited, but I think most of us knew that locally (via RDP or console) they are not very limiting. Null sessions by default are easy to fix, and perhaps your network already has the proper settings/GPOs.

Local power users have these abilities:
  • Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.
  • Install programs that do not modify operating system files or install system services.
  • Customize system wide resources including printers, date, time, power options, and other Control Panel resources.
  • Create and manage local user accounts and groups.
  • Stop and start system services which are not started by default.
I couldn't create scheduled tasks from remote or locally being authenticated or null session.
That's about all the time I have for this now, I didn't try using MetaSploit or other tools, I was trying to be as "native" as possible. The null sessions+wmi was a surprise that it worked as well as it did for reading. Writing did not work, by default, that is not to say that a non-default configuration would be more secure, it could be quite the opposite. YMMV I suppose.
I humbly stand corrected :) (for remote powerusers) other 3rd party services or programs were not taken into account, just a windows only 2003 instance.
-rich
 
pma111 (Author) commented:
Thanks Rich. In regards to null sessions, are you saying you could access admin shares and open documents on those via this method? How can you determine if null sessions are an option or not?
 
pma111 (Author) commented:
Is the DumpSec tool using a null session to gather remote information?
 
Rich Rumble (Security Samurai) commented:
I don't want to get off the original question too much. From what I tried, I could use a null session and WMIC to read about all you need to read about a server. There were no actions I could take with the null session beyond reading, well for what I tried.
You can enumerate users and get information all about the system itself. It's more recon than exploit or escalation. The recon however could lead to more; again YMMV, you have to try it out on your own to see.
I'd say overwhelmingly McKnife was correct in this question and should get the points. Other topics can certainly be discussed in other Q's.

I may also be mistaken on the null session... I'm trying to reproduce after rebooting everything in the lab, and I get access denied now. I'm sure I can reproduce, just not right now :( I'll have to double check my work (again)...
 
Rich Rumble (Security Samurai) commented:
I was able to query the remote host using a credentialed reg.exe session; certain reg keys are easily queryable, maybe writable if you are in the power users group. You cannot enumerate all of, say, HKLM from its root.
net use \\ip.ip.ip.ip\ipc$ pass_here /u:user_name
reg query "\\ip.ip.ip.ip\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
This is also true of any user, to be able to query specific registry keys; again I haven't looked for WRITE rights yet.

I'm still looking into how I was getting WMI to return results from what I thought was a null session, but it might have been credentialed after all.
Fact remains for now, that PowerUsers remote are not as powerful as they are local.
-rich
