Solved

power users a risk

Posted on 2014-03-17
24
441 Views
Last Modified: 2014-03-19
i am trying to quantify the risk with the power users group on an old 2003 server. I notice the domain users group is a member of power users (so basically every user in the network has power user access on this server); however, looking at this power users policy, they cannot remote onto the server via remote desktop.

my question is... is there any other way a power user could access resources on the server "remotely", or add themselves to admin level groups/policies "remotely"? I can't quite grasp the risk. The server is located in a secure data centre so they can't physically log on at the console either, nor do they have access to the admin shares via map network drive etc. It sounds like a big problem, but I am not sure it is.

Obviously the ultimate solution would be to remove power user permissions on the server from the domain users group... but I would like to first understand the risks...
0
Question by:pma111
24 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 39934447
The power user group is able to install software, manage power and time-zone settings and install ActiveX controls when logged on to the local machine.

for a user to remote in via RDP they have to be a member of the local Administrators group or the "Remote Desktop Users" group.

so if your users do not have physical access to the server console and can't RDP in, then they really don't need to be members of the server's power users group.
0
 
LVL 3

Author Comment

by:pma111
ID: 39934479
my question was more though, is there any risk given the scenario, i.e. are there any other methods of gaining access remotely to a server and its data if you don't have either RDP or local console access to the server.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 300 total points
ID: 39935239
No, there is not. But take them out of that group anyway; it makes no sense.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 39935503
Yes, yes there is: http://blogs.technet.com/b/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx

Remotely, by default, you can use many of these services... (possibly installing your own)
PowerShell, WMI (aka vbscripts), Remote.exe, psexec (hundreds and hundreds of remote administration tools here). Adding themselves to the admin group is possible, but only if they were to install a service that acted as system, and that service was then used to add themselves; but once a service is acting as system, it's over, system is already higher than Admin.
One of the old tricks, and it still works: if you have a service that uses an unquoted path and you are a power user, the power user only has to put "program.exe" in C:\ and wait for the service to try to start itself. If the service uses an unquoted path, program.exe runs as that user (system 99%), and program.exe does whatever it was designed to do.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Power Users don't have write access to the root of C:\ by default, but if you have other files or folders in Program Files, or the C:\Windows folder, power users can do the trick there:
accesschk.exe -w "power users" c:\
RW c:\Program Files
RW c:\WINDOWS
-rich
0
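Rich's check above pipes wmic output through findstr and then uses accesschk to see where Power Users can write. As an added example (my own code, not Rich's and not part of this thread), the Python below does the same audit over the CSV form of that wmic output (`wmic service get name,displayname,pathname,startmode /format:csv`): for every auto-start service whose image path is unquoted and contains spaces, it lists the directories whose ACLs must not grant write access to Power Users or other non-admins, which is exactly what the accesschk step was checking. The sample output, service names and paths are constructed for the example; to use it on a real server, replace SAMPLE_WMIC_CSV with the saved wmic output.

```python
import csv
import ntpath
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode /format:csv`
# from a Windows Server 2003 host. Service names and paths are invented for this
# example; they are not output from any real server. wmic prints a leading blank
# line and a header row; columns are looked up by name, so their order does not matter.
SAMPLE_WMIC_CSV = r"""
Node,DisplayName,Name,PathName,StartMode
SRV2003,Backup Agent,BackupAgent,C:\Program Files\Acme Backup\agent.exe -svc,Auto
SRV2003,Monitor Agent,MonitorAgent,"C:\Program Files\Acme Monitor\monitor.exe",Auto
SRV2003,Windows Time,W32Time,C:\WINDOWS\system32\svchost.exe -k LocalService,Auto
SRV2003,Legacy Tool,LegacyTool,C:\Legacy Apps\legacytool.exe,Manual
SRV2003,Vendor Update,VendorUpdate,C:\Program Files\Vendor Corp\Update Service\upd.exe,Auto
"""


def parse_wmic_csv(text):
    """Parse wmic /format:csv output into a list of {column: value} dicts.
    wmic does not quote fields, so QUOTE_NONE keeps the literal quotes that
    surround an already-quoted service path (the information this audit needs)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.reader(lines, quoting=csv.QUOTE_NONE)
    header = next(reader)
    return [dict(zip(header, row)) for row in reader if len(row) == len(header)]


def unquoted_path_dirs(pathname):
    """For an unquoted service path containing spaces, return the directories
    the service control manager would search before the real executable
    (C:\\ and C:\\Program Files for C:\\Program Files\\Acme Backup\\agent.exe).
    These are the directories whose ACLs must deny write to non-admins.
    A quoted path, or a path without spaces, returns []."""
    p = pathname.strip()
    if p.startswith('"'):
        return []
    # Drop service arguments: keep everything up to and including the first ".exe".
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    exe = m.group(1) if m else p
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            d = ntpath.dirname(exe[:i])  # ntpath so this runs correctly on any host OS
            if d and d not in dirs:
                dirs.append(d)
    return dirs


def audit_services(wmic_csv, include_windows_dir=False):
    """Return (service name, path, directories to check) for auto-start services
    with an unquoted path. Mirrors the findstr filters in the thread: auto-start
    only, and services under C:\\Windows skipped unless include_windows_dir is set
    (assumes the system drive is C:, as the original command does)."""
    findings = []
    for svc in parse_wmic_csv(wmic_csv):
        if svc["StartMode"].lower() != "auto":
            continue
        path = svc["PathName"]
        if not include_windows_dir and path.lstrip('"').lower().startswith("c:\\windows\\"):
            continue
        dirs = unquoted_path_dirs(path)
        if dirs:
            findings.append((svc["Name"], path, dirs))
    return findings


if __name__ == "__main__":
    for name, path, dirs in audit_services(SAMPLE_WMIC_CSV):
        print(f"{name}: {path}")
        for d in dirs:
            print(f"    verify ACL denies non-admin write: {d}")
```

Fixing a finding means quoting the ImagePath (and checking the ACL on each listed directory), not merely removing the Power Users membership, because any group with write access to those directories has the same exposure.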
 
LVL 53

Expert Comment

by:McKnife
ID: 39935513
Hi Rich.

Please don't just write "yes there is" or I'll stick to my "no there isn't", then :)
What can they do from remote? What attack do you have in mind if they cannot log on locally/remotely?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39935715
>my question was more though, is there any risk given the scenario, i.e. is there any other methods of gaining access remotely to a server and its data if you dont have either RDP or local console access to the server.
Says "local console" (to me sounds like keyboard, physical access) or RDP... so WMI, remote registry service, and maybe other programs/services. While WMI and the remote registry service do use the 135, 139 and 445 ports, they do not depend on the shares. You can remotely install programs, or change settings via PowerShell, WMI and other tools like remote.exe.
The OP hasn't specified if the ports are closed and/or that services are disabled; I'm assuming "the worst" :)
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39936110
Please describe what motivated you to say power users can do something from remote. They cannot do more than standard users from remote.
0
 
LVL 3

Author Comment

by:pma111
ID: 39936264
can power users add themselves into the remote desktop users group, which does have RDP access? I know you can't add yourself to the administrators group, but remote desktop users? I didn't know whether any of the remote access tools Rich mentions could be used for remote local group management? maybe the computer management console?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39936347
You cannot execute commands remotely without admin access. Power users cannot act remotely. If you would only tell us why you would like to keep them in that group in the first place...?
0
 
LVL 3

Author Comment

by:pma111
ID: 39936411
What does it matter? The question was about understanding the risk in keeping them in there. Before taking action.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39936442
But your users cannot log on - I would really like to help you understand risks, but in this case, there is no difference if they are in there or not as they cannot log on.
0
 
LVL 3

Author Comment

by:pma111
ID: 39936468
so Rich's view that they (power users) can access the server remotely via various tools/services is incorrect?

Aside from that though, if the power user could log in either via RDP or locally, could they add users or themselves to the remote desktop users group? Also, I assume it's not default for domain users to be members of the power users group on older Windows versions?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39936484
on Rich's view: I hope he will explain soon.
On remote access in general: the ports that are open at the server correspond to services that are in the listening state. If those services do care for user rights at all, they will make no difference between restricted users and power users, only between administrators and non-admins; that's what I am trying to tell Rich.

> Also, I assume it's not default for domain users to be members of the power users group on older Windows versions? - no, it isn't and never was.

> if the power user could log in either via RDP or locally, could they add users or themselves to the remote desktop users group
- no, they cannot do account management tasks.
0
 
LVL 3

Author Comment

by:pma111
ID: 39936492
Ok thanks, this link seems a bit misleading then:

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_default_settings.mspx?mfr=true

"Create and manage local user accounts and groups." (albeit linked to XP, couldn't find similar for 2003).
0
 
LVL 3

Author Comment

by:pma111
ID: 39936497
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39936513
> seems to hint they can only edit accounts they have created themselves
Not quite. They can only manage groups that they themselves have created.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39936551
I'll stand behind what I've said; give me some time today and I'll have a remote power user placed into the admin group, reproducible by those here, if I was right :)
I just woke up, so I need coffee first.
-rich
0
 
LVL 3

Author Comment

by:pma111
ID: 39936553
Look forward to this Rich..
0
 
LVL 3

Author Comment

by:pma111
ID: 39936556
by the way ports 135 and 445 are open (epmap and microsoft ds)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39937668
I'm not done yet, but I may be wrong after all :) The power user doesn't have rights in the places I thought they might when remote. The local power user might as well be an administrator, even M$ says so: http://support.microsoft.com/kb/825069
http://blogs.technet.com/b/jesper_johansson/archive/2006/03/12/421870.aspx
That's with logon rights.

Nonetheless, a power user can't query much about a machine, but a fully updated 2003 machine, by default, is still vulnerable to null sessions and the null session can do much more than the power user account from remote...

PsExec was denied access for null and power user. Reg.exe (or regedit) had access to only HKU, not HKLM. This was NOT true for null sessions. I was able to use null sessions to query using WMI however, but not PowerUser.
From CMD:
net use \\ip.ip.ip.ip\ipc$ "" /user:""
wmic /node:ip.ip.ip.ip  process get name, executablepath, processid
wmic /node:ip.ip.ip.ip  bios get smbiosbiosversion, serialnumber
etc...

I checked wmimgmt.msc to see what might be writable and I didn't turn up anything with good WRITE permissions, but there are some, just not vital ones, and that's because of the Everyone group, not because of the PowerUsers group.

PowerUsers do not have C$ access from remote locations by default. YMMV but the default is no access. Mounting C$ as a remote drive doesn't work either naturally.

I was able to connect via MMC to 2003 as a power user and create accounts!! I was not able to simply place them in the administrators group; they defaulted to the USERS group. I was able to add more users into the power users group of the remote machine using the MMC. I could not add them to the Backup, Remote Desktop, or DCOM users groups. I was not able to change or stop services using MMC, nor view the event logs.
I did not try a domain controller, so I didn't test write permissions to the netlogon shares and/or possibly the logon scripts that run from there.

PowerUsers' remote abilities are limited, but I think most of us knew that locally (via RDP or console) they are not very limited. Null sessions by default are easy to fix, and perhaps your network already has the proper settings/GPOs.

Local power users have these abilities:
    Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.
    Install programs that do not modify operating system files or install system services.
    Customize system wide resources including printers, date, time, power options, and other Control Panel resources.
    Create and manage local user accounts and groups.
    Stop and start system services which are not started by default.
I couldn't create scheduled tasks from remote or locally, being authenticated or null session.
That's about all the time I have for this now; I didn't try using Metasploit or other tools, I was trying to be as "native" as possible. The null sessions+WMI was a surprise, that it worked as well as it did for reading. Writing did not work, by default; that is not to say that a non-default configuration would be more secure, it could be quite the opposite. YMMV I suppose.
I humbly stand corrected :) (for remote powerusers) other 3rd party services or programs were not taken into account, just a windows only 2003 instance.
-rich
0
 
LVL 3

Author Comment

by:pma111
ID: 39937752
Thanks Rich - in regards to null sessions, are you saying you could access admin shares and open documents on those via this method? How can you determine if null sessions are an option or not?
0
 
LVL 3

Author Comment

by:pma111
ID: 39937777
is the dumpsec tool using a null session to gather remote information?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39937885
I don't want to get off the original question too much. From what I tried, I could use a null session and WMIC to read about all you need to read about a server. There were no actions I could take with the null session beyond reading, well, for what I tried.
You can enumerate users and get information all about the system itself. It's more recon than exploit or escalation. The recon however could lead to more; again YMMV, you have to try it out on your own to see.
I'd say overwhelmingly McKnife was correct in this question and should get the points. Other topics can certainly be discussed in other Q's.

I may also be mistaken on the null session... I'm trying to reproduce after rebooting everything in the lab, and I get access denied now. I'm sure I can reproduce, but just not right now :( I'll have to double check my work (again)...
0
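pma111 asked above how to tell whether null sessions are an option on the server. The following Python is an added example, not from this thread and not a Microsoft tool: it parses the output of `reg query` against the two registry keys behind the "Network access" security options (RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous under Lsa; RestrictNullSessAccess, NullSessionPipes and NullSessionShares under LanmanServer\Parameters) and summarises what an anonymous connection may enumerate. The sample `reg query` output is constructed, and the defaults applied when a value is absent are an assumption (the Windows Server 2003 out-of-box values as documented), so compare the result against your own security baseline rather than treating it as authoritative.

```python
import re

# Registry keys behind the "Network access" security options (key names as
# printed by reg.exe; lookups below are case-insensitive).
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SRV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# Constructed sample of:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
#   reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
# Values are invented for this example, not captured from a real server.
# reg.exe prints REG_MULTI_SZ entries separated by a literal "\0".
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x0
    RestrictAnonymousSAM    REG_DWORD    0x1
    EveryoneIncludesAnonymous    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    NullSessionPipes    REG_MULTI_SZ    COMNAP\0COMNODE\0SQL\QUERY\0SPOOLSS\0LLSRPC\0browser\0
    NullSessionShares    REG_MULTI_SZ    COMCFG\0DFS$\0
    RestrictNullSessAccess    REG_DWORD    0x1
"""

# One value line: <indent> name  REG_TYPE  data  (value names with spaces are not handled,
# since reg.exe separates the columns with whitespace and they would be ambiguous).
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*?))?\s*$")


def parse_reg_query(text):
    """Parse reg query output into {key (lower-cased): {value name (lower-cased): (type, data)}}."""
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HKEY_"):
            current = line.strip().lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, rtype, data = m.group(1), m.group(2), m.group(3) or ""
            result[current][name.lower()] = (rtype, data)
    return result


def _dword(values, name, default):
    entry = values.get(name.lower())
    return default if entry is None else int(entry[1], 0)  # reg.exe prints DWORDs as 0x...


def _multi_sz(values, name):
    entry = values.get(name.lower())
    return [] if entry is None else [p for p in entry[1].split("\\0") if p]


def anonymous_access_posture(reg_text):
    """Summarise anonymous (null session) exposure from the two keys.
    Defaults for missing values are assumed to be the Windows Server 2003
    out-of-box settings; a missing value therefore reports the default posture."""
    keys = parse_reg_query(reg_text)
    lsa = keys.get(LSA_KEY.lower(), {})
    srv = keys.get(SRV_KEY.lower(), {})
    return {
        "anonymous_share_enum": _dword(lsa, "RestrictAnonymous", 0) == 0,
        "anonymous_sam_enum": _dword(lsa, "RestrictAnonymousSAM", 1) == 0,
        "everyone_includes_anonymous": _dword(lsa, "EveryoneIncludesAnonymous", 0) == 1,
        "null_session_access_restricted": _dword(srv, "RestrictNullSessAccess", 1) == 1,
        "null_session_pipes": _multi_sz(srv, "NullSessionPipes"),
        "null_session_shares": _multi_sz(srv, "NullSessionShares"),
    }


if __name__ == "__main__":
    for setting, value in anonymous_access_posture(SAMPLE_REG_OUTPUT).items():
        print(f"{setting}: {value}")
```

With the sample values the script reports that anonymous share enumeration is still allowed (RestrictAnonymous is 0) while SAM enumeration is blocked, which matches the "recon only" behaviour Rich describes; the NullSessionPipes and NullSessionShares lists show what a null session may reach even with RestrictNullSessAccess set. The same posture is set centrally through the corresponding Group Policy security options.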
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39938217
I was able to query the remote host using a credentialed reg.exe session; certain reg keys are easily queryable, maybe writable if you are in the power users group. You cannot enumerate all of, say, HKLM from its root.
net use \\ip.ip.ip.ip\ipc$ pass_here /u:user_name
reg query "\\ip.ip.ip.ip\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
This is also true of any user, to be able to query specific registry keys; again I haven't looked for WRITE rights yet.

I'm still looking into how I was getting WMI to return results from what I thought was a null session, but it might have been credentialed after all.
Fact remains for now, that PowerUsers remote are not as powerful as they are local.
-rich
0
