Privilege escalation is the exploitation of a bug, misconfiguration or design flaw in an operating system or application to obtain rights the attacker was never granted, and then to use those rights to read or change data or reach further systems. This blog post looks at some common ways privilege escalation can be mitigated on Windows hosts.
Prevent Privilege Escalation:
- Remove administrator rights from users with non-administrative roles: Most local privilege escalation bugs let a “low privilege” user reach SYSTEM without any authorization from an administrator, and an account that already sits in the local Administrators group needs no bug at all. Keep day-to-day user accounts as standard users, give each administrator a separate account that is used only for administrative work, and put those admin accounts in dedicated Active Directory groups (and organizational units) so membership can be reviewed and restricted by policy instead of being granted ad hoc. That way, even when a vulnerability exists, the account an attacker lands on has the least to offer.
- Control logon and startup scripts: Windows runs Group Policy logon scripts in the security context of the user who is logging on and startup scripts in the context of SYSTEM. A logon script therefore cannot hand a user more rights than they already hold, but a startup script that runs as SYSTEM from a location a standard user can write to is a direct path to SYSTEM, and a logon script that embeds credentials or calls a user-writable executable gives the same result. If you use logon or startup scripts, keep them where only administrators can modify them (the domain SYSVOL/NETLOGON shares or an ACL-restricted local folder), never embed passwords in them, remove scripts that are no longer needed, and do not rely on scripts to run with administrator rights.
- Limit local privileges: Once an attacker has any administrator-level foothold, a common next move is to create an additional local account with full privileges and use it for persistence and later logins. Limit the damage by doing daily work (mail, browsing, documents) from a standard user account, keeping separate elevated accounts for administrative tasks only, scoping each elevated account to its specific function, and auditing the local Administrators group so that unexpected members are noticed quickly.
- Disable SMBv1 and limit SMB exposure: Several remote code execution vulnerabilities in Windows 7 / 10 and Server 2008 / 2012 have been exploited through the SMB file sharing protocol, and through the legacy SMBv1 dialect in particular, which is old, rarely needed and lacks the security improvements of the later dialects. Every version of Windows from 2000 onwards speaks SMB: Windows 2000, XP and Server 2003 support only SMBv1, Windows Vista and Server 2008 added SMBv2, and Windows 8 and Server 2012 added SMBv3. Disable SMBv1 on every host that has no legacy dependency on it, and block inbound TCP port 445 at the host firewall on machines that do not need to serve files.
- Use strong, unique passwords for the remaining administrative accounts: After the steps above, a handful of administrative accounts still exist, and those are exactly the accounts an attacker will go after. Each one needs a long password that is unique to that account and, for local administrator accounts, unique to that machine; a local admin password shared across a fleet turns one compromised host into every host. Note that a value like “password1234567” is long but trivially guessable; length only helps when the password is not a dictionary word with a predictable suffix.
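The following PowerShell script is an added example, not code from the original post: it audits the two controls above that can be checked mechanically, local Administrators group membership and SMBv1, and offers a remediation step behind -WhatIf. It assumes Windows 10 / Server 2016 or later with the LocalAccounts and SmbShare modules; the $ApprovedAdmins list and the CONTOSO group name are placeholders you would replace with your own admin groups.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
#Requires -RunAsAdministrator

# Assumption: the only principals that should hold local admin rights on a
# workstation. Replace with your own tiered admin groups.
$ApprovedAdmins = @(
    'CONTOSO\Domain Admins',        # hypothetical; added to local Administrators on domain join
    'CONTOSO\Workstation Admins'    # hypothetical tier-1 admin group
)

function Get-UnapprovedLocalAdmin {
    [CmdletBinding()]
    param([string[]]$Approved = $ApprovedAdmins)

    # Get-LocalGroupMember reports Name as 'DOMAIN\name' or 'COMPUTER\name'.
    # The built-in Administrator account always has a SID ending in -500; keep it
    # (it is renamed on some builds, so match on the SID rather than the name).
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        ($Approved -notcontains $_.Name) -and
        (-not $_.SID.Value.EndsWith('-500'))
    }
}

function Remove-UnapprovedLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Approved = $ApprovedAdmins)

    foreach ($member in Get-UnapprovedLocalAdmin -Approved $Approved) {
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        }
    }
}

function Test-Smb1Enabled {
    # Two independent switches matter: the SMB server's protocol flag and the
    # SMB1 optional component. Both should be off. On Windows Server the
    # component is also exposed as the 'FS-SMB1' feature (Uninstall-WindowsFeature).
    $serverFlag = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature    = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
    [pscustomobject]@{
        ServerFlagEnabled = $serverFlag
        FeatureState      = $feature.State     # 'Enabled' / 'Disabled' / 'DisabledWithPayloadRemoved'
        Smb1Present       = $serverFlag -or ($feature.State -eq 'Enabled')
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('localhost', 'Disable SMBv1 server protocol and component')) {
        # -Force suppresses the interactive confirmation of Set-SmbServerConfiguration.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Removing the component needs a reboot to take full effect; -NoRestart defers it.
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    }
}

# Audit-only run. Drop -WhatIf on the last two lines to apply the changes.
Get-UnapprovedLocalAdmin | Format-Table Name, PrincipalSource, ObjectClass -AutoSize
Test-Smb1Enabled
Remove-UnapprovedLocalAdmin -WhatIf
Disable-Smb1 -WhatIf
```

Run it first with -WhatIf on a few representative machines and review the list of unapproved members; service accounts and vendor tools that were silently added to Administrators tend to show up here, and removing them blindly can break the software that depends on them.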
Important Points:
- Brute force protection (account lockout or rate limiting on logon attempts) is worthwhile, but it only protects the password; it does nothing for files and services whose permissions are too broad, so fix those ACLs as well.
- Do not store passwords in plaintext on the host: not in scripts, scheduled tasks, unattended-install answer files or registry run keys. A local privilege escalation frequently starts with a password found on disk.
- Privileged passwords should be long (at least 14 characters is a common baseline for administrative accounts); spaces and special characters are allowed and should not be prohibited, since restricting the character set only shrinks the search space.
- Passwords should never be reused. In particular, never reuse an administrator's password on any other account, and never share one local administrator password across multiple machines.
- Keep all systems up to date. Microsoft has published fixes for many privilege escalation vulnerabilities, such as CVE-2010-0294 and CVE-2010-0380. The Microsoft Security Bulletin Query Tool could be used to determine which operating systems were affected by a given bulletin; Microsoft has since retired security bulletins, and the same information is now published in the Microsoft Security Update Guide.
Countermeasures:
- Make scripts that need administrator rights ask for them explicitly: A script that performs an administrative action should verify at start that it is running with an elevated token (a member of the local Administrators group whose elevation has been approved through UAC) and stop immediately if it is not, rather than silently doing part of its work with whatever rights it happened to inherit. Launch such scripts with the “Run as Administrator” option, or declare the requirement inside the script (PowerShell's `#Requires -RunAsAdministrator`), so that the UAC prompt is the point at which the action is authorized, and use Group Policy (for example AppLocker rules) to restrict which scripts may run and from where.
- Disable rebooting the computer remotely: By default, Windows grants the “Force shutdown from a remote system” user right (SeRemoteShutdownPrivilege) to the Administrators group (and, on domain controllers, to Server Operators), which lets a remote caller reboot the machine with tools such as `shutdown /m \\host /r`. Review this right in Local Security Policy or Group Policy and leave it assigned only to the administrators who genuinely need it; an attacker who holds it can reboot a host at will, which is usually the step that activates a planted service or startup task.
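The following PowerShell script is an added example, not code from the original post, covering the two countermeasures above: a fail-fast elevation check that a script can run before doing any administrative work, and an audit of who holds the remote shutdown right. It assumes a Windows host where `secedit.exe` is available (it is on every supported Windows version) and that the audit function is itself run elevated, since exporting the local security policy requires it; the path of the temporary export file is an assumption.

```powershell
# Added example (not from the original post).

function Test-IsElevated {
    # True only when the current token is an *elevated* Administrators token.
    # A member of Administrators running without UAC approval holds a filtered
    # token and IsInRole(Administrator) returns $false for it.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-Elevated {
    # Fail fast: nothing below this call should run with a standard-user token.
    if (-not (Test-IsElevated)) {
        throw 'This script needs an elevated (UAC-approved) administrator token. ' +
              'Re-run it from a "Run as Administrator" prompt.'
    }
}

function Get-RemoteShutdownRightHolder {
    # Export the local security policy and read the SeRemoteShutdownPrivilege
    # line from its [Privilege Rights] section. Entries are SIDs prefixed with
    # '*' (e.g. *S-1-5-32-544 for BUILTIN\Administrators); translate to names.
    Assert-Elevated
    $export = Join-Path $env:TEMP 'secpol-audit.inf'     # assumed temp path
    try {
        & secedit.exe /export /cfg $export /quiet | Out-Null
        $line = Get-Content $export -ErrorAction Stop |
                Where-Object { $_ -match '^\s*SeRemoteShutdownPrivilege\s*=' }
        if (-not $line) { return @() }                  # right assigned to nobody

        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $sidText = $_.Trim().TrimStart('*')
            try {
                ([Security.Principal.SecurityIdentifier]$sidText).
                    Translate([Security.Principal.NTAccount]).Value
            } catch {
                $sidText                                 # unresolvable or already a name
            }
        }
    } finally {
        Remove-Item $export -ErrorAction SilentlyContinue
    }
}

# --- Usage -------------------------------------------------------------------
# 1. Guard an administrative script. Put this at the very top, before any work:
Assert-Elevated

# 2. Audit the remote shutdown right. Anything other than Administrators
#    (and Server Operators on a domain controller) deserves a closer look.
$holders = Get-RemoteShutdownRightHolder
$holders | ForEach-Object { "SeRemoteShutdownPrivilege: $_" }
$unexpected = $holders | Where-Object { $_ -notmatch 'BUILTIN\\(Administrators|Server Operators)$' }
if ($unexpected) { Write-Warning ("Unexpected holders of remote shutdown right: " + ($unexpected -join ', ')) }
```

Note the difference between being a member of Administrators and holding an elevated token: under UAC the same account gets both, and `Test-IsElevated` deliberately tests the latter, which is why it must not be replaced by a group-membership lookup. The audit prints holders rather than changing the assignment; removing a user right is done through Group Policy (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment) so that it stays enforced after the next policy refresh.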
Conclusion:
Remember that strong passwords, disabling SMBv1, and restricting remote reboots raise the cost of privilege escalation but do not remove it. They also do nothing against escalation that starts from the user's own rights, for example when a user opens a malicious file and the attacker simply inherits whatever that account can do, which is why the standard-user and separate-admin-account rules above matter most. Requiring an explicit elevation check before a script can act is one more step in the administrator's day, and it is not always convenient, but that friction is the point: it makes every privileged action a deliberate, authorized one. There is no single setting that eliminates privilege escalation. Microsoft's Server Core installation option is a useful part of the picture because it removes most of the graphical shell and the components that come with it, which means fewer patches and a smaller attack surface, and because it is designed to be managed remotely from another machine; it still has a logon prompt and a command shell, however, and a Server Core host can still be escalated through a vulnerable service or a misconfiguration. Treat it as attack surface reduction, not as a complete solution.