Too many SIDs in access token


Advanced Windows Security: Interesting Details and UAC
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker |
CHFI: Computer Hacking Forensic Investigator
[email protected] | www.sevecek.com |
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Specialties and demos
Advanced Windows Security
Too many SIDs in access token
• An access token can hold at most 1025 SIDs
• With more than that, the user cannot log on
  - the access token cannot be created
  - 0xC000015A = STATUS_TOO_MANY_CONTEXT_IDS
• The Account Logon event on the DC nevertheless shows success, because Kerberos authentication itself works fine; the failure happens only when the token is built on the logon machine
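The two checks a defender wants here, as an added example that is not part of the slides: how close the current logon token is to the SID limit the slide quotes, and whether the local Security log already contains logon failures carrying STATUS_TOO_MANY_CONTEXT_IDS. The limit constant is taken from the slide; the assumption that a 4625 event on the logon machine reports the NTSTATUS in its `Status` field as a lowercase hex string is mine, not the slide's.

```powershell
# Added example (not from the slides): measure token SID usage against the
# limit quoted on the slide and look for logon failures with
# STATUS_TOO_MANY_CONTEXT_IDS in the local Security log.

$SidLimit = 1025                       # limit as stated on the slide
$StatusTooManyContextIds = 0xC000015A  # STATUS_TOO_MANY_CONTEXT_IDS

function Get-TokenSidUsage {
    # The user SID plus every group SID present in the current token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $count = 1 + $identity.Groups.Count
    [pscustomobject]@{
        User        = $identity.Name
        SidCount    = $count
        Limit       = $SidLimit
        PercentUsed = [math]::Round(100 * $count / $SidLimit, 1)
        Headroom    = $SidLimit - $count
    }
}

function Get-TooManySidLogonFailures {
    param([int] $Days = 7)
    # Assumption: 4625 (logon failure) stores the NTSTATUS in the 'Status'
    # data field as a lowercase hex string such as '0xc000015a'.
    $status = '0x{0:x8}' -f $StatusTooManyContextIds
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML so fields are addressed by name, not by position
        $x = [xml] $_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($d.Status -eq $status) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $d.LogonType
                Status    = $d.Status
            }
        }
    }
}

Get-TokenSidUsage
Get-TooManySidLogonFailures -Days 30
```

Run it on the machine where the user fails to log on, not on the DC: as the slide says, the DC only sees a successful Kerberos exchange. Reading the Security log requires an elevated session.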
Translating SIDs in PowerShell
# SID -> account name
'S-1-5-18', 'S-1-5-32-544' |
    Select-Object @{ n = 'SID' ; e = { $_ } },
                  @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Security.Principal.NTAccount]).Value } }

# Account name -> SID
'Administrators', 'NT AUTHORITY\Network Service' |
    Select-Object @{ n = 'Name' ; e = { $_ } },
                  @{ n = 'SID' ; e = { (New-Object System.Security.Principal.NTAccount $_).Translate([System.Security.Principal.SecurityIdentifier]).Value } }

# Find a SID in free text
$rxSID = '[Ss]-1(?:-\d+){1,}'
[regex]::Match('This SID S-1-5-80-3964583643-2633443559-28344389353739664028-1580655619 has been detected', $rxSID).Value
Deleted domain user accounts
• AD LDAP replication relies on tombstones
• Deleted objects remain in the database as tombstones
  - for the tombstone lifetime
  - 60/180/360 days, or whatever is configured manually
• The tombstone still keeps the SID and samAccountName
Enumerating all users and groups in PowerShell
# Try every RID under the domain SID and keep the ones that resolve to a name;
# SIDs that do not exist make Translate() fail and leave Name empty
(1..10000) | ForEach-Object { "S-1-5-21-2533895723-4202532492-454630010-$_" } |
    Select-Object @{ n = 'SID' ; e = { $_ } },
                  @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Security.Principal.NTAccount]).Value } } -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne $null }
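The translation snippets above stop with an exception the moment a SID no longer resolves, which is exactly the case the deleted-accounts slide describes: a tombstoned account's SID survives in ACLs long after its name is gone. The following is an added example, not code from the slides: it wraps the translation in a function that reports unresolvable SIDs instead of aborting, pulls SIDs out of free text with the slide's regex, and, where the RSAT ActiveDirectory module is present, checks the tombstones for a deleted object with that SID. The sample ACL dump and its domain SID are constructed for the example.

```powershell
# Added example (not from the slides): resolve SIDs without aborting on the
# first unresolvable one, extract SIDs from text, and check AD tombstones for
# SIDs that belong to deleted accounts.
$rxSID = '[Ss]-1(?:-\d+){1,}'     # regex from the slides

function Resolve-Sid {
    param([Parameter(Mandatory)][string] $Sid)
    try {
        $id   = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ SID = $Sid; Name = $name; Resolved = $true }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Orphaned SID: deleted account, removed trust, or no DC reachable
        [pscustomobject]@{ SID = $Sid; Name = $null; Resolved = $false }
    } catch {
        # Not a syntactically valid SID at all
        [pscustomobject]@{ SID = $Sid; Name = "<invalid: $($_.Exception.Message)>"; Resolved = $false }
    }
}

function Find-SidInText {
    param([Parameter(Mandatory)][string] $Text)
    [regex]::Matches($Text, $rxSID) |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique |
        ForEach-Object { Resolve-Sid -Sid $_ }
}

function Find-DeletedObjectBySid {
    param([Parameter(Mandatory)][string] $Sid)
    # Assumption: the RSAT ActiveDirectory module is installed. Tombstones keep
    # objectSid and sAMAccountName, so a deleted account is still findable by SID.
    if (-not (Get-Module -ListAvailable ActiveDirectory)) { return $null }
    Get-ADObject -Filter "objectSid -eq '$Sid'" -IncludeDeletedObjects -Properties sAMAccountName, isDeleted, whenChanged |
        Select-Object Name, sAMAccountName, isDeleted, whenChanged
}

# Constructed sample: an ACL dump mixing well-known SIDs with a domain SID.
# The domain SID and RID below are made up for this example.
$sample = @'
Owner:  S-1-5-32-544
Access: S-1-5-18 FullControl
Access: S-1-5-21-1234567890-1234567890-1234567890-1105 Modify
'@

$results = Find-SidInText -Text $sample
$results | Format-Table -AutoSize

# For every domain SID that did not resolve, ask AD whether it is a deleted object
$results | Where-Object { -not $_.Resolved -and $_.SID -match '^S-1-5-21-' } |
    ForEach-Object { Find-DeletedObjectBySid -Sid $_.SID }
```

PowerShell matches `catch` clauses against the inner exception of a method-invocation error, so the `IdentityNotMappedException` clause catches the failure of `Translate()` directly. Against the constructed sample, the two well-known SIDs resolve to `BUILTIN\Administrators` and `NT AUTHORITY\SYSTEM`, and the made-up domain SID is reported as unresolved.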
Example: IIS app pool identity
• Running an IIS application pool as Network Service lets it receive authenticated traffic from the network
• It also lets the pool access the network authenticated as the computer's domain account
• Running an IIS application pool as Local Service prevents that remote access (the pool has no credentials on the network)
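An inventory script that applies this point, added here and not part of the slides: it lists every application pool with its identity, flags the ones that carry the computer account onto the network, and offers a one-liner to move a pool that needs no authenticated outbound access to Local Service. It assumes the WebAdministration module that ships with the IIS role; `ExamplePool` is a placeholder name.

```powershell
# Added example (not from the slides): audit IIS application pool identities
# and switch a pool to Local Service. Assumes the WebAdministration module.
Import-Module WebAdministration

function Get-AppPoolIdentityReport {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $type = [string] $_.processModel.identityType
        $user = $null
        if ($type -eq 'SpecificUser') { $user = $_.processModel.userName }
        [pscustomobject]@{
            Pool         = $_.Name
            IdentityType = $type
            # NetworkService and LocalSystem authenticate to other hosts as the
            # computer account; LocalService and ApplicationPoolIdentity do not.
            # For SpecificUser the configured account decides.
            CanAuthenticateAsComputer = $type -in 'NetworkService', 'LocalSystem'
            UserName     = $user
        }
    }
}

function Set-AppPoolToLocalService {
    param([Parameter(Mandatory)][string] $PoolName)
    # Only for pools that never need to reach network resources as the computer
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value 'LocalService'
    Restart-WebAppPool -Name $PoolName
}

Get-AppPoolIdentityReport | Format-Table -AutoSize
# Set-AppPoolToLocalService -PoolName 'ExamplePool'   # placeholder pool name
```

Review the `CanAuthenticateAsComputer` column before changing anything: a pool that reads a remote SQL Server or file share with integrated authentication will break under Local Service, which is precisely the behaviour the slide describes.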
User Account Control
Advanced Windows Security
Restricted Users
• Users often work as local Administrators
  - users on workstations/notebooks
  - local administrators on servers
• We may want to restrict their default permissions and rights
  - and let them elevate when required
• Does not apply to remote (network) connections
UAC Options on Windows 7
UAC Options on Windows 8
• Only displays the settings
• You must use the policy
Restricting Local Administrators
• Windows XP and newer can restrict local Administrators
  - enforced by default on Windows Vista+
  - must use Run As on Windows XP
• LSASS can issue a restricted access token
  - the Administrators and Domain Admins groups are marked as Deny (deny-only)
  - only basic user rights are enabled
• LSASS maintains two separate Kerberos ticket caches, one per logon session (restricted and full)
“Deny” Groups in Access Token
• For Allow ACEs, the user is not a member of the group
  - whatever is granted to the group does not apply to the user
• For Deny ACEs, the user is still a member of the group
  - whatever is explicitly denied to the group still applies
  - not a common case for Administrators, but still good to know
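The restricted token and its deny-only groups can be seen from inside a session. The following is an added example, not code from the slides: it parses the output of the built-in `whoami /groups`, which reports the `Group used for deny only` attribute LSASS sets, and contrasts it with the .NET `WindowsPrincipal.IsInRole` check, which ignores deny-only SIDs and therefore answers `False` for Administrators under the filtered token and `True` in an elevated one. Nothing beyond built-in tools is assumed.

```powershell
# Added example (not from the slides): inspect the current token for deny-only
# groups and show how a membership check treats them.

function Get-TokenGroupReport {
    # whoami /groups lists every group SID with its attributes; LSASS marks the
    # filtered Administrators group as 'Group used for deny only'.
    whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Group    = $_.'Group Name'
            Type     = $_.Type
            SID      = $_.SID
            DenyOnly = [bool] ($_.Attributes -match 'deny only')
            Enabled  = [bool] ($_.Attributes -match 'Enabled group')
        }
    }
}

function Test-TokenRestricted {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal] $identity
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier(
                    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $groups    = @(Get-TokenGroupReport)
    $admin     = $groups | Where-Object { $_.SID -eq $adminSid.Value }
    [pscustomobject]@{
        User                   = $identity.Name
        AdministratorsInToken  = [bool] $admin
        AdministratorsDenyOnly = [bool] ($admin -and $admin.DenyOnly)
        # IsInRole honours deny-only: False under the filtered token, True when elevated
        IsInRoleAdministrator  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        DenyOnlyGroupCount     = @($groups | Where-Object DenyOnly).Count
    }
}

Test-TokenRestricted
Get-TokenGroupReport | Where-Object DenyOnly | Format-Table -AutoSize
```

Run it twice, once from a normal prompt and once from an elevated one, to see the Administrators row flip from deny-only to enabled while the user name stays the same; that is the linked pair of tokens the previous slide attributes to LSASS.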

Deny Group in Access Token
UAC on Windows XP and 2003
Thank you for your attention