posted by janrinok on Tuesday October 11 2016, @12:31AM
from the easy-peasy dept.

Microsoft's PowerShell feature "Just Enough Administration" (JEA) is, apparently, "way too much administration" according to researcher Matt Weeks.

In this write-up of JEA, root9B researcher and Metasploit module developer Weeks says JEA profiles aren't much of a barrier, since people with JEA profiles can escalate themselves to sysadmin status. Cutting to the conclusion:

"Every JEA profile I had found Microsoft has published can be bypassed to obtain complete system administrative rights, most of them immediately, reliably, and without requiring any special configuration."

The idea with JEA is to provide granular administrative profile management – a good thing, if only it worked out that way.

By way of demonstration, Weeks provides a variety of examples in which capabilities in JEA are exploitable.

One is the Add-Computer cmdlet, used to add a computer to a domain or change its domain, which Weeks calls "a reliable vector to break the JEA security barrier, and escalate privileges to complete unrestricted system control".

The attack needs no exploit code: a JEA user runs Add-Computer to join the machine to a domain whose Domain Controller the attacker controls, and the machine then pulls its group policy from that controller.

Result? Success: the victim machine "will pull group policy settings from your new server, enabling you via a group policy configuration to change any setting, drop the firewall, execute any command as system via startup scripts or scheduled tasks, or directly log in as the domain admin. You have broken the 'security barrier' and have full unrestricted administrative control over the system."
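The cmdlet-exposure problem the write-up describes can be caught before a JEA endpoint is registered, by reading the role capability files that define what each role may run. The PowerShell below is an added example, not code from the article or from Weeks' write-up. It builds two constructed role capability files, a weak one that exposes Add-Computer and a hardened version of the same role that does not, and a small audit function that flags cmdlets which let a constrained user change who administers the host, including cmdlets reached through wildcard entries. The file contents, the temp directory, and every deny-list entry other than Add-Computer are assumptions made for illustration.

```powershell
# Added example (not from the article or Matt Weeks' write-up): audit JEA role
# capability (.psrc) files for cmdlets that let a constrained user break out.
# Assumptions: the sample files below are constructed; the deny-list starts from the
# one cmdlet the article names and the other entries are illustrative.

# Constructed sample: a weak role capability, in the shape New-PSRoleCapabilityFile
# writes. It exposes Add-Computer, which lets the operator re-join the host to a
# domain they control and then take it over through group policy.
$WeakPsrc = @'
@{
    Description      = 'Help-desk role (weak): can join or leave domains'
    VisibleCmdlets   = 'Restart-Service', 'Add-Computer', 'Get-Process'
    VisibleFunctions = 'Get-DiskUsage'
}
'@

# Hardened version of the same role: Add-Computer is gone and Restart-Service is
# pinned to the parameter values the role actually needs.
$HardenedPsrc = @'
@{
    Description      = 'Help-desk role (hardened): no domain-membership changes'
    VisibleCmdlets   = @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
                       'Get-Process'
    VisibleFunctions = 'Get-DiskUsage'
}
'@

# Cmdlets that change domain membership of the box. Only Add-Computer is named by
# the article; Remove-Computer and Rename-Computer are added here as an assumption.
$DangerousCmdlets = 'Add-Computer', 'Remove-Computer', 'Rename-Computer'

function Test-JeaRoleCapability {
    param([Parameter(Mandatory)][string]$Path)

    # A .psrc is a single hashtable in restricted language; this reads it without executing code.
    $role = Import-PowerShellDataFile -Path $Path
    $findings = @()

    foreach ($entry in @($role.VisibleCmdlets)) {
        # Entries are either a bare name (possibly wildcarded, e.g. 'Add-*' or '*')
        # or a hashtable with Name/Parameters.
        $name = if ($entry -is [hashtable]) { [string]$entry.Name } else { [string]$entry }
        foreach ($bad in $DangerousCmdlets) {
            # -like treats the right-hand side as a wildcard pattern, so a broad
            # entry such as 'Add-*' or '*' is reported as exposing the cmdlet too.
            if ($bad -like $name) {
                $findings += [pscustomobject]@{ File = $Path; Entry = $name; Exposes = $bad }
            }
        }
    }
    $findings
}

# Write the two constructed files to a temp directory and audit both.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'jea-audit'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'Weak.psrc')     -Value $WeakPsrc
Set-Content -Path (Join-Path $dir 'Hardened.psrc') -Value $HardenedPsrc

Get-ChildItem -Path $dir -Filter *.psrc |
    ForEach-Object { Test-JeaRoleCapability -Path $_.FullName } |
    Format-Table -AutoSize
# Weak.psrc is reported once (Entry Add-Computer, Exposes Add-Computer); Hardened.psrc produces no finding.
```

Auditing the files catches the mistake at authoring time, but a user's effective command set is the union of every role they are mapped to, so the same check is worth repeating against the registered endpoint with Get-PSSessionCapability -ConfigurationName and -Username for each mapped account. Dropping Add-Computer also does not make a role safe on its own; the quote from Weeks above is about every profile he examined, so each remaining cmdlet still needs to be read with the question "can this change who administers the box?" in mind.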


  • (Score: 4, Informative) by edIII (791) on Tuesday October 11 2016, @12:59AM (#412733)

    The only barrier Microsoft cares about is the one in between the user's telemetry and Microsoft. Security? Only unless Telemetry is at risk, and only if it doesn't put Telemetry at risk.

    Microsoft has never, at any point in time, been a secure operating system once you had access. Privilege escalation was pretty much assumed, and if you wanted to be safe... disconnect from the Internet or use NAT.

    In most cases, if you can touch a keyboard connected to a machine running Microsoft, sysadmin rights are moments away.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2, Informative) by Anonymous Coward on Tuesday October 11 2016, @02:52AM (#412773)

    Use NAT? Bollocks. Get yourself a real honest to goodness stateful firewall and you'll have all the safety that NAT supposedly gives and more. Repeat after me: NAT is NOT a security measure! It only looks that way because in order to implement NAT you need to have some of the functionality of a stateful firewall, but security is secondary to it and it can be easily circumvented. A true routable IP address behind a properly configured stateful firewall will be more secure than an RFC1918 host living behind a NAT.
    Use NAT? Bollocks. Get yourself a real honest to goodness stateful firewall and you'll have all the safety that NAT supposedly gives and more. Repeat after me: NAT is NOT a security measure! It only looks that way because in order to implement NAT you need to have some of the functionality of a stateful firewall, but security is secondary to it and it can be easily circumvented. A true routable IP address behind a properly configured stateful firewall will be more secure than an RFC1918 host living behind a NAT.