Security Researcher to Microsoft: Powershell's Admin-Lite Scheme is an Open Door

Accepted submission by Arthur T Knackerbracket at 2016-10-10 14:01:21
Security

Story automatically generated by StoryBot Version 0.2.1 rel 20161002.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [TheRegister]

Time: 2016-10-10 01:37:24 UTC

Original URL: http://www.theregister.co.uk/2016/10/10/security_bod_to_microsoft_your_powershell_jea_feature_isnt_a_barrier_its_an_open_door/ [theregister.co.uk] using UTF-8 encoding.

Title: Security Bod To Msft: Powershell'S Admin-Lite Scheme Is An Open Door

Arthur T Knackerbracket has found the following story [theregister.co.uk]:

Microsoft's PowerShell feature "Just Enough Administration" (JEA) is, apparently, "way too much administration" according to researcher Matt Weeks.

In this write-up of JEA [scriptjunkie.us], root9B and Metasploit module developer Weeks says JEA profiles aren't much of a barrier, since people with JEA profiles can escalate themselves to sysadmin status. Cutting to the conclusion:

The idea with JEA is to provide granular administrative profile management – a good thing, if only it worked out that way.

By way of demonstration, Weeks provides a variety of examples in which capabilities in JEA are exploitable.

The Add-Computer "cmdlet", used to add a computer to a domain or change its domain, is one: Weeks says it is "a reliable vector to break the JEA security barrier, and escalate privileges to complete unrestricted system control".

His attack doesn't use any hacks-or-cracks stuff: it ends with the newly joined computer pulling its group policy settings from an attacker-controlled Domain Controller.

Result? Success: the victim machine "will pull group policy settings from your new server, enabling you via a group policy configuration to change any setting, drop the firewall, execute any command as system via startup scripts or scheduled tasks, or directly log in as the domain admin. You have broken the 'security barrier' and have full unrestricted administrative control over the system."

There are slips in the Microsoft-provided JEA General Profile too: an attacker can launch the New-Service cmdlet (any command run through a new service is launched with SYSTEM rights), and Get-WinEvent and Get-EventLog, while giving admins access to event logs, are also "a critical vulnerability" because they can reveal admin account passwords.
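As an added illustration from the defender's side, and not code from the article or from Weeks' write-up: the script below audits JEA role capability (.psrc) files for the cmdlets the story names (Add-Computer, New-Service, Get-WinEvent, Get-EventLog), treats wildcard entries such as Get-* as exposures, and writes out a tightened role beside a session configuration that uses it. It assumes PowerShell 5.1 or later on Windows; the two sample .psrc files, the Spooler service constraint and the CONTOSO\Helpdesk group are constructed for the demo, not taken from any shipped profile.

```powershell
# Added example, not code from the article or from Weeks' write-up: audit JEA role
# capability (.psrc) files for the cmdlets the story names as escalation vectors.
# Assumes PowerShell 5.1 or later (Import-PowerShellDataFile, RoleCapabilityFiles).
# The .psrc files, the Spooler constraint and the CONTOSO\Helpdesk group are constructed.

# Cmdlets the story names, with the reason it gives for each.
$RiskyCmdlets = @{
    'Add-Computer' = 'rejoins the host to a domain of the caller''s choosing; group policy then follows'
    'New-Service'  = 'anything run through a new service is launched with SYSTEM rights'
    'Get-WinEvent' = 'event log contents can reveal admin account passwords'
    'Get-EventLog' = 'event log contents can reveal admin account passwords'
}

function Get-JeaVisibleCmdletName {
    param([Parameter(Mandatory)][hashtable]$RoleCapability)
    # VisibleCmdlets entries are plain strings ('Get-Service') or hashtables with a
    # Name key and optional Parameters (@{ Name = 'Restart-Service'; Parameters = ... }).
    foreach ($entry in @($RoleCapability.VisibleCmdlets)) {
        if ($entry -is [hashtable]) { [string]$entry.Name } else { [string]$entry }
    }
}

function Test-JeaRoleCapabilityFile {
    param([Parameter(Mandatory)][string]$Path)
    $data = Import-PowerShellDataFile -Path $Path
    foreach ($visible in Get-JeaVisibleCmdletName -RoleCapability $data) {
        # Treat each entry as a wildcard pattern: 'Get-*' or '*' exposes every risky
        # name it matches, so every risky cmdlet is tested against it.
        foreach ($risky in ($RiskyCmdlets.Keys | Sort-Object)) {
            if ($risky -like $visible) {
                [pscustomobject]@{
                    File    = Split-Path -Leaf $Path
                    Entry   = $visible
                    Exposes = $risky
                    Reason  = $RiskyCmdlets[$risky]
                }
            }
        }
    }
}

# --- constructed sample role capabilities ----------------------------------
$demoDir = Join-Path ([IO.Path]::GetTempPath()) 'jea-audit-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# A loose role: the named cmdlets plus a Get-* wildcard.
@'
@{
    VisibleCmdlets = 'Add-Computer', 'New-Service', 'Restart-Service', 'Get-*'
}
'@ | Set-Content -Path (Join-Path $demoDir 'Loose.psrc')

# A tightened role: only what the task needs, with the parameter value pinned
# so the role cannot be pointed at an arbitrary service.
@'
@{
    VisibleCmdlets = @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
                     @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
}
'@ | Set-Content -Path (Join-Path $demoDir 'Tight.psrc')

# Audit every role file in the directory.
Get-ChildItem -Path $demoDir -Filter *.psrc |
    ForEach-Object { Test-JeaRoleCapabilityFile -Path $_.FullName } |
    Format-Table -AutoSize

# A session configuration that exposes only the tightened role: a restricted
# endpoint, a virtual account instead of the caller's own credentials, and one
# mapped group. Registering it needs an elevated session, so only the file is
# generated here.
$sessionParams = @{
    Path                = (Join-Path $demoDir 'Helpdesk.pssc')
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    RoleDefinitions     = @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilityFiles = (Join-Path $demoDir 'Tight.psrc') } }
}
New-PSSessionConfigurationFile @sessionParams
```

The audit treats every VisibleCmdlets entry as a wildcard pattern because that is how JEA itself interprets it, so a role that lists Get-* is reported against each log cmdlet it would expose; the tightened role shows the shape the story's conclusion points at, a short allow-list with parameter values pinned, rather than a broad profile with exceptions.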

There are also vulnerabilities in the JEA Web server admin profiles, he claims.

Weeks says Microsoft has promised to update its JEA documentation, making it clear that people with JEA profiles should be managed as closely as anybody else with administrative access.

Weeks' previous work includes creating a Metasploit module [theregister.co.uk] that attacked the favourite software of "your computer has been hacked" phone scammers. ®
