Friday, January 8, 2010

Part-time Superman

The other night I went out for a few pints with a mate who is a network manager at a prison. We were discussing a new application that he is rolling out to inmates, and as I asked questions it came out that he, along with all the other network admins, has Domain Admin privileges on his day-to-day user account, and all IT staff have local admin privileges. I was shocked that in a prison more emphasis wasn't placed on network security. My mate explained that although all the books he had read and all the courses he had attended had always recommended that you should only have the minimum privileges necessary to do your job, the reason for having these admin rights is that it's impossible to work without them. I told him that I thought that was total bollocks and that, thanks to Conficker, I had managed to push through policies at my workplace where no IT staff member has Domain Admin rights on their day-to-day account and no user (including IT staff) has local admin rights. I spent the next half hour or so explaining that this wasn't about preventing the admins from having god-like control over their computers; it's about having the least privileges needed to perform a particular function.

Having a policy that puts IT administrators into the local Administrators group puts every workstation at risk if an IT administrator's PC is compromised or infected with malware. Having users with Domain Admin rights on their day-to-day accounts puts not only every workstation but every server at risk as well. Hopefully by the end of my drunken rant he got the idea.

OK, so the way I have achieved this level of account control is by the use of SuperUser accounts. Each administrator has their normal day-to-day account, which is as restricted as a normal user's, and they also have a SuperUser account. The SuperUser accounts have local admin and Domain Admin privileges, but they have no mailboxes or Internet access. This forces the admins to use their day-to-day account to log in and work as normal. Admittedly this does mean there are more accounts to keep track of, but I have a few PowerShell scripts that I regularly run to help with that.

When an admin needs to remote onto a server he uses his SuperUser account, which provides a useful audit trail that isn't achievable if all admins share the built-in Administrator account. When an admin needs to run tools from his PC I advise them to use the RunAs command. I have the following shortcuts set up on my computer, which cover nearly everything I have to do.

Command Prompt
When I launch cmd.exe I'm prompted for my SuperUser password, then everything I run from the shell is within the context of my SuperUser account.

C:\WINDOWS\system32\runas.exe /user:DomainName\SuperUserAccount "C:\WINDOWS\system32\cmd.exe"

PowerShell
I have configured a PowerShell shortcut to run as my SuperUser account. I also have a standard PowerShell shortcut that I use where possible. The elevated shortcut uses the following command:

C:\WINDOWS\system32\runas.exe /user:DomainName\SuperUserAccount "C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe"

Windows Explorer
The Explorer shortcut is really handy if I need to browse the file systems of remote servers. The shortcut uses the following command:

C:\WINDOWS\system32\runas.exe /user:DomainName\SuperUserAccount "explorer /separate"

Custom MMC
I have created a custom MMC with the snap-ins I require to perform admin tasks, such as Active Directory Users and Computers, Sites and Services, Computer Management and a few others. I have saved the MMC in a directory that's easy to launch from a command prompt running as my SuperUser account.

Any other programs that need to run under elevated permissions are either run using the RunAs command or I right-click on them and use Run as from the context menu.
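The shortcuts above are one-liners typed into a shortcut target. As an added example that is not part of the original post, here is a PowerShell equivalent that wraps the same four launches behind a single function, derives the SuperUser name from the day-to-day account using the post's "-superuser" naming convention, and includes a check that the current session is not itself holding local Administrators or Domain Admins (which is exactly the condition the policy is meant to prevent). The domain name "DomainName" and the MMC path are assumptions, as is the naming convention itself.

```powershell
# Added example (not the post's own script).
# Assumptions: the SuperUser account is named <day-to-day account>-superuser in
# domain 'DomainName', and the custom MMC is saved at C:\Admin\AdminTools.msc.

function Test-IsPrivilegedSession {
    # Returns $true if the current token is in local Administrators or Domain Admins.
    # On a properly restricted day-to-day account this should return $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    $localAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Domain Admins is the well-known RID 512 relative to the account's domain SID.
    $domainAdmin = $false
    $domainSid = $identity.User.AccountDomainSid
    if ($domainSid -ne $null) {
        $daSid = New-Object Security.Principal.SecurityIdentifier(
            [Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
        $domainAdmin = $principal.IsInRole($daSid)
    }
    return ($localAdmin -or $domainAdmin)
}

function Start-SuperUserTool {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('cmd', 'powershell', 'explorer', 'mmc')]
        [string]$Tool,
        [string]$Domain  = 'DomainName',               # assumption: NetBIOS domain name
        [string]$MmcPath = 'C:\Admin\AdminTools.msc'   # assumption: the saved custom MMC
    )

    # Refuse to launch if this session already carries admin rights: the whole point
    # is that elevation happens only for the SuperUser process, never for the desktop.
    if (Test-IsPrivilegedSession) {
        Write-Warning "This session already holds admin rights; log in with your day-to-day account instead."
        return
    }

    $superUser = "$Domain\$($env:USERNAME)-superuser"
    # Prompts for the SuperUser password, equivalent to the runas prompt.
    $cred = Get-Credential $superUser
    if ($cred -eq $null) { return }

    $sys = Join-Path $env:SystemRoot 'system32'
    $argList = $null
    switch ($Tool) {
        'cmd'        { $exe = Join-Path $sys 'cmd.exe' }
        'powershell' { $exe = Join-Path $sys 'WindowsPowerShell\v1.0\powershell.exe' }
        'explorer'   { $exe = Join-Path $sys 'explorer.exe'; $argList = '/separate' }
        'mmc'        { $exe = Join-Path $sys 'mmc.exe';      $argList = "`"$MmcPath`"" }
    }

    # Start-Process -Credential creates the new process under the SuperUser token,
    # leaving the calling desktop session unprivileged.
    if ($argList) {
        Start-Process -FilePath $exe -ArgumentList $argList -Credential $cred
    } else {
        Start-Process -FilePath $exe -Credential $cred
    }
}

# Usage:
#   Test-IsPrivilegedSession          # expect False on a day-to-day account
#   Start-SuperUserTool -Tool cmd
#   Start-SuperUserTool -Tool mmc -MmcPath 'D:\Tools\MyConsole.msc'
```

The pre-launch check is deliberately strict: if it ever returns True on a day-to-day account, that account has drifted back into a privileged group and the membership audit below the post's script is the place to find out how.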

The PowerShell function I created to regularly check the SuperUser accounts' group membership is quite simple and works well, as all the SuperUser accounts are named similarly.

Function Check-SuperUsers {
    Write-Host "SuperUser Group Membership" -ForegroundColor Yellow
    # Quest AD cmdlets: find every account that follows the SuperUser naming convention
    $names = Get-QADUser -SizeLimit 0 -SamAccountName "*-superuser"
    Foreach ($name in $names) {
        Write-Host $name -ForegroundColor Red
        $user = Get-QADUser $name
        $groups = $user.MemberOf
        Foreach ($group in $groups) {
            # MemberOf holds distinguished names; keep only the CN part for display
            $strGroup = $group.Split(',')[0]
            $strGroup = $strGroup.Split('=')[1]
            Write-Host "    $strGroup"
        }
    }
}
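The function above answers "which groups is each SuperUser in?". The question a defender also wants answered is the reverse: "which accounts in the privileged groups are not SuperUser accounts?", because that is how a day-to-day account with Domain Admin rights shows up. The following is an added example, not the post's script; it uses the Microsoft ActiveDirectory module rather than the Quest cmdlets the post uses, so it assumes RSAT is installed, and the "*-superuser" naming convention is taken from the post.

```powershell
# Added example (not the post's own code). Assumes the ActiveDirectory module (RSAT)
# and the post's convention that all privileged accounts are named *-superuser.

function Find-PrivilegedAccountViolations {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [string]$SuperUserPattern = '*-superuser'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $violations = @()
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so an account granted rights through a
        # group-in-a-group is still reported.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') { continue }
            if ($m.SamAccountName -notlike $SuperUserPattern) {
                $violations += New-Object PSObject -Property @{
                    Group   = $g
                    Account = $m.SamAccountName
                    DN      = $m.distinguishedName
                }
            }
        }
    }
    return $violations
}

function Get-SuperUserHygieneReport {
    # Checks the properties the post says a SuperUser account should have:
    # no mailbox (mail attribute empty) and membership that is easy to review.
    param([string]$SuperUserPattern = '*-superuser')
    Import-Module ActiveDirectory -ErrorAction Stop

    Get-ADUser -Filter "SamAccountName -like '$SuperUserPattern'" `
               -Properties mail, MemberOf, LastLogonDate, Enabled |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account    = $_.SamAccountName
                Enabled    = $_.Enabled
                HasMailbox = [bool]$_.mail
                LastLogon  = $_.LastLogonDate
                # Reduce each DN in MemberOf to its CN, as the post's script does
                Groups     = ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
            }
        }
}

# Usage:
#   Find-PrivilegedAccountViolations | Format-Table Group, Account -AutoSize
#   Get-SuperUserHygieneReport | Where-Object { $_.HasMailbox } | Format-Table
```

An empty result from Find-PrivilegedAccountViolations is the state the post's policy describes; any row it returns is a day-to-day (or service) account holding admin rights that needs either renaming into the SuperUser scheme or removing from the group. Scheduling both functions and diffing the output against the previous run turns the post's occasional manual check into a standing detection.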

Finally, another effect of this reduction in privileges for admins and IT staff is that we are affected by group policies and software issues in the same way that users are. Although this may be viewed as inconvenient, I think it makes us better at solving problems. In the same vein, we as admins are (or should be) subject to the same security restrictions as typical users on our day-to-day accounts; if we can find loopholes or gaps in these restrictions that allow us to bypass them, then so can the users. Far too often I hear management make comments that users will not be able to bypass this or that restriction because they are too stupid. I often wonder who the stupid ones really are.


javatard said...

As for my 2 cents. As a network support guy in an OU in a domain, I run into having to get creative with installing and remote calls. For me, PsExec does wonders. I can install software on a remote system, with a user running as non-admin, using my Super-User account.
Another thing I had to learn by trial and error, was getting login scripts to work for non-admins. Placing the path to the script in the users profile in Active Directory helped clear that up as well.

SynJunkie said...

I know exactly what you mean. PsExec is pretty handy for getting out of a sticky situation; I use it quite a bit also.

Sherwyn aka (Infolookup) said...

Nice to see you are back posting again, looking forward to this year. Great content!


SynJunkie said...

Thanks Sherwyn.

What did you decide to go for with your lab, Xen or VMWare?

Anonymous said...

nice work friend

SynJunkie said...


Charactraus said...

I agree too well with those last 2 sentences on this blog. Town I live in is full of those people who think people with user accounts are just below their admin account. That admin account does not really look above user when you know loopholes.

Love the blog also. I am learning quite a bit of things. Thanks!