Saturday, May 8, 2010

Granular AD permissions and tools to accomplish it

Okay, I will be unpopular for this... but I really can't stand it when a product or application says in its instructions that you must give the application account or service account local Administrator permissions... and the engineers believe it!

Recently I did a short contract for a software development company, a name most of you have heard of. I was extremely surprised at their huge lack of knowledge about the Microsoft products they were developing off-the-shelf software for. Even when I showed them how to use a service account to run their app, and how their app only needed read permissions in the place they were coding, they simply didn't care. They insisted that "...we always state our application requires Domain Administrator privileges..." and they wouldn't stop. Needless to say, for those that know me, I gave my notice and quit that contract.

Several years ago, I was on a Microsoft contract where we were applying the tightest security to our Microsoft servers. I was tasked with taking our entire application layer and determining the lowest level of permissions actually needed for every service account and every application. This of course took quite a bit of time in the lab: I installed with the permissions the application owners said it needed (usually Administrator), then re-imaged and reinstalled with the individual permissions added one by one until the install and application worked. The end result was that absolutely none of the applications we tested for our deployment needed Administrator permissions. Some of the products I tested were: Veritas, Norton AV, several web applications, Office, Active Directory functions, DNS functions, account and server functions, and many other off-the-shelf products, including some Microsoft ones. Now this is not saying that none do. If they don't take the time to code it right, then it can. But many don't even know themselves.

Vendors typically say an application needs Administrator permissions because they don't want to bother testing the permissions one by one to find the exact granular permissions it needs. Yes, even Microsoft has become worse about doing this. Most applications really need only four user rights to operate (Log on as a service is the one nearly every one needs), and an ordinary domain account granted just those rights is what a service account is. Some need a few additional privileges too, of course.

If you want a tightened-down environment you will always take the time to test the actual granular permissions needed, and never believe the vendor when they say it requires Administrator.
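The one-by-one lab procedure above can be scripted. The PowerShell below is an added example, not code from the original post: it starts a service account with only "Log on as a service", grants a list of candidate privileges with ntrights, then removes them one at a time and keeps only those whose removal breaks the service. That is the author's additive test extended with a subtractive pass, which also catches an application that needs two rights at once. It assumes ntrights.exe from the Windows Server 2003 Resource Kit is on the PATH, that it runs elevated on a lab machine, and that the account CORP\svc_app and the service AppSvc are hypothetical names.

```powershell
# Added example, not from the original post. Finds the minimum set of user rights
# a Windows service needs: start from "Log on as a service" only, grant a list of
# candidate privileges, then take them away one at a time and keep only the ones
# whose removal breaks the service.
# Assumptions: ntrights.exe (Windows Server 2003 Resource Kit) is on the PATH,
# this runs elevated on a lab box, and "CORP\svc_app" / "AppSvc" are hypothetical.
param(
    [string]$Account = 'CORP\svc_app',
    [string]$Service = 'AppSvc',
    # Functional check run after each restart; replace with a real end-to-end test.
    [scriptblock]$Probe = { (Get-Service -Name $Service).Status -eq 'Running' }
)

# Privileges worth trying for an ordinary application. Admin-equivalent ones
# (SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege,
# SeLoadDriverPrivilege, SeDebugPrivilege) are deliberately absent: an app that only
# works with one of those effectively needs Administrator, whatever the vendor calls it.
$Candidates = @(
    'SeImpersonatePrivilege', 'SeCreateGlobalPrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeIncreaseQuotaPrivilege', 'SeIncreaseBasePriorityPrivilege', 'SeAuditPrivilege',
    'SeSystemTimePrivilege', 'SeProfileSingleProcessPrivilege', 'SeManageVolumePrivilege'
)

function Set-Right {
    param([string]$Right, [switch]$Remove)
    $op = if ($Remove) { '-r' } else { '+r' }
    $out = & ntrights.exe $op $Right -u $Account 2>&1
    if (-not $Remove -and $LASTEXITCODE -ne 0) { throw "ntrights $op $Right failed: $out" }
}

function Test-ServiceWorks {
    # The SCM builds a fresh token each time the service starts, so a restart is
    # enough for a changed right to take effect (no logoff needed).
    Stop-Service -Name $Service -Force -ErrorAction SilentlyContinue
    try { Start-Service -Name $Service -ErrorAction Stop } catch { return $false }
    Start-Sleep -Seconds 5
    return [bool](& $Probe)
}

# 1. Baseline: the logon right only.
Set-Right 'SeServiceLogonRight'
foreach ($r in $Candidates) { Set-Right $r -Remove }
if (Test-ServiceWorks) { "Needs only SeServiceLogonRight"; return }

# 2. Ceiling: every candidate. If it still fails, the blocker is not a user right
#    (check NTFS/registry ACLs with Process Monitor's ACCESS DENIED filter, or the
#    app wants an admin-equivalent privilege that is not in the candidate list).
foreach ($r in $Candidates) { Set-Right $r }
if (-not (Test-ServiceWorks)) { throw "Fails even with all candidates; blocker is an ACL or an admin-equivalent right" }

# 3. Remove one at a time; keep only the rights whose removal breaks the service.
$required = @('SeServiceLogonRight')
foreach ($r in $Candidates) {
    Set-Right $r -Remove
    if (-not (Test-ServiceWorks)) { Set-Right $r; $required += $r }
}
"Minimum rights for $Account running $Service :"
$required | ForEach-Object { "  $_" }
```

Two caveats when using this. User rights only cover privileges and logon rights; file, registry and directory ACLs are a separate axis and show up as ACCESS DENIED in Process Monitor, not as a failed right. And on a domain member, a User Rights Assignment GPO overwrites the local changes ntrights makes at the next policy refresh, so run the test on a machine in an OU with no such policy, then put the final list into Group Policy.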

ALSO, I come across so many engineers who test using the built-in groups (Administrators, Backup Operators, Account Operators, etc.) and say... see, it only worked when I added the account to the Administrators group. Open your eyes and learn your operating system better. There are 35 or more granular permissions and user rights you can grant, but you have to use the proper tools to grant or remove them! The lists below are probably not complete either, but these are the two tools I use most often to set the granular permissions needed.

DSacls (dsacls.exe), found in the Windows Support Tools. It sets permissions on the ACLs of Active Directory objects (OUs, users, groups and so on), not user rights on a server.

   Permissions

  • GR - Generic Read
  • GE - Generic Execute
  • GW - Generic Write
  • GA - Generic All
  • SD - Delete
  • DT - Delete an object and all its child objects.
  • RC - Read security information
  • WD - Change security information
  • WO - Change owner information
  • LC - List the child objects of an object
  • CC - Create child object. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  • DC - Delete child object. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  • WS - Write to self object. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  • RP - Read property. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  • WP - Write property. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  • CA - Control access right. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  • LO - List the object access. Can be used to grant list access to a specific object if List Children (LC) is not also granted to the parent. Can also be denied on specific objects to hide those objects if the user or group has LC on the parent. By default, Active Directory does not enforce this permission.
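A worked dsacls run, added here as an example and not taken from the original post: it gives an application account read-only access to one OU, adds write access to a single attribute instead of GW or GA, and then dumps the resulting ACEs for review. It assumes dsacls.exe is on the PATH (Support Tools on 2003, built in from 2008 onward), that you can modify the OU's ACL, and that the OU distinguished name and the account CORP\svc_app are hypothetical.

```powershell
# Added example, not from the original post. Grants an application account the
# smallest useful set of AD permissions with dsacls and prints what was written.
# Assumptions: dsacls.exe on the PATH; the OU DN and account below are hypothetical.
$ou      = 'OU=AppData,DC=corp,DC=example'
$account = 'CORP\svc_app'

function Invoke-Dsacls([string[]]$Arguments) {
    $out = & dsacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls $Arguments failed:`n$out" }
    $out
}

# Start clean: /R removes every ACE this principal already has on the object.
Invoke-Dsacls @($ou, '/R', $account) | Out-Null

# Read-only, inherited by the OU and everything beneath it (/I:T = this object and
# subobjects). GR is Generic Read, i.e. RC + LC + RP + LO, with no write bits at all.
Invoke-Dsacls @($ou, '/I:T', '/G', "${account}:GR") | Out-Null

# If the app must update one attribute on user objects, grant WP on that property
# only, for child objects of class "user" (/I:S = subobjects only), rather than GW
# on the OU. The grant syntax is principal:permissions;property;inherited-object-type.
Invoke-Dsacls @($ou, '/I:S', '/G', "${account}:WP;description;user") | Out-Null

# Review what was actually written: dsacls with only the DN lists the ACL.
Invoke-Dsacls @($ou) | Select-String -Pattern ([regex]::Escape($account)) -Context 0,3
```

The reason to avoid GW and GA on a container is that they apply to every object and attribute beneath it: WP on a group object lets the holder change its membership, and WD or WO let the holder rewrite the ACL itself, so a "just make it work" GA at the OU is ownership of everything in that OU, not a scoped grant.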

NTrights.exe (ntrights.exe), found in the Windows Server 2003 Resource Kit Tools. It grants or revokes user rights on a local or remote server by name. The list below covers the privileges; logon rights such as SeServiceLogonRight (Log on as a service), SeBatchLogonRight and the SeDeny*LogonRight entries are set with the same tool but are not listed here.

  • SeTcbPrivilege
    Act as part of the operating system
    Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege.
  • SeMachineAccountPrivilege
    Add computers to a domain
    Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain.
  • SeBackupPrivilege
    Back up files and directories
    Allows the user to circumvent file and directory permissions to back up the system. The privilege is checked only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
    • By default, this privilege is assigned to Administrators and Backup Operators. See also Restore files and directories in this table.
  • SeChangeNotifyPrivilege
    Bypass traverse checking
    Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Windows file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
    • By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone.
  • SeSystemTimePrivilege
    Change the system time
    Allows the user to set the time for the internal clock of the computer.
    • By default, this privilege is assigned to Administrators and Power Users.
  • SeCreatePagefilePrivilege
    Create a page file
    Allows the user to create and change the size of a page file.
    • By default, this privilege is assigned to Administrators.
  • SeCreateTokenPrivilege
    Create a token object
    Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
  • SeCreatePermanentPrivilege
    Create permanent shared objects
    Allows a process to create a directory object in the Windows 2000 or Windows Server 2003 object manager.
  • SeRemoteShutdownPrivilege
    Force shutdown from a remote system
    Allows a user to shut down a computer from a remote location on the network. See also Shut down the system in this table.
    • By default, this privilege is assigned to Administrators.
  • SeAuditPrivilege
    Generate security audits
    Allows a process to create, generate, and add entries in the security log. The security log is used to track unauthorized system access. See also Manage auditing and security log in this table.
  • SeIncreaseQuotaPrivilege
    Increase quotas (named Adjust memory quotas for a process in Windows Server 2003)
    Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be misused, as in a denial of service attack.
    • By default, this privilege is assigned to Administrators.
  • SeIncreaseBasePriorityPrivilege
    Increase scheduling priority
    Allows a process that has Write property access to another process so that it can increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box.
    • By default, this privilege is assigned to Administrators.
  • SeLoadDriverPrivilege
    Load and unload device drivers
    Allows a user to install and uninstall Plug and Play device drivers. Device drivers that are not Plug and Play are not affected by this privilege and can be installed only by Administrators. Because device drivers run as trusted (highly privileged) programs, this privilege can be misused to install hostile programs and give them destructive access to resources.
    • By default, this privilege is assigned to Administrators.
  • SeLockMemoryPrivilege
    Lock pages in memory
    Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege can significantly degrade system performance, so grant it only to an account whose application is documented to require it.
  • SeSecurityPrivilege
    Manage auditing and security log
    Allows a user to specify object access auditing options on individual resources such as files, Active Directory objects, and registry keys. Object access auditing must first be enabled in Audit Policy (under Security Settings, Local Policies). With this privilege a user can then specify individual objects for auditing in Windows Explorer. A user who has this privilege can also view and clear the security log from Event Viewer.
    • By default, this privilege is assigned to Administrators.
  • SeSystemEnvironmentPrivilege
    Modify firmware environment values
    Allows modification of system environment variables either by a process through an API or by a user through System Properties.
    • By default, this privilege is assigned to Administrators.
  • SeProfileSingleProcessPrivilege
    Profile a single process
    Allows a user to run Windows 2000 and Windows Server 2003 performance-monitoring tools to monitor the performance of nonsystem processes.
    • By default, this privilege is assigned to Administrators and Power Users.
  • SeSystemProfilePrivilege
    Profile system performance
    Allows a user to run Windows 2000 and Windows Server 2003 performance-monitoring tools to monitor the performance of system processes.
    • By default, this privilege is assigned to Administrators.
  • SeAssignPrimaryTokenPrivilege
    Replace a process-level token
    Allows a parent process to replace the access token associated with a child process.
  • SeRestorePrivilege
    Restore files and directories
    Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. See also Back up files and directories in this table.
    • By default, this privilege is assigned to Administrators and Backup Operators.
  • SeShutdownPrivilege
    Shut down the system
    Allows a user to shut down the local computer. See also Force shutdown from a remote system in this table.
    • In Windows XP Professional, this privilege is assigned by default to Administrators, Backup Operators, Power Users, and Users.
    • In Windows Server 2003, it is not assigned to Users by default, only to Administrators, Backup Operators, and Power Users.
  • SeTakeOwnershipPrivilege
    Take ownership of files or other objects
    Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
    • By default, this privilege is assigned to Administrators.
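Granular does not mean harmless: several of the rights above (SeTcbPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, and SeDebugPrivilege, which is not in the list) let the holder become Administrator in one step, so an account that "only" has one of them should be reviewed as if it were in the Administrators group. The PowerShell below is an added example, not code from the original post: it reads the [Privilege Rights] section of a secedit export and reports every principal other than BUILTIN\Administrators that holds one of those rights. The template text embedded in it is constructed so the script runs offline; the account names in it are hypothetical.

```powershell
# Added example, not from the original post. Audits which principals hold privileges
# that are equivalent to Administrator, from the [Privilege Rights] section of a
# "secedit /export" template. The sample template below is constructed so the
# script runs offline; the CORP\svc_* accounts in it are hypothetical.
$AdminEquivalent = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system: can forge any token'
    'SeCreateTokenPrivilege'        = 'Create a token object: can mint an admin token'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process-level token'
    'SeBackupPrivilege'             = 'Read any file, including SAM and NTDS.dit'
    'SeRestorePrivilege'            = 'Write any file and set any owner'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of any object'
    'SeLoadDriverPrivilege'         = 'Load kernel code'
    'SeDebugPrivilege'              = 'Open any process, including LSASS'
}
# Principals that hold these rights by default and are not worth flagging.
$Expected = @('*S-1-5-32-544')   # BUILTIN\Administrators

# Constructed sample of what "secedit /export /areas USER_RIGHTS" produces.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,CORP\svc_backupapp
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege = CORP\svc_legacyapp
SeServiceLogonRight = CORP\svc_app,CORP\svc_legacyapp
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-RiskyRightAssignments([string[]]$InfLines) {
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            if (-not $AdminEquivalent.ContainsKey($right)) { continue }
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($h in $holders) {
                if ($Expected -notcontains $h) {
                    [pscustomobject]@{ Right = $right; Holder = $h; Why = $AdminEquivalent[$right] }
                }
            }
        }
    }
}

# Offline run on the constructed sample. Note that *S-1-5-32-551 (Backup Operators)
# is reported too: backup and restore rights make that group admin-equivalent.
Get-RiskyRightAssignments ($SampleInf -split "`r?`n") | Format-Table -AutoSize

# Real run (elevated). secedit writes a UTF-16 file; Get-Content handles the BOM.
# secedit /export /cfg $env:TEMP\rights.inf /areas USER_RIGHTS
# Get-RiskyRightAssignments (Get-Content "$env:TEMP\rights.inf") | Format-Table -AutoSize
```

Run this against every server after the granular rights have been applied; the goal of the exercise is a service account that shows up under SeServiceLogonRight and nothing else in that report.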

Published: 7/25/2007 9:06 PM
