From an external or an internal perimeter, an attacker who has just gained access to a workstation or a server will look for weaknesses on that machine. After breaching a web server in a DMZ or a workstation on the user LAN, her goal is to reach other machines and sensitive information that require more authorization and access, taking advantage of weaknesses on the machines she already controls.
Most of the time, local privilege escalation is a technique that pays off.
Summary
- Context
- Privilege Escalation
- Basic Hardening
- Golden Image
- Patch Management
- Administration
- Conclusion
- References
Privilege Escalation
A privilege escalation takes advantage of a misconfiguration, a design flaw or a bug in order to gain elevated access to information that is normally protected from an application or a user. In the case of an elevation of privileges on an operating system, the associated risks can be very serious.
By gaining access to a new level of information and to new applications, an attacker can retrieve sensitive internal documents but also pivot to new systems. In the worst cases, a privilege escalation can be the starting point of a domain compromise. In other words, it can lead to full access to all of the domain’s workstations and servers, with the possibility of stealing sensitive data.
In concrete terms, a basic privilege escalation can be performed through the password mining attack vector, which takes advantage of forgotten installation files, configuration files, scripts or registry keys that contain passwords.
To decrease the risk related to this type of attack, machines must be hardened.
Basic Hardening
Regardless of the operating system, machines have to be hardened following several best practices:
- Applications must run with appropriate rights (least privilege principle);
- Read and write permissions must be reviewed for files and paths, especially for sensitive configuration files;
- Unnecessary software and services must be removed or disabled;
- The desktop operating system firewall must be configured.
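One way to put the permission review rule into practice is a recurring audit of the ACLs on sensitive paths and on service binaries. The script below is an added example, not code from the original article; the path list and the application config path are assumptions to adapt to your build.

```powershell
# Added example (not from the original article): flag Allow ACEs that grant
# write rights on sensitive paths to broad groups, which is exactly what an
# attacker hunting for a local privilege escalation looks for.
$Paths = @(
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:SystemRoot\System32\config",
    "$env:ProgramData\MyApp\app.config"    # hypothetical application config file
)

# Binaries started by services run with the service account's rights, so they
# belong in the review as well. Extract the executable path from each PathName.
$ServiceBinaries = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object { [regex]::Match($_.PathName, '^"?([^"]*?\.exe)', 'IgnoreCase').Groups[1].Value } |
    Where-Object { $_ } | Sort-Object -Unique

# Broad principals that should never hold write rights on these objects.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets the holder change or replace the file.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

function Find-WeakAcl {
    param([string[]]$Path, [string[]]$Principals)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            $isBroad     = $Principals -contains $ace.IdentityReference.Value
            $grantsWrite = ($ace.FileSystemRights -band $WriteMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsWrite) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Every row is a finding to fix in the golden image, not just on this machine.
Find-WeakAcl -Path ($Paths + $ServiceBinaries) -Principals $BroadPrincipals | Format-Table -AutoSize
```

Run it as a standard user too: an empty result for an administrator but findings for a standard user usually means the path is accessed through a different ACL than expected.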
These rules slow the attacker’s progression towards higher privileges on the same machine and, potentially, on other machines. In addition, they enlarge the detection surface, increasing the probability of detecting malicious actions.
In case of physical access to a workstation regardless of its operating system, additional hardening techniques must be considered:
- Password protection of the BIOS;
- Disk encryption using a Trusted Platform Module (TPM) and pre-boot authentication;
- USB ports must not allow booting from a USB key and should be protected against rogue HID devices. If possible, USB ports can be disabled in the BIOS.
Without these security best practices, a penetration tester can boot another operating system, mount the original system partition and retrieve sensitive information such as local account hashes.
As hardening must be applied to all workstations and servers, creating a hardened and maintained golden image is useful. In addition, documented processes limit human mistakes and ease the enrollment of each new workstation, server or domain user.
Golden Image
A golden image is a template for a virtual machine (VM), virtual desktop, server or hard disk drive. It must be hardened from both the operating system and software points of view, following the best practices described above.
As it evolves, the golden image should be regularly penetration tested on a typical workstation.
Patch Management
Patch management plays an important role because vulnerabilities in applications and systems leading to privilege escalation are disclosed regularly.
For example, the Windows Task Scheduler Advanced Local Procedure Call (ALPC) bug disclosed in August 2018 allows a standard user to gain local administrator privileges on 64-bit Windows 10 machines and Windows Server 2016.
A lacking patch management is often responsible for the compromise of a machine or, worse, of a whole domain, with full access to servers and workstations.
Administration
Depending on how the information system is administered, the security of workstations and servers can be directly affected.
For local administration tasks, you should deploy LAPS or similar proprietary software.
The purpose of these solutions is to assign a unique local administrator password to each workstation. However, assigning and rotating unique passwords can prove hard to deploy and maintain, especially in an enterprise infrastructure.
To make it easier, Microsoft has released LAPS (Local Administrator Password Solution). LAPS centralizes the management of the local administrator passwords of workstations and servers. It generates a unique, random password per system and stores it in Active Directory, protected by AD policy. LAPS also manages the life cycle of the passwords. Among its functionalities is the possibility to configure authorization and access rights to the passwords.
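The following is an added example (not code from the original article or from Microsoft) showing how the authorization side of LAPS is configured and, more importantly, audited with the AdmPwd.PS module that ships with the LAPS installer. The OU, the helpdesk group and the computer name are assumptions.

```powershell
# Added example (not part of the original article): delegate LAPS rights on
# one OU and then audit who can actually read the passwords stored in AD.
Import-Module AdmPwd.PS

$WorkstationOU = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$HelpdeskGroup = 'EXAMPLE\Helpdesk-LocalAdmin'         # hypothetical group

# 1. Extend the schema once per forest (needs Schema Admins); run it separately.
# Update-AdmPwdADSchema

# 2. Let each computer in the OU write its own password and expiry attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# 3. Grant the helpdesk group the right to read and to force a reset of passwords.
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $HelpdeskGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $HelpdeskGroup

# 4. Audit: list every principal holding the extended right that reveals the
#    password attribute. Anything outside the expected set is a finding, since
#    "All extended rights" granted long ago on an OU silently includes LAPS.
$Expected = @('EXAMPLE\Domain Admins', $HelpdeskGroup)   # adapt to your domain

function Find-UnexpectedLapsReader {
    param([string]$OrgUnit, [string[]]$Allowed)
    Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($Allowed -notcontains $holder) {
                [pscustomobject]@{ ObjectDN = $dn; UnexpectedReader = $holder }
            }
        }
    }
}

Find-UnexpectedLapsReader -OrgUnit $WorkstationOU -Allowed $Expected | Format-Table -AutoSize

# 5. Read one password for a support action and check when it expires.
Get-AdmPwdPassword -ComputerName 'WS-0001' |
    Select-Object ComputerName, Password, ExpirationTimestamp
```

Newer Windows LAPS, built into Windows 11 and recent server versions, exposes the same operations under the LAPS module (for example Find-LapsADExtendedRights and Get-LapsADPassword), so the audit step carries over.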
Conclusion
A healthy information system is mostly the result of hardened golden images that follow best practices and of good, recurrent patch management. In addition, this hardening must be evaluated regularly with penetration tests in order to detect oversights.
A workstation assessment and/or an internal penetration test usually gives a good picture of the machines’ hardening status.