back to article Security bod to MSFT: PowerShell's admin-lite scheme is an open door

Microsoft's PowerShell feature “Just Enough Administration” (JEA) is, apparently, “way too much administration” according to researcher Matt Weeks. In this write-up of JEA, root9B and Metasploit module developer Weeks says JEA profiles aren't much of a barrier, since people with JEA profiles can escalate themselves to sysadmin …

  1. Anonymous Coward
    Anonymous Coward

    poop throwing time

    Too lazy to look and don't care about Microsoft's pigs walking like men features but it sounds more like the use case of this might be for admins to limit the damage they can do with their 1337 MCSE CLI skills than as much of a user security limitation.

  2. Mikel

    It's OK

    You weren't using Microsoft software for anything important, were you?

  3. The Original Steve

    Explaination?

    I'm a bit puzzled by the first example.

    First I've heard of JEA, so probably a lack of understanding on my part...

    But - it sounds a little like the PowerShell environment is locked down to a subset of "approved" cmdlets...? Is that right? If so, then if you delegate access to the "Add-Computer" cmdlet, I don't see how it's a security flaw / bug if the delegated admin attempt to connect the machine to a different domain which has a different set of GPO's applied to it. In that scenario you'd need a malicious DNS and network access to the bad domain so the machine can connect to it.

    Is my understanding correct, or have I missed something important and probably obvious? :)

    If I am getting it, then I think it's a bit of a stretch to say that it's a big security issue. IMHO of course!

    1. Richard 26

      Re: Explaination?

      If the point of JEA is that you can give operators limited access to carry out administrative tasks, then it's not really fit for purpose if you have a BOFH. Whether that is a big deal or not depends on important 'least privilege' is for you. I would think that only a small minority of organisations are going to be able to handle malicious insiders at all well.

    2. phuzz Silver badge

      Re: Explaination?

      So JEA probably isn't fit for purpose yet, but maybe you have bigger problems if someone can set up their own domain controller on your network...

  4. Anonymous Coward
    Anonymous Coward

    Article title correction

    "Security bod to MSFT: PowerShell's admin-lite scheme is an yet another open door"

    Let's be honest, you're not going to install Windows because you need security. Everything else, maybe, but not security. That's not even an option you can buy at a higher cost like an Enterprise version.

    1. kryptylomese

      Re: Article title correction

      Indeed, "Everything else" including crappy performance limited capabilities poor up time due to having to reboot and install patches constant attacks from malware, and it is unreliable and expensive.

      ...and all of that is available in the "Enterprise version" - not in my enterprise thanks!

      1. Anonymous Coward
        Anonymous Coward

        Re: Article title correction

        "Everything else" including crappy performance limited capabilities poor up time due to having to reboot and install patches constant attacks from malware, and it is unreliable and expensive.

        No, no, no, you have that all wrong. That's exactly MFST's approach to protecting you. A rebooting system is simply not available long enough to hack. Moreover, combine petabyte sized patch downloads with large slurp uploads and there is simply not enough bandwidth left for any attacks.

        I can't believe anyone at Microsoft hasn't tried that line yet, but give it time :)

  5. Rob Moir

    Something seems odd about this as a security hole.

    According to the write up here, you can get around JEA by having the machine you're attacking pull policies from a domain controller you control.

    So for this to work you already need to be a domain admin on the domain concerned? If that's true, then sure it's a fault that needs fixing but I'm not convinced it's much of a security hole if you already need to be domain admin to use it. If I leave my car keys out in my house where anyone who lives here can take them, it might be something I need to stop doing if my kids become teenagers with a taste for joyriding, but it's not really a security issue with the car itself.

    1. Anonymous Coward
      Anonymous Coward

      Re: Something seems odd about this as a security hole.

      I agree, I'm a little confused by the whole thing.

      If you have admin access to a DC, you have bigger issues.

      1. Tom Paine

        Re: Something seems odd about this as a security hole.

        I have admin access to my personal laptop which is on my desk so I can listen to music / browse bits of net my control-freak employer has blocked (would you believe all "computing and IT security" sites are blocked? Hacking tools, apparently...) I could run up a DC on that, if it ran Windows rather than Linux anyway. (Yeah yeah, Samba 4,.. tried that? I have.... *thousand yard stare* )

        1. Anonymous Coward
          Anonymous Coward

          Re: Something seems odd about this as a security hole.

          "I could run up a DC on that,"

          yes and do bugger all with it.

          1. Anonymous Coward
            Anonymous Coward

            Re: Something seems odd about this as a security hole.

            "I could run up a DC on that,"

            yes and do bugger all with it.

            That depends. If you can mimic a valid DC but respond quicker to DC traffic than the "official" DC I suspect you will have created an internal Denial of Service vector that would be a swine to debug (especially if you randomised its activity a bit). It would probably take someone looking at the actual network packets with a network packet analyser to work out what on earth is happening.

            Note: I'm assuming this - so far, it's theory.

            1. ZenaB

              Re: Something seems odd about this as a security hole.

              DCs are found via DNS not by broadcast, so you'd need to poison the switch to get it to send the packets to you instead..

    2. phuzz Silver badge

      Re: Something seems odd about this as a security hole.

      The hypothetical malicious admin could have set up their own DC and plugged it into your network, but if someone is setting up their own servers on your network, maybe that's the problem to look at first...

      1. Tom Paine

        Re: Something seems odd about this as a security hole.

        What. you think everyone has NAC, or turns down switch ports that aren't in use?

      2. Rob Moir

        Re: Something seems odd about this as a security hole.

        Yes you can create your own DC. But you can't run a DC on my domain without already having credentials that allow you to promote a server to a DC and if you have those credentials already then you already own the network and don't need help from this kind of attack.

        1. Richard 26

          Re: Something seems odd about this as a security hole.

          @Rob Moir - It doesn't need to be on your domain though; you can just AddComputer <evildomain>

      3. Mikel

        Re: Something seems odd about this as a security hole.

        @phuzz

        Every road warrior's exploited laptop is a server on your network. And every PC that clicked a wrong link in IE, or previewed the wrong email in Outlook. And so on. And every PC that ever shared the network with those, even for one minute. And the printers and many other networked devices too. So... Everything.

    3. Robert Carnegie Silver badge

      Re: Something seems odd about this as a security hole.

      I think it's more about (1) Microsoft's default templates for JEA permissions having either "Add a computer to the network" or similar exploitable permissions granted, and (2) the hacker starts with permission to open your car door but not start the engine, but somehow ends up persuading your car to drive out of the garage and follow the hacker's own car all the way to Aberdeen (to choose a random and inconvenient destination). With you in it. Just using documented Microsoft tools correctly but imaginatively.

  6. Anonymous Coward
    Anonymous Coward

    Isn't it about time we started asking if Microsoft, in its present guise, can get anything right.

    At the moment it appears that MS has lost all direction.

    1. kryptylomese

      Looks like the Register automatic down vote for saying anything bad about Microsoft is prevalent in this thread.... It must be that because anyone with a brain would have commented on why they down voted!

      1. Anonymous Coward
        Anonymous Coward

        Looks like the Register automatic down vote for saying anything bad about Microsoft is prevalent in this thread

        It's actually not the Register who does this, but (judging by the style of downvotes) Microsoft PR people. Microsoft code would never be stable enough for such a consistent result so it is clearly done manually.

  7. Anonymous Coward
    Anonymous Coward

    Isn't it about time we started asking if Microsoft, in its present guise, can get anything right.

    Minimising tax? Oh, you meant anything that benefitted its customers, sorry. In that case, indeed no.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like