Windows can sometimes be the most confusing operating system on the planet. I teach classes to many auditors and administrators every year and find that just how to grant privileges in Windows is a constant source of confusion. Of course, the obvious approach of placing users in groups is a no-brainer, but there are more options than that. So, in this article we will discuss how to grant elevated privileges over Active Directory and over a server. The two differ, and the differences are quite varied. In the end, you will know the different methods that can be used to grant elevated privileges in a Windows environment.
What are Elevated Privileges?
A user has elevated privileges when they are granted the ability to do more than a standard user, meaning someone with “zero administrative” privileges in any capacity. Examples of elevated privileges include:
- Administering the domain
- Adding a user
- Modifying a group member
- Shutting down a server
- Creating a Group Policy Object (GPO)
- Changing the system time
- Modifying the permissions for a file on a server
Some of these tasks are related to Active Directory, some are related to servers, and some could be performed on a domain controller. The key is to understand what can be done and how to achieve that privilege. There are some privileges, such as changing the system time, which can be accomplished in a few different ways. Some tasks, such as modifying a site for the Active Directory forest, are only accomplished in one way.
There are some groups that are created during the installation of Active Directory and of a server that have “built-in” privileges. When a user is added to one of these groups, they are automatically granted certain privileges. The list of privileges is too vast to cover here, but the point is that a member of one of these groups can do more than a standard user. There are actually three levels of these groups: local server, domain, and forest. The groups that grant elevated privileges for each level include:
- Group Policy Creator Owners
User Rights
User rights are configurations that control “who” can do “what” to the computer where the user right is configured. User rights are configured per computer, so that each computer can have a unique set of administrators controlling different areas of that computer. It is typical to have all domain controllers use the same user rights, so they function as a unit. The Default Domain Controllers Policy establishes the user rights for domain controllers in Active Directory by default.
There are over 35 user rights per computer. Some of the most common user rights that control elevated privileges over a computer include:
- Shut down the system
- Force shutdown from a remote system
- Log on as a batch job
- Log on as a service
- Log on locally
- Act as part of the operating system
- Back up and restore files and directories (two separate rights)
- Enable computer and user accounts to be trusted for delegation
- Generate security audits
- Load and unload device drivers
- Manage auditing and security log
- Replace a process level token
- Synchronize directory service data
- Take ownership of files or other objects
There are other user rights that control terminal service logon, accessing the computer from the network, and denying certain avenues of access.
User rights are deployed using Group Policy, either local or via Active Directory. This provides a way to control the access to servers in a consistent manner, so that servers that should have similar configurations all receive the same settings.
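As an added example (not part of the original article), the following PowerShell exports the User Rights Assignment in force on the local computer with `secedit` and resolves the SIDs, so an auditor can see who actually holds the rights listed above. It assumes an elevated session; the export path is a choice made here.

```powershell
# Added example, not from the article: export the User Rights Assignment in force on this
# computer and resolve the SIDs, so you can see who actually holds the rights listed above.
# Assumes an elevated PowerShell session; the export path is a choice made here.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Constant names of the rights the article calls out as granting elevated control.
$watch = @(
    'SeShutdownPrivilege',           # Shut down the system
    'SeRemoteShutdownPrivilege',     # Force shutdown from a remote system
    'SeBatchLogonRight',             # Log on as a batch job
    'SeServiceLogonRight',           # Log on as a service
    'SeInteractiveLogonRight',       # Log on locally
    'SeTcbPrivilege',                # Act as part of the operating system
    'SeBackupPrivilege',             # Back up files and directories
    'SeRestorePrivilege',            # Restore files and directories
    'SeEnableDelegationPrivilege',   # Enable accounts to be trusted for delegation
    'SeAuditPrivilege',              # Generate security audits
    'SeLoadDriverPrivilege',         # Load and unload device drivers
    'SeSecurityPrivilege',           # Manage auditing and security log
    'SeAssignPrimaryTokenPrivilege', # Replace a process level token
    'SeSyncAgentPrivilege',          # Synchronize directory service data
    'SeTakeOwnershipPrivilege'       # Take ownership of files or other objects
)

function Resolve-Sid([string]$sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # orphaned or foreign SID: keep the raw value, it still needs review
}

# The [Privilege Rights] section holds lines like  SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
Get-Content $inf | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$' -and $Matches[1] -in $watch) {
        $right   = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object {
            $s = $_.Trim()
            if ($s.StartsWith('*')) { Resolve-Sid $s.TrimStart('*') } else { $s }
        }
        [pscustomobject]@{ Right = $right; Holders = ($holders -join '; ') }
    }
} | Sort-Object Right | Format-Table -AutoSize

Remove-Item $inf -ErrorAction SilentlyContinue
```

Run the same script on each domain controller (or against the Default Domain Controllers Policy's exported template) to confirm they really do hold identical rights, as the text expects.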
File and Folder Access Control List
Each file, folder, and Registry key has an Access Control List (ACL). The ACL is nothing more than a list of users, groups, and/or computers that are granted certain permissions over the object associated with the ACL. A typical ACL is shown in Figure 1.
Figure 1: Typical ACL for a file.
The ACL exposes standard permissions, such as the Full control, Modify, and Read entries shown in Figure 1. These standard permissions are really combinations of more granular permissions. The standard permissions allow for easier configuration and overall control over the objects. Granular (Advanced) permissions are usually not configured unless a very unique situation requires a specific level of control.
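To make the "combinations of more granular permissions" point concrete, here is an added example (not from the article) that decomposes the standard permissions into the Advanced bits they are built from, then shows both views for every ACE on a sample file created for the demonstration.

```powershell
# Added example, not from the article: the standard permissions shown in the ACL dialog
# (Full control, Modify, Read) are bit-masks built from the granular Advanced permissions.
# This prints that decomposition, then shows both views for each ACE on a constructed file.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Every single-bit member of the enum, i.e. the granular permissions; deduplicated because
# some bits carry two names (ReadData and ListDirectory both share bit 0x1).
$granularBits = [Enum]::GetValues($FSR) | ForEach-Object { [int]$_ } | Sort-Object -Unique |
    Where-Object { $_ -ne 0 -and ($_ -band ($_ - 1)) -eq 0 }

function Expand-Right($right) {
    # Return the names of the granular permissions whose bits are set in $right.
    # ACEs carrying raw generic rights (large numbers, not enum members) yield nothing here.
    $mask = [int]$right
    $granularBits | Where-Object { ($mask -band $_) -ne 0 } | ForEach-Object { [Enum]::GetName($FSR, $_) }
}

# Standard permission -> its bit-mask -> the granular permissions it is made of.
foreach ($name in 'Read', 'ReadAndExecute', 'Modify', 'FullControl') {
    $mask = [int]($name -as $FSR)
    '{0,-15} 0x{1:X6}  {2}' -f $name, $mask, ((Expand-Right $mask) -join ', ')
}

# Now the same two views for every ACE on a sample file created here for the demonstration.
$path = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -Path $path -Value 'constructed sample'
(Get-Acl -Path $path).Access | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Standard  = $_.FileSystemRights                              # what the dialog shows
        Granular  = (Expand-Right $_.FileSystemRights) -join ', '    # what is really granted
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize -Wrap
Remove-Item $path
```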
Active Directory Delegation
Just as files and folders have ACLs, each object in Active Directory has an ACL too. These ACLs are referred to as delegation, but in essence they are the same control that an ACL for a file provides. The difference lies in the overall control you can grant over a user, group, or organizational unit compared to a file or folder. For a user object alone there are over one hundred individual permissions you can set; Figure 2 shows a subset of the list and gives a sense of its length.
Figure 2: Permissions for a user object.
There are many delegations you can grant over objects in Active Directory, but there are a few that are most common. The two most common delegations are:
- Resetting passwords for user accounts
- Modifying group membership
The delegations are typically performed at the OU level, and the permissions set there affect all of the objects in the OU. This is similar to setting ACLs at the folder level and having the inheritance of permissions affect all of the files in the folder.
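The following added example (not from the article) reads the delegation on an OU the same way `Get-Acl` reads a folder, and picks out the ACEs that grant the two common delegations just named. It assumes the RSAT ActiveDirectory module; the OU distinguished name is a placeholder, and the GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example, not from the article: read the delegation (the ACL) on an OU and pick out
# the ACEs that grant the two most common delegations named above, resetting passwords and
# modifying group membership. Assumes the RSAT ActiveDirectory module; the OU DN is a placeholder.
Import-Module ActiveDirectory
$ou  = 'OU=Staff,DC=contoso,DC=com'   # placeholder, substitute the OU you are auditing
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve the GUIDs from this forest instead of hard-coding them: control-access rights are
# objects under CN=Extended-Rights, attributes are attributeSchema objects in the schema.
$root = Get-ADRootDSE
$resetPwd = [guid](Get-ADObject -SearchBase $root.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid
$memberBytes = (Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=member))' `
    -Properties schemaIDGUID).schemaIDGUID
$memberAttr = New-Object Guid (,$memberBytes)   # schemaIDGUID is stored as a byte array

function Get-DelegationName($ace) {
    # Classify an Allow ACE; $null means it is not one of the delegations we care about.
    $any    = ($ace.ObjectType -eq [guid]::Empty)   # empty GUID = all rights / all attributes
    $rights = $ace.ActiveDirectoryRights
    if (($rights -band $ADR::GenericAll) -ne 0) { return 'Full control (covers both)' }
    if (($rights -band $ADR::ExtendedRight) -ne 0 -and ($any -or $ace.ObjectType -eq $resetPwd)) {
        return 'Reset password'
    }
    if (($rights -band $ADR::WriteProperty) -ne 0 -and ($any -or $ace.ObjectType -eq $memberAttr)) {
        return 'Modify group membership'
    }
    return $null
}

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $what = Get-DelegationName $_
        if ($what) {
            [pscustomobject]@{
                Delegation      = $what
                Trustee         = $_.IdentityReference.Value
                Inheritance     = $_.InheritanceType        # whether it flows to child objects
                ObjectClassGuid = $_.InheritedObjectType    # empty = every object class
                Inherited       = $_.IsInherited
            }
        }
    } | Format-Table -AutoSize
```

Entries with an empty ObjectClassGuid apply to every object type under the OU, including groups and computers, which is usually broader than the help-desk delegation that was intended.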
Group Policy Delegation
Another elevated privilege you can grant is the ability to manage Group Policy. Since Group Policy can configure so many areas of a computer or for a user, this privilege can confer great power over a computer. The Group Policy Management Console (GPMC) from Microsoft is the tool most administrators choose to create, modify, and control GPOs. There are three primary delegations (again similar to file and folder ACLs) that you can grant over Group Policy.
- Creating GPOs
- Linking GPOs to the domain, a site, or an OU
- Editing a GPO
All of these delegations are performed inside the GPMC. Each delegation has a specific area where it can be configured, based on the scope of the delegation. For example, the creation of GPOs is domain wide, so it is done at the Group Policy Objects node in the GPMC, which can be seen in Figure 3.
Figure 3: Delegation over who can create GPOs for the domain.
Linking GPOs can only be done to a site, the domain, or an OU, so each of these nodes in the GPMC has a Delegation tab that controls who can perform that task.
Editing a GPO is per GPO, so each GPO has a delegation tab to control who can edit that GPO.
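Because each of the three delegations lives in a different place, checking them in the GPMC means visiting many Delegation tabs. This added example (not from the article) collects all three from PowerShell; it assumes the RSAT GroupPolicy and ActiveDirectory modules and takes the domain from the current session.

```powershell
# Added example, not from the article: enumerate the three Group Policy delegations described
# above from PowerShell rather than clicking through each Delegation tab in the GPMC.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules; the domain comes from the session.
Import-Module GroupPolicy, ActiveDirectory
$ADR    = [System.DirectoryServices.ActiveDirectoryRights]
$domain = Get-ADDomain
$root   = Get-ADRootDSE

# 1. Create GPOs (domain wide): Create-child on the Policies container, which is what the
#    Delegation tab of the Group Policy Objects node reads and writes.
(Get-Acl -Path "AD:\CN=Policies,CN=System,$($domain.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (($_.ActiveDirectoryRights -band $ADR::CreateChild) -ne 0) } |
    Select-Object @{n='Delegation';e={'Create GPOs'}},
                  @{n='Trustee';e={$_.IdentityReference.Value}}, IsInherited

# 2. Link GPOs (per site, domain or OU): write access to the gPLink attribute on that container.
$gpLinkBytes = (Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=gPLink)' -Properties schemaIDGUID).schemaIDGUID
$gpLink = New-Object Guid (,$gpLinkBytes)
$scopes = @($domain.DistinguishedName) +
    @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName) +
    @(Get-ADObject -SearchBase $root.configurationNamingContext -LDAPFilter '(objectClass=site)' |
        ForEach-Object DistinguishedName)
foreach ($dn in $scopes) {
    # Explicit grants only; inherited ACEs were already reported at the parent scope.
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                       (($_.ActiveDirectoryRights -band $ADR::WriteProperty) -ne 0) -and
                       ($_.ObjectType -eq $gpLink -or $_.ObjectType -eq [guid]::Empty) } |
        Select-Object @{n='Delegation';e={"Link GPOs at $dn"}},
                      @{n='Trustee';e={$_.IdentityReference.Value}}, IsInherited
}

# 3. Edit GPOs (per GPO): the Delegation tab of each GPO, exposed by Get-GPPermission.
Get-GPO -All | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        Select-Object @{n='Delegation';e={"Edit GPO '$($gpo.DisplayName)'"}},
                      @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```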
The concept of granting privileges for a Windows Server and for Active Directory is not a simple one. There are many controls that grant elevated privileges. Some privileges are small and some are quite large. In order to see all of the privileges that have been granted, you will need to look in many different areas. Unfortunately, there is no one location that shows all of the elevated privileges, so you will need to look at each area individually. Once you have checked and verified that all of the settings listed above are correct, you can have great confidence that you know who has privileges in your Windows enterprise.