Once you give away the farm, you can’t take it back: Recovering from a rogue administrator
A security vulnerability report arrived that went roughly like this:
- Create a new user “Attacker” with Administrator privileges.
- Log in as “Attacker”.
- While logged in as “Attacker”, browse to a folder that requires Administrator privilege.
- When Explorer tells you that you don’t have access, click “Continue” to gain access.
- Log out as “Attacker”.
- Log in with another administrator account.
- Change the account type of “Attacker” from “Administrator” to “Standard user”.
- Log back in as “Attacker” and browse to those same folders.
- Notice that the Attacker has retained access to the folders, even though the Attacker is no longer an administrator.
This story is all accurate, but is there a security vulnerability?
Let’s go through the usual questions.
Who is the attacker? The attacker is the user we called “Attacker”.
Who is the victim? The victim is the other administrator who created the “Attacker” account and then later reduced the “Attacker” account’s privileges to Standard User.
What has the attacker gained? The attacker gained persistent access to resources.
But wait, this all assumes that the attacker was able to log on as the Attacker account and exercise its Administrator powers. The attacker is an administrator on the system. You have already lost!
Once you let the attacker into your system with administrator privileges, they can do all sorts of things to establish persistent access. They can add themselves to the security descriptors of various resources. They can plant a backdoor that gives them an administrative command prompt. They can install malware that steals passwords.
In fact, they can even patch the “Remove a user from the Administrator group” user interface code so that it says “Yup, totally removed Attacker from the Administrator group” without actually doing it.
Once you give away the farm, you can’t take it back. It’s gone.
Note that the system did ask an administrator for permission to grant the Attacker account permanent access to the folder. The prompt from Explorer says, “You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder,” and the Continue button requires administrator privileges. So it requires administrator privileges to gain persistent access to a folder. Fortunately, there’s an administrator right there to grant that privilege: The Attacker!
Once you let a bad person become an administrator, you have lost the game. It is essential that you give administrator privileges only to people you trust.
The user interface to remove someone from the Administrator group does what it says on the tin: The user is removed from the Administrators group. But that is not sufficient to clean up behind a rogue administrator, because you haven’t cleaned up all the backdoors the rogue administrator may have planted while they still had administrator privileges. And you may never be sure that you found them all. As the philosopher Ellen Ripley put it, “Nuke the entire site from orbit. It’s the only way to be sure.”
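The one backdoor the report above actually exercised is an explicit ACE that Explorer’s “Continue” button wrote onto the folder for the clicking account, which survives the account’s demotion. The script below is an added example, not part of the original post: it walks a directory tree and reports (and optionally removes) every non-inherited ACE that names a given principal, matching by SID so that a renamed or already-deleted account is still found. The function and parameter names (`Find-ExplicitAce`, `-Path`, `-Principal`, `-Remove`) and the sample path are assumptions for illustration; the page does not state which access mask Explorer grants, so the script reports whatever rights it finds rather than assuming Full Control. It needs an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): find the ACE footprint left behind by
# Explorer's "Continue" button for one account, optionally removing it.
# Assumptions: Windows PowerShell with the built-in Get-Acl / Set-Acl cmdlets,
# run from an elevated prompt. Function and parameter names are illustrative.
function Find-ExplicitAce {
    param(
        [Parameter(Mandatory)] [string] $Path,       # root of the tree to audit
        [Parameter(Mandatory)] [string] $Principal,  # "COMPUTER\Attacker" or an "S-1-5-..." SID string
        [switch] $Remove                             # also strip the matching ACEs
    )

    # Compare by SID: a renamed account still matches, and a deleted account can be
    # given as its raw SID (which is how orphaned ACEs show up in the ACL).
    if ($Principal -match '^S-1-') {
        $targetSid = [System.Security.Principal.SecurityIdentifier] $Principal
    } else {
        $targetSid = ([System.Security.Principal.NTAccount] $Principal).Translate(
            [System.Security.Principal.SecurityIdentifier])
    }

    # Include the root itself; Get-ChildItem alone would skip it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }
        $changed = $false

        foreach ($ace in @($acl.Access)) {
            if ($ace.IsInherited) { continue }   # only ACEs set directly on this object

            try {
                $aceSid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier])
            } catch { continue }                 # unresolvable identity: not our target

            if ($aceSid -ne $targetSid) { continue }

            [pscustomobject]@{
                Path   = $item.FullName
                Type   = $ace.AccessControlType   # Allow / Deny
                Rights = $ace.FileSystemRights
            }

            if ($Remove) {
                [void] $acl.RemoveAccessRule($ace)
                $changed = $true
            }
        }

        if ($changed) {
            try { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
            catch { Write-Warning "Could not rewrite ACL on $($item.FullName): $_" }
        }
    }
}

# Example usage (the path and account name are placeholders for this example):
# Find-ExplicitAce -Path 'C:\SensitiveFolder' -Principal "$env:COMPUTERNAME\Attacker"
# Find-ExplicitAce -Path 'C:\SensitiveFolder' -Principal "$env:COMPUTERNAME\Attacker" -Remove
```

Run it without `-Remove` first and read the list; a Deny ACE or a grant to a service account can look just like the attacker’s leftovers. And treat a clean result as necessary, not sufficient: this only covers the permission backdoor the report happened to use, not scheduled tasks, services, credential theft or patched binaries, which is the article’s point about why demotion alone is not a cleanup.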
You granted the user access to the folder.
And then were confused when the user had access to the folder.
Persistent access is rarely what the user actually wants; most of the time they just want to fiddle with a single file just this once. It would have been nice if Explorer asked you if you just want to launch an elevated window instead.
Of course, we are told that Explorer couldn’t run an elevated window, because there was only one Explorer, and everything was a flyweight around it. So either all Explorer was administrative, or none of it was.
I don’t know how true that was, or still is — I mean, the file permissions dialog seems to be able to elevate itself and I always thought that was baked into Explorer — and it was certainly possible to get an elevated Explorer, if you don’t mind borrowing it from an elevated app’s Open File dialog.
But it’s what we were told.
In any case, that “Continue to gain access” dialog is so very destructive. There is nothing worse than crafting a meticulous ACL around a set of sensitive folders, only for some other equally-privileged, painfully-unqualified, yet unfortunately-senior colleague to trample all over it with that bloody button.
That there isn’t GPO/registry that allows you to disable it is the real crime.
I found what most people want is an elevated explorer window rather than granting permissions.
It’s more like a footgun security issue rather than a true attack: operating the system in the most obvious way creates unintended security problems.
When I worked at the department of water resources, there was some software that had to be installed as administrator but also as the user who would be using it. So we did it the most obvious way: took the user’s laptop (which we needed to install), granted that user admin, logged in as the user, installed the software, logged out, logged in as our own account and took administrator away.
In those days it would have been tricky to set us up a bomb on the user’s account; but it wouldn’t have mattered much if they did; local admin was always available to them by the most basic methods of parallel booting.
I agree. When I see this dialog box I think “what do you mean ‘no access’? Do you know who I am? I’m the admin, I have access everywhere. Continue! See? I do have access.” and the box says nothing about “Continue” modifying permissions. Something like “ignore the ‘no entry’ sign rather than take it down”.