Is there a simple, quick, non-invasive Windows admin task that can be performed from a Java process to validate whether the current process is running as administrator?
I know we could run batch commands to check whether the current user is a member of the administrators group. But there are complications of portability across Vista etc.
A simple example would be:
echo. 2> %SYSTEMROOT%\EmptyFile.txt
However, this is invasive. We don't want to create files.
Any other option?
In general, you may find it a better choice to check for a specific permission rather than implying permissions from role assignments. One reason for this is that in a domain environment you may have local administrators and domain administrators. They are not necessarily equivalent. Also, even an administrator's permissions can be altered or specific file/directory permissions be "tweaked" to, for example, deny access to "localmachine\administrators".
Checking for a specific permission guarantees that, given specific user credentials, that user can or cannot perform some action, regardless of what roles they might be assigned to.
I know that doesn't answer your question, but it may help shed some light on the problem of assuming permissions from roles.
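Added example, not code from the original question or answer: two read-only ways for a Windows process to learn whether it is elevated (one usable from any process that can spawn a command, such as a Java ProcessBuilder), plus a probe for the one specific permission the answer says you should check instead of inferring it from a role. It assumes Windows PowerShell and that win.ini exists under %SystemRoot%.

```powershell
# Added example; not code from the original question or answer.
# Two read-only ways for a process to learn whether it is elevated, plus a probe for one
# specific permission (the answer's advice) that neither creates nor modifies anything.

function Test-IsElevated {
    # Token check: is BUILTIN\Administrators present and enabled in the current token?
    # A non-elevated admin under UAC carries the group as deny-only, so this returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsElevatedByProbe {
    # Fallback usable from anything that can spawn a command (e.g. Java's ProcessBuilder):
    # HKU\S-1-5-19 is the LOCAL SERVICE hive and only elevated callers may read it.
    # reg.exe only reads; the exit code is the whole signal, and the hive predates Vista.
    & reg.exe query 'HKU\S-1-5-19' 2>$null | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-WriteAccess([string]$Path) {
    # Check the permission you actually need: opening an EXISTING file for write without
    # writing to it creates nothing and changes no content.
    # $true / $false is a definite verdict; $null means the probe was inconclusive.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $true
    } catch [UnauthorizedAccessException] {
        return $false
    } catch [IO.IOException] {
        return $null    # sharing violation or similar, not a permission verdict
    }
}

# Usage: win.ini is an existing admin-writable file, so it serves as a write-permission probe.
"Elevated (token):     $(Test-IsElevated)"
"Elevated (reg probe): $(Test-IsElevatedByProbe)"
"Write to win.ini:     $(Test-WriteAccess (Join-Path $env:SystemRoot 'win.ini'))"
```

From Java, the second check is just a ProcessBuilder running `reg query HKU\S-1-5-19` and testing for exit code 0, with no file ever written.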
I am running a Windows 2016 server; we are running IIS 10 on it and I need to be able to assert whether there is an AppPool set up before I deploy a website. If it doesn't exist I need to set up the AppPool with a specific user and password.
All of this is done using a release agent through Azure DevOps.
The agent is running as a NON-ADMIN, and all accounts involved are running as NON-ADMIN. I have no intention at all to run any admin accounts; for security reasons I want to give least privileges to all accounts involved.
When I try to set up an AppPool using appcmd.exe I get the error message:
KeySet does not exist.
When running everything as admin it works (and I have absolutely no intention of running any of this as admin).
What I have tried:
I have added the non-admin account to the IIS_IUSRS group.
Made sure that the user has read permissions to the file 76944fb33636aeddb9590521c2e8815a_GUID in the %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys folder.
I have tried everything here: Error when you change the identity of an application pool by using IIS Manager from a remote computer
Anyone that actually knows the cause of this problem?
UPDATE:
Microsoft clearly recommends that agents should be run using service accounts, which I am doing, and I have no interest in giving build agents administrative rights to 1000s of servers when they clearly don't need that kind of power. I want to restrict their powers to only be allowed to do what they need to do. I can't believe that giving everything admin is apparently the norm.
After a lot of googling, and I mean A LOT, I managed to solve this. And let me say that it baffles me that "least privileged accounts" is not common practice in the Microsoft and Windows world.
I found this excellent post by InfoSecMike on locking down Azure DevOps pipelines.
And we both have the exact same requirements and opinions on this topic.
You CLEARLY don't need admin rights to update IIS configurations (because that would be insane, right!?). The IIS configuration API does not care what rights you have; what you do need is access to certain files. But this is not documented. Microsoft themselves, just for simplicity, tell you that you need to be admin, and bury all the details really deep in documentation when this should be best practice. Also what amazes me is that no one questions it.
What you need is the following:
full access to C:\Windows\System32\inetsrv\Config
full access to C:\inetpub
read access to three keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
6de9cb26d2b98c01ec4e9e8b34824aa2_GUID (iisConfigurationKey)
d6d986f09a1ee04e24c949879fdb506c_GUID (NetFrameworkConfigurationKey)
76944fb33636aeddb9590521c2e8815a_GUID (iisWasKey)
The first two bullet points can be obtained if you make sure your service account is a member of the group IIS_IUSRS.
This group will not give you access to the keys. You need to manually give read permissions to these 3 keys to the agent user.
If you don't give access to these keys you will get the obscure error message
Keyset does not exist (exception from HRESULT: 0x8009000D)
Which is an incorrect error if you ask me, as it should be an IllegalAccessException with a proper reason telling you that you don't have access to read the key, because the keys are there; they do exist (nice code, Microsoft; maybe you should open source this so we can fix it).
I'll leave you with this quote from InfoSecMike.
The goal was to lock down the permissions of the Azure Pipeline Agent {...}. I started Googling, pretty sure I would find a way to achieve this goal. I didn’t. It’s surprising to not find an answer about this. It seems like the principle of least privilege does not apply anymore in a devops world.
This is why i prefer Linux over Windows. This is a simple task there.
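Added example, not code from the original post or from InfoSecMike: a provisioning script that grants a non-admin pipeline agent exactly the rights the post lists (IIS_IUSRS membership plus Read on the three MachineKeys files) and then verifies them. It runs once, elevated, at provisioning time; 'CONTOSO\svc-agent' is a placeholder for the service account.

```powershell
# Added example, not from the original post: grant a non-admin pipeline agent exactly the
# rights listed above and nothing more. Run once, elevated, at provisioning time.
# 'CONTOSO\svc-agent' is a placeholder for the service account.
param([string]$Account = 'CONTOSO\svc-agent')

$machineKeys = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'
# The three key containers named above: iisConfigurationKey, NetFrameworkConfigurationKey, iisWasKey
$keyFiles = @(
    '6de9cb26d2b98c01ec4e9e8b34824aa2_GUID',
    'd6d986f09a1ee04e24c949879fdb506c_GUID',
    '76944fb33636aeddb9590521c2e8815a_GUID'
)

# Step 1: IIS_IUSRS membership covers inetsrv\Config and C:\inetpub.
try {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $Account -ErrorAction Stop
} catch [Microsoft.PowerShell.Commands.MemberExistsException] {
    Write-Verbose "$Account is already in IIS_IUSRS"
}

# Step 2: read-only (R) on each key file. Not the folder, not Modify, not Full.
foreach ($name in $keyFiles) {
    $path = Join-Path $machineKeys $name
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "key file missing: $path"; continue }
    & icacls.exe $path /grant "${Account}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path (exit $LASTEXITCODE)" }
}

# Step 3: verify. Each file should now show a Read entry for the account and nothing broader.
foreach ($name in $keyFiles) {
    (Get-Acl -LiteralPath (Join-Path $machineKeys $name)).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{n='File'; e={ $name }}, FileSystemRights, AccessControlType
}
```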
I have the following scenario:
In the company almost all of the computers work in a domain. There are two admins with absolutely all permissions. Obviously, when software is required on one of the computers, one of the sysadmins must go and enter his credentials and password.
So here starts the problem: with one of the admins everything works normally, but with the other user it's impossible. It says that the operation requires permission elevation, and I insist that both users have exactly the same permissions.
Anyone have an idea what could be wrong?
Thanks in advance.
Let me see if I understand this. The first admin has no issues installing software, but the second admin does have issues (User Account Control Dialog box popping up). In what way have you determined they have the same permissions? Rather than answer that, just run through this checklist until you (or they) find the difference between their privileges and then correct it.
Compare the group memberships of their two accounts. One may be a Domain Admin, while the other might actually not be one, thus accounting for the UAC dialog box popping up.
If the above shows no differences, then compare a Resultant Set of Policy report between the two of them. This means when the first admin logs in, have him/her run this command: gpresult /H C:\Admin1.html
When the 2nd admin logs in, run a fresh report for him/her using gpresult /H C:\Admin2.html, then compare that to the first report, and act on any difference you see related to permissions:
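Added example, not code from the original answer: the group-membership step of the checklist done on data rather than by eye. Each admin runs `whoami /groups /fo csv > C:\<name>-groups.csv` while logged on; the script then diffs the two token group lists and also reports how BUILTIN\Administrators appears in each, which is what decides whether UAC shows a consent click or asks for someone else's credentials. The CSV paths are placeholders.

```powershell
# Added example, not from the original answer. Each admin first runs, while logged on:
#   whoami /groups /fo csv > C:\<name>-groups.csv
# The CSV columns are "Group Name","Type","SID","Attributes". File names below are placeholders.

function Get-TokenGroups([string]$CsvPath) {
    Import-Csv -LiteralPath $CsvPath
}

function Compare-TokenGroups([string]$CsvA, [string]$CsvB) {
    # Groups held by one token and not the other, e.g. Domain Admins, which nests into
    # BUILTIN\Administrators on every domain-joined machine.
    $a = Get-TokenGroups $CsvA
    $b = Get-TokenGroups $CsvB
    Compare-Object -ReferenceObject $a -DifferenceObject $b -Property SID -PassThru |
        Select-Object 'Group Name', SID,
            @{n='OnlyIn'; e={ if ($_.SideIndicator -eq '<=') { $CsvA } else { $CsvB } }}
}

function Test-AdminEntry([string]$CsvPath) {
    # How BUILTIN\Administrators (S-1-5-32-544) shows up tells you which UAC behaviour to expect:
    #  - absent: not an administrator on that machine, so UAC asks for other credentials
    #  - present with "Group used for deny only": an admin whose token is UAC-filtered (consent prompt)
    #  - present and enabled: the process was already elevated when whoami ran
    $admins = Get-TokenGroups $CsvPath | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $admins) { return 'not a member of Administrators' }
    if ($admins.Attributes -match 'deny only') { return 'member, token filtered by UAC (deny-only)' }
    return 'member, group enabled (elevated)'
}

Compare-TokenGroups 'C:\Admin1-groups.csv' 'C:\Admin2-groups.csv' | Format-Table -AutoSize
'Admin1: ' + (Test-AdminEntry 'C:\Admin1-groups.csv')
'Admin2: ' + (Test-AdminEntry 'C:\Admin2-groups.csv')
```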
I have 2 processes. One of them is running under an admin account, the second under a user account with no permissions to admin processes. They need to see each other and compare the paths from where these processes were executed. But the first (user) process can't get the path of the second process. Getting the path using CreateToolhelp32Snapshot -> OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION) -> QueryFullProcessImageName is not applicable because it works in Vista, Win7 and higher, and I need a solution for lower versions of Windows.
So, how can I give permissions for the user process to see the path of the admin process, or how can I share privileges of the admin process with the user using Access Tokens or using SetNamedSecurityInfo?
Using Delphi is desirable.
You can alter this, yes (*), but you really should reconsider your logic. For example, the admin process can open a shared MMF with a predefined name and store any information you need. You can share this MMF with any user or group you want (you should consider giving read-only access only). This is much safer than opening the entire process to the outside world.
(*) In the admin process: OpenProcess, get the token and security descriptor, modify the DACL to include the new right for the desired user account or group, set the token/SD back.
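Added example, not code from the original answer (which targets Delphi/Win32): the same design, a named MMF with an explicit DACL, written against the .NET Framework wrapper over CreateFileMapping so it runs in Windows PowerShell 5.1. The admin side publishes its own image path and grants the limited account Read only; 'CONTOSO\limited' and the map name are placeholders.

```powershell
# Added example, not from the original answer. Admin side publishes its image path in a named
# MMF whose DACL grants one limited account Read and nothing else; the limited side reads it.
# 'CONTOSO\limited' and the map name are placeholders. Requires .NET Framework (PowerShell 5.1).
Add-Type -AssemblyName System.Core
$mapName  = 'Global\ExampleAdminPath'  # Global\ needs SeCreateGlobalPrivilege, which the admin side has
$reader   = New-Object System.Security.Principal.NTAccount('CONTOSO\limited')
$self     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$rights   = 'System.IO.MemoryMappedFiles.MemoryMappedFileRights'
$ruleType = "System.Security.AccessControl.AccessRule[$rights]"
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

function Publish-Path {
    # Explicit DACL: the creator keeps full control, the limited account gets Read and nothing else.
    # No Everyone entry, so this one mapping is the only thing exposed, and readers cannot modify it.
    $sec = New-Object System.IO.MemoryMappedFiles.MemoryMappedFileSecurity
    $sec.AddAccessRule((New-Object -TypeName $ruleType -ArgumentList $self,   ([IO.MemoryMappedFiles.MemoryMappedFileRights]::FullControl), $allow))
    $sec.AddAccessRule((New-Object -TypeName $ruleType -ArgumentList $reader, ([IO.MemoryMappedFiles.MemoryMappedFileRights]::Read), $allow))
    $mmf = [IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($mapName, 4096,
        [IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWrite,
        [IO.MemoryMappedFiles.MemoryMappedFileOptions]::None, $sec, [IO.HandleInheritability]::None)
    $payload = [Text.Encoding]::Unicode.GetBytes((Get-Process -Id $PID).Path)
    $view = $mmf.CreateViewStream()
    $view.Write([BitConverter]::GetBytes([int]$payload.Length), 0, 4)  # length prefix, then UTF-16 path
    $view.Write($payload, 0, $payload.Length)
    $view.Flush(); $view.Dispose()
    return $mmf   # keep this object alive for as long as readers may need the mapping
}

function Read-PublishedPath {
    # Limited side: asks for Read only. Asking for ReadWrite would fail with access denied.
    $mmf  = [IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($mapName, [IO.MemoryMappedFiles.MemoryMappedFileRights]::Read)
    $view = $mmf.CreateViewStream(0, 0, [IO.MemoryMappedFiles.MemoryMappedFileAccess]::Read)
    $len  = New-Object byte[] 4
    [void]$view.Read($len, 0, 4)
    $buf  = New-Object byte[] ([BitConverter]::ToInt32($len, 0))
    [void]$view.Read($buf, 0, $buf.Length)
    $view.Dispose(); $mmf.Dispose()
    return [Text.Encoding]::Unicode.GetString($buf)
}
```

Run Publish-Path in the elevated process and keep its return value in scope; Read-PublishedPath then works from a process running as the limited account, and from nobody else.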
Not sure if it's possible, but this is the scenario:
A 'background' process writes to a log for its 'own' use. The same file is 'shared' across ALL users.
QUESTION:
Can I assign read/write/delete etc. rights to a specific PROGRAM as opposed to a USER (currently forced to set it to all)? Although the file itself is 'hidden', it would be preferable that no one could fiddle with it, including directories etc. Can Windows make such a distinction, and if so how?
The Unix way of dealing with such a problem is to create a special user (named after the program or service in question), and set the file access rights of the file to this specific user.
AFAIK when I set up my Azure roles I have only one way to specify how many privileges the process running role code will have: by using the <Runtime executionContext> XML tag.
However this looks coarse grained. If I specify "elevated" my code runs under "Local system", which has unlimited privileges, and if I specify "limited" my code runs under some low-privilege user that doesn't have the privileges my code needs.
Is there some convenient way to run Azure role code under some custom user that has limited privileges that I myself would control?
Right now, your code will already run as a limited user. In fact, there are no users on the VM - it is using a SID injection technique to get a security context at all. From your question, it seems like you need more than a normal user, but less than an admin?
If you really want to have different permissions, you need to create some users (use Startup tasks and net add or DirectoryServices) and set permissions. All of this is scriptable.
The more challenging part comes now to run your code as that user. For this, you need to do what is called impersonation. Your more privileged code (an admin process typically) can obtain a token for a local user and use that to impersonate a user. The code then runs as the user and is restricted. Impersonation is a well covered topic in .NET and other languages.
If you want a clever example of running code as another user, check this post by David Aiken:
http://www.davidaiken.com/2011/01/19/running-azure-startup-tasks-as-a-real-user/