0

I was given a standard non-admin user and a workstation to perform an internal pentest assessment. To my surprise, I was able to open a cmd prompt as administrator, use psexec, and gain a SYSTEM shell, giving me local admin access. Is it normal to let standard users open elevated command prompts even if they're non-admins? If not, what would the remediation be?

sxmad

1 Answer

1

Like Robert said in the comments, this is not standard - the user will need to have been added to the local computer group "Administrators". This can be handy for some types of user who may need to admin the local machine without getting admin anywhere else. In this case you might log in as "bob" to the workstation "bobslaptop", but logging in as "bob" to "janeslaptop" won't be the same, as bob won't be in the local admins group.

Remediation is "don't add users to local admin". The most common reason for doing this is to allow users to install software that they might need - a better solution is to use a management system that can push software and settings, or worst-case a separate local-only admin account that can be used for this when needed.

  • 1
    Stacking on to "don't add users to local admin" but also "don't add Domain Administrators to local admin". There should be only one local administrator account (i.e. built-in Administrator) and its password should be looked up via LAPS https://www.microsoft.com/en-us/download/details.aspx?id=46899 – Al Longley Jun 23 '22 at 12:05
  • HashiCorp have a really cool recipe similar to LAPS if you're not an all-MS shop and want the same for your *nix machines as well as Windows: https://www.hashicorp.com/resources/painless-password-rotation-hashicorp-vault – captainmish Jun 23 '22 at 16:20
  • Thank you both. – sxmad Jun 24 '22 at 07:22
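
To check a workstation against the remediation in the answer and the first comment (only the built-in Administrator in the local Administrators group, no regular users and no Domain Admins), the following added example classifies the group's members; it is not code from the original thread. The function name `Get-LocalAdminFinding` and the sample names and SIDs are constructed for illustration; the live section assumes Windows PowerShell 5.1 with the LocalAccounts module.

```powershell
# Added example: classify members of BUILTIN\Administrators (S-1-5-32-544).
# Get-LocalAdminFinding is a hypothetical helper, not a built-in cmdlet.
function Get-LocalAdminFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Member,      # objects exposing Name, SID, ObjectClass
        [Parameter(Mandatory)] [string]   $MachineSid   # this computer's own SID prefix
    )
    foreach ($m in $Member) {
        $sid = [string]$m.SID
        if ($sid -eq "$MachineSid-500") {
            # RID 500 under the machine SID is the built-in local Administrator
            $finding = 'OK: built-in local Administrator'
        } elseif ($sid.StartsWith("$MachineSid-")) {
            $finding = 'REVIEW: additional local account is a local admin'
        } elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-512$') {
            # RID 512 under a domain SID is the Domain Admins group
            $finding = 'REVIEW: Domain Admins group is a local admin'
        } else {
            $finding = 'REVIEW: domain or other principal is a local admin'
        }
        [pscustomobject]@{
            Name        = $m.Name
            SID         = $sid
            ObjectClass = $m.ObjectClass
            Finding     = $finding
        }
    }
}

# Constructed sample data: machine SID, domain SID and account names are made up.
$sampleMachineSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sampleDomainSid  = 'S-1-5-21-4444444444-5555555555-6666666666'
$sample = @(
    [pscustomobject]@{ Name = 'BOBSLAPTOP\Administrator'; SID = "$sampleMachineSid-500";  ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'BOBSLAPTOP\setup';         SID = "$sampleMachineSid-1001"; ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins';    SID = "$sampleDomainSid-512";   ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'EXAMPLE\bob';              SID = "$sampleDomainSid-1104";  ObjectClass = 'User' }
)
Get-LocalAdminFinding -Member $sample -MachineSid $sampleMachineSid | Format-Table -AutoSize -Wrap

# Live check: runs only where the LocalAccounts cmdlets are available.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    # Any local account's SID carries the machine SID as its AccountDomainSid.
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
    $members    = Get-LocalGroupMember -SID 'S-1-5-32-544'
    Get-LocalAdminFinding -Member $members -MachineSid $machineSid | Format-Table -AutoSize -Wrap
}
```

In the constructed sample, only the first row is reported as OK; `EXAMPLE\bob` is the situation described in the question, where a standard domain user can elevate because the account sits in the local Administrators group.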