Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 5
June 10, 2016
In this blog series I am covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Some vulnerabilities arise from favoring functionality over security. It is not uncommon for organizations to grant end users administrative privileges on their machines so that IT does not need to get involved every time they want to install a piece of software. It is extremely common to see administrative privileges granted so that people can install tools such as WebEx or other conferencing software.
In my attack below, I will demonstrate how the improper assignment of administrative privileges can result in a user obtaining administrative privileges when they should not have them at all. This privilege escalation attack is very common within organizations.
I have configured a system in the same way that I commonly see conference room computers configured. Because several users need to access the system, often in conjunction with conferencing software, it is common to see the Domain Users Active Directory group added to the local Administrators group.
A conference room computer with Domain Users as an administrator
For all intents and purposes, this may seem like a benign problem, because some organizations don’t see much risk in low-value systems such as conference room computers where no sensitive data is held. But if an attacker is able to obtain domain credentials, whether through phishing, password guessing, or temporary credentials issued to a vendor, the following screenshot shows how easy it is to scan for systems that grant those credentials administrative access.
Scanning for administrator privileges
Once a system is found on which the username and password carry administrative privileges, it is easy to exploit it to gain full access. Once the system has been compromised, an attacker could install key logging software to capture the credentials of anyone else who uses this shared machine, or extract the password hashes of the local accounts, which are likely to be reused throughout the organization. This would give the attacker the ability to move laterally to other machines and systems, where they may be able to perform further privilege escalation attacks or potentially obtain sensitive data.
Attacking a machine remotely with known credentials
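The misconfiguration shown above is easy to find from the defender's side as well. The following is an added example (not part of the original post) that parses the output of the Windows `net localgroup Administrators` command, collected from each host by whatever management tooling you already have, and flags members that are broad groups rather than individual admin accounts. The host names, domain name (`CORP`) and command output are constructed for the example; the output format is the one `net localgroup` actually produces, and the check generalizes beyond Domain Users to other catch-all principals (Authenticated Users, Everyone, Users, Domain Computers).

```python
import re

# Principals that should never be members of a local Administrators group.
# "Domain Users" is the case from the post; the others are just as broad.
# Compared case-insensitively against the account name after any DOMAIN\ prefix.
OVERLY_BROAD = {
    "domain users",
    "authenticated users",
    "everyone",
    "users",
    "domain computers",
}


def parse_net_localgroup(output: str) -> list[str]:
    """Return the member list from `net localgroup <group>` output.

    The command prints a header, the word "Members", a line of dashes,
    one member per line, and then "The command completed successfully."
    """
    members = []
    in_members = False
    for line in output.splitlines():
        line = line.rstrip()
        if not in_members:
            if re.fullmatch(r"-{10,}", line):
                in_members = True
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line.strip())
    return members


def overly_broad_members(members: list[str]) -> list[str]:
    """Return members whose account name is one of the catch-all groups."""
    flagged = []
    for member in members:
        name = member.split("\\", 1)[-1].strip().lower()
        if name in OVERLY_BROAD:
            flagged.append(member)
    return flagged


def audit_hosts(outputs: dict[str, str]) -> dict[str, list[str]]:
    """Map hostname -> flagged members, listing only hosts with a finding."""
    findings = {}
    for host, out in outputs.items():
        bad = overly_broad_members(parse_net_localgroup(out))
        if bad:
            findings[host] = bad
    return findings


# Constructed sample output for three hypothetical hosts in a "CORP" domain.
SAMPLE_OUTPUTS = {
    "CONF-ROOM-01": (
        "Alias name     Administrators\n"
        "Comment        Administrators have complete and unrestricted access to the computer/domain\n"
        "\n"
        "Members\n"
        "\n"
        "-------------------------------------------------------------------------------\n"
        "Administrator\n"
        "CORP\\Domain Admins\n"
        "CORP\\Domain Users\n"
        "The command completed successfully.\n"
    ),
    "WKS-042": (
        "Alias name     Administrators\n"
        "Comment        Administrators have complete and unrestricted access to the computer/domain\n"
        "\n"
        "Members\n"
        "\n"
        "-------------------------------------------------------------------------------\n"
        "Administrator\n"
        "CORP\\Domain Admins\n"
        "CORP\\wks-admins\n"
        "The command completed successfully.\n"
    ),
    "KIOSK-07": (
        "Alias name     Administrators\n"
        "Comment        Administrators have complete and unrestricted access to the computer/domain\n"
        "\n"
        "Members\n"
        "\n"
        "-------------------------------------------------------------------------------\n"
        "Administrator\n"
        "NT AUTHORITY\\Authenticated Users\n"
        "The command completed successfully.\n"
    ),
}

if __name__ == "__main__":
    for host, members in audit_hosts(SAMPLE_OUTPUTS).items():
        print(f"{host}: broad group(s) in local Administrators: {', '.join(members)}")
```

Run against real output, the script reports `CONF-ROOM-01` and `KIOSK-07` and stays silent on `WKS-042`, whose only non-default member is a dedicated admin group. The same parser works for any other local group you care about (for example `Remote Desktop Users`), since the output layout is identical.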
Again, this control starts with developing a policy. A policy should define which users need administrator access and for what purposes it will be granted. It is not uncommon for organizations to give all users local administrator access to the machines they use on a regular basis; however, this does not follow the principle of least privilege. Organizations should only grant privileges to the users who require them in order to perform their daily duties.
Minimizing the number of administrator-privileged accounts is a great first step, but it is by no means conclusive. Automated auditing tools should be configured to monitor these accounts for a couple of things. First, all administrator account usage should be logged and retained. This provides accountability for actions and also assists in forensic investigations where privileged accounts were compromised. Second, whenever a privileged account is modified, such as a password change, user creation or deletion, or activation or deactivation, it should be reported in real time to the organization’s administrators so they can determine whether the action was legitimate.
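As an added example of the two monitoring rules above (not code from the original post), here is a small classifier for Windows Security log records: privileged logons (event 4672) are kept as an accountability trail, modifications to privileged accounts (4720, 4722, 4724, 4725, 4726) and additions to privileged groups (4728, 4732) are raised as real-time alerts, and a privileged logon by an account that is not on the approved-admin list is raised too, which is exactly what the conference room attack above would produce. The event IDs are the real ones; the `CORP` domain, the host names, the approved-admin list and the event records are constructed for the example, with field names following the Security log's EventData names for these events.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list: the only accounts that are supposed to hold
# administrative rights in the hypothetical CORP domain.
APPROVED_ADMIN_ACCOUNTS = {"CORP\\jsmith-adm", "CORP\\svc-backup"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Windows Security log event IDs for the account changes the post lists.
ACCOUNT_CHANGE_EVENTS = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4725: "user account disabled",
    4726: "user account deleted",
}
GROUP_ADD_EVENTS = {
    4732: "member added to security-enabled local group",
    4728: "member added to security-enabled global group",
}
PRIVILEGED_LOGON = 4672  # special privileges assigned to new logon


@dataclass
class Alert:
    severity: str  # "high": report in real time; "info": retain for accountability
    time: str
    summary: str


def qualify(domain: str, user: str) -> str:
    return f"{domain}\\{user}"


def evaluate(ev: dict) -> Optional[Alert]:
    """Classify one event record; None means 'keep in the log, no alert'."""
    eid = ev["EventID"]
    actor = qualify(ev["SubjectDomainName"], ev["SubjectUserName"])
    when = ev["TimeCreated"]

    if eid in ACCOUNT_CHANGE_EVENTS:
        target = qualify(ev["TargetDomainName"], ev["TargetUserName"])
        if target in APPROVED_ADMIN_ACCOUNTS:
            return Alert("high", when,
                         f"{ACCOUNT_CHANGE_EVENTS[eid]}: {target} by {actor}")
        return None

    if eid in GROUP_ADD_EVENTS:
        # For 4728/4732 the group is carried in TargetUserName and the
        # new member in MemberName.
        group = ev["TargetUserName"]
        if group in PRIVILEGED_GROUPS:
            return Alert("high", when,
                         f"{ev['MemberName']} added to {group} on {ev['Computer']} by {actor}")
        return None

    if eid == PRIVILEGED_LOGON:
        # 4672 also fires for SYSTEM and machine accounts; exclude those so
        # the accountability trail stays readable.
        if ev["SubjectDomainName"] == "NT AUTHORITY" or ev["SubjectUserName"].endswith("$"):
            return None
        if actor in APPROVED_ADMIN_ACCOUNTS:
            return Alert("info", when, f"privileged logon: {actor} on {ev['Computer']}")
        return Alert("high", when,
                     f"privileged logon by unapproved account {actor} on {ev['Computer']}")
    return None


def run(events: list) -> list:
    """Evaluate a batch of records and return the alerts in order."""
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample records (simplified EventData, one dict per event).
SAMPLE_EVENTS = [
    {"EventID": 4672, "TimeCreated": "2016-06-01T08:02:11", "Computer": "CONF-ROOM-01",
     "SubjectDomainName": "CORP", "SubjectUserName": "jsmith-adm"},
    {"EventID": 4720, "TimeCreated": "2016-06-01T08:05:40", "Computer": "CONF-ROOM-01",
     "SubjectDomainName": "CORP", "SubjectUserName": "jsmith-adm",
     "TargetDomainName": "CONF-ROOM-01", "TargetUserName": "tempuser"},
    {"EventID": 4732, "TimeCreated": "2016-06-01T08:05:58", "Computer": "CONF-ROOM-01",
     "SubjectDomainName": "CORP", "SubjectUserName": "jsmith-adm",
     "TargetDomainName": "Builtin", "TargetUserName": "Administrators",
     "MemberName": "CONF-ROOM-01\\tempuser"},
    {"EventID": 4724, "TimeCreated": "2016-06-01T09:13:02", "Computer": "DC01",
     "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk1",
     "TargetDomainName": "CORP", "TargetUserName": "svc-backup"},
    {"EventID": 4672, "TimeCreated": "2016-06-01T09:30:00", "Computer": "CONF-ROOM-01",
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM"},
    {"EventID": 4672, "TimeCreated": "2016-06-01T11:47:19", "Computer": "CONF-ROOM-01",
     "SubjectDomainName": "CORP", "SubjectUserName": "bob"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.time} {alert.summary}")
```

On the sample records this yields one `info` entry (the approved admin's logon) and three `high` alerts: a new local account being added to `Administrators`, a password reset on a service account that holds admin rights, and a privileged logon by `CORP\bob`, an ordinary domain user who has admin rights only because Domain Users sits in the local Administrators group. The creation of `tempuser` itself is logged but not alerted on, since it is not a privileged account at the time it is created; it is the group addition seconds later that matters.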
It’s also important to ensure that any devices connected to the network, and any software installed on systems, have had their built-in default administrator passwords changed. It is very common to find devices and software within the organization that were configured during initial setup and never revisited. Depending on the type of device or application, this can provide an attacker with a strong foothold into a system or network.
The next post will cover CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs.