IN2Windows: Case of the Unexplained Access Denied
2013-05-19 15:47
232 查看
We received a strange case in April which is about "access denied" encountered when user tries to connect to a file share with a local admin account. In this case study, I will use a simplified and abstracted model from original case, to show you more details of the problem.
What's the problem?
Suppose there's a Windows 2012 server called "MLSDATA", and it has a local account named "test", which has admin rights. If you try to connect to \\MLSDATA\D$ with its local account "test", you will be prompted to input credentials more than once, and it will show "Access denied" at the same time. If we connect through CMD window, we can see something like this:
What did we do to investigate?
We called corporate IT helpdesk to check if they have any known solutions. They said they had received such kind of cases, but there's no escalation path, and they think it should be sporadical glitches, and they don't know under what kind of conditions this problem will happen. Emm… Since our customer said this problem happens on every new server on their team, I believe there must be a reason, so we did more tests.
Queried IPSec enforcement, and all of the servers were enforced with IPSec policy.
Tested with corporate (domain) credentials, and those work fine.
Tested with server local account (even with accounts that have admin rights), do not work.
Examined security logs, user authentication used NTLMv2, authentication passed, IPSec connections in the context worked fine, and local account accessed IPC$ named pipe successfully. But accessing administrative share "D$" was not even logged.
We can see the user's network logon gained privileged tokens like SeTakeOwnershipPrivilege, it should have admin rights.
We manually created a new share on drive D: and named this share as "D", then used local account "test" to access \\mlsdata\D, and this worked.
We used Remote Desktop to connect to that server with server local account "test", worked.
Based on all the tests we performed, we believe the problem is not an authentication issue because we saw user get appropriate security tokens, but something just happened in the authorization check phase. We can conclude this issue like this: There might be some restrictions implemented to restrict local user from accessing administrative shares remotely.
What we found later?
In the next day, an idea suddenly struck me that UAC might restrict admin users' rights according to LUA principles. But I was not very sure, because if the user is restricted, the user won't gain some of those security tokens. Maybe there's a technique that filtered user's tokens when system does authorization check to see if the user should access the hidden administrative share "D$".
And finally we found this:
To better protect users who are members of the local Administrators group, UAC restrictions are implemented on the network. This helps protect against "loopback" attacks and helps prevent local malicious software from running remotely with administrative rights. http://technet.microsoft.com/en-us/library/ee844186(v=ws.10).aspx
According to this article, we just created a new registry key called "LocalAccountTokenFilterPolicy" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and assigned a value of "1". And then rebooted the server. After that, everything works fine.
And we found more…
Since it is UAC that implemented this restriction, I believe that turning UAC off can always help solve this problem. I turned UAC off on Server 2012 through UI, and rebooted. But after it boots up, I see there's no effect. I launched a CMD window, and it's still running in a protected admin context with less security tokens. So I search the Internet, and found we need to use registry keys to turn UAC off on server 2012.
They key is called "EnableLUA", and is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system. To turn UAC off, we need to change the value from 1 to 0.
The trends
We can see that Windows team believe UAC is an effective technique to help reduce risks caused by privileged user rights, though UAC is not a security boundary (because it can be bypassed somehow). And it seems that they will continue to implement and improve UAC in next generations of Windows and Windows Server.
Since this time we see the UAC is mandatorily enforced in Windows Server 2012 UI, I think this is a trend, and will be implemented primordially in Windows server and client later. (If one day it will be less annoying to users, I think it will enforce implementation on client OS.)
Well, last but not least, we encourage people to use corporate credentials in corporate IT environment.
What's the problem?
Suppose there's a Windows 2012 server called "MLSDATA", and it has a local account named "test", which has admin rights. If you try to connect to \\MLSDATA\D$ with its local account "test", you will be prompted to input credentials more than once, and it will show "Access denied" at the same time. If we connect through CMD window, we can see something like this:
What did we do to investigate?
We called corporate IT helpdesk to check if they have any known solutions. They said they had received such kind of cases, but there's no escalation path, and they think it should be sporadical glitches, and they don't know under what kind of conditions this problem will happen. Emm… Since our customer said this problem happens on every new server on their team, I believe there must be a reason, so we did more tests.
Queried IPSec enforcement, and all of the servers were enforced with IPSec policy.
Tested with corporate (domain) credentials, and those work fine.
Tested with server local account (even with accounts that have admin rights), do not work.
Examined security logs, user authentication used NTLMv2, authentication passed, IPSec connections in the context worked fine, and local account accessed IPC$ named pipe successfully. But accessing administrative share "D$" was not even logged.
We can see the user's network logon gained privileged tokens like SeTakeOwnershipPrivilege, it should have admin rights.
We manually created a new share on drive D: and named this share as "D", then used local account "test" to access \\mlsdata\D, and this worked.
We used Remote Desktop to connect to that server with server local account "test", worked.
Based on all the tests we performed, we believe the problem is not an authentication issue because we saw user get appropriate security tokens, but something just happened in the authorization check phase. We can conclude this issue like this: There might be some restrictions implemented to restrict local user from accessing administrative shares remotely.
What we found later?
In the next day, an idea suddenly struck me that UAC might restrict admin users' rights according to LUA principles. But I was not very sure, because if the user is restricted, the user won't gain some of those security tokens. Maybe there's a technique that filtered user's tokens when system does authorization check to see if the user should access the hidden administrative share "D$".
And finally we found this:
To better protect users who are members of the local Administrators group, UAC restrictions are implemented on the network. This helps protect against "loopback" attacks and helps prevent local malicious software from running remotely with administrative rights. http://technet.microsoft.com/en-us/library/ee844186(v=ws.10).aspx
According to this article, we just created a new registry key called "LocalAccountTokenFilterPolicy" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and assigned a value of "1". And then rebooted the server. After that, everything works fine.
And we found more…
Since it is UAC that implemented this restriction, I believe that turning UAC off can always help solve this problem. I turned UAC off on Server 2012 through UI, and rebooted. But after it boots up, I see there's no effect. I launched a CMD window, and it's still running in a protected admin context with less security tokens. So I search the Internet, and found we need to use registry keys to turn UAC off on server 2012.
They key is called "EnableLUA", and is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system. To turn UAC off, we need to change the value from 1 to 0.
The trends
We can see that Windows team believe UAC is an effective technique to help reduce risks caused by privileged user rights, though UAC is not a security boundary (because it can be bypassed somehow). And it seems that they will continue to implement and improve UAC in next generations of Windows and Windows Server.
Since this time we see the UAC is mandatorily enforced in Windows Server 2012 UI, I think this is a trend, and will be implemented primordially in Windows server and client later. (If one day it will be less annoying to users, I think it will enforce implementation on client OS.)
Well, last but not least, we encourage people to use corporate credentials in corporate IT environment.
相关文章推荐
- IN2Windows: Case of the Unexplained Access Denied
- Potential causes of the "SQL Server does not exist or access denied" error message
- error: (-5) in the case of classification problem the responses must be cate
- White Paper: Understanding the Relative Costs of Client Access Server Workloads in Exchange Server
- The object of type 'RectTransform' has been destroyed but you are still trying to access it
- The rxfastforest algorithm case of kaggle
- Comparision Among The Access Speed Of Cache , Memory And Disk
- 解决Windows7Windows2K8下的"Windows Cannot Connect To The Printer. Access is Denied"
- Tomcat404错误:All URLs used to access the Manager application should now start with one of the followi
- HTTP Status 403 - Access to the requested resource has been denied
- The target assembly contains no service types. You may need to adjust the Code Access Security policy of this assembly." 目标程序集不包含服务类型。可能需要调整此程序集的代码访问安全策略。
- The coverage of test case
- Case of the Zeros and Ones
- windows下Mysql数据库安装错误解决方案Install/Remove of the Service Denied
- 16 Which statement most accurately describes the implementation of a SQL Access Advisor recommendati
- 找规律/贪心 Codeforces Round #310 (Div. 2) A. Case of the Zeros and Ones
- SharePoint 爬网错误:Access is denied. Check that the Default Content Access Account has access to this content && 本机无法访问moss 站点
- 安装mysql服务出现Install/Remove of the Service Denied!错误
- 当尝试从ArcCatalog、.net应用或是Java应用中连接ArcGIS Server 时,显示下面任何一种错误提示: "Access Denied" 或 "The connection could not be made"
- 上传自己的镜像被拒绝denied: requested access to the resource is denied