Tuesday, March 21, 2017

Prevent interactive logon of Local Admins - Only allow UAC elevation

Hi again!

I've been asked this many times: "How can I block interactive logon of an admin account so they would just be able to use UAC?"

This is a good point as this will:

  • Allow a user to use UAC-prompt to authorize admin procedures
  • Not allow the user to actually start logging on as that user (as a convenience for themselves)
Windows does not allow separating a "UAC-only logon" from a full interactive logon, which is annoying as this would be great. So I can block the interactive logon, but then the UAC prompt won't work either, and if I want to allow UAC then they can always log on interactively as well.

My trick for making this happen is to use AppLocker/SRP to block them from using Explorer.exe or Task Manager. When they log on they get an empty screen with no ability to do anything. You could replace it with launching a custom shell as well, and that shell would just show a note: "You are not allowed to logon interactively with this user!!"

So these are the rules I use:
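An added example, not the rules from the original post: one way to express the trick as an AppLocker policy in PowerShell. It denies explorer.exe and Taskmgr.exe to members of the local Administrators group (SID S-1-5-32-544) and keeps default-style allow rules for everyone else, because an enforced collection with only deny rules would block everything. The rule GUIDs are placeholders and the policy is assumed to be applied locally on a machine where the Application Identity service can run.

```powershell
# Added example (not the post's own rules). Deny rules win over allow rules in
# AppLocker, so an admin who logs on interactively gets a desktop with no shell
# and no Task Manager, while UAC elevation from a standard user's session still works.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Default-style allow rules so enforcement does not block everything -->
    <FilePathRule Id="a0000000-0000-0000-0000-000000000001" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a0000000-0000-0000-0000-000000000002" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- Deny the shell and Task Manager to local Administrators only (placeholder rule GUIDs) -->
    <FilePathRule Id="d0000000-0000-0000-0000-000000000001" Name="Deny Explorer to local admins" Description="" UserOrGroupSid="S-1-5-32-544" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\explorer.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="d0000000-0000-0000-0000-000000000002" Name="Deny Task Manager to local admins" Description="" UserOrGroupSid="S-1-5-32-544" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\Taskmgr.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'deny-admin-shell.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing: the admin group should come back as Denied,
# the built-in Users group (S-1-5-32-545) as Allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\explorer.exe" -User 'S-1-5-32-544'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\explorer.exe" -User 'S-1-5-32-545'

# Merge into the local AppLocker policy (elevated prompt) and make sure the
# enforcement service is running, otherwise the rules are never evaluated.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service -Name AppIDSvc
```

Test against a non-production account first: the same deny rule applies to any member of the group, including the account you are using to administer the box.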

Sunday, March 19, 2017

The Fuzz about Terminal Services Session Hijacking


I just wanted to take a short moment and tell everyone on my blog about the latest news about TS Session hijacking. Mainly noted here: http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

My two cents on this: "Calm down, Spread out, nothing to see here!"

This is a normal feature of the OS that I use daily on my lab server that my students use VMs on. The OS is the same for the server and the client below the surface, so you can do this on a client or a server for that reason. This "Feature" is known as shadowing.

Here's a few screen shots where I "HIJACK" a session and do "PRIVILEGE ELEVATION!!"

So any Admin can do this not just SYSTEM and not just with a Service.

With SYSTEM you get the privilege of attaching to disconnected sessions - that is a nice bonus. Just remember, if you want to show the session hijack thing it's a lot easier by running PSEXEC -SID TASKMGR.exe
Then go to the Users tab and choose who you want to be. No service needed and it works on all OS versions.

Also a good point once again that you can't allow Domain Admins to log on to normal workstations, as the workstation could be compromised and someone could use this trick against them.



Found a BUG in Windows Defender Anti-Tampering


You should never log on to your Windows 10 as an Admin - you know I think so. Now it was just so amazingly funny when Avecto called me and asked me to do a webinar on this, which I delivered this week on Thursday. Like I (sadly) often do, I just looked at what I was supposed to talk about a few days before primetime :) I then realized it said "Sami will show how to disable anti-malware"... Oops... I didn't really know exactly how to do it as I haven't tried to block Windows Defender in a long time. Microsoft has done a good job with the Anti-Tampering anyway, so I was honestly a bit worried...

Then I told myself what I keep telling you: "If you are an Admin you can do whatever you want anyway". And sure enough, it took me like 5 minutes to come up with a way to totally block Defender. No, not just make it silent in the background, I mean really block it :)

Here is a video on how to do it:

How to mitigate? Don't run as an admin!

Thursday, March 9, 2017

How I Choose Speakers and Sessions

A bit different topic this time. If you are not interested in how a topic gets on your conference agenda catalog or how I evaluate potential speakers then this post is probably not for you.

I am writing this because I get to choose sessions and speakers for the TechMentor conference, which I am honored to be given the responsibility of being a Chair for. Here is the link for proposals - so after reading it's time to head over here: https://live360events.com/pages/call-for-presentations.aspx

This is a list of things that came to my head just now and might not be that well organized:

What I look for when choosing speakers/sessions:

  • Videos. Videos. Videos. If you need to prove you can speak at my conference you are best off if you can point to a video of you presenting (or I have seen you speak). If you need one tool to get into conferences it's this! Speak at a user group meeting and have a friend record it - I need to see you and hear you, that's all. Written material like books and blogs is important, but it usually won't get you in as the only proof, as I need to know if I can put you in front of an audience. Without a book on the other hand - you can easily get in (I've never written one - yet)
  • Bio. I want to know what you've done both as a speaker but also in practice. If you've done big projects that you are proud of, tell me. This Bio needs to be easy to sell to attendees as well, not just to convince me. And I do need a picture. Every Speaker needs to start somewhere, so go to user groups and present, then come back to me with a video. I've got a soft spot for new speakers as TechMentor was the first global conference I've ever spoken at (thanks to Greg Shields for betting on me).
  • Topic. I read the names of the sessions, hundreds of them, and make up my mind whether I'm gonna read the description more closely. I need the topic to be sexy but also tell what it is about. The topic doesn't need to be about Windows 10 or Server 2016 in my case. I build conferences that teach how to do things right, in practice. So I'd be happy to know how you've done a successful IPv6 implementation as it is something people need and it's actually doable, but I don't want to hear you guess on how you pretend to know how Windows 10 can be better managed without Group Policy using only MDM. Give me facts, not fiction. General sessions like "What's new in Windows 10 build 17540" will always get a few slots - not my favorite but I need them as well. When I know you can't know in practice how these work I need to pick these more based on the speaker. That said, it does mean you can get in by being a good Speaker or just by posting a great topic - either might work.
    • In TechMentor the stuff you show (not regarding the What's new -sessions) NEEDS TO WORK AND BE APPLICABLE NOW! I want to know how to do things in practice (read NO MARKETING SLIDES). 50% of people use Windows 7 so I'm fine if you want to talk about that as long as you are not the ones who say you are not planning to move to Windows 10. So I look for real life experience with the mentality of willingness to change and evolve.
    • If you think your session would be great but it's too old a topic - try your luck as I'm very willing to get stuff in that's not brand new.
  • I like soft skills as well but they need to be inspiring and entertaining to even more extent
  • Presentation itself needs to be interesting and hopefully entertaining. I have a few golden rules I follow on sessions:
    • Session needs to give something to the attendee that they will take to their Office and start telling people: "Did you know this?", "Did you know this can be done with this?", "This is now so much faster when I learned this!", "Everyone, I just learned this!"
    • If you are aiming for great evals I always add something personal as well. Something that's not required at the Office but will benefit the attendee in his personal life. A small tip about how I do backup at home for free or such.
    • The most important thing about any successful session, and the one that is almost impossible to teach or cheat against - Passion and Enthusiasm. I need you to present things you like and are passionate about. If you are not it shows and it's harder to get in next time...
    • My golden rule is that you can get into the Top 100 sessions by just being extremely good at what you teach. To get into the Top 10 - it needs to be a show. So go and watch more standup comedy and remember to add some jokes to your sessions as well. For a person like me as a chair I can easily say I'd rather have an entertaining teacher who is not the most technical in the world, than a technical Speaker that can't keep me awake. Don't get me wrong here, I am sure we are aiming for the same goal. I've been teaching people for most of my life and I'll bet you people learn more when they are enjoying their time, and even more important: awake. I, as a chair, need to make sure people get a return for their investment, which in this case is learning. If you kept them awake and interested and managed to teach them ONE important concept, that's way better than them walking out of the session "well rested" but only looking for me to ask where they can get your slides from to know what you were talking about while they were sleeping. People don't come to conferences for written material but for people. They can read more than enough on the Internet for free.
If you want to talk more you are free to join my Slack channel and discuss more: https://winfuslackautomate.herokuapp.com/
Hope to get you on board a fun journey :)



Wednesday, February 1, 2017

The True Story of Windows 10 and the DMA-protection

This blog post will tell you if / how Windows 10 protects against DMA (Direct Memory Access) based attacks used against BitLocker and other encryption mechanisms by stealing the encryption key from the memory of a running computer. The story might be long(ish) but rest assured you want to read it through.

It all actually started when I was delivering a session on Windows 8.1 in TechEd. I believed what the documentation says and told people that in Windows 8.1 never before seen DMA-enabled devices would not be usable on the logon screen. So if your computer had no one logged on or the computer was locked we would not need to worry about DMA-attacks anymore. As I soon learned this did not actually work in Windows 8.1 and Microsoft told me that it had "skipped" from the RTM build without them (that I was interacting with) knowing about it. I felt horrible as I had given misinformation but more that I had "skipped" the vital "Always test - Don't just trust" policy of mine.

Now the story continued when things like this showed up:

Quote from: https://technet.microsoft.com/en-us/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511

New Bitlocker features in Windows 10, version 1507

  • DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
So I decided that I would this time show how it finally worked, at Microsoft Ignite. Nowadays the need for this is much bigger, as before we could just block FireWire and ThunderBolt as no one used them - but now most of my customers have ThunderBolt 3 docking stations so we can't just disable the bus anymore. I started experimenting with this and soon found out something that I showed in my Ignite session for 3000 people (https://myignite.microsoft.com/videos/15848). It still didn't work! At least by default.

So the problem with Windows 10 was that Microsoft gave misinformation to my customers and on their websites that Windows 10 would now protect them from DMA-attacks, which wasn't the case by default. Now the bigger problem with this is that MS only supports setting this ON via MDM. Now honestly, how many of my customers have MDM? Almost none :( There is no support to set it via SCCM (as it doesn't support custom URIs), Provisioning package or, most of all, Group Policy...

I got a friend of mine (thanks to Petri Paavola @petripaavola) to help me and build me a PowerShell script so I could experiment without InTune.

I set the setting but DMA still worked. I thought maybe I really need InTune so I installed InTune and set the setting from there... Still nothing... Now I got really worried. Was the setting done wrong or was this yet again a "skipped" feature. Now I needed to get secure@microsoft.com and the product Group on board with this as this seemed.. well.. fishy...

I would like to thank Microsoft for working with me on this. It took a long time but now finally we have some results. First of all the DMA-protection is not FULL. Quote from MS:

“This mitigation only protects PCI-based buses, for example, ExpressCard, Thunderbolt, & some docking stations (PCIe based). Older, non-PCI busses such as 1394 and CardBus are still vulnerable.”

That is why I got it working all the time as I was using FireWire to steal the memory.

So the story continues by Microsoft providing me instructions to deal with this:

  1. Set the DMA protection on https://msdn.microsoft.com/en-us/library/dn904962(v=vs.85).aspx#DataProtection_AllowDirectMemoryAccess
  2. Use Group Policy to block Firewire like we have done for years: Blocking the SBP-2 driver
So I started to experiment again. Sadly this information is not complete either, and I know most of my customers have deployed it incompletely as well, and have for many years :( When I used the instructions as such, the TB3-devices didn't work (as I expected). When I used the recommended GP-settings to block just FireWire, my TB3-devices and Dock now worked, but so did PassWare Memory Imager... This is in turn because the instructions don't include all the 1394 device classes that you can find here: https://msdn.microsoft.com/en-us/library/windows/hardware/ff553426(v=vs.85).aspx

I have reported this to Microsoft as well and I hope the instructions are fixed soon.

Now to give you what you are probably here for :) First how to set the DMA-protection on without InTune:

  • In a few days/weeks you will get an Insider Build that has a Group Policy setting to set this! Thanks to a lot of feedback from MVPs and customers.
  • Until then the registry key you can set with any method you want is this:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PnP\Pci
      • DisableExternalDMAUnderLock (DWORD) = 1
Second, here is my recommendation from now on to my customers to block DMA but allow the use of ThunderBolt 3 devices:

  1. Have UEFI+SecureBoot+TPM+NoAdminRights
  2. Block DMA for ThunderBolt by using the registry key until we get the GPO
    • Or MDM of course if you have one…
  3. Use Group Policy to disable FireWire
    • See the old article: https://support.microsoft.com/en-us/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-dma-and-thunderbolt-dma-threats-to-bitlocker
    • But block these ClassIDs:
      • {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}
      • {c06ff265-ae09-48f0-812c-16753d7cba83}
      • {d48179be-ec20-11d1-b6b8-00c04fa372a7}
      • {6bdd1fc1-810f-11d0-bec7-08002be2092f}
For some cases if the customer really requires it: add a PIN code protector and disable standby.
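An added example, not the script from the post: the registry-based version of steps 2 and 3 above in PowerShell, with a read-back check in the spirit of "Always test - Don't just trust". It assumes an elevated prompt, the four 1394/SBP-2 class GUIDs listed above, and the DeviceInstall\Restrictions registry layout that the "Prevent installation of devices using drivers that match these device setup classes" policy writes; on a domain-joined machine a GPO that sets the same policy keys will overwrite these values.

```powershell
# Added example (not the post's own script). Requires an elevated prompt.
$PciKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\PnP\Pci'
$RestrictKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$ClassKey    = Join-Path $RestrictKey 'DenyDeviceClasses'
# The four 1394 / SBP-2 device setup classes from the post
$DenyClasses = @(
    '{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}',
    '{c06ff265-ae09-48f0-812c-16753d7cba83}',
    '{d48179be-ec20-11d1-b6b8-00c04fa372a7}',
    '{6bdd1fc1-810f-11d0-bec7-08002be2092f}'
)

function Set-DmaHardening {
    # Step 2: turn off unused PCIe DMA ports (Thunderbolt 3 etc.) while locked
    New-Item -Path $PciKey -Force | Out-Null
    Set-ItemProperty -Path $PciKey -Name DisableExternalDMAUnderLock -Value 1 -Type DWord

    # Step 3: deny the 1394 / SBP-2 setup classes, retroactively so controllers
    # that are already installed get disabled as well
    New-Item -Path $ClassKey -Force | Out-Null
    Set-ItemProperty -Path $RestrictKey -Name DenyDeviceClasses -Value 1 -Type DWord
    Set-ItemProperty -Path $RestrictKey -Name DenyDeviceClassesRetroactive -Value 1 -Type DWord
    $i = 1
    foreach ($guid in $DenyClasses) {
        Set-ItemProperty -Path $ClassKey -Name "$i" -Value $guid -Type String
        $i++
    }
}

function Test-DmaHardening {
    # Read everything back and report each control as $true / $false
    $result = [ordered]@{}
    $pci = Get-ItemProperty -Path $PciKey -ErrorAction SilentlyContinue
    $result['DisableExternalDMAUnderLock'] = ($pci.DisableExternalDMAUnderLock -eq 1)

    $restrict = Get-ItemProperty -Path $RestrictKey -ErrorAction SilentlyContinue
    $result['DenyDeviceClasses enabled']  = ($restrict.DenyDeviceClasses -eq 1)
    $result['Retroactive']                = ($restrict.DenyDeviceClassesRetroactive -eq 1)

    # Collect the GUIDs actually listed under DenyDeviceClasses (values named 1, 2, ...)
    $present = @()
    if (Test-Path $ClassKey) {
        $present = (Get-ItemProperty -Path $ClassKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value.ToLower() }
    }
    foreach ($guid in $DenyClasses) {
        $result["Blocked $guid"] = ($present -contains $guid.ToLower())
    }
    [pscustomobject]$result
}

Set-DmaHardening
Test-DmaHardening | Format-List
```

Reboot after applying, then repeat the real test the post describes: a memory imager on the FireWire port should no longer see the machine while the Thunderbolt 3 dock keeps working.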

Hope this clears things up, and sorry it took a while, but there is a coordinated disclosure procedure I want to respect. If you found this helpful please enrol to my newsletter at: http://eepurl.com/F-GOj

And remember my training videos on PluralSight and my Dojo at https://win-fu.com/dojo/


Tuesday, December 6, 2016

Every Windows 10 in-place Upgrade (even with SCCM) is a SEVERE Security risk PART II

So, 127000 blog reads and a week later I believe it's a good time to publish the episode II of this story. Please read these few points and then see how to apply this on SCCM managed machines as well.

First a few things:

  1. My bad, I used the wrong term that was used in previous Windows versions. The BitLocker is SUSPENDED not DISABLED like I said. The end result is of course the same but I do want to use the correct terms.
  2. Most comments say this is an old thing that was in Windows decades ago. Yes, the Shift+F10 feature has been there for ages and I've used it for troubleshooting for ages. That is why I knew to look for it. I found it first in the beta-version of Windows 10. After finding it I knew the first time it really was an issue was the time when people upgraded from Windows 8 to 8.1 as that was the first time the in-place upgrade was recommended and we had BitLocker. So in XP you could press Shift+F10 but so what, we didn't use it to bypass BitLocker (I actually played Solitaire with it just for fun) - so I don't think this is the same thing at all…
  3. What makes this a "bug" (again you have to give me some slack, I'm Finnish and English is not my first language. I speak a language where we log on to Windows using the local Administrator account name of JÄRJESTELMÄNVALVOJA). So let me rephrase, this is a "mistake" that Microsoft forgot this in the upgrade sequence as they know how to block it and have a feature for that.
  4. I categorize myself as a conceptual hacker. This means that I find and use holes that are not Zeroday attacks or 3rd party application issues but holes based on principles that I know to look for because I've studied the OS for over 20 years. I teach Windows Internals and always tell my students that the base knowledge on the OS is a requirement for both creative troubleshooting and taking care of security. How would you know what's bad if you don't know what's normal?
    1. You can find my training on http://PluralSight.com/ and http://win-fu.com/ Let me teach you to find this stuff as well :)
  5. LTSB. You don't have to agree with me on this. This was just my personal opinion. I did offer other choices as well, like not leaving computers unattended when they are upgrading. I currently plan on staying on LTSB until 2018 and then do an easy upgrade to CBB - if things are worked out to the level I want by then.
  6. Will there be a time when this all will be put to a test? Yes, Microsoft just declared 1607 as Current Branch for Business. This means that 1507 release will be out of support in a few months and we will get to test this in action ;) You can read more about this here: https://blogs.technet.microsoft.com/windowsitpro/2016/11/29/windows-10-1607-is-now-a-current-branch-for-business-cbb-release/
  7. I know the Immutable Laws of Security and I know the computer is not your computer anymore if someone has physical access to it. If it wasn't a case like this, trust me, I would have gotten a bounty on this from Microsoft ages ago. I still believe that this is an issue, as if I don't do in-place upgrades I don't have this issue… Some people got upset that I called it "SEVERE"… Well, if you ask me, when a computer's integrity protection and data protection fail by pressing two keys… Sorry, I just believe it's SEVERE - I will agree to disagree with you on this if you don't.
  8. I also saw some recommendations on using Linux to hack the box - Although Linux is Finnish and I like to promote it, you don't need Linux to hack Windows - It does so itself just fine as I show in the next video.

Now let's talk about the next "issue" here. My good friend Johan Arwidmark did an amazing job building a bandage so that Shift+F10 gets blocked. It can be used by SCCM/MDT or any manual upgrade. Here is the link: http://deploymentresearch.com/Research/Post/567/Using-ConfigMgr-to-fix-the-Shift-F10-security-issue-for-Windows-10-inplace-upgrades This is what Microsoft will probably use to fix the hole in the first place as well.

Although this is great, I guess some people didn't see the real problem in this whole issue. If the Shift+F10 is a "bug" or a "mistake" it can be easily fixed, as we see. The real security issue is the suspending of BitLocker. The next video shows you how to use this against any system, including SCCM/WSUS controlled machines. Again it uses the knowledge gained in Windows Internals classes. I also do Security Audits (hire me ;) ) and you can bet I will take this into my toolbox for myself when I have the next bank to break into ;) And yes, it does still require physical access, and yes, I boot the machine from bootable media, so you can just glue the USB ports. I will then take the disk at the correct point and move it to another machine or start playing with Linux. Anyway, at the end of the day you are fighting against windmills.

And BTW I have a big issue to disclose that's totally unrelated to this and needs Microsoft's actions before I can talk about it so do enroll to my newsletter - like thousands of you already have: http://eepurl.com/F-GOj

And be sure to follow me on Twitter @samilaiho

Thanks for all the great feedback,


Monday, November 28, 2016

Every Windows 10 in-place Upgrade is a SEVERE Security risk

This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.

There is a small but CRAZY bug in the way the "Feature Update" (previously known as "Upgrade") is installed. The installation of a new build is done by reimaging the machine, and the image is installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows access to the hard disk, as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video. This would take place when you take the following update paths:

  • Windows 10 RTM --> 1511 or 1607 release (November Update or Anniversary Update)
  • Any build to a newer Insider Build (up to end of October 2016 at least)

The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine. And of course that this doesn't require any external hardware or additional software. It's just a crazy bug I would say :(

Here's the video:

Why would a bad guy do this:

  1. An internal threat who wants to get admin access just has to wait for the next upgrade, or convince someone it's OK for him to be an Insider
  2. An external threat having access to a computer waits for it to start an upgrade to get into the system

I sadly can't offer solutions better than:

  • Don't allow unattended upgrades
  • Keep very tight watch on the Insiders
  • Stick to LTSB version of Windows 10 for now

(Update 6.12.2016: Read the next blog as well: http://blog.win-fu.com/2016/12/every-windows-10-in-place-upgrade-even.html )

I am known to share how I do things myself, and I'm happy to say I have instructed my customers to stay on the Long Term Servicing Branch for now. At least they can wait until this is fixed and move to a more current branch then. I meet people all the time who say that LTSB is a legacy way, but when I say I'm going to wait a year or two to get the worst bugs out of this new "Just upgrade" model - this is what I meant…

Remember to subscribe to my newsletter as I will disclose more like this very soon! Subscribe here!
And you can learn how to find these by yourself by letting me teach you some Windows Internals!