Tuesday, March 21, 2017

Prevent interactive logon of Local Admins - Only allow UAC elevation

Hi again!

I've been asked this many times: "How can I block interactive logon of an admin account so they would just be able to use UAC?"

This is a good point as this will:

  • Allow a user to use UAC-prompt to authorize admin procedures
  • Not allow the user to actually start logging on as that user (as a convenience for themselves)

Windows does not allow the separation of a "UAC Logon", which is annoying as this would be great. So I can block interactive logon, but then UAC won't work, and if I want to allow UAC then they can always log on as well.

My trick for making this happen is to use AppLocker/SRP to block them from using Explorer.exe or Task Manager. When they log on they get an empty screen with no ability to do anything. You could also replace it with a custom shell, and that shell would just show a note: "You are not allowed to logon interactively with this user!!"

So these are the rules I use:
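
An added example of what such rules could look like, written for this page and not the author's own rule set: a PowerShell script that builds an AppLocker Exe policy denying Explorer and Task Manager to one account, dry-runs it against sample binaries, then applies it. The account name `LocalAdminPlaceholder` and the policy file name are assumptions.

```powershell
# Added example, not the author's rules. Run from an elevated PowerShell session.
# ASSUMPTION: 'LocalAdminPlaceholder' is the local admin account that should only be used via UAC.
$account    = 'LocalAdminPlaceholder'
$adminSid   = (Get-LocalUser -Name $account).SID.Value
$policyPath = Join-Path $env:TEMP 'deny-shell-for-admin.xml'   # assumed file name

# AppLocker denies anything in an enforced collection that no rule allows, so the
# collection needs an allow baseline; deny rules always win over allow rules.
# If an allowlist is already deployed, drop the "Allow all" rule and merge only the denies.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all (baseline)" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Explorer for $account" Description=""
                  UserOrGroupSid="$adminSid" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\explorer.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Task Manager for $account" Description=""
                  UserOrGroupSid="$adminSid" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\Taskmgr.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policy -Encoding UTF8

# Dry run: evaluate the policy file for the admin account and for Everyone before applying it.
$targets = "$env:WINDIR\explorer.exe", "$env:WINDIR\System32\Taskmgr.exe", "$env:WINDIR\System32\mmc.exe"
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $targets -User $account |
    Format-Table FilePath, PolicyDecision, MatchingRule
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

# Apply to the local policy, merging with any existing rules.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# The Application Identity service must be running for AppLocker to enforce anything.
Start-Service -Name AppIDSvc
```

Path conditions match by location only, so with an allow baseline this broad a publisher condition on the same binaries is the sturdier choice.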

Sunday, March 19, 2017

The Fuzz about Terminal Services Session Hijacking


I just wanted to take a short moment and tell everyone on my blog about the latest news about TS Session hijacking. Mainly noted here: http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

My two cents on this: "Calm down, Spread out, nothing to see here!"

This is a normal feature of the OS that I use daily on my lab server, where my students use VMs. The OS is the same for the server and the client below the surface, so you can do this on a client or a server for that reason. This "Feature" is known as shadowing.

Here are a few screenshots where I "HIJACK" a session and do "PRIVILEGE ELEVATION!!"

So any Admin can do this not just SYSTEM and not just with a Service.

With SYSTEM you get the privilege of attaching to disconnected sessions - that is a nice bonus. Just remember if you want to show the session hijack thing it's a lot easier by running PSEXEC -SID TASKMGR.exe
Then go to Users tab and choose who you want to be. No service needed and works on all OS's.

This is also a good reminder, once again, that you can't allow Domain Admins to log on to normal workstations, as those could be compromised and someone could use this trick against them.



Found a BUG in Windows Defender Anti-Tampering


You should never log on to your Windows 10 as an Admin - You know I think so. Now it was just so amazingly funny when Avecto called me and asked me to do a webinar on this, which I delivered this week on Thursday. Like I (sadly) often do, I just looked at what I was supposed to talk about a few days before primetime :) I just then realized it said "Sami will show how to disable anti-malware"... Uups... I didn't really know exactly how to do it as I haven't tried in a long time to block Windows Defender.. Microsoft has done a good job with the Anti-Tampering anyway so I was honestly a bit worried...

Then I told myself what I keep telling you: "If you are an Admin you can anyway do whatever you want". And for sure it took me like 5 minutes to come up with a way to totally block Defender. No, not just make it silent in the background, I mean really block it :)

Here is a video on how to do it:

How to mitigate? Don't run as an admin!

Thursday, March 9, 2017

How I Choose Speakers and Sessions

A bit different topic this time. If you are not interested in how a topic gets on your conference agenda catalog or how I evaluate potential speakers then this post is probably not for you.

I am writing this because I get to choose sessions and speakers for the TechMentor conference, which I am honored to be given the responsibility of being a Chair for. Here is the link for proposals - so after reading it's time to head over here: https://live360events.com/pages/call-for-presentations.aspx

This is a list of things that came to my head just now and might not be that well organized:

What I look for when choosing speakers/sessions:

  • Videos. Videos. Videos. If you need to prove you can speak at my conference you are best off if you can point to a video about you presenting (or I have seen you speak). If you need a tool to get into conferences it's this! Speak at a user group meeting and have a friend record it - I need to see you and hear you, that's all. Written material is important, like books and blogs, but they won't get you in usually as the only proof as I need to know if I can put you in front of an audience. Without a book on the other hand - you can easily get in (I've never written one - yet)
  • Bio. I want to know what you've done both as a speaker but also in practice. If you've done big projects that you are proud of tell me. This Bio needs to be easy to sell to attendees as well so not just to convince me. And I do need a picture. Every Speaker needs to start somewhere so go to user groups and present, then come back to me with a video. I've got a soft spot for new speakers as TechMentor was the first global conference I've ever spoken at (thanks to Greg Shields for betting on me).
  • Topic. I read the names of the sessions, hundreds of them, and make up my mind if I'm gonna read the description more closely. I need the topic to be sexy but also tell what it is about. The topic doesn't need to be about Windows 10 or Server 2016 in my case. I build conferences that teach how to do things right, in practice. So I'd be happy to know how you've done a successful IPv6 implementation as it is something people need and it's actually doable, but I don't want to hear you guess on how you pretend to know how Windows 10 can be better managed without Group Policy using only MDM. Give me facts, not fiction. General sessions like "What's new in Windows 10 build 17540" will always get a few slots - not my favorite but I need them as well. When I know you can't know in practice how these work I need to pick these more based on the speaker. That said, it does mean you can get in by being a good Speaker or just post a great topic - either might work.
    • In TechMentor the stuff you show (not regarding the What's new -sessions) NEEDS TO WORK AND BE APPLICABLE NOW! I want to know how to do things in practice (read NO MARKETING SLIDES). 50% of people use Windows 7 so I'm fine if you want to talk about that as long as you are not one of those who say you are not planning to move to Windows 10. So I look for real life experience with the mentality of willingness to change and evolve.
    • If you think your session would be great but it's too old a topic - try your luck as I'm very willing to get stuff in that's not brand new.
  • I like soft skills as well but they need to be inspiring and entertaining to an even greater extent
  • Presentation itself needs to be interesting and hopefully entertaining. I have a few golden rules I follow on sessions:
    • Session needs to give something to the attendee that they will take to their Office and start telling people: "Did you know this?", "Did you know this can be done with this?", "This is now so much faster when I learned this!", "Everyone, I just learned this!"
    • If you are aiming for great evals I always add something personal as well. Something that's not required at the Office but will benefit the attendee in his personal life. A small tip about how I do backup at home for free or such.
    • The most important thing about any successful session and the one that is almost impossible to teach or cheat against - Passion and Enthusiasm. You need to present things you like and are passionate about. If you are not it shows and it's harder to get in next time...
    • My golden rule is that you can get into Top 100 sessions by just being extremely good at what you teach. To get into Top10 - it needs to be a show. So go and watch more standup comedy and remember to add some jokes to your sessions as well. For a person like me as a chair I can easily say I'd rather have an entertaining teacher who is not the most technical in the world, than having a technical Speaker that can't keep me awake. Don't get me wrong here, I am sure we are aiming for the same goal. I've been teaching people for most of my life and I'll bet you people learn more when they are enjoying their time, and even more important: awake. I, as a chair, need to make sure people get return for their investment which in this case is learning. If you kept them awake and interested and managed to teach them ONE important concept that's way better than them walking out of session "well rested" but only looking for me to ask where they can get your slides from to know what you were talking about while they were sleeping. Written material is not what people come to conferences for but people. They can read more than enough on the Internet for free.

If you want to talk more you are free to join my Slack channel and discuss more: https://winfuslackautomate.herokuapp.com/
Hope to get you on board a fun journey :)