What Makes An Admin An Admin


madness

Any local account that has limited permissions/access will not become part of the Administrators group all of a sudden. It must be made part of that group by someone who already possesses administrator privilege, in this case an Administrator.

So if I create a local user account, say on an XP box, that account will automatically be part of the local "Users" group. If you need that user account to be part of the Administrators group, you will need to manually add that account to the local "Administrators" group.

Unless you created that account from a template that already has all the permissions set on it, in which case you won't need to add that account to an "Administrators" group.

Hope that answers your question!


I understand that part. What I am attempting to accomplish is to create alerting events that flag on giving a local user admin powers without putting them in the local admin group. I am assuming that this can be done by tweaking various local group policy settings or registry entries. I am a security admin working on advanced alerting to ensure that elevation of privileges can't be given under the radar. If a rogue admin were to create a local user and elevate their privileges through local policy and the registry, they could possibly get by security controls. I need to know what specific rights make an account an admin account. Thanks for the responses.

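One defender-side check for the question above, as an added example that is not from this thread: compare the accounts holding admin-equivalent user rights (exported with secedit) against actual Administrators group membership, so that rights granted through local policy rather than group membership stand out. It assumes an elevated PowerShell 5.1+ session on the local Windows host; the list of "sensitive" privileges is an assumption to tune to your own policy.

```powershell
# Added example: flag accounts that hold admin-equivalent user rights without being
# members of the local Administrators group. Run elevated; secedit needs it.

# Assumed list of privileges that alone give admin/SYSTEM-equivalent control.
$SensitivePrivileges = @(
    'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeLoadDriverPrivilege', 'SeTcbPrivilege',
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeCreateTokenPrivilege', 'SeManageVolumePrivilege'
)
# Well-known SIDs that legitimately hold some of these by default (Administrators,
# SYSTEM, LOCAL SERVICE, NETWORK SERVICE, SERVICE); anything else is reported.
$ExpectedSids = @('S-1-5-32-544', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')

# 1. Export the User Rights Assignment section of the local security policy.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policyLines = Get-Content $cfg
Remove-Item $cfg -Force

# 2. Resolve current Administrators group members to SIDs.
$adminSids = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }

# 3. Each policy line reads "SeXxxPrivilege = *S-1-5-...,*S-1-5-..." (names may appear
#    without the leading '*'); report holders that are neither admins nor expected SIDs.
$findings = foreach ($line in $policyLines) {
    if ($line -notmatch '^(Se\w+Privilege)\s*=\s*(.+)$') { continue }
    $priv, $holders = $Matches[1], $Matches[2]
    if ($SensitivePrivileges -notcontains $priv) { continue }
    foreach ($h in ($holders -split ',')) {
        $entry = $h.Trim()
        try {
            if ($entry.StartsWith('*')) {
                $sid  = $entry.TrimStart('*')
                $name = (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value
            } else {
                $name = $entry
                $sid  = (New-Object Security.Principal.NTAccount $entry).Translate([Security.Principal.SecurityIdentifier]).Value
            }
        } catch { $sid = $entry; $name = $entry }   # unresolvable (e.g. orphaned) SID: still report it
        if ($sid -in $adminSids -or $sid -in $ExpectedSids) { continue }
        [pscustomobject]@{ Privilege = $priv; Account = $name; SID = $sid }
    }
}
$findings | Format-Table -AutoSize
```

Run it on a schedule and treat any change in the output between runs as the alert; the same grant also appears in the Security log as event ID 4704 ("A user right was assigned") once the Audit Authorization Policy Change subcategory is enabled.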

Actually, in XP, all users created by default are admin users unless the account is changed to a limited user, or restricted by a domain policy, which would mean the machine would have to be 1) joined to a domain, and 2) locked down by the admin ahead of time. Local machine admins can make changes though, even if they aren't part of the domain; the local admin group has full control of the physical machine itself, but not of the domain or the rest of the network.

There are so many flaws in XP though, that something as simple as being able to use the "at" command can raise yourself not just to admin, but to the SYSTEM level user. For example, create a task to start explorer.exe and then kill the existing explorer.exe. Wait for the shell to respawn via the at command, and when it does, it will do so as SYSTEM. From there, you can add users, delete users, do whatever you want, shut down, uninstall firewalls, anti-virus, etc. Limited users shouldn't be able to run the at command. This is disabled in Windows 7 and can only be done from elevated privileges, but all a user has to do is right-click, "Run as administrator", and if not configured properly it would just start the task without prompting for a password. There are also ways to elevate privileges via PowerShell, which many environments have installed now, and which is there by default in Vista and 7.

About the only way to catch anything is to force your systems to not just audit logins for the event viewer, but send alerts to admins for every event that runs with any type of elevated privileges. This would cause major headaches and redundancy, since many parts of the system run with elevated privileges without having to be logged in as admin. I'm not good with snap-ins, but you could probably create an MMC console service that logs specifics for the events you want to audit, and then check them regularly for anything funky, like say a new user added, permission changes, etc. Most of this stuff shows up in Event Viewer, but there are many things you can add that aren't there by default, through both group policy and manual event querying. This also puts a toll on the system.

Important Event IDs to look for - http://www.windowsecurity.com/articles/event-ids-windows-server-2008-vista-revealed.html

Another possible way to elevate privileges on a user account without giving it via an administrator account would be through kernel exploitation.

For example, you could use the Meterpreter module in the Metasploit framework to elevate/change the privileges on any user account.

One way to mitigate this risk is by keeping all your computers and systems patched. In order to detect this sort of attack, you could also deploy an IDS (Intrusion Detection System) in your network and have all alerts/warnings sent to your email or logged to a log file server.
