Securing a Microsoft Windows Server-based system from today's threat environment is more about understanding and minimizing potential vulnerabilities than anything else.
Any individual with administrator access to a corporate computer represents one of the biggest potential threats of all. While it can be tough to stop a disgruntled employee with clear intent to do harm, there are mitigation steps to help minimize the harm that could be done. A similar but related threat from a compromised administrator account permits an attacker to potentially inflict as much damage as the disgruntled employee.
Pass-the-hash attacks exploit a credential caching feature found on Windows Server versions back to 2003. For a detailed explanation of this threat you'll want to download this white paper from the Microsoft download site. From a very high level the basic operation of this attack utilizes a compromised administrator account to harvest credentials stored on a local computer, which can then be used to compromise other systems connected to the same network.
Minimizing the amount of damage from a compromised or malevolent administrator account is all about moving from the use of global administrator accounts to limited local accounts with specific administrative functions. While this approach could be accomplished manually by creating multiple accounts with different privileges, there is an even better way using Windows PowerShell.
Windows PowerShell and Desired State Configuration
Windows Server 2012 R2 shipped with a new PowerShell feature named Desired State Configuration (DSC).The original intent of this capability was to enable the initial configuration and ongoing monitoring of a server using PowerShell and a special file called a configuration instance document or a .MOF file.
DSC makes it possible to install only the roles and features required for each specific server under administrative control and to then periodically check that server against the same configuration document to make sure it stays that way. The same functionality is also available on previous versions of Windows Server with the installation of the latest version of the Windows Management Framework (WMF).
Individual Windows PowerShell commands or cmdlets use a verb-noun syntax for consistency and to make the language more readable. The actual execution of the configuration settings uses version 4.0 of the WMF and the Distributed Management Task Force (DMTF) Common Information Model (CIM) classes. Windows PowerShell includes a remote execution feature which allows a properly authenticated session to execute commands across the network. Examples of DSC PowerShell cmdlets include:
Each of these commands accept parameters such as Path to specify the path to a configuration file and ComputerName to specify the target computer. The full extent of PowerShell's language can be brought to bear to cycle through a list of computers to fully automate the configuration and monitoring process. Couple DSC together with Windows PowerShell jobs and you have regularly scheduled automation.
Microsoft's Just Enough Admin (JEA)
The concepts behind "Just Enough Admin" or JEA were introduced at the 2014 Microsoft TechEd event held in Houston. (Watch the video here.) You can also download the Just Enough Administration Whitepaper from the Microsoft Technet site..
JEA implements the concepts of limiting administrative rights in a descriptive and scripted fashion. JEA takes advantage of the same basic tools used in DSC to create management endpoints with a very precisely defined set of functions. These endpoints are then used remotely to accomplish those, and only those, functions.
An example used in the JEA presentation describes an administrator in charge of maintaining a SQL Server instance on a production server. In the past this administrator would require full admin privileges in order to perform tasks such as stop and start specific system services related to the functioning of SQL server. With JEA, a new SQLAdmin endpoint with only the ability to start and stop services containing "SQL" in the service name makes it possible to limit the required privileges for this administrator without diminishing the ability to do what needs to be done.
JEA requires the Windows Management Framework 5.0 Preview available from the Microsoft download site. With the WMF 5.0 Preview installed, you will have the ability to install the xJEA module using the Install-Module cmdlet. You might need to install NuGet as well, which can be accomplished using the following command:
find-module -Name 'xJEA' -Verbose
After installation you'll find three example scripts in the Examples directory beneath xJea. The Demo1.ps1 example shows how to configure an endpoint, limiting the available functions to the Get-Process, Get-Service, Stop-Process and Restart-Service cmdlets. For the Stop-Process cmdlet a further limitation narrows the specific processes to calc and notepad. Additional examples show how to limit access to SMB functions and a list of specific file system related cmdlets.
While PowerShell DSC and JEA are great tools, they aren't magic bullets. Configuration by a knowledgeable administrator is still required and should be checked by a second person. Good security practices dictate audits and oversight. These best practices should not be overlooked even in the presence of these new tools. The good news, though, is you now have a supported method from Microsoft to begin the process of tightening up your administrator ship.
Paul Ferrill has been writing in the IT trade press for over 25 years. He's written hundreds of articles for publications like Datamation, Federal Computer Week, InfoWorld, Network Computing, Network World and PC Magazine and is the author of two books. He is a regular contributor to ServerWatch.com and several other QuinStreet Enterprise properties.