
Windows Permissions

Windows takes a somewhat different approach to permissions. While we still have the same broad user levels, permissions can also be applied to individual files and services.

Note

While this gives a high level of control, it could be argued that the extra complexity increases the chance of misconfiguration.

User Levels

Like Linux, Windows also uses the concept of user "levels" to break access to functionality into groups. These levels can include:

Users
The "Standard" account level. Users are able to log in, run most programs, etc. However, a user cannot make system-level changes, and this can include running programs that require access to lower-level resources (for example Wireshark).
Administrators
Similar to Linux root users, administrators have the right to install, modify and run any program.
Guests
These are user accounts that are designed for temporary access to a system. They are disabled by default, but will run with a similar level of access to a standard user.
"Microsoft Accounts"

In order to "standardise" access [1], Windows 10 tries to get you to use a Microsoft account. Rather than a username (for example "Dang"), an email address is used for authentication. A Microsoft account can have either User or Administrator access.

This does have some benefits: you get to share settings across machines [2], get access to SSO across supported products, and things like password resets can be easier. Two-factor authentication is also supported.

Windows also does a decent job of segregating access. While administrators might have the ability to modify the system, the default access level is user, with an additional password prompt when an admin task is performed (kinda like sudo).

Domain Level Accounts

On our home systems, users will be set up with a local-level account. This means that the access levels, password and associated account details are only available locally, that is, on that specific computer.

In an organisation, it is more likely that a domain-level account will be used. Here, the authentication and authorisation are controlled by a central point. This is great from a sysadmin perspective, as it means that there is only one set of user accounts to administer. It's also useful from a user perspective if you don't have a dedicated machine.

It is also possible to combine local and domain-level accounts. For example, let's say a user should have standard access rights on most machines on the network, but has a dedicated machine that they need admin rights for (for example, if they have a dev machine for coding or testing).

Service Accounts

Finally, we have the special system-level accounts. These include:

SYSTEM

The highest level of privileges in a Windows system. Think of this as root. As a service account, we cannot actually "log in" as SYSTEM; instead it is used behind the scenes to manage processes. It is often used to run things like scheduled tasks or background administrative tools.

However, like finding something that runs as root in Linux, if we can find a vulnerable process with SYSTEM-level privileges, we have full control over the machine.

NETWORK SERVICE
The network service account handles authenticating with remote services. While it has fewer default privileges than the SYSTEM account, it still has some "admin" level rights. As it's used for authentication across the network, it has some elevated privileges on the Windows box, so can potentially be used for privesc.
LOCAL SERVICE
A local service account is used to manage local services. Like the network service it has some elevated permissions (though without the network components), and could potentially be used for privesc.

Note

Again, this more or less maps across to a Linux-style system, if we think of SYSTEM as root and the other service accounts as things like www-data (that exist as users but don't have login by default).

Modifying and Viewing permissions

As a primarily GUI based system, permissions settings tend to be controlled through a maze of windows all alike.

Using the Command Line

As we often get dropped into a low-privilege shell from our initial exploit, it can be useful to get some permission information from the command line.

Like in Linux, whoami will tell us our current user information.

Use whoami /all to display everything.

C:\Users\Dan Goldsmith>whoami
desktop-df3a9ko\dan goldsmith

# Or with privilege information

C:\Users\Dan Goldsmith>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

C:\Users\Dan Goldsmith>

The net commands can be used to give us an overview of settings and, if we have the correct permissions, to modify them. For example, we can get the user accounts on the system:

C:\Users\Dan Goldsmith>net user

User accounts for \\DESKTOP-DF3A9KO

-------------------------------------------------------------------------------
Administrator            Dan Goldsmith            DefaultAccount
Guest                    TyefordM                 WDAGUtilityAccount
The command completed successfully.

Or the groups that are available

C:\Users\Dan Goldsmith>net localgroup

Aliases for \\DESKTOP-DF3A9KO

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.

Users with the Administrator Role

C:\Users\Dan Goldsmith>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Dan Goldsmith
The command completed successfully.


C:\Users\Dan Goldsmith>

While there isn't really an equivalent of ls -l, we can get some idea of the permissions allocated to files using the icacls command:

C:\Users\Dan Goldsmith>icacls Documents
Documents NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          BUILTIN\Administrators:(OI)(CI)(F)
          DESKTOP-DF3A9KO\Dan Goldsmith:(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Administrators:(I)(OI)(CI)(F)
          DESKTOP-DF3A9KO\Dan Goldsmith:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
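
To read output like this: (F) is full control, (M) modify, (W) write, (RX) read and execute, while (OI), (CI), (IO) and (NP) describe how the entry is inherited by children and (I) marks an entry inherited from the parent. The following is an added example, not part of the original article, that decodes icacls output and reports principals outside a trusted list that hold write-capable rights. The BUILTIN\Users and Everyone lines in the sample, and the contents of the trusted list, are constructed for illustration.

```python
import re

# Inheritance markers printed by icacls; every other token is an access right.
INHERIT = {"I": "inherited from parent", "OI": "object inherit",
           "CI": "container inherit", "IO": "inherit only",
           "NP": "do not propagate"}
WRITE_RIGHTS = {"F", "M", "W"}  # full control, modify, write

# Constructed sample: entries from the output above, plus two hypothetical
# lines (BUILTIN\Users with modify, and an explicit deny for Everyone).
SAMPLE = r"""Documents NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          BUILTIN\Administrators:(OI)(CI)(F)
          DESKTOP-DF3A9KO\Dan Goldsmith:(I)(OI)(CI)(F)
          BUILTIN\Users:(OI)(CI)(M)
          Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumption: principals we expect to have write access on this folder.
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators",
           r"DESKTOP-DF3A9KO\Dan Goldsmith"}

def parse_icacls(output, path):
    """Return a list of (principal, inheritance_flags, rights, is_deny)."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):      # first entry shares a line with the path
            line = line[len(path):]
        who, sep, rest = line.strip().partition(":(")
        if not sep:
            continue                   # blank line or the summary line
        tokens = re.findall(r"\(([^)]+)\)", "(" + rest)
        flags = [t for t in tokens if t in INHERIT]
        rights = {r for t in tokens if t not in INHERIT and t != "DENY"
                  for r in t.split(",")}   # rights may be grouped, e.g. (RX,W)
        aces.append((who, flags, rights, "DENY" in tokens))
    return aces

def writable_by_untrusted(aces, trusted):
    """Principals outside `trusted` holding an allow entry with a write right."""
    return sorted({who for who, _, rights, deny in aces
                   if not deny and rights & WRITE_RIGHTS and who not in trusted})

if __name__ == "__main__":
    for who, flags, rights, deny in parse_icacls(SAMPLE, "Documents"):
        kind = "DENY " if deny else "ALLOW"
        print(kind, who, sorted(rights), [INHERIT[f] for f in flags])
    print("Review:", writable_by_untrusted(parse_icacls(SAMPLE, "Documents"), TRUSTED))
```
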

Changing permissions using the GUI

There are also options for modifying permissions through the GUI. To avoid just replicating screenshots, I won't include this here. I would recommend reading the MS access control documentation.

Summary

In this article we introduced the Windows permission system. While it takes a different approach to assigning permissions than Linux, the general concepts of authentication and authorisation are similar.

Important

Still trying to work out a sane way (that doesn't involve uploading / downloading several Gig of VM) of playing with Windows permissions (or asking you to break your own Windows box).

It looks like you are going to have to wait till we can get in the hacking lab before we can do this.

Further Reading

https://docs.microsoft.com/en-us/windows/security/identity-protection/

https://www.howtogeek.com/school/windows-network-sharing/lesson1/


  1. Or collect more data... 

  2. And with Microsoft 
