The busy work of network management often requires administrators to make on-the-fly decisions to facilitate access and streamline ongoing business operations. Among these measures may be temporarily elevating the access rights of specific users without recording these changes in the Active Directory (AD) of an organization – on the understanding/assumption that these elevated rights will be downgraded once the conditions demanding them have been met.
But with human nature being what it is (and network administrators being as human as anyone else), decisions like this may be forgotten in the rush to address the next crisis or challenge facing the enterprise – potentially leaving a population of undocumented network users with privileges and access rights beyond their officially recorded status.
Regular users with super-user-like permissions, enjoying special privileges despite not being documented members of a privileged AD group: these unseen administrators, or “Shadow Admins”, can provide effective cover for cyber-attackers looking to perform deep reconnaissance or set the stage for an advanced assault. This emphasizes the need to identify all such users on a network, and to properly adjust or rectify their standing in the official network hierarchy.
Exploiting Shadow Admins
Whether by scouring network activity to locate undocumented administrators whose credentials can be hijacked, or by engineering Shadow Admin identities of their own (socially, by the introduction of malware, or by other means), cyber-attackers gaining access to a network will most likely seek to exploit user accounts having Domain Admin permissions.
Cyber-security analyst Asaf Hecht has identified three typical scenarios, representing the sort of network infiltration strategy commonly used in Shadow Administration exploits:
- An attacker using an account that has “Full control” over the Domain Admins group object has the ability to add that account to the Domain Admins group at will.
- An account having “Reset Password” permission over other known Domain Admin accounts effectively gains the power of a system administrator.
- Gaining access to an account having “Replicating Directory Changes All” permissions gives the attacker authority to replicate any object on the Active Directory – including passwords. This position is the “mother lode” for an attacker looking to penetrate more deeply into a network and puts them on a level with Domain Controllers and Domain Administrators.
As recently as April 2017, security researchers uncovered a set of Shadow Admin exploits targeting Oracle’s Solaris operating platform, within the archive of NSA cyber-attack tools leaked by the so-called “Shadow Brokers” group. Two particular programs – EXTREMEPARR and EBBISLAND – were discovered that could elevate a logged-in user’s access privileges to Root, and enable remote root access to Solaris networks on vulnerable hosts running versions 6 to 10 on x86 and SPARC-based systems.
According to British security analyst Matthew Hickey, a hacker with these tools has “…effectively got a skeleton key to open a root shell on any Solaris system in the world.”
The revelations prompted Oracle to issue an emergency security patch for the EXTREMEPARR and EBBISLAND vulnerabilities in its April bundle of critical updates.
Understanding Access Control Lists (ACLs)
Security professionals looking to assist enterprise clients in safeguarding against the activities of Shadow Admins need to understand something of the basic principles underlying network administration – a field that even experienced IT staffers can find challenging.
An Access Control List or ACL is a table detailing the access rights or privileges that each authorized user of a network has to particular system objects, such as folders, applications, or files. Each object within the network in turn has its own ACL, defined by its specific security attribute. Common network privileges include the ability to read or write to a file or set of files, or to run (execute) designated applications or programs.
ACLs are employed by several mainstream computer operating systems, including UNIX-based platforms, Microsoft Windows, Novell’s NetWare, and Digital’s OpenVMS.
Knowing the Network Hierarchy, as Defined
The first stage in mounting an effective defense lies in establishing the structure of the existing network hierarchy, as documented in its ACL. Attention should be focused on those users having privileged accounts in four main categories:
- Those with Domain privileged accounts, including Domain admin users and DHCP admin users
- Local Administrator accounts associated with endpoints and servers, or “Root” privileges on *nix boxes, and other Local privileged accounts
- Users with Application/services privileged accounts, including Database or SharePoint administrators
- Those with Application/services privileged accounts, which might include Finance departments or enterprise social media accounts
Knowing the Actual Hierarchy
That’s the official line. But the whole point of exploiting Shadow Admins is that attackers can gain access to user accounts with privileges which are “off the books”.
This emphasizes the critical necessity of mapping out the actual hierarchy of a network in its current state – which will include those users whose access privileges have been altered on an ad hoc basis due to operational demands, those whose status has been altered in the past but not returned to its official level, and any user accounts created or compromised by potential cyber-attackers.
Effectively Identifying All High-Level Access Accounts to Find Shadow Admins
Querying a network’s Active Directory will simply yield its official list of privileged accounts, as defined in its onboard roster of privileged groups. Such a search won’t reveal administration groups created on the fly by those within an organization after the Active Directory was first defined. Nor will it reveal any Access Control List assignments that have since been forgotten or mismanaged.
Monitoring ACL Permissions
A thorough permission analysis of the Active Directory to determine all ACL permissions granted to each account is a far more effective way to establish which user accounts currently enjoy sensitive privileges or permissions.
This requires drilling down to the specific permissions (known as Access Control Entries, or ACEs) attached to every object in the Active Directory, since together these entries make up the Access Control List. Only a comprehensive analysis like this can reveal which user accounts on the network have been granted sensitive privileges by direct ACE assignment rather than through the privileged groups spelled out in the directory, whether openly (in the case of officially sanctioned moves by administrators) or covertly and undetected (in the case of more malicious actors).
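A permission sweep of this kind, as an added example rather than code from the article: it walks the ACEs on the Domain Admins group, the domain root and each Domain Admin account (covering the three scenarios listed earlier) and reports any principal outside an assumed allow-list that holds the rights the text names. The allow-list, the function names and the RSAT ActiveDirectory module dependency are assumptions.

```powershell
# Added example, not code from the original article. Requires the RSAT
# ActiveDirectory module, which provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory
# Principals expected to hold these rights: an assumption, tune it per domain.
$Expected = @('Domain Admins', 'Enterprise Admins', 'Administrators',
              'Domain Controllers', 'Enterprise Domain Controllers', 'SYSTEM')
# Control-access right GUIDs for the scenarios the text names, plus the
# schema GUID of the group "member" attribute.
$ExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$MemberAttr = 'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AnyObject  = [guid]::Empty.ToString()

function Test-Mask([System.DirectoryServices.ActiveDirectoryRights]$Rights,
                   [System.DirectoryServices.ActiveDirectoryRights]$Mask) {
    # Every bit of $Mask must be present; a bare -band would also match partial
    # rights such as ReadProperty, which is one of the bits inside GenericAll.
    ($Rights -band $Mask) -eq $Mask
}

function Find-ShadowAdminAce {
    $daGroup = Get-ADGroup 'Domain Admins'
    # Audit the DA group itself, the domain root (where replication rights are
    # granted) and every current DA member account.
    $targets = @($daGroup.DistinguishedName, (Get-ADDomain).DistinguishedName) +
               @(Get-ADGroupMember $daGroup -Recursive | ForEach-Object DistinguishedName)
    foreach ($dn in $targets) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Expected -contains $ace.IdentityReference.Value.Split('\')[-1]) { continue }
            $r = $ace.ActiveDirectoryRights; $ot = $ace.ObjectType.ToString(); $right = $null
            if     (Test-Mask $r 'GenericAll')  { $right = 'Full control' }
            elseif (Test-Mask $r 'WriteDacl')   { $right = 'WriteDacl (can grant itself Full control)' }
            elseif (Test-Mask $r 'WriteOwner')  { $right = 'WriteOwner (can take ownership, then the DACL)' }
            elseif ($dn -eq $daGroup.DistinguishedName -and (Test-Mask $r 'WriteProperty') -and
                    ($ot -eq $AnyObject -or $ot -eq $MemberAttr)) { $right = 'Can edit Domain Admins membership' }
            elseif (Test-Mask $r 'ExtendedRight') {
                if ($ot -eq $AnyObject) { $right = 'All extended rights' }
                elseif ($ExtendedRights.ContainsKey($ot)) { $right = $ExtendedRights[$ot] }
            }
            if ($right) {
                [pscustomobject]@{ Object = $dn; Principal = $ace.IdentityReference.Value
                                   Right = $right; Inherited = $ace.IsInherited }
            }
        }
    }
}
Find-ShadowAdminAce | Format-Table -AutoSize
```

Every row returned is a candidate Shadow Admin to reconcile against the documented hierarchy; inherited rows usually point at a parent OU whose ACL also needs review.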
Network Security – Best Practices to Avoid Shadow Admins
Administrators in each organization will understand best the hierarchy and infrastructure of their own enterprise networks, and there are third-party software utilities available to assist in deep analysis of Access Control Lists. But the following recommendations apply generally:
- Organizations with operating platforms that include an Active Directory are most at risk. In particular, ACLs should be monitored to ensure that only Domain Admin groups and Domain Controllers are allowed privileges such as “Full control”, “Reset Password”, or “Replicating Directory Changes All”.
- Permissions and privileges should be assigned strictly on an “as needed” basis.
- If potential “Shadow Admin” accounts are discovered, it should immediately be established whether or not these accounts represent an attack in progress.
- Personal user accounts should be segregated from their associated administrator accounts.
- Strong password protocols and secure password storage should be used to safeguard credentials from theft or interception.
- Continuous monitoring and periodic review of network user permissions are also advised.