The first thing every hacker needs to get into your network is a compromised endpoint. To install malicious software in your network, whether the user does so knowingly or unknowingly, hackers need admin rights on the account they have compromised. You need BitLocker to keep people from getting admin rights if they have physical access. And users can't install their own machines, because then they would be admins: the first user account created in Windows is always an admin by default.
For years, the most recommended security measure against malware has been removing admin rights from end users. This is why I was so happy when Microsoft introduced their new solution for replacing the old disk imaging: Autopilot! With Autopilot, you can provision your company's computers and, in a way, transform them from consumer devices to enterprise devices. The process is highly automated, and the only things it requires are:
- The company buys a device from a manufacturer.
- The device's identification information (given by the manufacturer or retrieved with a script by the company) is registered in a cloud service.
- The user receives the device and unboxes it.
- The user powers on the machine.
- The traditional out-of-the-box experience (OOBE) starts.
- The user logs on with an Azure Active Directory (AD) account and password.
- The computer is identified as an Autopilot device.
- Autopilot provisions the computer: it changes the SKU to Enterprise, installs apps, configures security settings such as enforcing BitLocker, and joins the device to Azure AD (and potentially to an on-prem domain).
- The user has an operational enterprise device with no intervention from the IT department and the computer never having seen the company premises.
Now back to the admin rights. The good thing for security is that Microsoft markets Autopilot as a solution where you don't have to give the end user admin rights at any point. A setting the company chooses when it builds the Autopilot setup prevents Autopilot from granting the user admin privileges. Great! Now we can deliver machines to end users straight from the manufacturer, have them upgraded and configured correctly, and never give users admin rights!
Or… are you sensing a "but" here? 😉
Here we have a computer started with Windows 10 1909 OOBE, and the first screen looks like this:
We continue through the screens normally until we can log in with our Azure AD credentials like here:
Now if I continue normally, I will never get admin rights. But if at any point I hit Shift + F10, I get a command prompt with admin rights like here:
I can now create an admin account in various ways, for example, like this:
After I've finished the installation, I can use the "hacker" account when I need admin rights or add my Azure AD account to the local administrators group with this command:
NET LOCALGROUP ADMINISTRATORS AzureAD\Sami.Laiho /add
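The two traces this leaves behind are an extra local account and an extra member of the local Administrators group. The following PowerShell script, an added example that is not part of the original post, audits a device for exactly those traces so a detection script (for example one run by Intune) can flag a machine that was tampered with during OOBE. The allow lists and the Intune exit-code convention are assumptions to adapt to your own environment.

```powershell
# Added example (not from the original post): look for admin-rights grants that the
# Autopilot flow would never have made, such as a local "hacker" account or an
# AzureAD\<user> entry in the Administrators group. Needs PowerShell 5.1+ with the
# built-in LocalAccounts module; the allow lists below are assumptions to adjust.

# Local accounts a stock Windows 10 / Autopilot install legitimately leaves behind.
$ExpectedLocalAccounts = @('Administrator', 'DefaultAccount', 'Guest',
                           'WDAGUtilityAccount', 'defaultuser0')

# Administrators members you expect. On an Azure AD-joined device the role SIDs
# (S-1-12-1-...) for Global Administrator / Azure AD Device Administrator also appear,
# so add those SIDs here once you know them for your tenant.
$ExpectedAdminMembers = @("$env:COMPUTERNAME\Administrator")

$Findings = @()

# 1. Any local user beyond the built-in set was created outside the Autopilot flow
#    (e.g. from the Shift + F10 command prompt during OOBE).
Get-LocalUser | Where-Object { $ExpectedLocalAccounts -notcontains $_.Name } |
    ForEach-Object {
        $Findings += [pscustomobject]@{ Check = 'UnexpectedLocalUser'
                                        Name  = $_.Name
                                        Detail = "Enabled=$($_.Enabled)" }
    }

# 2. Any Administrators member not on the allow list, which catches
#    "NET LOCALGROUP ADMINISTRATORS AzureAD\<user> /add".
#    Get-LocalGroupMember can throw on unresolvable SIDs, hence SilentlyContinue.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $ExpectedAdminMembers -notcontains $_.Name } |
    ForEach-Object {
        $Findings += [pscustomobject]@{ Check = 'UnexpectedAdminMember'
                                        Name  = $_.Name
                                        Detail = "Source=$($_.PrincipalSource)" }
    }

# 3. Security log evidence of a member being added to Administrators (event 4732),
#    which survives even if the account was removed again afterwards. Requires the
#    "Audit Security Group Management" subcategory to be enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Group Name:\s+Administrators' } |
    ForEach-Object {
        $Findings += [pscustomobject]@{ Check = 'AdminGroupChangeEvent'
                                        Name  = $_.TimeCreated.ToString('s')
                                        Detail = "EventId=$($_.Id)" }
    }

if ($Findings.Count -eq 0) { Write-Output 'No unexpected admin-rights grants found.'; exit 0 }
$Findings | Format-Table -AutoSize
exit 1   # non-zero exit code: the device is flagged as non-compliant by the caller
```

Run it as an administrator so the Security log and group membership are readable; a non-zero exit code is the signal a remediation pipeline can act on.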
From a bad guy's perspective, I would say it's very tempting to find a computer in a box delivered to a company, or just to reset the computer if it has already been provisioned!
And yes, I know, this breaks the immutable law of security: "If someone has physical access to your computer, it's not your computer anymore," and all bets are off in that sense. But Microsoft, please, can you make it at least slightly more difficult than just hitting Shift + F10?