Is it possible to add a privilege to the Standard User Token created for an admin user by Windows?

This question is a follow-up to "Why is SeCreateSymbolicLinkPrivilege ignored on Windows 8?"

Given:

  1. The user is in the Administrators group
  2. Turning off UAC is not an option for me.
  3. Running elevated is not an option.

Question: Is it possible to add the SeCreateSymbolicLinkPrivilege to the Standard User Token created by Windows for an admin user?


Appendix

Non-elevated admin user:

C:\dayforce\SharpTop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

C:\dayforce\SharpTop>

A regular user:

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links                Disabled

C:\Windows\system32>

Notice a regular user has the SeCreateSymbolicLinkPrivilege privilege, because I have enabled it in the Security Policy. But the admin user is screwed, because doing so does not affect its Standard User Token!

mark asked Nov 01 '22 05:11


1 Answer

(This is a non-answer to the actually-asked question, but it is an attempt at an answer for what I perceive to be the actual goal.)

I feel your pain -- I've been looking for a way to permit an admin user running non-elevated to create symbolic links, without success ...

  • I've investigated altering the process token (of "explorer" perhaps) to add the SeCreateSymbolicLinkPrivilege privilege, but it appears that there is no way to alter the privilege set of an existing token, even if your patch process runs as SYSTEM and/or has the SeTcbPrivilege privilege.

  • I've investigated using CreateRestrictedToken to create your "own" non-elevated process, but with the SeCreateSymbolicLinkPrivilege privilege left enabled. But all anecdotes I've read about CreateRestrictedToken suggest that the resulting token cannot be made sufficiently similar to an "authentic" non-elevated token. There were insurmountable issues with the integrity level, or with the elevated flag associated with the token.

  • No matter what users you assign to the create-symlink user right in the security policy manager, if your process runs non-elevated (from a user with admin), the SeCreateSymbolicLinkPrivilege privilege gets removed. This happens even if the only user added is "Everyone".

Microsoft really fouled us up on this one; there appears to be no good workaround. There is a possibly hackish solution though ...

Now for the hackish solution - during logon of the user, start a background program (elevated) which will create symlinks on behalf of other processes. This will need to use some sort of IPC, perhaps named pipes, to receive create-symlink requests from the client process. It's ugly, and probably slow, but other than running elevated (or disabling UAC), or removing the user from the Administrators group, I don't see any other way.

William answered Nov 15 '22 04:11
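The following is an added example, not code from the question or the answer, of the named-pipe broker the answer sketches, together with the client-side fallback: the client first checks its own token for the privilege (the same check the question's appendix does by hand with whoami /priv) and only talks to the elevated broker when the privilege is missing. The pipe name 'SymlinkBroker', the allowed root 'C:\dev\links' and the request format '<link>|<target>' are assumptions made for the example. The point a practitioner has to get right is that an elevated broker which accepts any request from the desktop is an admin-level "create a symlink anywhere" service for every process running as that user; the broker therefore ACLs the pipe, requires absolute paths, normalises them and refuses links outside one directory tree.

```powershell
# Added example (not the question's or answer's code): elevated symlink broker over a
# named pipe plus a client that falls back to it when the filtered token lacks the privilege.
# Assumed values: pipe name, allowed root, request format '<link>|<target>'.

$PipeName    = 'SymlinkBroker'   # assumed pipe name
$AllowedRoot = 'C:\dev\links'    # assumed: the broker only creates links inside this tree

function Test-CurrentTokenPrivilege {
    param([string]$PrivilegeName)
    # whoami /priv lists the privileges of the current process token; for a non-elevated
    # admin that is the filtered token, which does not contain SeCreateSymbolicLinkPrivilege.
    $lines = whoami /priv
    return [bool]($lines | Where-Object { $_ -match "^\s*$PrivilegeName\s" })
}

function Test-Elevated {
    # In the filtered token the Administrators SID is deny-only, so IsInRole returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UnderRoot {
    param([string]$Path, [string]$Root)
    # Normalise both paths so '..' segments cannot escape the allowed tree.
    $full     = [IO.Path]::GetFullPath($Path)
    $rootFull = [IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    return $full.StartsWith($rootFull, [StringComparison]::OrdinalIgnoreCase)
}

function Invoke-SymlinkRequest {
    param([string]$Request)
    # Request format (constructed for this example): '<link path>|<target path>'
    $parts = $Request -split '\|', 2
    if ($parts.Count -ne 2) { return 'ERR malformed request' }
    $link, $target = $parts
    if (-not [IO.Path]::IsPathRooted($link) -or -not [IO.Path]::IsPathRooted($target)) {
        return 'ERR paths must be absolute'
    }
    if (-not (Test-UnderRoot $link $AllowedRoot)) { return "ERR link must be under $AllowedRoot" }
    if (Test-Path -LiteralPath $link) { return 'ERR link path already exists' }
    try {
        New-Item -ItemType SymbolicLink -Path $link -Target $target -ErrorAction Stop | Out-Null
        return 'OK'
    } catch {
        return "ERR $($_.Exception.Message)"
    }
}

function Start-SymlinkBroker {
    # Elevated side: run with the full admin token, e.g. from a logon task set to highest privileges.
    if (-not (Test-Elevated)) { throw 'Start-SymlinkBroker must run elevated' }

    # Pipe ACL: only authenticated local users may connect; tighten to the interactive user's SID if possible.
    $security = New-Object IO.Pipes.PipeSecurity
    $security.AddAccessRule((New-Object IO.Pipes.PipeAccessRule('Authenticated Users', 'ReadWrite', 'Allow')))

    while ($true) {
        $server = New-Object IO.Pipes.NamedPipeServerStream(
            $PipeName, [IO.Pipes.PipeDirection]::InOut, 1,
            [IO.Pipes.PipeTransmissionMode]::Byte, [IO.Pipes.PipeOptions]::None,
            4096, 4096, $security)
        try {
            $server.WaitForConnection()
            $reader = New-Object IO.StreamReader($server)
            $writer = New-Object IO.StreamWriter($server)
            $writer.AutoFlush = $true
            $writer.WriteLine((Invoke-SymlinkRequest ($reader.ReadLine())))
        } finally {
            $server.Dispose()   # one request per connection keeps the protocol trivial
        }
    }
}

function New-BrokeredSymlink {
    param([string]$Link, [string]$Target)
    # Client side: create the link directly if the token already holds the privilege
    # (a regular user with the user right assigned), otherwise ask the elevated broker.
    if (Test-CurrentTokenPrivilege 'SeCreateSymbolicLinkPrivilege') {
        New-Item -ItemType SymbolicLink -Path $Link -Target $Target -ErrorAction Stop | Out-Null
        return 'OK (direct)'
    }
    $client = New-Object IO.Pipes.NamedPipeClientStream('.', $PipeName, [IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(5000)
        $writer = New-Object IO.StreamWriter($client)
        $writer.AutoFlush = $true
        $reader = New-Object IO.StreamReader($client)
        $writer.WriteLine("$Link|$Target")
        return $reader.ReadLine()
    } finally {
        $client.Dispose()
    }
}

# Usage (elevated session):      Start-SymlinkBroker
# Usage (non-elevated session):  New-BrokeredSymlink 'C:\dev\links\repo' 'C:\src\repo'
```

Run Start-SymlinkBroker from an elevated session (or a logon task with highest privileges) and call New-BrokeredSymlink from the non-elevated one; the broker answers 'OK' or an 'ERR ...' line. Keep $AllowedRoot as narrow as the workflow permits: every path the broker is willing to write is a path any process running as that user can make it write.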