
Principles of Group Policy Deployment and Distribution

Local Group Policy and Intra-Domain Group Policy

How Domain Servers Store Group Policy

Group Policy Issuance and Acquisition

How a client stores Group Policy

The Group Policy management tool in Server Manager

A more capable Group Policy management tool, GPMC, which can manage multiple domains

Creating and editing the content of a Group Policy

Group policies are divided into host (computer) policy and user policy, stored in the Machine and User directories;

and into script and non-script types, with scripts kept in the Scripts directory

Managing the application scope of a Group Policy (demo)

Group Policy Storage

Stored on the domain controller under \\domain\sysvol\policies as XML, INI, INF and other files in plaintext

Readable by all users in the domain

Group Policy Updates

The client actively fetches Group Policy every 90 minutes to check whether it has changed.

A client can run gpupdate /force to force an immediate Group Policy refresh.

The refresh can be limited to the computer or the user part, e.g. gpupdate /force /target:computer

Group Policy Distribution and Acquisition

How Group Policy is queried:

The client searches LDAP for all Group Policy objects and selects those that apply to it

When the client queries Group Policy, the server decides which policies need to be returned (the version number is an important factor in that decision)

ACL (Access Control List)

ACL for Windows security objects

All Windows objects (files, processes, registry keys, memory sections, etc.) are securable objects

Each securable object is assigned a security descriptor, which contains:

security identifiers (SIDs) for the object's owner and primary group

a DACL that specifies the access rights allowed or denied to particular users or groups

a SACL that specifies the types of access attempts that generate audit records for the object

DACL

A DACL consists of multiple ACEs (Access Control Entries)

Windows Access Control

Windows access control has three parts: the access token, the object's security descriptor, and the access check

The access token is the container that carries the security context of the accessing process or thread

The object's security descriptor holds the security attributes of the target object; through it the object grants permissions to different user groups (the security matrix)

The access check compares the access token against the object's ACL to decide whether the process holds the permissions it is requesting

If files and directories owned by high-privilege services and processes in Windows have improperly set ACLs that grant "write" or even "execute" permission to low-privileged users, a low-privileged user can get chosen code executed by modifying or replacing file content. For example, if the Windows System32 directory is writable, a DLL can be written into it; after a reboot it is loaded by a high-privilege program such as svchost, and privileges are escalated (demo)

ACL Security Audit

accesschk.exe from the Sysinternals Suite can check the ACLs of a given directory and its files. The command is accesschk.exe -w -s directory, where directory is the directory to examine.

accesschk.exe can also audit the permissions a process exposes to each user group. Running accesschk.exe -p pid shows the permissions open on that process; pid can be replaced with '*' to check the permissions all processes expose to the various user groups. To work properly, accesschk.exe should be run with elevated privileges.

Exploitation

Methods of exploiting process ACL weaknesses

Method 1

Obtain a handle to the process through OpenProcess and write the target code into the process's address space. The code then runs with the permissions of that process;

Method 2

Obtain a handle to the process through OpenProcess, obtain the process's token through OpenProcessToken, and use that token with CreateProcessAsUser to create a new process. The new process has the same permissions as the target process.

Registry ACLs

If the registry entries for startup items and service settings are writable by low-privileged users, a low-privileged user can write a chosen file path into those entries and wait for the system to restart to gain elevated privileges.

The command accesschk.exe -w -s -k HKLM recursively scans the HKLM hive for keys that are open for writing.
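An added audit helper covering both the directory check and the registry check described above (example code written for this page, not from the original post or from Sysinternals): it walks a filesystem path or a registry hive with Get-Acl and reports every Allow ACE that grants write-capable rights to a low-privileged principal. It assumes Windows PowerShell 5.1 or later; the principal list and the bit mask are my own choices.

```powershell
# Added example: find files, directories and registry keys where low-privileged
# principals hold write-capable rights (the misconfiguration described in the post).
# Assumption: Windows PowerShell 5.1+; the principal list below is the example's own choice.
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Access-mask bits that allow changing an object or its security. They are numerically
# identical for files (FileSystemRights) and keys (RegistryRights):
#   0x2 WriteData/SetValue, 0x4 AppendData/CreateSubKey, 0x10000 Delete,
#   0x40000 ChangePermissions, 0x80000 TakeOwnership, 0x40000000 GENERIC_WRITE,
#   0x10000000 GENERIC_ALL (generic bits appear on inherit-only ACEs).
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Find-WeakAcl {
    param(
        [Parameter(Mandatory)][string]$Root,          # e.g. C:\Windows\System32 or HKLM:\SYSTEM
        [string[]]$Principals = $LowPrivPrincipals
    )
    # Audit the root itself and everything beneath it; entries we cannot read are skipped.
    $items = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            # FileSystemAccessRule exposes FileSystemRights; RegistryAccessRule exposes RegistryRights.
            $rights = if ($null -ne $ace.FileSystemRights) { $ace.FileSystemRights } else { $ace.RegistryRights }
            if (([int]$rights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.PSPath -replace '^.*::', ''   # strip the provider prefix
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The two checks the post performs with accesschk, run from an elevated prompt:
Find-WeakAcl -Root 'C:\Windows\System32' | Format-Table -AutoSize
Find-WeakAcl -Root 'HKLM:\SYSTEM\CurrentControlSet\Services' | Format-Table -AutoSize
```

Every line reported is a candidate for review: an inherited ACE usually points at a parent directory or key whose DACL should be tightened, while a non-inherited one was set on the object itself.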
