Me, Myself, and System

Using Become on Windows
Jordan Borean, Principal Software Engineer - Ansible

Who Am I?

The Problem(s)?

● Need to auth to other servers from Windows
● Ansible commands act differently than running it manually
● Need to run in the scope of a user without their password
● Need to get the word out there about how good become can be for Windows

Double Hop

Our Saviour

- name: access network file
  win_copy:
    src: \\secure\accounting\payroll.csv
    dest: C:\Users\me\Documents\payroll.csv
    remote_src: yes
  become: yes
  become_method: runas
  vars:
    ansible_become_user: '{{ ansible_user }}'
    ansible_become_pass: '{{ ansible_password }}'

DEMO - Beating Double-Hop

Network Logon

● Cannot access DPAPI
● Wusa.exe flat out rejects us
● No cached credentials (excluding CredSSP/Kerb with delegation)
● Bound to be other issues but these are the major ones

Available Logon Types

● Interactive (default)
● Batch
● Service
● New Credentials

- name: run with batch logon
  win_whoami:
  become: yes
  become_method: runas
  become_user: username
  become_flags: logon_type=batch

DEMO - Bypassing Network Logons

No Passwords!

● Originally could only do this for SYSTEM, Network Service, and Local Service
● Can now also do it for any local or domain accounts
● Loses credential delegation advantage
● Still enough to bypass a Network logon issue, runs as a batch logon

- name: run as SYSTEM
  win_whoami:
  become: yes
  become_method: runas
  become_user: SYSTEM

Wait isn't this a security issue?

DEMO - Look Ma No Passwords

Digging Deeper - What is a Token?

User: The user account
Groups: List of groups the token is a member of
Privileges: List of privileges the token has
Elevation Type: Full/Limited/Default
Linked Token: A pointer to the linked Full/Limited token
Integrity Level: The integrity level (Low, Medium, High, etc.)
Authentication ID: The LSA Logon ID
...

Digging Deeper - Creating a Become Token

LogonUser
● Creates the initial logon
● An interactive logon token returns a Limited token
● The logon is specified here
● Used when a pass is set, other scenarios use another API

GetTokenInformation
● Call this with TokenLinkedToken to get the Full token
● Requires SeTcbPrivilege (gotten by impersonating SYSTEM)

CreateProcessWithToken
● Spawns a new process
● Uses the new token to specify the account it runs under
● Module execution runs like usual

DEMO - Token Info

There are Limits

● No network auth without a password
● Run a process on a logged on user's screen
  ○ Use PSExec with -i or a scheduled task
● No elevation from limited to admin user :(
  ○ Petition to implement for Windows!

Troubleshooting
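The LogonUser -> GetTokenInformation(TokenLinkedToken) -> CreateProcessWithToken flow from the "Creating a Become Token" slide, as an added PowerShell example that is not part of the talk or of Ansible's own code. It assumes a placeholder local account 'becometest' and a caller holding SeImpersonatePrivilege (plus SeTcbPrivilege, as the slide notes, to get a usable Full token back).

```powershell
# Added example, not Ansible code: the three Win32 calls behind a runas become token via P/Invoke.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class BecomeNative {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUserW(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out IntPtr info, int infoLength, out int returnLength);
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr token, int logonFlags, string app,
        string cmdLine, int creationFlags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
$LOGON32_LOGON_INTERACTIVE = 2; $LOGON32_PROVIDER_DEFAULT = 0   # logon_type=batch would be 4
$TokenLinkedToken = 19; $LOGON_WITH_PROFILE = 1
$User = 'becometest'; $Domain = '.'; $Password = 'REPLACE_ME'    # placeholder credentials
function Fail($api) { throw "$api failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# Step 1 - LogonUser: an interactive logon of an admin account hands back the Limited (UAC-filtered) token.
$token = [IntPtr]::Zero
if (-not [BecomeNative]::LogonUserW($User, $Domain, $Password, $LOGON32_LOGON_INTERACTIVE,
        $LOGON32_PROVIDER_DEFAULT, [ref]$token)) { Fail 'LogonUser' }

# Step 2 - GetTokenInformation(TokenLinkedToken): follow the link to the Full token. Without SeTcbPrivilege
# only an identification-level token comes back; a non-admin account has no linked token, so keep the original.
$linked = [IntPtr]::Zero; $len = 0
$elevated = [BecomeNative]::GetTokenInformation($token, $TokenLinkedToken, [ref]$linked, [IntPtr]::Size, [ref]$len)
if ($elevated) { $token = $linked }

# Step 3 - CreateProcessWithToken (caller needs SeImpersonatePrivilege): spawn the payload under that token.
# whoami is used here so its groups/privileges can be compared with the win_whoami output from the talk.
$si = New-Object BecomeNative+STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pi = New-Object BecomeNative+PROCESS_INFORMATION
$cmd = 'C:\Windows\System32\cmd.exe /c whoami /groups /priv > C:\Temp\become-token.txt'
if (-not [BecomeNative]::CreateProcessWithTokenW($token, $LOGON_WITH_PROFILE, $null, $cmd, 0,
        [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) { Fail 'CreateProcessWithToken' }
"Spawned PID $($pi.dwProcessId) with the $(if ($elevated) { 'Full (linked)' } else { 'original' }) token"
```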

● Make sure you have the SeDebugPrivilege
● Set become_method: runas on the task or ansible_become_method: runas as a hostvar
● Interactive logons require SeAllowLogOnLocally
● Use win_whoami to check groups and privileges

Want more?

Windows Working Group

#ansible or #ansible-windows @ irc.freenode.
https://github.com/ansible/community/wiki/Windows