Me, Myself, and System
Using Become on Windows
Jordan Borean, Principal Software Engineer - Ansible

Who Am I?

The Problem(s)?
● Need to auth to other servers from Windows
● Ansible commands act differently than the same command run manually
● Need to run in the scope of a user without their password
● Need to get the word out about how good become can be for Windows

Double Hop

Our Saviour
- name: access network file
  win_copy:
    src: \\secure\accounting\payroll.csv
    dest: C:\Users\me\Documents\payroll.csv
    remote_src: yes
  become: yes
  become_method: runas
  vars:
    ansible_become_user: '{{ ansible_user }}'
    ansible_become_pass: '{{ ansible_password }}'

DEMO - Beating Double-Hop

Network Logon
● Cannot access DPAPI
● Wusa.exe flat out rejects us
● No cached credentials (excluding CredSSP/Kerberos with delegation)
● Bound to be other issues but these are the major ones

Available Logon Types
● Interactive (default)
● Batch
● Service
● New Credentials

- name: run with batch logon
  win_whoami:
  become: yes
  become_method: runas
  become_user: username
  become_flags: logon_type=batch

DEMO - Bypassing Network Logons

No Passwords!
● Originally could only do this for SYSTEM, Network Service, and Local Service
● Can now also do it for any local or domain account
● Loses the credential delegation advantage
● Still enough to bypass a Network logon issue, runs as a batch logon

- name: run as SYSTEM
  win_whoami:
  become: yes
  become_method: runas
  become_user: SYSTEM

Wait, isn't this a security issue?

DEMO - Look Ma No Passwords

Digging Deeper - What is a Token?
User - The user account
Groups - List of groups the token is a member of
Privileges - List of privileges the token has
Elevation Type - Full/Limited/Default
Linked Token - A pointer to the linked Full/Limited token
Integrity Level - The integrity level: Low, Medium, High, etc.
Authentication ID - The LSA Logon ID
...

Digging Deeper - Creating a Become Token
LogonUser
● Creates the initial logon
● An interactive logon returns a Limited token
● The logon type is specified here
● Used when a password is set; other scenarios use another API

GetTokenInformation
● Call this with TokenLinkedToken to get the Full token
● Requires SeTcbPrivilege (gotten by impersonating SYSTEM)

CreateProcessWithToken
● Spawns a new process
● Uses the new token to specify the account it runs under
● Module execution runs like usual

DEMO - Token Info

There are Limits
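An added playbook, not one of the deck's own tasks, that exercises the two become paths from the slides above (a batch logon with a password, and SYSTEM with no password) and then reads the token fields from the "What is a Token?" slide back through win_whoami. It assumes an inventory group named windows reachable over WinRM, a local account svc_batch (placeholder name) whose password lives in the vaulted variable svc_batch_password (placeholder), and Ansible 2.5 or later for the win_whoami return values it inspects.

```yaml
# Added example (not from the original slides). Assumed: inventory group
# "windows", placeholder account svc_batch with vaulted svc_batch_password.
- name: Compare become logon types and inspect the resulting tokens
  hosts: windows
  gather_facts: no
  tasks:
    - name: Batch logon for a normal account (password supplied)
      win_whoami:
      become: yes
      become_method: runas
      become_user: svc_batch
      become_flags: logon_type=batch
      vars:
        ansible_become_pass: "{{ svc_batch_password }}"   # assumed vault var
      register: batch_token

    - name: SYSTEM without a password (passwordless become path)
      win_whoami:
      become: yes
      become_method: runas
      become_user: SYSTEM
      register: system_token

    - name: Check the logons came out the way the slides describe
      assert:
        that:
          # the batch logon flag really produced a Batch logon
          - batch_token.logon_type == 'Batch'
          # S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM
          - system_token.account.sid == 'S-1-5-18'
          # the point of the exercise: neither one is a Network logon
          - system_token.logon_type != 'Network'
        fail_msg: become did not produce the expected logon

    - name: Show the token fields from the 'What is a Token?' slide
      debug:
        msg:
          user: "{{ item.account.account_name }}"
          logon_type: "{{ item.logon_type }}"
          token_type: "{{ item.token_type }}"
          integrity_level: "{{ item.label.account_name }}"
          authentication_id: "{{ item.logon_id }}"
          privileges: "{{ item.privileges }}"
          groups: "{{ item.groups | map(attribute='account_name') | list }}"
      loop:
        - "{{ batch_token }}"
        - "{{ system_token }}"
      loop_control:
        label: "{{ item.account.account_name }}"
```

Run it with `ansible-playbook -i inventory become_tokens.yml --ask-vault-pass`; the assert task fails the host if a become path silently fell back to a Network logon, which is exactly the condition that breaks DPAPI and wusa.exe on the "Network Logon" slide.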
● No network auth without a password
● Run a process on a logged on user's screen
  ○ Use PSExec with -i

● Make sure you have SeDebugPrivilege
● Set become_method: runas on the task or ansible_become_method: runas as a hostvar
● Interactive logons require SeAllowLogOnLocally
● Use win_whoami to debug groups and privileges

Want More?

Windows Working Group
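An added pre-flight playbook, not from the deck, that turns the four checklist items above into tasks: it confirms SeDebugPrivilege on the connection user, sets become_method through the hostvar form, attempts the default interactive logon for the target account, and dumps that token's groups and privileges with win_whoami. It assumes an inventory group named windows plus two placeholder variables, target_user and target_pass, naming the account to become and its password.

```yaml
# Added example (not from the original slides). Assumed: inventory group
# "windows"; placeholder vars target_user / target_pass set in inventory.
- name: Verify become prerequisites and debug the become token
  hosts: windows
  gather_facts: no
  vars:
    ansible_become_method: runas        # the hostvar form from the checklist
  tasks:
    - name: Inspect the connection user's own token (no become)
      win_whoami:
      register: conn_token

    - name: The connection user needs SeDebugPrivilege to build a become token
      assert:
        that:
          - "'SeDebugPrivilege' in conn_token.privileges"
        fail_msg: >-
          {{ conn_token.account.account_name }} lacks SeDebugPrivilege;
          grant 'Debug programs' in the local security policy first

    - name: Become the target account with the default interactive logon
      win_whoami:
      become: yes
      become_user: "{{ target_user }}"
      vars:
        ansible_become_pass: "{{ target_pass }}"   # password set => LogonUser path
      register: become_token
      ignore_errors: yes                           # we diagnose the failure below

    - name: Show groups and privileges of the become token for debugging
      debug:
        msg:
          account: "{{ become_token.account.account_name }}"
          logon_type: "{{ become_token.logon_type }}"
          groups: "{{ become_token.groups | map(attribute='account_name') | list }}"
          privileges: "{{ become_token.privileges }}"
      when: become_token is succeeded

    - name: Hint when the interactive logon was refused
      debug:
        msg: >-
          Interactive logon for {{ target_user }} failed: grant the account
          SeAllowLogOnLocally ('Allow log on locally'), or request a different
          logon type with become_flags: logon_type=batch
      when: become_token is failed
```

Because the become attempt runs with ignore_errors, the play keeps going and the last two tasks branch on the registered result, so one run tells you which of the checklist items is missing instead of stopping at the first "Access is denied".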
#ansible or #ansible-windows @ irc.freenode.net
https://github.com/ansible/community/wiki/Windows