Me, Myself, and System

Using Become on Windows

Jordan Borean
Principal Software Engineer - Ansible

Who Am I?

The Problem(s)?

● Need to auth to other servers from Windows
● Ansible commands act differently than running it manually
● Need to run in the scope of a user without their password
● Need to get the word out there about how good become can be for Windows

Double Hop

Our Saviour

    - name: access network file
      win_copy:
        src: \\secure\accounting\payroll.csv
        dest: C:\Users\me\Documents\payroll.csv
        remote_src: yes
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ ansible_password }}'

DEMO - Beating Double-Hop

Network Logon

● Cannot access DPAPI
● Wusa.exe flat out rejects us
● No cached credentials (excluding CredSSP/Kerb with delegation)
● Bound to be other issues but these are the major ones

Available Logon Types

● Interactive (default)
● Batch
● Service
● New Credentials

    - name: run with batch logon
      win_whoami:
      become: yes
      become_method: runas
      become_user: username
      become_flags: logon_type=batch

DEMO - Bypassing Network Logons

No Passwords!

● Originally could only do this for SYSTEM, Network Service, and Local Service
● Can now also do it for any local or domain accounts
● Loses credential delegation advantage
● Still enough to bypass a Network logon issue, runs as a batch logon

    - name: run as SYSTEM
      win_whoami:
      become: yes
      become_method: runas
      become_user: SYSTEM

Wait, isn't this a security issue?

DEMO - Look Ma No Passwords

Digging Deeper - What is a Token?

    User               The user account
    Groups             List of groups the token is a member of
    Privileges         List of privileges the token has
    Elevation Type     Full/Limited/Default
    Linked Token       A pointer to the linked Full/Limited token
    Integrity Level    The integrity level: Low, Medium, High, etc.
    Authentication ID  The LSA Logon ID
    ...

Digging Deeper - Creating a Become Token

LogonUser
● Creates the initial logon token
● The logon type is specified here
● Used when a pass is set; other scenarios use another API

GetTokenInformation
● An interactive logon returns a Limited token
● Call this with TokenLinkedToken to get the Full token
● Requires SeTcbPrivilege (gotten by impersonating SYSTEM)

CreateProcessWithToken
● Spawns a new process
● Uses the new token to specify the account it runs under
● Module execution runs like usual

DEMO - Token Info

There are Limits

● No network auth without a password
● Run a process on a logged on user's screen
    ○ Use PSExec with -i <session id> or a scheduled task
● No elevation from limited to admin user :(
    ○ Petition Microsoft to implement sudo for Windows!

Troubleshooting

● Make sure you have the SeDebugPrivilege
● Set become_method: runas on the task or ansible_become_method: runas as a hostvar
● Interactive logons require SeAllowLogOnLocally
● Use win_whoami to debug groups and privileges

Want More?

Windows Working Group
#ansible or #ansible-windows @ irc.freenode.net
https://github.com/ansible/community/wiki/Windows
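A playbook that puts the Troubleshooting advice into practice, added here as an example and not taken from the slides: it uses win_whoami to compare the token of the plain connection with the tokens produced by the three become variants shown earlier. The inventory group `windows`, the task names and the registered variable names are assumptions; `logon_type`, `privileges` and `account.sid` are win_whoami return values.

```yaml
# Added example, not from the original slides.
# Assumed: an inventory group named "windows" whose hosts define
# ansible_user and ansible_password for the WinRM connection.
- name: Compare logon sessions with and without become
  hosts: windows
  gather_facts: no
  tasks:
    - name: Token of the plain connection (normally a network logon)
      win_whoami:
      register: conn

    - name: Preflight, become with runas needs SeDebugPrivilege
      assert:
        that: "'SeDebugPrivilege' in conn.privileges"
        fail_msg: SeDebugPrivilege is missing from the connection token

    - name: Become with the default interactive logon
      win_whoami:
      become: yes
      become_method: runas
      vars: &creds    # same credential wiring as the win_copy task
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ ansible_password }}'
      register: interactive

    - name: Become with a batch logon
      win_whoami:
      become: yes
      become_method: runas
      become_flags: logon_type=batch
      vars: *creds
      register: batch

    - name: Become SYSTEM without a password
      win_whoami:
      become: yes
      become_method: runas
      become_user: SYSTEM
      register: system

    - name: Confirm become produced the expected tokens
      assert:
        that:
          - batch.logon_type | lower == 'batch'
          - system.account.sid == 'S-1-5-18'   # well-known SID of SYSTEM

    - name: Report the logon type behind each token
      debug:
        msg: "connection={{ conn.logon_type }} interactive={{ interactive.logon_type }} batch={{ batch.logon_type }} system={{ system.logon_type }}"
```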
