SetObjectSecurity.exe – SDDL

  • Introduction:

In this blog post you will learn more about the security permission model in Windows and how you can view and set permissions on securable objects by using tools like SetObjectSecurity.exe.

A securable object is an object that can have a Security Descriptor. You can think of folders, registry keys, network shares, services, Active Directory objects, and much more.

NOTE: Everything is demonstrated for educational purposes. I highly recommend doing this in a lab environment and not in production.

  • What are Security Descriptors?

A Security Descriptor holds the security information of a securable object: who owns it and who has which (access) rights on it. Security Descriptor Definition Language (SDDL) is the string format used to describe such a security descriptor, and therefore how permissions are applied on the object.

A Security Descriptor is based on two important pieces, called the DACL and the SACL. A Discretionary Access Control List (DACL) is used to identify all the users and groups that are assigned or denied access to a securable object.

While a DACL identifies who has which access to a securable object, a System Access Control List (SACL) defines how access to the object is audited.

What we also have to mention is the Access Control List (ACL), which is a list of Access Control Entries (ACEs) that specifies a set of access rights for each security principal.

Last, but not least, are the Access Control Entries (ACEs), which tell what access rights each security principal has on a securable object.

So, what does it look like? In the following example, the part marked in red is the DACL, which identifies all the security principals that are assigned or denied access to a folder. The yellow part is a single ACE: a security principal that has certain access rights on the folder. We can see that it has Read & execute, List folder contents, and Read permissions.

  • SDDL String

An SDDL string contains five parts, which are the following: Header, DACL (D:), SACL (S:), primary group (G:), and owner (O:).

This is what an SDDL string looks like:

Let's take small baby steps first, before we go further. I just discussed the parts that make up an SDDL string. In the image above, we can see a small part of the entire SDDL string, which looks like this: O:BAG:DUD:AI

Now we are going to translate this SDDL part to get familiar with it.

Ok, now we have all the information. Let's verify that the Owner is actually Built-in Administrators and the Group is Domain Users.

Here we can verify that the Owner & Group are indeed Built-in Administrators and Domain Users.

Let’s now go further to the second example, which is translating the following SDDL part: (D;OICI;CCSWWPLORC;;;LG)

Everything has been translated and documented. We can see that we have denied access to the Local Guest account. It cannot read permissions, list objects, etc.

The last step is to verify that we were right. As you can see, the Local Guest has been denied access on C:\Folder.
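To make the two translation steps above repeatable, here is a small SDDL decoder added as an example (it is not part of the original post): it splits a string into its O:, G:, D: and S: parts, expands the alias tables, and decodes each ACE. The alias tables only cover the codes used on this page, and the two hex masks are the common file masks for Read & execute and Modify.

```python
import re
# Alias tables for the codes used on this page (a subset of the full SDDL list; unknown
# codes such as raw SIDs pass through unchanged).
TRUSTEES = {"BA": "Built-in Administrators", "BU": "Built-in Users", "DA": "Domain Admins",
            "DU": "Domain Users", "LG": "Local Guest", "SY": "Local System",
            "AU": "Authenticated Users", "IU": "Interactive Users", "SU": "Service Logon User",
            "CO": "Creator Owner", "AC": "All Application Packages"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only", "ID": "inherited"}
ACL_FLAGS = {"P": "protected", "AI": "auto-inherited", "AR": "auto-inherit required"}
# Right codes are overloaded per object type; the meaning after the slash is the one for
# services (so WP is SERVICE_STOP). K* and F* are the registry and file composite rights.
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write", "GX": "generic execute",
          "RC": "read control", "SD": "delete", "WD": "write DAC", "WO": "write owner",
          "CC": "create child / query config", "DC": "delete child / change config",
          "LC": "list children / query status", "SW": "self write / enumerate dependents",
          "RP": "read property / start", "WP": "write property / stop",
          "DT": "delete tree / pause-continue", "LO": "list object / interrogate",
          "CR": "control access / user-defined control", "FA": "file all", "FR": "file read",
          "FW": "file write", "FX": "file execute", "KA": "key all", "KR": "key read", "KW": "key write"}
HEX_MASKS = {"0x1200a9": "Read & execute", "0x1301bf": "Modify"}  # file masks seen on this page

def pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_acl_flags(s):
    out, i = [], 0
    while i < len(s):  # "P" is a one-character flag, the others are two characters
        code = "P" if s[i] == "P" else s[i:i + 2]
        out.append(ACL_FLAGS.get(code, code))
        i += len(code)
    return out

def parse_ace(ace):
    atype, flags, rights, _obj_guid, _inherit_guid, sid = ace.strip("()").split(";")
    decoded = ([HEX_MASKS.get(rights.lower(), rights)] if rights.startswith("0x")
               else [RIGHTS.get(r, r) for r in pairs(rights)])
    return {"type": ACE_TYPES.get(atype, atype), "flags": [ACE_FLAGS.get(f, f) for f in pairs(flags)],
            "rights": decoded, "trustee": TRUSTEES.get(sid, sid)}

def parse_sddl(sddl):
    out = {}
    for tag, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):  # ACE fields never contain ':'
        if tag in ("O", "G"):
            out["owner" if tag == "O" else "group"] = TRUSTEES.get(body, body)
        else:
            out["dacl" if tag == "D" else "sacl"] = {
                "flags": parse_acl_flags(body.split("(", 1)[0]),
                "aces": [parse_ace(a) for a in re.findall(r"\([^)]*\)", body)]}
    return out
```

Calling parse_sddl("O:BAG:DUD:AI") and parse_ace("(D;OICI;CCSWWPLORC;;;LG)") reproduces the two translations made by hand above.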

  • What is SetObjectSecurity.exe?

“SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc).”

Source: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613

We are now going to use SetObjectSecurity.exe to set permissions on objects. However, this tool is not installed by default; it can be downloaded from the Microsoft Security Baselines post linked above.

There is a folder in Windows 10 that has the following location:

C:\Windows\GameBarPresenceWriter

Let’s take a look at all the permissions on this object.

We can see that the Owner & Group are NT SERVICE\TrustedInstaller.

Now let's copy the entire SDDL string and paste it here:

O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
D:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1301bf;;;BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)

A good thing to know is that S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 is the security identifier (SID) for the TrustedInstaller principal.

Now we are going to use SetObjectSecurity.exe to change the Owner & Group attribute.

Run the following command:

.\SetObjectSecurity.exe FILE C:\Windows\GameBarPresenceWriter O:DAG:DA

The SDDL string will now look like the following:

O:DAG:DAD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1301bf;;;BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)

This means that we have indeed changed the owner & group attribute to Domain Admins.

We are now going to give ourselves "Full control" permission on the folder. In order to do this, we first need to get our SID.

S-1-5-21-286026694-570491570-841545031-1103

Our SDDL string will look like the following:

(A;OICI;GA;;;S-1-5-21-286026694-570491570-841545031-1103)

Now let’s look at the current SDDL string of C:\Windows\GameBarPresenceWriter


O:DAG:DAD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1301bf;;;BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)

First let’s take it in small steps.

O:DAG:DAD:PAI(A;OICIIO;GA;;;S-1-5-21-286026694-570491570-841545031-1103)

If we run the following command:

.\SetObjectSecurity.exe FILE C:\Windows\GameBarPresenceWriter "O:DAG:DAD:PAI(A;OICI;GA;;;S-1-5-21-286026694-570491570-841545031-1103)"

This replaced the entire SDDL: the DACL now contains only our own ACE.

Let's now add everything back, which is why we copied and pasted the entire SDDL string first 😉

If we now run the following command:

.\SetObjectSecurity.exe FILE C:\Windows\GameBarPresenceWriter "O:DAG:DAD:PAI(A;OICI;GA;;;S-1-5-21-286026694-570491570-841545031-1103)(A;OICIIO;GA;;;CO)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1301bf;;;BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)"

We can see that we have "Full control", and the SDDL string has been restored to the previous one with ourselves added to it.

  • Set permissions on services

In this example, we are going to configure permissions on a service. The goal is to stop a service as a standard user.

Here we are trying to stop the spooler service.

We can't stop this service, so let's find out why that's the case. Unfortunately it is not possible to use the GUI to view the security permissions on a service.

However, we can view them by running the following command in cmd:

sc sdshow spooler

This is the SDDL string for the Spooler service:

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)

The interesting SDDL part in our case is (A;;CCLCSWRPWPDTLOCRRC;;;SY), because this is the local SYSTEM account. You can recognize it by the "SY" trustee at the end. The SYSTEM account is the most powerful account on Windows.

Ok, let's translate this SDDL now.

What if we just copy the exact SDDL part of the local SYSTEM account, but replace the "SY" trustee with "BU" (Built-in Users)? Let's see if that works.

Our SDDL string will look like the following:

(A;;CCLCSWRPWPDTLOCRRC;;;BU)

If we now run the following command:

SetObjectSecurity.exe SERVICE \\Client\Spooler D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BU)

We can see that the SDDL of the Spooler service has been changed:

Let’s try to stop the service now as a standard user.

As you can see here, we are just a standard user.

Here you can see that we were able to stop the spooler service as a standard user.

Let's now focus a bit on least privilege. What rights are required for a standard user to stop a service, without granting any additional rights?

The following rights are required to allow standard users to stop a service. I didn't go too deep into this, but I'll assume the rights can be restricted even further.

There is a service in Windows called TokenBroker, which we can't stop as a standard user. When we try to stop the service, it says that access has been denied.

If we now take a look at the SDDL string of the TokenBroker service, we receive the following result:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

If we now add the part (A;;RPWPCR;;;BU) to the SDDL string, our entire SDDL string will look like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;BU)

If we now run the following command with SetObjectSecurity.exe:

SetObjectSecurity.exe SERVICE \\Client\TokenBroker D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;BU)

We can see that our part has been added to the SDDL string of the TokenBroker service.

Now we can stop the service as a standard user.

  • Set permissions on Registry keys

The last example is to set permissions on registry keys. We are going to find out what permissions are set on the following registry key:

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

When we try to add a value to this registry key (as a standard user), it shows that access has been denied.

Let's look at the SDDL string of this registry key:

O:SYG:SYD:PAI(A;CIIO;GA;;;CO)(A;;KA;;;SY)(A;CIIO;GA;;;SY)(A;;KA;;;SY)(A;CIIO;GA;;;BA)(A;;KA;;;BA)(A;CIIO;GR;;;BU)(A;;KR;;;BU)(A;;KR;;;AC)(A;CIIO;GR;;;AC)(A;;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIO;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)

I'm interested in (A;CIIO;GR;;;BU)(A;;KR;;;BU), because we can see that these ACEs end with the "BU" trustee. This is the alias for Built-in Users.

Let’s now add (A;;KA;;;BU) to the entire SDDL string.

If we now run the following command:

SetObjectSecurity.exe KEY "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" O:SYG:SYD:PAI(A;CIIO;GA;;;CO)(A;;KA;;;SY)(A;CIIO;GA;;;SY)(A;;KA;;;SY)(A;CIIO;GA;;;BA)(A;;KA;;;BA)(A;CIIO;GR;;;BU)(A;;KR;;;BU)(A;;KR;;;AC)(A;CIIO;GR;;;AC)(A;;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIO;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;;KA;;;BU)

We can see that the permissions have been applied on the registry key.

To verify, we create a value in the registry key as a standard user:
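Changes like the ones in the service and registry sections above are exactly what a defender wants to spot during an audit. The following check is an added example (not from the original post or from SetObjectSecurity.exe): it runs over the modified Spooler, TokenBroker and Image File Execution Options SDDL strings shown above and flags every allow ACE that hands a write-class right (stop/change-config on a service, set-value on a key) to a trustee outside an expected admin set. The allow-list and the per-type right sets are assumptions for this check; the long SID is the TrustedInstaller SID quoted earlier on the page.

```python
import re

# Trustees whose write-class grants are expected on system objects. This allow-list is an
# assumption for the check; the long SID is TrustedInstaller, as quoted earlier on the page.
EXPECTED = {"SY", "BA", "DA", "CO",
            "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"}

# Right codes that let a trustee change the object. For services WP is SERVICE_STOP,
# DC is SERVICE_CHANGE_CONFIG and DT is SERVICE_PAUSE_CONTINUE; for registry keys DC is
# KEY_SET_VALUE, LC is KEY_CREATE_SUB_KEY and KA/KW are the composite all/write rights.
SENSITIVE = {
    "SERVICE": {"WP", "DC", "DT", "GA", "GW", "WD", "WO", "SD"},
    "KEY": {"KA", "KW", "DC", "LC", "WP", "GA", "GW", "WD", "WO", "SD"},
}

def risky_aces(sddl, kind):
    """Return (trustee, sorted right codes) for each allow ACE that grants a sensitive right
    to a trustee outside EXPECTED. Hex masks are reported as-is for manual review."""
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        atype, _flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
        if atype != "A" or sid in EXPECTED:
            continue
        if rights.startswith("0x"):
            findings.append((sid, [rights]))
            continue
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        hit = sorted(codes & SENSITIVE[kind])
        if hit:
            findings.append((sid, hit))
    return findings

# The SDDL strings as the page shows them after each change (the IFEO key string omits the
# two capability-SID ACEs, which only grant KR).
SPOOLER_AFTER = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BU)")
TOKENBROKER_AFTER = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                     "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;BU)")
IFEO_AFTER = ("O:SYG:SYD:PAI(A;CIIO;GA;;;CO)(A;;KA;;;SY)(A;CIIO;GA;;;SY)(A;;KA;;;SY)"
              "(A;CIIO;GA;;;BA)(A;;KA;;;BA)(A;CIIO;GR;;;BU)(A;;KR;;;BU)(A;;KR;;;AC)"
              "(A;CIIO;GR;;;AC)(A;;KA;;;BU)")

if __name__ == "__main__":
    for name, sddl, kind in (("Spooler", SPOOLER_AFTER, "SERVICE"),
                             ("TokenBroker", TOKENBROKER_AFTER, "SERVICE"),
                             ("IFEO key", IFEO_AFTER, "KEY")):
        print(name, risky_aces(sddl, kind))
```

Feed it the output of sc sdshow or the .Sddl property from Get-Acl, and an empty result for the original Spooler string shows the baseline is clean while each modified string surfaces the added BU grant.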

References:

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613
