Windows Logon Types
One area I've spent more time digging around in than I expected to is Windows logon types. There are nine different ways to log on to a Windows system and nearly all of them expose your credentials to theft or abuse in some way or another.
Whether you're attacking or defending, knowing your logon types is important. Failure to understand which are risky and how to mitigate that risk is a great way to ensure you get an exciting day of incident response in the not-so-distant future.
This series of posts started with a table of logon types and a couple of questions. What are the different ways we can log on to a system? Why would we choose one over the other? Are some more dangerous than others?
Some choices are obvious---it's hard to edit a Word document with a batch logon---but some take a bit of digging.
In my experience, most system administrators default to some form of interactive logon while the lazy good ones will use network. One of the two is a great way to lose control of your domain, especially if you're using membership in your Domain Admins group as shorthand for this-is-great-I-have-local-admin-everywhere!
We're getting ahead of ourselves, though. Let's start where all good posts on complicated topics start: a visual aid.
| Logon Type | Logon Title | Notes |
|---|---|---|
| 2 | Interactive | Any logon where you are either physically at the keyboard, or virtually doing the same thing (VM console, KVM, iLO, etc.) |
| 3 | Network | Accessing a system across the network. Pretty straightforward. |
| 5 | Service | The logon type services use! |
| 7 | Unlock | I have returned from lunch. Let me in. |
| 8 | NetworkClearText | My developer would like to authenticate. |
| 9 | NewCredentials | Using RunAs will trigger this logon type. |
| 10 | RemoteInteractive | RDP, Remote Assistance |
| 11 | CachedInteractive | Logons using cached credentials |
If I were in charge of naming the above logon types, I'd definitely pick better names. Like AreYouInsane and ShellsForAll, but since Microsoft has taken the opaque approach to naming them, I have handcrafted another table so we can see how they shake out from a credential exposure standpoint.
| Logon Type | Cached Credentials | Cleartext Credentials | Delegate Token |
|---|---|---|---|
Looking at the above table, we can see that most logons are an exercise in chainsaw juggling, while one logon type stands out as the responsible choice of concerned citizens worldwide.
So Type 3 logons, hey? Pretty fantastic! The reason for this is that when you log on to another system using a Type 3 logon, you prove your identity to that system without sending your credentials. This is the opposite of what happens when you log on using some flavour of Interactive or NetworkClearText.
So what can you do with a Type 3 logon? Pretty much everything. In fact, if you want to get a lot done everywhere at once, that's only possible using a Type 3 logon. Here are some examples:
- SMB-based tools (e.g. PsExec without the -u option)
- Remote MMC
- PowerShell Remoting (yessss!)
If you're combining interactive logons with privileged accounts, chances are that you're doing it wrong. If you're performing an interactive logon with a privileged account to a user's workstation, you're definitely doing it wrong.
Not sure what an interactive logon is? With few exceptions, if you're seeing the Windows desktop, you're logged on interactively. Also with few exceptions, whatever you're doing can likely be accomplished more securely and more efficiently using a network logon.
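The logon type lands in the Security log as the LogonType field of Event ID 4624, so the rule above (privileged account, user workstation, anything other than Type 3) can be checked mechanically. Here is an added example, not from the original post, that runs that check over a handful of constructed 4624 records; the privileged account names, the "WS-" workstation naming convention and the flattened key=value record format are assumptions for the sake of the example.

```python
import re
from typing import Dict, List

# Logon types from the table above; only Type 3 (Network) proves identity to
# the target without leaving reusable credential material behind.
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 5: "Service", 7: "Unlock",
    8: "NetworkClearText", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
SAFE_LOGON_TYPES = {3}

# Assumptions (not from the post): which accounts count as privileged and how
# workstation hostnames are recognised.
PRIVILEGED_ACCOUNTS = {"DA-ALICE", "DA-BOB"}
WORKSTATION_PREFIX = "WS-"

# Constructed sample records: Security log events flattened to key=value
# pairs, the way a log shipper might export them. 4672 is included to show
# that non-4624 events are ignored.
SAMPLE_EVENTS = """\
EventID=4624 Computer=WS-1042 TargetUserName=DA-ALICE LogonType=10 IpAddress=10.0.0.5
EventID=4624 Computer=WS-1042 TargetUserName=jdoe LogonType=2 IpAddress=-
EventID=4624 Computer=FS-01 TargetUserName=DA-BOB LogonType=3 IpAddress=10.0.0.9
EventID=4624 Computer=WS-2201 TargetUserName=DA-BOB LogonType=2 IpAddress=-
EventID=4672 Computer=WS-2201 TargetUserName=DA-BOB LogonType=2 IpAddress=-
EventID=4624 Computer=WS-0007 TargetUserName=svc-backup LogonType=5 IpAddress=-
"""

def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def risky_privileged_logons(log_text: str) -> List[Dict[str, str]]:
    """Return 4624 events where a privileged account logged on to a
    workstation with anything other than a Type 3 (network) logon."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        logon_type = int(ev["LogonType"])
        if (ev["TargetUserName"].upper() in PRIVILEGED_ACCOUNTS
                and ev["Computer"].startswith(WORKSTATION_PREFIX)
                and logon_type not in SAFE_LOGON_TYPES):
            ev["LogonTitle"] = LOGON_TYPE_NAMES.get(logon_type, "Unknown")
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in risky_privileged_logons(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['TargetUserName']} via Type "
              f"{hit['LogonType']} ({hit['LogonTitle']})")
```

Against the sample, DA-BOB's Type 3 logon to the file server and the non-privileged Type 2 and Type 5 logons pass, leaving only the RDP and console logons by domain admins onto workstations.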
Heed the siren call of PowerShell Remoting, my friend, and invest the time. You can thank me later. Preferably with beer.
But what happens if you ignore the siren call? How bad could that possibly be? Exposing your nether regions credentials on the occasional lady/gentleman of the night untrusted workstation couldn't really be that bad, could it?
Yes, it definitely could.
A significant chunk of Microsoft's excellent Securing Privileged Access guidance deals with preventing this very thing from happening. At least one offensive tool exists solely for the purposes of finding instances where this has happened so it can be abused.
A privileged session on a compromised machine is one of the very first things an attacker will look for, because finding them is that good. And what's good for the attackers is bad for you.
So what does pretty bad look like? What can we actually do to a system once a privileged account has logged on with something other than a Type 3 logon?
You'll never guess what happens next.
Interactive logon bad. Network logon good.