Maximize your protection, eliminate business risks.
Optimize and modernize with cloud transformation.
Empower your people to work securely from anywhere.
Let us handle IT so you can focus on growing your business.
Get multichannel 24/7/365 expert end-user support.
Stay ahead of attacks with 24/7 protection and monitoring.
Maximize uptime with with industry-leading DRaaS.
Improve efficiency, productivity and outcomes with cloud.
Ensure all mobile devices, everywhere, are secure.
Gain a competitive edge with strategic IT solutions.
This battle-tested checklist enables your team to swiftly initiate a ransomware response.
IT for businesses of all sizes, in any industry.
Empower institution growth with custom IT solutions.
Ensure your firm is always in compliance.
Improve patient care and staff morale.
Deal with pressing legal matters, not IT.
Keep up with the evolving digital landscape.
Focus on your mission by outsourcing IT.
Accelerate PE client deals and secure data.
Leverage your technology as a strategic asset.
Execute initiatives and develop IT strategies.
Get the latest industry insights and trends.
Join us at events in person and online.
Hear from clients and learn more about strategic IT.
See how Dataprise can make IT your greatest asset.
Get informative technical resources from IT experts.
Stay on stop of emerging cybersecurity threats.
Discover the key areas of DR your organization needs to address to ensure downtime is minimized.
Gain a strategic asset by bringing harmony to IT.
Ensure 24/7 support and security with dedicated teams.
Drive business forward by partnering with Dataprise.
Meet our one-of-a-kind leadership team.
Discover the recognition Dataprise has earned.
Help us help businesses with strategic IT.
Embracing different perspectives and backgrounds.
Find a Dataprise location near you.
Dataprise is committed to empowering more women to consider a career in technology.
Posts
By: Dataprise
Table of content
On July 20nd, The Carnegie Mellon University’s Software Engineering Institute published a note on a vulnerability (VU#506989) affecting windows 10 issued a warning about a critical vulnerability affecting Windows 10 build 1809 and above which can grant non-administrative users access to SAM, SYSTEM and SECURITY files. Which can allow for LPE (Local Privilege Escalation). No patch has been issued yet, the work around involves restricting access to SAM, SYSTEM and SECURITY Files and removing VSS Shadow Copies.
Gaining access to Windows 10’s systems SAM, SYSTEM and SECURITY files on a vulnerable system with VSS shadow copies of the system drive a locally authenticated user may be able to achieve LPE, masquerade as other users, or even cause other security related impacts.
Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to the following files:C:\Windows\System32\config\sam
C:\Windows\System32\config\system
C:\Windows\System32\config\security
If there is VSS shadow copy of the system drive available, a non-privileged user may leverage access to these files to achieve impacts described (but not limited to these) below:
NOTE: Even though VSS shadow copies may not explicitly be enabled in a system – Having a drive that is larger than 128GB and performing windows updates or installing an MSI Packet will automatically create a shadow copy.
To check if a system has shadow copies enabled, the following command can be run from a command prompt:vssadmin list shadows
A system with active shadow copies will return a report such as:
A system with active shadow copies will return:
“No items found that satisfy the query.”
A vulnerable system will output a message like this: BUILTIN\Users:(I)(RX)
There are no current indicators of compromise, but running the following command from a non-privileged account will help identify if the system is vulnerable:
icacls %windir%\system32\config\sam
A system that is not vulnerable will output a message similar to this:
We are currently unaware of a solution to this vulnerability, following workaround is recommended:
icacls %windir%\system32\config\sam /remove “Users”
icacls %windir%\system32\config\security /remove “Users”
icacls %windir%\system32\config\system /remove “Users”
Once the CLS have been adjusted for these viles, any VSS shadow copies of the system must be deleted to ensure protection against this exploitation, assuming that the system drive is C:
vssadmin delete shadows /for=c: /Quiet
Check that VSS shadow copies have been deleted:
vssadmin list shadows
INSIGHTS
Subscribe to our blog to learn about the latest IT trends and technology best practices.