Understanding Windows 7 Privilege Escalation: Domain Admin vs “Run as Administrator” Context Differences


7 views

In Windows 7 environments, executing programs under different privilege contexts has significant security implications. The key distinction lies in:

// Pseudo-code demonstrating privilege check
if (processToken.Contains(SE_GROUP_ENABLED) && 
    processToken.HasPrivilege(SE_TAKE_OWNERSHIP_PRIVILEGE)) {
    // Full system access granted
} else if (domainAdminContext) {
    // Domain-level permissions apply
}

When logged in as a domain administrator (typically part of the "Domain Admins" group):

  • Inherits all domain-level permissions
  • Can modify Active Directory objects
  • Network resources are accessible with domain credentials
  • Process runs with interactive logon session (LogonType 2)

Using the UAC elevation prompt (Shift+Right Click method):

// Sample PowerShell to test elevation
$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($windowsIdentity)
$principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

Key characteristics:

  • Creates a split token with filtered privileges
  • Limited to local machine administration
  • Uses non-interactive logon session (LogonType 3 when elevated)
  • Cannot access domain resources requiring delegation

Case 1: Modifying local registry hive vs domain Group Policy

// Domain admin can modify GPOs via:
using (DirectoryEntry de = new DirectoryEntry("LDAP://CN=Policies,CN=System,DC=domain,DC=com"))
{
    // Domain-level changes
}

// Local admin can only access:
Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Policies", true);

Case 2: Service account management differences

The principle of least privilege suggests:

  1. Use domain admin only for domain-specific tasks
  2. Use local elevation for machine-specific changes
  3. Never run interactive sessions with domain admin privileges

Here's how to programmatically check context:

// C# example for context detection
using System.DirectoryServices;
using System.Security.Principal;

bool IsDomainAdmin()
{
    var context = new PrincipalContext(ContextType.Domain);
    var principal = UserPrincipal.FindByIdentity(context, 
        WindowsIdentity.GetCurrent().Name);
    return principal.GetGroups()
        .Any(g => g.Sid.IsWellKnown(WellKnownSidType.AccountDomainAdminsSid));
}

When executing programs in Windows 7 environments, privilege contexts differ significantly between:

  • Domain Administrator Account: A user account with administrative privileges across the entire Active Directory domain
  • "Run as administrator": A User Account Control (UAC) elevation mechanism for local execution

The key technical differences manifest in several dimensions:

// Example of checking privileges in C#
using System;
using System.Security.Principal;

class PrivilegeChecker {
    static void Main() {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        
        Console.WriteLine("Running as domain admin: " + 
            principal.IsInRole(WindowsBuiltInRole.Administrator) + 
            " (Domain context)");
            
        Console.WriteLine("UAC elevation status: " + 
            new WindowsPrincipal(WindowsIdentity.GetCurrent(
                TokenAccessLevels.Query | TokenAccessLevels.Duplicate))
                .IsInRole(WindowsBuiltInRole.Administrator));
    }
}

The fundamental distinction lies in the access tokens generated:

  • Domain Admin login: Generates a full administrator token with domain-wide privileges
  • UAC elevation: Creates a filtered administrator token with local machine privileges only

Consider these scenarios when developing applications:

# PowerShell example showing different contexts
$DomainContext = [Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains "S-1-5-32-544"
$ElevatedContext = (New-Object Security.Principal.WindowsPrincipal (
    [Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Host "Domain Admin Context: $DomainContext"
Write-Host "UAC Elevated Context: $ElevatedContext"

Key security implications developers should understand:

  • Domain admin credentials can access network resources
  • UAC-elevated processes are limited to local machine scope
  • Token filtering applies different restrictions to elevated processes

When coding for enterprise environments:

// C++ example checking token integrity level
#include <windows.h>
#include <stdio.h>

void CheckTokenLevel() {
    HANDLE hToken;
    DWORD dwIntegrityLevel;
    
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        TOKEN_MANDATORY_LABEL* pTIL = NULL;
        DWORD dwSize = 0;
        
        GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwSize);
        pTIL = (TOKEN_MANDATORY_LABEL*)LocalAlloc(0, dwSize);
        
        if (GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwSize, &dwSize)) {
            dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid,
                (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid)-1));
            
            printf("Process integrity level: %d\n", dwIntegrityLevel);
        }
        LocalFree(pTIL);
        CloseHandle(hToken);
    }
}