Changing IP address without handing out local admin or elevated CMD

Posted by Crackmin@reddit | sysadmin | View on Reddit | 38 comments

I am so lost on this one, I've been staring at it for 5 hours banging my head So! We've recently implemented Admin by Request and started removing everyone's local admin. One issue, 60+ of our users need to change IP addresses regularly to interface with strange obscure devices, and Admin by Request works amazing for everything else, but doesn't pick up system dialog elevation requests properly. We need an automated solution to approving this or we'll be getting hundreds of requests per day Testing done: Creating an executable that runs ncpa.cpl through Admin by Request - still requires a second UAC prompt to change adapter settings, so can't be automated Using the Network Configuration Operators group - This also grants the ability to run CMD as admin, which we REALLY do not want people to do, we'd prefer if script-based attacks had to earn local admin the hard way Definitely not disabling UAC Had a look at using Simple IP Config, a free software - was told not to implement an additional software unless strictly necessary, so that's a last ditch option Has anyone done anything like this before and has advice? Thank you so much for your help

Reply to Post

38 Comments

[-]

Sabbest@reddit

You can add the user to the "Network Configuration Operators" group.

[-]

Crackmin@reddit (OP)

Yeah, sorry I mentioned about halfway through, we can't do that because it allows them to run CMD as admin and our pentesters are going to bully us next time they come over

[-]

Ferisii@reddit

I'd like to add, that said group, along with the Power Users-group, will not play nicely with the ABR client. As these groups gives semi-administrative rights on a device to the user, standard UAC-prompts will appear instead of ABR client's.

[-]

disposeable1200@reddit

This isn't right . https://www.itprotoday.com/networking-security/jsi-tip-8522-what-can-i-do-with-the-network-configuration-operators-group-built-into-windows-xp- Sure there's not extra settings or permissions going on? Whilst it makes the UAC prompt appear for most tasks, it is not elevating to full admin.

[-]

Crackmin@reddit (OP)

OH ..yeah this makes sense, sorry for my noobness

[-]

elpollodiablox@reddit

Our pentesters bully us no matter what we do, so you may as well do what works.

[-]

ithium@reddit

there's actually a feature in ABR to allow users to change IPs without needing admin rights. Workstation Global Settings, App Control, Tray Tools

[-]

Crackmin@reddit (OP)

OH MY GOD logging in to test this

[-]

redthrull@reddit

So....management doesn't want you (the IT) working with a free, simple software like that but is ok with users interacting with 'strange obscure devices'? Something doesn't add up.

[-]

Visible_Witness_884@reddit

We have users interacting with "strange obscure devices" which are for example PLCs for controlling valves, switchboards, heaters and so on. Which to a non-electrician or specialised programmer will be strange and obscure. They do require the user be able to change their IP all the time to interface with them. I don't currently have any other solution than they are in the netowrk config operators group.

[-]

Chairface30@reddit

Could those devices ve on vlan and those desktops joined to both networks?

[-]

Visible_Witness_884@reddit

The device is connected to directly without any other network equipment. No-one has desktops anymore. Having multiple network cards via USB-dongle is a feature we sometimes use.

[-]

Chairface30@reddit

I was thinking more along putting multiple statics on one nic so it dosent have to be changed back and forth.

[-]

elcheapodeluxe@reddit

Plug into a different PLC you may need to have a different IP on your local workstation. I work with the same kind of equipment described here. There will be IP changing as technicians service/program different equipment around the factory.

[-]

Crackmin@reddit (OP)

Yeah, they're heading to some facility in the desert with no internet and validating a bunch of machines, it's all engineering stuff I have no idea about

[-]

BubblySpaceMan@reddit

>>One issue, 60+ of our users need to change IP addresses regularly to interface with strange obscure devices Is this absolutely necessary? No other way around it in your environment?

[-]

Crackmin@reddit (OP)

Yeah they're hooking into some pile of circuit boards they've been sticking together, I don't know anything about PLCs

[-]

AccomplishedPlay7@reddit

I’m wondering if they are in manufacturing and needing to hook into offline flat networks regularly?

[-]

Stonewalled9999@reddit

sounds like us, but the PLC crap only runs on WinXP so we give them a crap P3 laptop with real serial ports and 10/100 NIC and deep freeze it so it reverts after a reboot. They have to move the cable to a different port (we have old Cisco switch tagged trunk uplink and each port is a different access VLAN) or they can console in. crude yet effective.

[-]

Visible_Witness_884@reddit

If it's anything like what we deal with, PLCs, it's absolutely necessary. The device is interfaced with directly via a patch cable.

[-]

DonnellyJohn@reddit

We ultimately created domain “PCAdmin” accounts for our process control engineers. 50 character random passwords stored in a password vault that they can use when changing their IP. The pcadmin accounts are removed from ‘domain users’ and only have rights on their respective machines. Crude but effective.

[-]

fp4@reddit

Sounds like you recreated [LAPS](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview).

[-]

Background-Look-63@reddit

How many different IP addresses do they change to regularly? Is it the same set for everyone or each person has a different one. If so, write a autoit program with a gui. Or you could use powershell and convert it to exe.

[-]

FuriousRageSE@reddit

For me in industrial automation. Several times per day.

[-]

Imposing-Force@reddit

Consider utilizing the built-in "Tools" menu. Edit the relevant subsetting (or general, if it should be available for all), then select App Control in the left-hand side menu. Select "Tray Tools" and create a tray tool: Here's an example of what we did in our environment to achieve the same: [https://i.imgur.com/OHqdKmj.png](https://i.imgur.com/OHqdKmj.png)

[-]

ithium@reddit

+1 just add network adapter settings with pre-approved access to the tray tools....

[-]

FuriousRageSE@reddit

This is why I have started to make a C# program with a service to be able to change the ip on the adapters without admin privileges. Client software will tell the service to do the change.

[-]

PAiN_Magnet@reddit

Give them a separate local admin account with a different password. It's not ideal but at least their regular user account won't be privileged and the local admin won't have any domain impact.

[-]

SevaraB@reddit

*deep inhale* Everything about this ask is wrong. You don't want users with permissions to modify the *physical network adapter*... so _**give them different adapters that they can change**_. * Adapter[1]: physical NIC (restricted) * Adapter[2]: bridge adapter (restricted) * Adapter[3-*n*]: dedicated virtual NICs for each application/use case- instead of talking directly to the Internet, they use the bridge adapter as a default gateway so you stay in charge of whether they can talk to anything *outside* the specific local network they're supposed to be used in. If that seems like a lot to set up/administer, just replace the adapters with containers or even whole VMs (depending on your comfort level configuring them) to work with the "weird devices"- have the host be locked down but let the highly technical users change whatever they need in the guest.

[-]

w3warren@reddit

Curious what do the pentesters recommend as a secure method to do it?

[-]

thegarr@reddit

You could potentially (if you don't like the network operators approach) create a scheduled task that launches a batch script. Batch script renews DHCP or whatever it is you need to do and runs as a service account or system with highest permissions once per day/week/month/whatever. Then, users could manually right click > run scheduled task whenever they want to perform the actions.

[-]