KB000002: Users retain their admin rights after their JIT period expires

Summary

When a user is granted just-in-time administrative access to a computer, if they remain logged into their session, they will retain administrative rights even after the JIT access period expires.

Cause

This is expected behavior due to the way Windows creates access tokens.

Let's consider an example where user1 requests just-in-time access to pc1, granted via the Active Directory unique JIT group for that PC, called jit-pc1. This group is added to the local administrators group of pc1 via group policy.

When Access Manager grants JIT access to a user, they are added to jit-pc1. Through jit-pc1's nested membership in the local administrators group, they have local admin permissions.

When the user logs onto the computer, Windows evaluates the domain-based group membership, finds the AD group membership in jit-pc1, and maps that membership to the local administrators group. The users access token will be constructed containing this group membership set.

However, once the access token is built at logon, Windows does not ever reconstruct the token. There are ways to force Windows to re-evaluate group membership, but this only impacts access to network resources, the access token providing access to local resources on the computer is never updated. Therefore, the user has administrative rights for the duration of their logon session.

Resolution

Access Manger's design goal, is to reduce standing admin rights across your Windows environments, with the intent of collapsing the lateral movement graph that an attacker could exploit.

It was not designed to specifically restrict user access to systems in a precise time-bound banner.

Our product operates under the assumption that authorized users are entitled to their access all the time, (e.g they are never not entitled to be an administrator), however we just don't want that access to be applied when it is not needed.

We do recommend combining the use of JIT with a tool like Lithnet Idle Logoff to ensure that users are logged off once they become idle, which ensures unnecessary administrative rights are cleared when no longer in use.

Last updated