Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Security / How to Obtain SeDebugPrivilege when Debug Program Policy is Enabled

December 28, 2017 SecuritySQL ServerWindows Server 2012 R2

How to Obtain SeDebugPrivilege when Debug Program Policy is Enabled

In the previous article, we told that one of the ways to defending against mimikatz-like utilities is disabling the debug privilege for system administrators using Debug Program policy. However, recently it turned out that without the debug privilege (it is SeDebugPrivilege in Windows), a local server administrator cannot install or update Microsoft SQL Server. The matter is that when started, the SQL Server installer checks if there are the SeSecurity, SeBackup and SeDebug privileges. It needs to run the SQL Server process and get the information about the successful start of SQL Server. Here is what it looks like.

During SQL Server installation, the installer performs preliminary checks and identifies some problems with Setup account privileges.

sql server setup error: Setup account privileges failed

If you click the Failed link, you can see the following message:

Rule “Setup account privileges” failed.
The account that is running SQL Server Setup does not have one or all of the following rights: the right to back up files and directories, the right to manage auditing and the security log and the right to debug programs. To continue, use an account with both of these rights. For more information, see https://msdn.microsoft.com/en-us/library/ms813696.aspx, https://msdn.microsoft.com/en-us/library/ms813959.aspx and https://msdn.microsoft.com/en-us/library/ms813847.aspx.

Rule “Setup account privileges” failed.

Now open the SystemConfigurationCheck_Report.htm report.

HasSecurityBackupAndDebugPrivilegesCheck failed

As you can see, when checking the HasSecurityBackupAndDebugPrivilegesCheck rule, the installer has found that the current process hasn’t got one of the following privileges:

  • SeSecurity – managing the audit and security logs
  • SeBackup – the permissions to backup files and folders
  • SeDebug — the privilege to debug programs

There is some detailed information in the log showing that the installation process doesn’t have SeDebug flag.

(09) 2017-12-12 11:15:13 Slp: Initializing rule      : Setup account privileges
(09) 2017-12-12 11:15:13 Slp: Rule is will be executed  : True
(09) 2017-12-12 11:15:13 Slp: Init rule target object: Microsoft.SqlServer.Configuration.SetupExtension.FacetPrivilegeCheck
(09) 2017-12-12 11:15:13 Slp: Rule ‘HasSecurityBackupAndDebugPrivilegesCheck’ Result: Running process has SeSecurity privilege, has SeBackup privilege and does not have SeDebug privilege.
(09) 2017-12-12 11:15:13 Slp: Evaluating rule        : HasSecurityBackupAndDebugPrivilegesCheck
(09) 2017-12-12 11:15:13 Slp: Rule running on machine: msk-sql10
(09) 2017-12-12 11:15:13 Slp: Rule evaluation done   : Failed

I have decided to look for a workaround solution of getting SeDebugPrivilege without changing or disabling the Debug programs policy. It turned out that there is quite an easy way to bypass this policy if you have local administrator privileges on your server. The secedit tool that allows managing local security policies of the server will help us.

Check the current privileges:

whoami /priv

whoami priv

As you can see, there is no SeDebugPrivilege in the current token of the user.

Export the current user rights set by the group policies to a text file:

secedit /export /cfg secpolicy.inf /areas USER_RIGHTS

Using any text editor, open secpolicy.inf and add a string to the [Privilege Rights] section that enables Debug Programs privileges to the group of local administrators.

SeDebugPrivilege = *S-1-5-32-544

set SeDebugPrivilege for local adminis group

Note. The SID of the group of local administrators, S-1-5-32-544, may be changed to any other SID. To transform a group or user name into SID, see How to Convert SID to UserName and Vice Versa.

Save the file. Now apply the new user rights:

secedit /configure /db secedit.sdb /cfg secpolicy.inf /overwrite /areas USER_RIGHTS

Note. You have to confirm the overwriting of the current settings.

secedit overwrite USER_RIGHTS

Log off and log on again and using secpol.msc make sure that the Debug Program privileges are assigned to the group of local administrators. The same is shown in the results of whoami /priv command:

SeDebugPrivilege                Debug programs                            Enabled

Obtaining SeDebugPrivilege

Now you can run the installation or update your SQL Server. But bear in mind that SeDebugPrivilege is assigned temporarily and it will be reset at the next GPO update cycle (after the user has logged off).

You should understand that if you enable Debug programs policy it will not completely protect you from getting SeDebugPrivilege by malicious software that has already penetrated to your server with the local administrator rights, and it may compromise all user/administrator accounts working on the server.

5 comments
3
Facebook Twitter Google + Pinterest
previous post
Adobe Flash Player: Application Initialization Error
next post
Error 0x00000002 – Windows Cannot Connect to Printer

Related Reading

Change the Default Port Number (TCP/1433) for a...

February 24, 2021

Using TSADMIN.msc and TSCONFIG.msc Snap-Ins on Windows Server...

February 2, 2021

MS SQL Server 2019 Installation Guide: Basic Settings...

January 19, 2021

Updating the PowerShell Version on Windows

December 24, 2020

Zerologon (CVE-2020-1472): Critical Active Directory Vulnerability

December 4, 2020

5 comments

Jack June 28, 2019 - 11:29 pm

Went through it all. Twice. SeDbugPrivilege is still disabled (but at least it’s THERE – it wasn’t before). Now what?

Reply
SM July 1, 2019 - 6:11 pm

Great article! Thank you for this article. I spent more than a week looking for a fix for this issue and finally came across your article.

Reply
sa September 18, 2019 - 5:50 pm

save my work, thaks a lot.

Reply
Akshay Pujari March 7, 2020 - 6:28 am

Save my time and work. I have been working on this issue from 3 days. Thank you.!

Reply
Nathan May 29, 2020 - 4:27 pm

Thank You!

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • Accessing USB Flash Drive from VMWare ESXi

    February 26, 2021
  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021
  • Fixing “Winload.efi is Missing or Contains Errors” in Windows 10

    February 5, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Disable NetBIOS Over TCP/IP and LLMNR Using GPO
  • Securing Administrative (Priveleged) Accounts in Active Directory
  • Defending Windows Domain Against Mimikatz Attacks
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top