There isn't, unfortunately. Your security team should hopefully be aware that this doesn't prevent Mimikatz attacks, it just makes them slightly harder. Once you are an admin it is trivial to give yourself the privileges necessary for Mimikatz to work (psexec -i -s mimikatz.exe). As for Ansible, there really is no other way without us doing those same things that malware would do. We opted to make our code simple and require the standard rights you typically get as an administrator.

On Saturday, April 17, 2021 at 1:40:05 AM UTC+10 [email protected] wrote:

> Hi
>
> Thanks for the update and it is the cause of the issue, but the Security team
> requested to disable it to prevent Mimikatz attacks. They are not
> willing to enable it. Is there any workaround to make it work while
> SeDebugPrivilege is disabled? We tried to become user and used the runas
> method, still the same error.
>
> On Thursday, April 15, 2021 at 10:53:17 PM UTC+1 [email protected] wrote:
>
>> The primary reason for not being able to get the SYSTEM token (required
>> for passwordless become on Windows) is your connection user doesn't have
>> the SeDebugPrivilege. This should be assigned to Admin users by default
>> but sometimes custom environment settings remove this privilege. You can
>> use the win_whoami module to check what privileges your account has, or
>> even just 'win_command: whoami /priv'.
>>
>> On Friday, April 16, 2021 at 12:15:40 AM UTC+10 [email protected] wrote:
>>
>>> We are trying to install patches from Ansible on Windows servers and it
>>> used to work fine, but recently a few changes happened from AD or GPO
>>> which are causing the below error while executing the Windows updates
>>> script from Ansible.
>>>
>>> "Failed to get token for NT AUTHORITY\SYSTEM required for become as a
>>> service account or an account without a password" ---> System.Exception:
>>> Failed to get token for NT AUTHORITY\SYSTEM required for become as a
>>> service account or an account without a password
>>>
>>> "msg": "internal error: failed to become user 'SYSTEM': Exception
>>> calling \"CreateProcessAsUser\" with \"9\" argument(s): \"Failed to get
>>> token for NT AUTHORITY\\SYSTEM required for become as a service account or
>>> an account without a password\"
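
The privilege check suggested in the quoted reply, written as a pre-flight play that fails with a clear message before the patching tasks run. This is an added example, not part of the original thread; the inventory group `windows_patch_targets` is a placeholder.

```yaml
---
# Added example: run this before any play that relies on passwordless become.
# "windows_patch_targets" is a hypothetical inventory group name.
- name: Pre-flight check for become as SYSTEM on Windows
  hosts: windows_patch_targets
  gather_facts: false

  tasks:
    - name: Read the privileges on the connection user's logon token
      ansible.windows.win_whoami:
      register: conn_token

    - name: Stop early if SeDebugPrivilege has been removed
      ansible.builtin.assert:
        that:
          # Test for presence, not state: a privilege that is held but shown
          # as "disabled" can still be enabled by the process holding the token.
          - "'SeDebugPrivilege' in conn_token.privileges"
        fail_msg: >-
          The connection account does not hold SeDebugPrivilege on
          {{ inventory_hostname }}, so become to SYSTEM will fail with
          "Failed to get token for NT AUTHORITY\SYSTEM". Review the
          "Debug programs" user right assignment in the GPOs applied
          to this host.
        success_msg: SeDebugPrivilege is present on the connection token

    - name: Confirm that become to SYSTEM works end to end
      ansible.windows.win_command: whoami
      become: true
      become_method: runas
      become_user: SYSTEM
      register: as_system
      changed_when: false
      # whoami prints "nt authority\system" when the SYSTEM token was obtained
      failed_when: "'system' not in as_system.stdout | lower"
```

The assert task reports which hosts lost the privilege after a GPO change, which is easier to hand to the team that owns the policy than the `CreateProcessAsUser` exception.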
