lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 13 Dec 2010 12:19:32 -0500
From: Michael Bauer <ravenmsb@...il.com>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>,
	"<bugtraq@...urityfocus.com>" <bugtraq@...urityfocus.com>,
	George Carlson <gcarlson@...s.edu>
Subject: Re: Flaw in Microsoft Domain Account
	CachingAllows Local Workstation Admins to Temporarily
	EscalatePrivileges and Login as Cached Domain Admin Accounts
	(2010-M$-002)

An administrator is very different there are many levels of administrative control in windows to say an admin is an admin is absurd. There is a big difference between a local admin and a domain admin. There are many types of admin in windows and all of them have different levels of permission. I would be very scared to have anyone taking care of any of my systems windows or NIX who thought an admin was an admin and root is root. Here is a reference showing the different SIDs for some common windows accounts.
Http://support.microsoft.com/kb/24333

If you take time to read it you will see there are numerous types of windows administrator all with different permissions. 

Sent from my iPhone

On Dec 10, 2010, at 5:11 PM, "Stefan Kanthak" <stefan.kanthak@...go.de> wrote:

> "George Carlson" <gcarlson@...s.edu> wrote:
> 
>> Your objections are mostly true in a normal sense.
> 
> And in abnormal sense?
> 
>> However, it is not true when Group Policy is taken into account.
> 
> Group Policies need an AD. Cached credentials are only used locally,
> for domain accounts, when the computer can't connect to the AD.
> 
>> Group Policies differentiate between local and Domain administrators
> 
> Local administrators don't authenticate against an AD, they authenticate
> against the local SAM. No GPOs there!
> And: a local administrator can override ANY policy, even exempt the
> computer completely from processing Group Policies.
> 
>> and so this
>> vulnerability is problematic for shops that differentiate between
>> desktop support and AD support.
> 
> Again: this is NO VULNERABILITY.
> An administrator is an administrator is an administrator.
> 
> [braindead fullquote removed ]
> 
> Stefan
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ