| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Dec 2010 23:11:35 +0100 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk> Cc: "George Carlson" <gcarlson@...s.edu> Subject: Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) "George Carlson" <gcarlson@...s.edu> wrote: > Your objections are mostly true in a normal sense. And in abnormal sense? > However, it is not true when Group Policy is taken into account. Group Policies need an AD. Cached credentials are only used locally, for domain accounts, when the computer can't connect to the AD. > Group Policies differentiate between local and Domain administrators Local administrators don't authenticate against an AD, they authenticate against the local SAM. No GPOs there! And: a local administrator can override ANY policy, even exempt the computer completely from processing Group Policies. > and so this > vulnerability is problematic for shops that differentiate between > desktop support and AD support. Again: this is NO VULNERABILITY. An administrator is an administrator is an administrator. [braindead fullquote removed ] Stefan
Powered by blists - more mailing lists