Message-Id: <EA9FBD29-1DD9-4A73-939D-8C5D5BDF1CA1@gmail.com>
Date: Mon, 13 Dec 2010 14:53:18 -0500
From: Michael Bauer <ravenmsb@...il.com>
To: David Gillett <gillettdavid@...a.edu>
Cc: "Thor (Hammer of God)" <thor@...merofgod.com>,
	George Carlson <gcarlson@...s.edu>,
	"<bugtraq@...urityfocus.com>" <bugtraq@...urityfocus.com>,
	"<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Maybe what some of us need to learn from this is that we should never think in absolutes such as local vs. domain users. There are numerous account types and overrides to take into account with any OS, and they change.

This is more of a wake-up call to brush up on our understanding of permissions.

I know this is not a vulnerability, but it was a great posting to wake some of us up and remind us that things are never absolute when it comes to permissions. We learn about things in such a manner that we forget to think outside the box. Even if controls are designed to work a specific way, that doesn't mean they will.

This is not directed at anyone; rather, it is an observation that might help others with similar thoughts on the subject.

Mike

Sent from my iPhone

On Dec 13, 2010, at 1:15 PM, "David Gillett" <gillettdavid@...a.edu> wrote:

>> If I take the domain admin out of my local administrators, they can't do anything.  Done.
> 
>  Back when I did AD/domain support, all domain user accounts got a profile
> that included a trivial script to re-add Domain Admins to the Local Admins
> group.  So this kind of local removal shenanigans lasted only until the user
> next logged into the domain.
> 
> David Gillett
> 
