[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <EA9FBD29-1DD9-4A73-939D-8C5D5BDF1CA1@gmail.com>
Date: Mon, 13 Dec 2010 14:53:18 -0500
From: Michael Bauer <ravenmsb@...il.com>
To: David Gillett <gillettdavid@...a.edu>
Cc: "Thor (Hammer of God)" <thor@...merofgod.com>,
George Carlson <gcarlson@...s.edu>,
"<bugtraq@...urityfocus.com>" <bugtraq@...urityfocus.com>,
"<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily Escalate Privileges andLogin as Cached Domain Admin Accounts (2010-M$-002)
Maybe what some of us need to learn from this is that we should never think in absolutes such as local VS domain users. There are numerous account types and the overrides to take into account with any OS and they change.
This is more of a wakeup call to brush up on our understanding of permissions.
I know this is not a vulnerability but it was a great posting to wake some of us up and remind us that things are never absolute when it comes to permissions. We learn about things in such a manner that we forget to think outside the box. Even if controls are designed to work a specific way that doesn't mean they will.
This is not directed at anyone rather an observation that might help other with similar thought on the subject.
Mike
Sent from my iPhone
On Dec 13, 2010, at 1:15 PM, "David Gillett" <gillettdavid@...a.edu> wrote:
>> If I take the domain admin out of my local administrators, they can't do
> anything. Done.
>
> Back when I did AD/domain support, all domain user accounts got a profile
> that included a trivial script to re-add Domain Admins to the Local Admins
> group. So this kind of local removal shenanigans lasted only until the user
> next logged into the domain.
>
> David Gillett
>
Powered by blists - more mailing lists