Security Basics mailing list archives
RE: Securing workstations from IT guys
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Tue, 27 Nov 2007 14:24:14 -0800
Mark is correct. I've been watching this thread with some interest. While there are multiple approaches you can take to reduce the problem, and many excellent suggestions have been mentioned, the simple fact is that at the end of the day you can't stop a sufficiently knowledgeable admin (or user) from bypassing whatever controls you put into place... You can only make it harder to hide their tracks. For the example below that has been under discussion, it's much easier to assume the credentials of an authorized account (SYSTEM, domain admin, whatever) and in some cases you don't even need to know what the password to that account is in order to elevate and bypass controls. With physical access, a standard user login, and your privilege escalation of choice ("at [time] /interactive cmd", odd spaces in cmd .exe invocations...pick your poison) you could use tool like the USB Switchblade (http://wiki.hak5.org/wiki/USB_Switchblade) to snag the password hashes and/or LSA of the target system. Then, using any number of brute-force tools to crack the password of your target account (large Rainbow tables are useful), subsequently access files/information by impersonating the target privileged user. You could also use something like CORE's pass-the-hash tool (http://oss.coresecurity.com/projects/pshtoolkit.htm) to effectively do the same impersonation with no password cracking necessary. In my opinion, the most severe threat to any organization from a security perspective are also the most critical resources you need to keep business flowing: your Security team and the Domain Admins. Pay them well :) -- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball"
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mark Owen Sent: Tuesday, November 27, 2007 1:51 PM To: Liam Jewell Cc: Depp, Dennis M.; Lim Ming Wei; WALI; security-basics Subject: Re: Securing workstations from IT guys On Nov 27, 2007 3:05 PM, Liam Jewell <ljjewell () gmail com> wrote:Anybody who has physical access to the machine becomes a vulnerability. Even if you encrypt files under an administrator account on the local machine, simply resetting the password with a program like Passware, will not disable the encryption. Then an unauthorized user can log in to the admin account with a blank password (or a password of their choosing) and have access to all encrypted files.This is not entirely true. If you reset or delete the password for an account then that account will no longer be able to decrypt the files. -- Mark Owen
Current thread:
- Re: Securing workstations from IT guys, (continued)
- Re: Securing workstations from IT guys Bert Knabe (Nov 26)
- RE: Securing workstations from IT guys Nick Vaernhoej (Nov 26)
- Re: Securing workstations from IT guys James Alcasid (Nov 26)
- Re: Securing workstations from IT guys Tremaine Lea (Nov 26)
- Re: Securing workstations from IT guys Mark Owen (Nov 26)
- Re: Securing workstations from IT guys Kurt Buff (Nov 27)
- RE: Securing workstations from IT guys Lim Ming Wei (Nov 27)
- RE: Securing workstations from IT guys Depp, Dennis M. (Nov 27)
- Re: Securing workstations from IT guys Liam Jewell (Nov 27)
- Re: Securing workstations from IT guys Mark Owen (Nov 27)
- RE: Securing workstations from IT guys Erin Carroll (Nov 27)
- Re: Securing workstations from IT guys Christian Brenner (Nov 27)
- RE: Securing workstations from IT guys Holtz,Robert (Nov 27)
- RE: Securing workstations from IT guys Depp, Dennis M. (Nov 27)
- Re: Securing workstations from IT guys Micheal Espinola Jr (Nov 29)
- RE: Securing workstations from IT guys Nick Vaernhoej (Nov 28)
- Network protocol analyzers Malhoit, Lauren (Nov 28)
- Re: Network protocol analyzers Michael R. Martinez (Nov 28)
- RE: Network protocol analyzers Chris Boczko (Nov 28)
- Re: Network protocol analyzers crazy frog crazy frog (Nov 28)