Re: Securing workstations from IT guys

["Christian Brenner" <christian () unknownmanwithhat com>]

"the simple fact is that at the end of the day you can't stop a sufficiently 
knowledgeable admin (or user) from bypassing whatever controls you put into 
place... You can only make it harder to hide their tracks."

Well spoken. The problem is, that you can secure a workstation to prevent it 
from being attacked in any way, but then it wouldn't be a "work"station 
anymore. So the only way you can do is to find a optimal balance between 
security and useability. The only way I can think of is virtualisation. But 
this solutions is, depending on the size of your network and skills, very 
expensive and complex.

----- Original Message ----- 
From: "Erin Carroll" <amoeba () amoebazone com>
To: "'Mark Owen'" <mr.markowen () gmail com>; "'Liam Jewell'" 
<ljjewell () gmail com>
Cc: "'Depp, Dennis M.'" <deppdm () ornl gov>; "'Lim Ming Wei'" 
<mwlim () pacific net sg>; "'WALI'" <hkhasgiwale () gmail com>; 
"'security-basics'" <security-basics () securityfocus com>
Sent: Tuesday, November 27, 2007 11:24 PM
Subject: RE: Securing workstations from IT guys


> Mark is correct.
>
> I've been watching this thread with some interest. While there are 
> multiple
> approaches you can take to reduce the problem, and many excellent
> suggestions have been mentioned, the simple fact is that at the end of the
> day you can't stop a sufficiently knowledgeable admin (or user) from
> bypassing whatever controls you put into place... You can only make it
> harder to hide their tracks.
>
> For the example below that has been under discussion, it's much easier to
> assume the credentials of an authorized account (SYSTEM, domain admin,
> whatever) and in some cases you don't even need to know what the password 
> to
> that account is in order to elevate and bypass controls.
>
> With physical access, a standard user login, and your privilege escalation
> of choice ("at [time] /interactive cmd", odd spaces in cmd .exe
> invocations...pick your poison) you could use tool like the USB 
> Switchblade
> (http://wiki.hak5.org/wiki/USB_Switchblade) to snag the password hashes
> and/or LSA of the target system. Then, using any number of brute-force 
> tools
> to crack the password of your target account (large Rainbow tables are
> useful), subsequently access files/information by impersonating the target
> privileged user. You could also use something like CORE's pass-the-hash 
> tool
> (http://oss.coresecurity.com/projects/pshtoolkit.htm) to effectively do 
> the
> same impersonation with no password cracking necessary.
>
> In my opinion, the most severe threat to any organization from a security
> perspective are also the most critical resources you need to keep business
> flowing: your Security team and the Domain Admins. Pay them well :)
>
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball"
>
>
>
>
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com] On Behalf Of Mark Owen
> > Sent: Tuesday, November 27, 2007 1:51 PM
> > To: Liam Jewell
> > Cc: Depp, Dennis M.; Lim Ming Wei; WALI; security-basics
> > Subject: Re: Securing workstations from IT guys
> >
> > On Nov 27, 2007 3:05 PM, Liam Jewell <ljjewell () gmail com> wrote:
> > > Anybody who has physical access to the machine becomes a
> > > vulnerability.  Even if you encrypt files under an administrator
> > > account on the local machine, simply resetting the password with a
> > > program like Passware, will not disable the encryption.  Then an
> > > unauthorized user can log in to the admin account with a blank
> > > password (or a password of their choosing) and have access to all
> > > encrypted files.
> > >
> >
> > This is not entirely true.  If you reset or delete the
> > password for an account then that account will no longer be
> > able to decrypt the files.
> > --
> > Mark Owen