Security Basics mailing list archives
RE: Threat vector of running a service using a domain account
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 14 Sep 2007 15:13:24 -0400
Yes, it would be stored in LSA secrets and be retrievable in plaintext if you have Admin access to the local machine. In Vista and later, it's better protected, and not so easily retrievable. Since you have to have local admin access to pull it off in the first place, it's not the biggest threat in the first place, but yes, it can allow privilege escalation from local admin to whatever security context the compromised service account is using. That's why, if a service needs admin rights, I'm personally leaning toward assigning LocalSystem to the service's account instead. LocalSystem doesn't have a hackable password. Of course, if the service doesn't need local admin rights, use something less privileged in the first place.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jay
Sent: Friday, September 14, 2007 9:37 AM
To: Scott.Ramsdell () cellnet com; docbook.xml () gmail com
Cc: smanaois3 () gmail com; security-basics () securityfocus com
Subject: RE: Threat vector of running a service using a domain account

You guys may be right, but I want to clarify what I meant. When I said server I meant the one running the service (maybe I should have said workstation or client), not one that is part of AD doing the authentication.
Correct me if I'm wrong, but when you run a service you put in the ID, in this case the Domain Admin, and its password. So effectively that password is now stored on the system that is running the service. If that machine is taken offline, when the service attempts to start it should fail; it can't communicate to authenticate, but the password is still present on the local machine (I believe in LSA Secrets). Granted, it's a different hash than interactive users, but a hash nonetheless. Different attack vector - similar problem.

Jay

----- Original Message -----
From: Ramsdell, Scott [mailto:Scott.Ramsdell () cellnet com]
To: docbook.xml () gmail com, jay.tomas () infosecguru com
Cc: smanaois3 () gmail com, security-basics () securityfocus com
Sent: Fri, 14 Sep 2007 09:01:05 -0400
Subject: RE: Threat vector of running a service using a domain account

Saqib,

I believe you're right. Each time I've run cachedump for demonstration I do not receive hashes for services logging in over the network, I only receive hashes for interactive users.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ali, Saqib
Sent: Thursday, September 13, 2007 12:42 PM
To: Jay
Cc: smanaois3 () gmail com; security-basics () securityfocus com
Subject: Re: Threat vector of running a service using a domain account
> If a server does cache these credentials then these can be attacked
> independent of the AD and its underlying security controls.

If a service uses a domain credential, do those credentials get cached? I thought only interactive logon credentials are cached.

saqib
http://security-basics.blogspot.com/
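The practical follow-up to the thread above is an inventory: which services on a given host actually start under a domain or local user account, and therefore have a password parked in LSA secrets for a local admin to recover. The script below is an added example, not code from the thread or from any of its participants. It uses Win32_Service (StartName is the account a service logs on as) and classifies each account; the domain NetBIOS name 'CORP' and the service names in the usage comments are assumptions to be replaced with your own. Run it elevated on the host you are auditing.

```powershell
# Added example: find services whose logon account carries a stored password.
# Assumption: the AD domain's NetBIOS name is CORP; change $DomainName to match.
param(
    [string]$DomainName = 'CORP'
)

# Identities with no password stored on the host. Per-service virtual accounts
# ("NT SERVICE\<name>") and (group) managed service accounts ("CORP\svc$") are
# classified separately below; neither keeps an operator-set password in LSA.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-ServiceAccountClass {
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return 'Unknown' }
    if ($builtIn -contains $StartName)       { return 'BuiltIn' }
    if ($StartName -like 'NT SERVICE\*')     { return 'VirtualAccount' }
    if ($StartName -like '*$')               { return 'ManagedServiceAccount' }
    if ($StartName -like "$DomainName\*" -or $StartName -like '*@*') {
        return 'DomainUser'   # password for this account is stored in LSA secrets
    }
    if ($StartName -like '.\*' -or $StartName -like "$env:COMPUTERNAME\*") {
        return 'LocalUser'    # also stored in LSA secrets
    }
    return 'Other'
}

# Build one record per service so the result can be filtered or exported.
$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        StartName = $_.StartName
        Class     = Get-ServiceAccountClass $_.StartName
        State     = $_.State
        StartMode = $_.StartMode
        PathName  = $_.PathName
    }
}

# The services to review are those with a recoverable credential. For each one,
# ask whether the account needs the rights it holds; if the service genuinely
# needs local admin, the thread's suggestion is LocalSystem, e.g.
#   sc.exe config <ServiceName> obj= LocalSystem
# followed by a restart of the service. <ServiceName> is a placeholder.
$report |
    Where-Object { $_.Class -in 'DomainUser', 'LocalUser' } |
    Sort-Object Class, Name |
    Format-Table Name, StartName, Class, State, StartMode -AutoSize

# Summary by class, useful when comparing many hosts.
$report | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the script reports the logon account, not its group memberships, so a domain user that is also a Domain Admin (the case Jay raised) has to be checked against AD separately; and it only sees services registered with the SCM, not scheduled tasks or applications that store a domain password in their own configuration.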
Current thread:
- Re: Threat vector of running a service using a domain account, (continued)
- Re: Threat vector of running a service using a domain account Jay (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 14)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 18)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- Re: Threat vector of running a service using a domain account Jay (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 14)