defence from incognito

[robin at digininja.org (Robin Wood)]

On 7 May 2010 20:50, Rob Fuller <jd.mubix at gmail.com> wrote:
> Tokens area a core functionality of Windows, there isn't a way to
> really 'fix' it. However there are group policy settings that limit
> remote logon (and their token)'s validity time, as well as having
> Domain Admins have separate accounts (std user + "admin") accounts
> that they only use when they absolutely have to. Also, don't have
> services running with Domain Admins ;-).
>
> Hope some mitigations will suffice..

That is kind of the conclusions I came to talking to friends. Its hard
to tell a client that you just popped their box through cached
credentials and tell them that there isn't much they can do as it is a
windows feature.

Oh well, glad I'm not missing something obvious.

Robin

> --
> Rob Fuller | Mubix
> Room362.com | Hak5.org | TheAcademyPro.com
> Ignore this:
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>
>
>
>
> On Wed, May 5, 2010 at 8:26 AM, Robin Wood <robin at digininja.org> wrote:
> > Hi
> > Has anyone got any good references I can pass on to clients I've owned
> > through incognito? Beyond suggesting be careful who you log in as and
> > using least privileges what else can I suggest?
> >
> > Robin
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com