RE: Threat vector of running a service using a domain account

["Roger A. Grimes" <roger () banneretcs com>]

Yes, it would be stored in LSA secrets and be retrievable in plaintext
if you have Admin access to the local machine.  In Vista and later, it's
better protected, and not so easily retrievable. Since you have to have
local admin access to pull it off in the first place, it's not the
biggest threat in the first place, but yes it can allow privilege
escalation from local admin to whatever security context the compromised
service account is using.

That's why, if a service needs admin rights, I'm personally leaning
toward assigning LocalSystem to the service's account instead.
LocalSystem doesn't have a hackable password. Of course, if you the
service doesn't need local admin rights, use something less privileged
in the first place.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*******************************************************************



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jay
Sent: Friday, September 14, 2007 9:37 AM
To: Scott.Ramsdell () cellnet com; docbook.xml () gmail com
Cc: smanaois3 () gmail com; security-basics () securityfocus com
Subject: RE: Threat vector of running a service using a domain account

You guys may be right, but want to clarify what I meant. When I said
server I meant the one running the service (maybe should have said
workstaion or client)not one that is part of AD doing the authenication.

Correct me if im wrong but when you run a service you put in the id in
this case the Domain Admin and its password. So effectively that
password is now stored on the system that is running the service. If
that machine is taken offline when the service attempts to start should
fail.  it cant communicate to authenicate, but the password is still
present on the local machine (Believe in LSA Secrets). Granted its a
different hash than interactive users but a hash none the less.
Different attack vector - similiar problem.

Jay

----- Original Message -----
From: Ramsdell, Scott [mailto:Scott.Ramsdell () cellnet com]
To: docbook.xml () gmail com,jay.tomas () infosecguru com
Cc: smanaois3 () gmail com,security-basics () securityfocus com
Sent: Fri, 14 Sep 2007 09:01:05 -0400
Subject: RE: Threat vector of running a service using a domain account

Saqib,

I believe you're right.  Each time I've run cachedump for demonstration
I do not receive hashes for services logging in over the network, I only
receive hashes for interactive users.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ali, Saqib
Sent: Thursday, September 13, 2007 12:42 PM
To: Jay
Cc: smanaois3 () gmail com; security-basics () securityfocus com
Subject: Re: Threat vector of running a service using a domain account

> If a server does cache these creditonals then these can be attacked
independant of the AD and its underlying security controls.


If a service uses domain credential, do those credentials get cached?
I thought only interactive logon credentials are cached.

saqib
http://security-basics.blogspot.com/