Security Basics mailing list archives
Re: Access Sharing folder
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Wed, 15 Jul 2009 03:53:48 +0200
On 2009-07-15 A wrote:
2009/7/15 Ansgar Wiechers <bugtraq () planetcobalt net>:On 2009-07-14 A wrote:If you have "domain admin" credentials, you are automatically added to the Administrators group on all domain member machines. This gives you access to those shares, and assuming you have logged in as a domain admin, your credentials will allow you to access those shares remotely without a password. (This is against best practices, but you asked)Please elaborate. What about that would be against best practices?Why, Logging into a windows machine with "Domain Admin" credentials of course.. recommended procedure is to log in as a regular user, and elevate privileges when required..
Sorry, but I don't buy that. Not as broad as that claim is at least. I do agree that always working with an admin account is a bad practice. However, when I have several administrative tasks to do (or when I have a separate workstation solely for administrative purposes) I fail to see what would be wrong with logging in as a domain admin rather than authenticating for every single task separately. Also, when your regular user account is compromised, elevating privileges "when required" may raise several issues. Your domain admin password could be sniffed, or the task being run with elevated privileges may be susceptible to privilege elevation attacks (e.g. shatter attacks). From what I hear Microsoft changed the security model in Vista, so the latter may not longer be true for more recent versions, but up to XP that is an actual problem.
which would necessitate a password for accessing those particular shares, unless, as already explained, a local admin had granted permissions to said "regular user".
I agree. Access to administrative shares should be restricted to administrators. There may be situations where one will want to make a whole partition accessible to his users, but for situations like that it'd be better to share the drive with a "speaking" name rather than the drive letter. And assign appropriate permissions, of course. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- filtering MSN traffic Juan B (Jul 09)
- Re: filtering MSN traffic Edjenguele (Jul 10)
- Re: filtering MSN traffic Vinicius Menezes (Jul 13)
- Re: filtering MSN traffic George J. Jahchan (Jul 13)
- Access Sharing folder Vinicius Menezes (Jul 13)
- Re: Access Sharing folder Leonardo Cavallari Militelli (Jul 14)
- Re: Access Sharing folder The Security Community (Jul 14)
- Re: Access Sharing folder A (Jul 14)
- Re: Access Sharing folder Ansgar Wiechers (Jul 14)
- Re: Access Sharing folder A (Jul 15)
- Re: Access Sharing folder Ansgar Wiechers (Jul 15)
- RE: Access Sharing folder Ramki B Ramakrishnan (Jul 16)
- Re: Access Sharing folder Ansgar Wiechers (Jul 16)
- RE: Access Sharing folder Martyn Smith (Jul 17)
- Re: filtering MSN traffic Edjenguele (Jul 10)
- Re: Access Sharing folder Miguel Tubía (Jul 14)
- Re: filtering MSN traffic Edson Marquezani Filho (Jul 13)
- Re: filtering MSN traffic Danilo Nascimento (Jul 13)