Educause Security Discussion mailing list archives
Understanding NT Authority\System rights
From: Greg Francis <francis () GONZAGA EDU>
Date: Wed, 3 Sep 2003 15:39:22 -0700

There have been some concerns with some of our IT staff about the level of access that can be obtained by a worm that has exploited the RPC vulnerability. My understanding of this is that whatever is executed is run as "NT Authority\System", a local account that has high-level rights on the local system but limited rights within the domain. Another understanding I have is that even if this is a DC, the "NT Authority\System" account is still a local account, not a domain account. I have some questions based upon this:

1) What rights does NT Authority\System have within the domain that might allow it to further attack the domain (beyond enumeration)?
2) Is there anything that NT Authority\System can't do on the local system?
3) Can it run code as the user that is currently logged on? (I'm assuming that if it replaced a file that the user then executed, that would do it, but what about hijacking the user's credentials while they are logged into the domain?)

From my understanding, if a system was compromised and unknown code was executed as "NT Authority\System", we should no longer trust the system and it should be rebuilt. It doesn't seem to me that that would compromise the integrity of the domain security unless the machine exploited was a DC or a privileged user logged into an injected computer and executed trojaned code. I just haven't seen any discussion about this and I have some concerns.

Thanks,
Greg

Greg Francis Gonzaga University
Sr. System Administrator Spokane Washington
francis () gonzaga edu 509-323-6896

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.