Understanding NT Authority\System rights

[Greg Francis <francis () GONZAGA EDU>]

There have been some concerns with some of our IT staff about the level of
access that can be obtained by a worm that has exploited the RPC
vulnerability.

My understanding of this is that whatever is executed is run as "NT
Authority\System", a local account that has high-level rights on the local
system but limited rights within the domain. Another understanding I have
is that even if this is a DC, the "NT Authority\System" account is still a
local account, not a domain account.

I have some questions based upon this:

1) What rights does NT Authority\System have within the domain that might
   allow it to further attack the domain (beyond enumeration)?

2) Is there anything that NT Authority\System can't do on the local
   system?

3) Can it run code as the user that is currently logged on?
   (I'm assuming that if it replaced a file that the user then executed,
    that would do it, but what about hijacking the user's credentials
    while they are logged into the domain?)

> From my understanding, if a system was compromised and unknown code was
execuated as "NT Authority\System", we should no longer trust the system
and it should be rebuilt. It doesn't seem to me that that would compromise
the integrity of the domain security unless the machine exploited was a DC
or a privileged user logged into an injected computer and executed
trojaned code.

I just haven't seen any discussion about this and I have some concerns.

Thanks,
Greg


Greg Francis                                Gonzaga University
Sr. System Administrator                    Spokane Washington
francis () gonzaga edu                         509-323-6896

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.