Full Disclosure mailing list archives
Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
From: "StenoPlasma @ ExploitDevelopment" <StenoPlasma () exploitdevelopment com>
Date: Mon, 13 Dec 2010 08:20:21 -0800
Stefan, For you information: Cached domain accounts on a local system are not stored in the SAM. They are stored in the SECURITY registry hive. When a cached domain user logs in to the system, they do not authenticate against the SAM (As you can see in my article, I am not editing the SAM). ----------------------------------------------------- StenoPlasma at ExploitDevelopment.com www.ExploitDevelopment.com ----------------------------------------------------- -------- Original Message --------
From: "Stefan Kanthak" <stefan.kanthak () nexgo de> Sent: Monday, December 13, 2010 7:53 AM To: bugtraq () securityfocus com, full-disclosure () lists grok org uk Subject: Re: Flaw in Microsoft Domain Account CachingAllows Local
Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
"George Carlson" <gcarlson () vccs edu> wrote:Your objections are mostly true in a normal sense.And in abnormal sense?However, it is not true when Group Policy is taken into account.Group Policies need an AD. Cached credentials are only used locally, for domain accounts, when the computer can't connect to the AD.Group Policies differentiate between local and Domain administratorsLocal administrators don't authenticate against an AD, they authenticate against the local SAM. No GPOs there! And: a local administrator can override ANY policy, even exempt the computer completely from processing Group Policies.and so this vulnerability is problematic for shops that differentiate between desktop support and AD support.Again: this is NO VULNERABILITY. An administrator is an administrator is an administrator. [braindead fullquote removed ] Stefan
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) StenoPlasma @ ExploitDevelopment (Dec 13)