Penetration Testing mailing list archives

Re: How to find the users with local admin rights?


From: Teh Fizzgig <fizzgig () foofus net>
Date: Sun, 08 Apr 2007 15:58:54 -0500

WALI wrote:

> Hi, on the same lines as an earlier poster who sought to find blank
> passwords, I was wondering if there is a way to find out who all
> have Local Administration Rights in my domain?

We have a tool we use internally that's not 100% stable called OWNR. The
module that performs this action uses the NetUserGetInfo API function
to do its dirty work by looking at the usri11_priv field (using the
"USER_INFO_11" information structure - this makes more sense when you
read the API docs). :) I haven't really spent any time searching out a
ready-made tool to do it, but it would be pretty easy to write a
script/simple program to do this. Look for accounts which have a user
privilege level of 2. Those will be your admin accounts. Keep in mind
you *may* need to have admin privileges to run this API with this level
of detail (easy enough if you are a domain admin).

FWIW, I am working on a new version of this tool for public consumption
that will address this as well as a lot more Windows domain data
gathering tasks. I'll post to the list as the release draws closer - I
imagine I'm still at least a month out. If you want help writing a
script/program though let me know, since I've already done it. :)

> I mean, what I want to audit is if our Helpdesk personnel have scrupulously
> given Local Admin rights on workstations, or created user accounts with
> Local Admin rights for their friends/acquaintances etc.

Indeed - we strongly recommend to our customers that they audit this
frequently. This is obviously easy at a domain level, but monitoring
local admin accounts can be a pain.

> I was wondering if there is an alternative to restrict HelpDesk from
> knowing the local Admin username and password and still not affect their
> ability to troubleshoot a problem in case they need to have escalated
> rights on someone's PC?

Make them a member of a domain group that is in the Administrators group
on local workstations? I strongly advise against giving HelpDesk folks
domain admin credentials unless they are the same ones doing actual
domain-level sys admin tasks. This is pushable via group policy.


--fizzgig
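An added example (not part of the post and not OWNR's code) of the audit fizzgig describes: enumerate the accounts on a workstation through NetUserEnum, the sibling of NetUserGetInfo, and report those whose priv field is USER_PRIV_ADMIN (2). It assumes the USER_INFO_1 structure, which carries the same usri_priv field as USER_INFO_11 in a smaller layout, and that the caller is an administrator on the target, as the post notes.

```powershell
# Added example, not from the original post. Uses NetUserEnum level 1
# (USER_INFO_1), whose usri1_priv field is the same privilege level that
# the post reads from usri11_priv; 2 = USER_PRIV_ADMIN.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_1 {
        public string usri1_name;
        public string usri1_password;
        public uint   usri1_password_age;
        public uint   usri1_priv;        // 0 = GUEST, 1 = USER, 2 = ADMIN
        public string usri1_home_dir;
        public string usri1_comment;
        public uint   usri1_flags;
        public string usri1_script_path;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserEnum(string servername, int level, int filter,
        out IntPtr bufptr, int prefmaxlen, out int entriesread,
        out int totalentries, ref int resume_handle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@

function Get-LocalAdminAccount {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # level 1, FILTER_NORMAL_ACCOUNT (2), MAX_PREFERRED_LENGTH (-1)
    $rc = [NetApi]::NetUserEnum("\\$ComputerName", 1, 2, [ref]$buf, -1,
                                [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) { throw "NetUserEnum failed on $ComputerName, status $rc" }
    try {
        $type = [type][NetApi+USER_INFO_1]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $read; $i++) {
            $p = [IntPtr]::Add($buf, $i * $size)
            $u = [Runtime.InteropServices.Marshal]::PtrToStructure($p, $type)
            if ($u.usri1_priv -eq 2) {
                [pscustomobject]@{ Computer = $ComputerName; Account = $u.usri1_name }
            }
        }
    } finally { [void][NetApi]::NetApiBufferFree($buf) }
}

# Audit the local machine; pass -ComputerName to check a remote workstation.
Get-LocalAdminAccount
```

Feeding a list of workstation names through the function gives the periodic local-admin inventory the reply recommends.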
