Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily Escalate Privileges andLogin as Cached Domain Admin Accounts (2010-M$-002)
From: Michael Bauer <ravenmsb () gmail com>
Date: Mon, 13 Dec 2010 14:53:18 -0500

Maybe what some of us need to learn from this is that we should never think in absolutes such as local VS domain users. 
There are  numerous account types and the overrides to take into account with any OS and they change.

This is more of a wakeup call to brush up on our understanding of permissions.

I know this is not a vulnerability but it was a great posting to wake some of us up and remind us that things are never 
absolute when it comes to permissions. We learn about things in such a manner that we forget to think outside the box. 
Even if controls are designed to work a specific way that doesn't mean they will. 

This is not directed at anyone rather an observation that might help other with similar thought on the subject.

Mike

Sent from my iPhone

On Dec 13, 2010, at 1:15 PM, "David Gillett" <gillettdavid () fhda edu> wrote:

If I take the domain admin out of my local administrators, they can't do
anything.  Done.

 Back when I did AD/domain support, all domain user accounts got a profile
that included a trivial script to re-add Domain Admins to the Local Admins
group.  So this kind of local removal shenanigans lasted only until the user
next logged into the domain.

David Gillett



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]