-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Monday, December 13, 2010 10:16 AM
To: Thor (Hammer of God); 'George Carlson'; bugtraq () securityfocus com;
full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
Local Workstation Admins to Temporarily Escalate Privileges and Login as
Cached Domain Admin Accounts (2010-M$-002)
If I take the domain admin out of my local administrators, they can't do
anything. Done.
Back when I did AD/domain support, all domain user accounts got a profile
that included a trivial script to re-add Domain Admins to the Local Admins
group. So this kind of local removal shenanigans lasted only until the user
next logged into the domain.
David Gillett