Full Disclosure: Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

From: Michael Bauer <ravenmsb () gmail com>
Date: Mon, 13 Dec 2010 12:19:32 -0500

An administrator is very different there are many levels of administrative control in windows to say an admin is an 
admin is absurd. There is a big difference between a local admin and a domain admin. There are many types of admin in 
windows and all of them have different levels of permission. I would be very scared to have anyone taking care of any 
of my systems windows or NIX who thought an admin was an admin and root is root. Here is a reference showing the 
different SIDs for some common windows accounts.
Http://support.microsoft.com/kb/24333

If you take time to read it you will see there are numerous types of windows administrator all with different 
permissions. 

Sent from my iPhone

On Dec 10, 2010, at 5:11 PM, "Stefan Kanthak" <stefan.kanthak () nexgo de> wrote:

"George Carlson" <gcarlson () vccs edu> wrote:

Your objections are mostly true in a normal sense.


And in abnormal sense?

However, it is not true when Group Policy is taken into account.


Group Policies need an AD. Cached credentials are only used locally,
for domain accounts, when the computer can't connect to the AD.

Group Policies differentiate between local and Domain administrators


Local administrators don't authenticate against an AD, they authenticate
against the local SAM. No GPOs there!
And: a local administrator can override ANY policy, even exempt the
computer completely from processing Group Policies.

and so this
vulnerability is problematic for shops that differentiate between
desktop support and AD support.


Again: this is NO VULNERABILITY.
An administrator is an administrator is an administrator.

[braindead fullquote removed ]

Stefan


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002), (continued)
- Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Jason Lang (Dec 12)
- Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) phil (Dec 12)