Never be sorry for blowing whistles. People need to call out issues when they see them or else issues don't get fixed.

Unfortunately for this one, the fix could be worse than the initial problem, though possibly MS should allow a special hardened platform version of Windows to be locked down from physical tampering. I believe I have read about some special versions of *nix that are like that. Definitely not the mainstream stuff though.

joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, March 09, 2004 4:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin to Domain Admin escalation

Joe & Guido,

thanks for clearing this up. I was helping out someone and came up with the solution described below and when it worked I was totally sure I was missing something. I know that the topic is rather controversial and I am sorry for blowing the whistle, but I just had to know it for sure.

Thanks again,
Guy

On Tue, 2004-03-09 at 08:43, joe wrote:
> I agree with Guido. It's all about physical security.
>
> Consider if they fixed that little loophole... What would you do? You obviously have done this enough you have worked up a nice little process. You have probably described a method that 10% or better of the people on the list read and said, no kidding, and another 10% said don't say it out loud, I don't want that fixed as it saves my butt all of the time.
>
> The only realistic fix from MS would be to make it so it isn't possible to get into the box even if you have physical access and could do the screensaver, at, service, gina, you name it, hack.
>
> It's like why don't they take away the whole creator/owner loophole on ACLs.... Because the second they do someone is going to start screaming they can't get at their stuff when they or someone else screwed up.
>
> Personally I am all for tough love and security, you screwed up and can't get in, rebuild. You screwed up and locked yourself out of a file or directory object, tough love.
>
> I have DCs all over the world and this is one thing that I don't even start to take the time to worry about because I have zero control over how physical security will in the end really be handled and zero compensating controls I can feasibly put into place to prevent anything bad if someone got the idea they wanted to do something bad.
>
> -------------
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
> Sent: Friday, February 27, 2004 3:33 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Local Admin to Domain Admin escalation
>
> no need to install a new service at all => scheduling an "at" command in DSRM mode to execute the right script is sufficient, as the task scheduler is configured to run as Local System.
>
> And even though I agree that it would be nice to see new services being pre-configured to be run with the Local Service account, an admin can change it to run as local system anyways. Also, how is Windows supposed to know if the service doesn't require network access and should thus use the Network Service instead...
>
> In summary: the default install account of a service should be the least of your worries. Better to concentrate on physically securing the DC.
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, 27 February 2004 17:56
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Local Admin to Domain Admin escalation
>
> Hi all,
>
> Recently I have been playing around with an idea of how you deal with a situation when you must have Domain Admin access to AD but do not have the Domain Admin password (this can happen in small outsourced companies or when the only Domain Admin is suddenly unavailable).
>
> In W2K this was easy. You use one of those tools that reset the Administrator's password in the local SAM, boot in DS Restore Mode, copy cmd.exe over logon.scr, reboot, wait and get a shell running in Local System context. As this is a DC and LSA has enough privileges to reset the Domain Admin password, you are all set.
>
> In W2K3 this behavior has been changed. The screensaver runs in Local Service account context and has no access to AD. This sounds nice and dandy, BUT if I boot into DS Restore Mode, install a service (using resource kit utilities) that will spawn a shell, which will run a script, which will reset the Domain Admin password, I still get access to the AD (tested successfully at home).
>
> The problem I see here is the fact that in DS Restore Mode (actually it does not really matter in which mode), when you install a new service, it will run by default in LSA context.
>
> I know that you will all say: "physical access = Domain Admin" and will be right, but what bothers me more is the fact that a local account has a way to escalate its rights by taking advantage of the fact that new services default to run under the Local System account.
>
> Your thoughts?
>
> Guy
>
> --
> Smith & Wesson - the original point and click interface

--
Smith & Wesson - the original point and click interface

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
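The thread's concern is that a freshly installed service (or, per Guido, a scheduled task) on a DC runs as Local System by default, so an unexpected service installation on a domain controller is worth watching for. The script below is an added example written for this page; it is not code from the thread or from any of its participants. It assumes a modern Windows host (Windows Server 2008 R2 or later) with PowerShell 3.0+, where `Get-CimInstance`, `Get-WinEvent` and `Get-ScheduledTask` exist; the 2004 thread discussed Windows 2000/2003, which lack these cmdlets. `$Baseline` is a constructed allow-list of service names and is an assumption to be replaced with the services expected on your own DCs.

```powershell
# Added example (not from the thread): audit services and scheduled tasks that run as
# Local System on a DC, and list recent service installations recorded by the Service
# Control Manager. Assumes Windows Server 2008 R2+ and PowerShell 3.0+.
# $Baseline is a constructed allow-list; replace it with the service names you expect.
param(
    [string[]]$Baseline = @('LanmanServer', 'Netlogon', 'NTDS', 'DNS', 'W32Time'),
    [int]$Days = 30
)

# 1. Services currently configured to run as LocalSystem that are not in the baseline.
#    Win32_Service.StartName holds the logon account ("LocalSystem" for the built-in
#    SYSTEM account the thread is concerned about).
$localSystem = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.Name -notin $Baseline } |
    Select-Object Name, DisplayName, StartMode, State, PathName

Write-Host "Services running as LocalSystem that are not in the baseline:" -ForegroundColor Yellow
$localSystem | Format-Table -AutoSize

# 2. Service installations in the last $Days days. The Service Control Manager writes
#    Event ID 7045 ("A service was installed in the system") to the System log; its
#    message fields are ServiceName, ImagePath, ServiceType, StartType, AccountName.
$since = (Get-Date).AddDays(-$Days)
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
                         -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            StartType   = $_.Properties[3].Value
            Account     = $_.Properties[4].Value
        }
    }

Write-Host "Service installations since $since :" -ForegroundColor Yellow
$installs | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. Warn on any install that landed on LocalSystem for a service outside the baseline.
$installs |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.ServiceName -notin $Baseline } |
    ForEach-Object {
        Write-Warning "New LocalSystem service '$($_.ServiceName)' installed $($_.Time) from $($_.ImagePath)"
    }

# 4. Guido's point: the task scheduler also runs jobs as SYSTEM. List scheduled tasks whose
#    principal is SYSTEM (reported as the name or as the well-known SID S-1-5-18), skipping
#    the Microsoft-supplied tasks so that locally added ones stand out.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Write-Host "Non-Microsoft scheduled tasks running as SYSTEM:" -ForegroundColor Yellow
    Get-ScheduledTask |
        Where-Object {
            $_.Principal.UserId -in @('SYSTEM', 'S-1-5-18') -and
            $_.TaskPath -notlike '\Microsoft\*'
        } |
        Select-Object TaskPath, TaskName, State, @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { $_.Execute }) -join '; ' } } |
        Format-Table -AutoSize
}
```

Run it as an administrator on each DC and diff the output against the previous run; a service or task that appears with a LocalSystem principal and is not in `$Baseline` is the condition the thread describes and should be explained or removed. Forwarding Event ID 7045 from DCs to a central collector gives the same signal without logging on to each box.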