Good points - usually the hardest ones to figure
out.
And if you knew AD well and the forest is set up
"appropriately", you might also want to leverage SIDHistory.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Friday, February 10, 2006 18:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hiding in the Directory

If I were wanting to hide out in the directory, and didn't
know much about Active Directory, but had a fair amount of general knowledge
about computers, I would check into the Active Directory hotel under a fake name
with the Mrs and I. I would call myself Intrasite Topology Generation
Account or something sounding official and then use that as my runas
buddy. Or I could just create a group called Federated Forest Knowledge
Consistency Checkers and then give the Topology Generation account membership
to it, and then give the Federated Forest Knowledge Consistency Checker all the
user rights of whatever kind of admin I would hope to be. I might even
install some services and make them sound official like Directory Services Cyclic
Redundancy Checker and make the Topology generation Account the service account
it runs under as well. Why try to create a backdoor when you can just
create another front door? Kinda like the fake laundry service gag to
break out of prison you always see in the movies.
Nate

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, February 10, 2006 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Hiding in the Directory

I have
been asked by a company to help them tighten what is currently a very loose
security model. Now, several non-IT-but-computer-adept employees have accounts
with full Domain Admin privileges. Many of these folks are programmer types and
pretty savvy (which leads them to think they know what they are doing – that’s
another story). They are also aware that we are going to tighten things down.
For political reasons, we could not just yank their admin
access. So the
question is: if you were one of these folks and were inclined to mischief (or
simply ensuring your continued access), how might you hide yourself in the
Directory? More to the point: where should I look beyond the obvious group
memberships? Thanks.
-- nme --
- RE: [ActiveDir] Hiding in the Directory Grillenmeier, Guido
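
Added example, not part of the thread or written by any of its participants: a small audit pass over a directory export that covers three of the places raised above, namely nested membership behind a privileged group, a populated sIDHistory, and recently created principals with official-sounding names. It assumes the export has already been loaded as dictionaries keyed by the real AD attribute names; the example.test domain, the SID, the dates, the baseline and the cutoff are constructed, and the two "official" names are borrowed from Nate's message. User-rights assignments and service logon accounts live outside these objects and need their own review.

```python
from datetime import datetime

def D(cn):  # DN in the constructed example.test domain (assumption)
    return f"CN={cn},CN=Users,DC=example,DC=test"

# Constructed sample export; attribute names are the real AD ones, values are made up.
OBJECTS = [
    {"distinguishedName": D("Domain Admins"), "objectClass": "group",
     "whenCreated": "20030115120000.0Z", "member": [D("alice"), D("Build Helpers")]},
    {"distinguishedName": D("Build Helpers"), "objectClass": "group",
     "whenCreated": "20040302090000.0Z", "member": [D("carol")]},
    {"distinguishedName": D("Federated Forest Knowledge Consistency Checkers"),
     "objectClass": "group", "whenCreated": "20060208171500.0Z",
     "member": [D("Intrasite Topology Generation Account")]},
    {"distinguishedName": D("Intrasite Topology Generation Account"),
     "objectClass": "user", "whenCreated": "20060208171000.0Z"},
    {"distinguishedName": D("alice"), "objectClass": "user", "whenCreated": "20030116080000.0Z"},
    {"distinguishedName": D("carol"), "objectClass": "user", "whenCreated": "20040301080000.0Z"},
    {"distinguishedName": D("bob"), "objectClass": "user", "whenCreated": "20040501080000.0Z",
     "sIDHistory": ["S-1-5-21-1111111111-2222222222-3333333333-512"]},
]

def effective_members(objects, group_dn):
    """Expand nested 'member' links; returns every DN reachable from group_dn."""
    by_dn = {o["distinguishedName"]: o for o in objects}
    seen, stack = set(), [group_dn]
    while stack:
        for m in by_dn.get(stack.pop(), {}).get("member", []):
            if m not in seen:  # guards against circular nesting
                seen.add(m)
                stack.append(m)
    return seen

def audit(objects, privileged_dn, direct_baseline, created_after):
    """Return sorted (dn, reason) findings for the three checks."""
    findings = set()
    for dn in effective_members(objects, privileged_dn) - set(direct_baseline):
        findings.add((dn, "privileged member outside baseline"))
    for o in objects:
        dn = o["distinguishedName"]
        if o.get("sIDHistory"):
            findings.add((dn, "sIDHistory populated"))
        if datetime.strptime(o["whenCreated"], "%Y%m%d%H%M%S.0Z") >= created_after:
            findings.add((dn, "created after cutoff"))
    return sorted(findings)

if __name__ == "__main__":
    for dn, why in audit(OBJECTS, D("Domain Admins"), [D("alice")], datetime(2006, 1, 1)):
        print(f"{why:36} {dn}")
```

Run it once per privileged group, with the baseline taken from a membership list that someone has actually approved.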