Re: [Full-disclosure] Flaw in Microsoft Domain AccountCachingAllows Local Workstation Admins to TemporarilyEscalate PrivilegesandLogin as Cached Domain Admin Accounts (2010-M$-002)

Thor (Hammer of God) Mon, 13 Dec 2010 12:26:13 -0800

You knew where I was going with that, and I know that YOU know all this, so 
I'll just leave that one alone :)


t

>-----Original Message-----
>From: David Gillett [mailto:gillettda...@fhda.edu]
>Sent: Monday, December 13, 2010 11:14 AM
>To: Thor (Hammer of God); 'George Carlson'; bugt...@securityfocus.com;
>full-disclosure@lists.grok.org.uk
>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain AccountCachingAllows
>Local Workstation Admins to TemporarilyEscalate PrivilegesandLogin as
>Cached Domain Admin Accounts (2010-M$-002)
>
>If our users hadn't been local admins (not my choice), they would not have
>been able to eject Domain Admins from the Local Admins group in the first
>place....
>
>David Gillett
>
>-----Original Message-----
>From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
>Sent: Monday, December 13, 2010 10:49
>To: David Gillett; 'George Carlson'; bugt...@securityfocus.com; full-
>disclos...@lists.grok.org.uk
>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain AccountCachingAllows
>Local Workstation Admins to TemporarilyEscalate PrivilegesandLogin as
>Cached Domain Admin Accounts (2010-M$-002)
>
>You made all domain users local admin?  Or did you do some sort of RUNAS in
>the logon script?
>
>>-----Original Message-----
>>From: David Gillett [mailto:gillettda...@fhda.edu]
>>Sent: Monday, December 13, 2010 10:16 AM
>>To: Thor (Hammer of God); 'George Carlson'; bugt...@securityfocus.com;
>>full-disclosure@lists.grok.org.uk
>>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account
>>CachingAllows Local Workstation Admins to Temporarily Escalate
>>Privileges andLogin as Cached Domain Admin Accounts (2010-M$-002)
>>
>>> If I take the domain admin out of my local administrators, they can't
>>> do
>>anything.  Done.
>>
>>  Back when I did AD/domain support, all domain user accounts got a
>>profile that included a trivial script to re-add Domain Admins to the
>>Local Admins group.  So this kind of local removal shenanigans lasted
>>only until the user next logged into the domain.
>>
>>David Gillett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Flaw in Microsoft Domain AccountCachingAllows Local Workstation Admins to TemporarilyEscalate PrivilegesandLogin as Cached Domain Admin Accounts (2010-M$-002)

Reply via email to