You knew where I was going with that, and I know that YOU know all this, so I'll just leave that one alone :)
t

>-----Original Message-----
>From: David Gillett [mailto:gillettda...@fhda.edu]
>Sent: Monday, December 13, 2010 11:14 AM
>To: Thor (Hammer of God); 'George Carlson'; bugt...@securityfocus.com;
>full-disclosure@lists.grok.org.uk
>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>If our users hadn't been local admins (not my choice), they would not have
>been able to eject Domain Admins from the Local Admins group in the first
>place....
>
>David Gillett
>
>-----Original Message-----
>From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
>Sent: Monday, December 13, 2010 10:49
>To: David Gillett; 'George Carlson'; bugt...@securityfocus.com;
>full-disclos...@lists.grok.org.uk
>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>You made all domain users local admin? Or did you do some sort of RUNAS in
>the logon script?
>
>>-----Original Message-----
>>From: David Gillett [mailto:gillettda...@fhda.edu]
>>Sent: Monday, December 13, 2010 10:16 AM
>>To: Thor (Hammer of God); 'George Carlson'; bugt...@securityfocus.com;
>>full-disclosure@lists.grok.org.uk
>>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account
>>Caching Allows Local Workstation Admins to Temporarily Escalate
>>Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
>>
>>> If I take the domain admin out of my local administrators, they can't
>>> do anything. Done.
>>
>> Back when I did AD/domain support, all domain user accounts got a
>>profile that included a trivial script to re-add Domain Admins to the
>>Local Admins group. So this kind of local removal shenanigans lasted
>>only until the user next logged into the domain.
>>
>>David Gillett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/