On Mon, Dec 13, 2010 at 2:13 PM, David Gillett <gillettda...@fhda.edu> wrote:
> If our users hadn't been local admins (not my choice), they would not have
> been able to eject Domain Admins from the Local Admins group in the first
> place....

Ouch! But at least it keeps the help desk calls down ;)

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
> Sent: Monday, December 13, 2010 10:49
> To: David Gillett; 'George Carlson'; bugt...@securityfocus.com;
> full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
> Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached
> Domain Admin Accounts (2010-M$-002)
>
> You made all domain users local admin? Or did you do some sort of RUNAS in
> the logon script?
>
>>-----Original Message-----
>>From: David Gillett [mailto:gillettda...@fhda.edu]
>>Sent: Monday, December 13, 2010 10:16 AM
>>To: Thor (Hammer of God); 'George Carlson'; bugt...@securityfocus.com;
>>full-disclosure@lists.grok.org.uk
>>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account
>>Caching Allows Local Workstation Admins to Temporarily Escalate
>>Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
>>
>>> If I take the domain admin out of my local administrators, they can't
>>> do anything. Done.
>>
>> Back when I did AD/domain support, all domain user accounts got a
>>profile that included a trivial script to re-add Domain Admins to the
>>Local Admins group. So this kind of local removal shenanigans lasted
>>only until the user next logged into the domain.
>>
>>David Gillett
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
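The "re-add Domain Admins at logon" script David describes, as an added PowerShell example that is not from the thread or from either poster; the CORP domain name, the elevation check and the use of the LocalAccounts module cmdlets (Get-/Add-LocalGroupMember) are assumptions about a modern equivalent. It also makes the thread's own point explicit: the repair only works when the running context holds an administrative token, which is exactly the user who could remove the group again.

```powershell
# Added example: put Domain Admins back into the local Administrators group.
# Assumes Windows PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts.
# "CORP" is a placeholder domain name.
param(
    [string]$LocalGroup = 'Administrators',
    [string]$Member     = 'CORP\Domain Admins'   # placeholder domain
)

function Test-IsElevated {
    # Changing Administrators membership needs an administrative token,
    # so this only works when the logon context is itself a local admin.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-LocalGroupMember {
    param([string]$Group, [string]$Account)
    # Member names come back as "DOMAIN\name"; string comparison is
    # case-insensitive in PowerShell, matching how Windows treats them.
    $current = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
               Select-Object -ExpandProperty Name
    if ($current -contains $Account) {
        Write-Verbose "$Account already present in $Group"
        return $false
    }
    Add-LocalGroupMember -Group $Group -Member $Account -ErrorAction Stop
    Write-Warning "$Account was missing from $Group and has been re-added"
    return $true
}

if (-not (Test-IsElevated)) {
    Write-Warning 'No administrative token; cannot repair group membership.'
    exit 1
}

# $true means a repair was needed: a removal implies someone with local
# admin rights tampered with the group, which is worth reporting centrally.
Assert-LocalGroupMember -Group $LocalGroup -Account $Member
```

On Vista and later with UAC enabled, an interactive logon script for a local admin runs with the filtered (non-elevated) token, so Test-IsElevated will fail there; run the repair from a context that starts elevated, such as a computer startup script or a scheduled task running as SYSTEM.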