So you are saying that the user can perform actions on the domain? Things like create/delete user accounts. Your initial statement does not say anything about taking action on any network resources. I find it hard to believe that would be the case because the user would not have a valid Kerberos ticket because they did not log into the domain.
Jason Lang

From: jcoyle () winwholesale com
Date: Fri, 10 Dec 2010 14:44:35 -0500

You are completely missing the point. Local admins become Domain Admins.

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
To: <bugtraq () securityfocus com>, <full-disclosure () lists grok org uk>
Cc: <stenoplasma () exploitdevelopment com>
Date: 12/10/2010 01:08 PM
Subject: Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)