[Full-Disclosure] RE: Disabling Cached Logon Credentials

From: Nick Duda (nduda_at_VistaPrint.com)
Date: 12/31/03

  • Next message: sebastian_at_jawmail.org: "Re: [Full-Disclosure] weird worm ?" 
    To: <dwr3ck@hushmail.com>, <full-disclosure@lists.netsys.com>
Date: Wed, 31 Dec 2003 09:40:23 -0500

    Is it safe to say that a secured data center is in fact secured? Not
    naming certain datacenters I've used but in one of them they hold onto
    the keycard to the facility. They require the person requesting it to
    sign in and give the valid cage number and some minor security answers
    to get the key card. Social Engineering can have a field day with this.

    >>>>>Let's expand the definition of half-baked security. Half-baked
    security is implementing settings that are not necessary, which increase
    the TCO of the platform (via increasing downtime of revenue generating
    applications while trying to return them to service).

    >>>>>I believe disabling cached logon credentials for servers in data
    centers falls into the above definition

    This is where I disagree. Logon credientials being cached do not fall
    under the TCO situation. Having admin password 50 characters long and
    stored in a vault needing 2 keys to unlock it does. In fact I would
    assume that disabling cached logon credentials would be the ideal
    situation for a server(s) in a data center no matter how secure one
    finds it. If you do not have constant physical access to the server and
    someone else can when you cant (never say never), then by all means the
    above situation requires even little security measures such as Cached
    logon credentials being disabled.

    My .02

    - Nick

    -----Original Message-----
    From: dwr3ck@hushmail.com [mailto:dwr3ck@hushmail.com]
    Sent: Wednesday, December 31, 2003 9:23 AM
    To: full-disclosure@lists.netsys.com; Nick Duda
    Subject: RE: Disabling Cached Logon Credentials

    Even with physical access you (a hacker) want to do what you have to
    ,leave and still be undetected. If a hacker is going to get to a
    physical server only to change the admin password and do some hack (i.e.
    trojan), I would find it silly because when the admin finds out that its
    not a password he supplied, that system is as good as formatted.

    >>>>>True but some companies have thousands of servers with dozens of
    Admins. Maybe even humdreds of servers in remote offices. Might not
    always catch changed passwords right away. Event log software, custom
    scripts etc. can help to watch for admin acccount changes but sometimes
    budgets get in the way of implementing solutions.

    This is why disbaling stuff like autoplay on cd roms is a good idea, and
    not to just lock servers screensavers but rather logout.

    >>>>>Agreed. I'm only talking about cached logon credentials on this
    thread.

    I don't think disbaling cached logons is something to worry about if in
    a secured data center, but merly a common practice for any security
    professional (i.e. do the job right, or don't do it at all, don't
    halfass when it comes to security)

    - Nick

    >>>>>Let's expand the definition of half-baked security. Half-baked
    security is implementing settings that are not necessary, which increase
    the TCO of the platform (via increasing downtime of revenue generating
    applications while trying to return them to service).

    >>>>>I believe disabling cached logon credentials for servers in data
    centers falls into the above definition.

    >-----Original Message-----
    >From: dwr3ck@hushmail.com [mailto:dwr3ck@hushmail.com]
    >Sent: Tuesday, December 30, 2003 1:29 PM
    >To: focus-ms@securityfocus.com; full-disclosure@lists.netsys.com
    >Subject: Disabling Cached Logon Credentials
    >
    >Disabling cached logon credentials is on virtually every server
    >hardening checklist.
    >
    >If you have your servers physically secured in a data center what is
    >the real benefit of disabling cached logon credentials?
    >
    >Whenever a server is off the network, admins have to obtain the local
    >admin password. Depending on how you handle local RID=500 account
    >passwords this can add significantly to downtime when resolving issues.
    >
    >Does anyone know of a way to exploit cached credentials over the wire?
    >
    >
    >If someone has physical access to a system they own it anyway:
    >
    >http://home.eunet.no/~pnordahl/ntpasswd/

    Concerned about your privacy? Follow this link to get FREE encrypted
    email: https://www.hushmail.com/?l=2

    Free, ultra-private instant messaging with Hush Messenger
    https://www.hushmail.com/services.php?subloc=messenger&l=434

    Promote security and make money with the Hushmail Affiliate Program:
    https://www.hushmail.com/about.php?subloc=affiliate&l=427

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: sebastian_at_jawmail.org: "Re: [Full-Disclosure] weird worm ?"

    Relevant Pages