[Full-Disclosure] RE: Disabling Cached Logon Credentials

dwr3ck_at_hushmail.com
Date: 12/31/03

    To: full-disclosure@lists.netsys.com, nduda@VistaPrint.com
    Date: Wed, 31 Dec 2003 06:22:49 -0800
    
    

    Even with physical access you (a hacker) want to do what you have
    to, leave and still be undetected. If a hacker is going to get to a
    physical server only to change the admin password and do some hack (i.e.
    trojan), I would find it silly because when the admin finds out that
    it's not a password he supplied, that system is as good as formatted.

    >>>>>True but some companies have thousands of servers with dozens of
    Admins. Maybe even hundreds of servers in remote offices. Might not
    always catch changed passwords right away. Event log software, custom
    scripts etc. can help to watch for admin account changes but sometimes
    budgets get in the way of implementing solutions.

    This is why disabling stuff like autoplay on CD-ROMs is a good idea,
    and not to just lock servers' screensavers but rather log out.

    >>>>>Agreed. I'm only talking about cached logon credentials on this
    thread.

    I don't think disabling cached logons is something to worry about
    if in a secured data center, but merely a common practice for any security
    professional (i.e. do the job right, or don't do it at all, don't halfass
    when it comes to security).

    - Nick

    >>>>>Let's expand the definition of half-baked security. Half-baked
    security is implementing settings that are not necessary, which increase
    the TCO of the platform (via increasing downtime of revenue generating
    applications while trying to return them to service).

    >>>>>I believe disabling cached logon credentials for servers in data
    centers falls into the above definition.

    >-----Original Message-----
    >From: dwr3ck@hushmail.com [mailto:dwr3ck@hushmail.com]
    >Sent: Tuesday, December 30, 2003 1:29 PM
    >To: focus-ms@securityfocus.com; full-disclosure@lists.netsys.com
    >Subject: Disabling Cached Logon Credentials
    >
    >Disabling cached logon credentials is on virtually every server
    >hardening checklist.
    >
    >If you have your servers physically secured in a data center what
    >is the real benefit of disabling cached logon credentials?
    >
    >Whenever a server is off the network, admins have to obtain the
    >local admin password. Depending on how you handle local RID=500 account
    >passwords this can add significantly to downtime when resolving
    >issues.
    >
    >Does anyone know of a way to exploit cached credentials over the
    >wire?
    >
    >
    >If someone has physical access to a system they own it anyway:
    >
    >http://home.eunet.no/~pnordahl/ntpasswd/


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
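The trade-off argued above turns on two facts an admin can check rather than guess: what the host's cached-logon count actually is, and whether the RID-500 account that becomes the only console fallback when caching is off is still enabled. The thread also mentions watching for admin account changes with custom scripts. The PowerShell below is an added example written for this page, not code from either poster. It assumes a Windows Server host with PowerShell 5.1 or later, run elevated, and uses the Vista/2008+ Security event IDs 4724 (password reset) and 4738 (account changed); hosts of the era the thread discusses (Windows 2000/2003) logged the same events as 628 and 642. The function name `Get-CachedLogonPosture` and the `-LookbackDays` parameter are this example's own.

```powershell
# Added example (not from the thread): audit the cached-logon setting the
# discussion is about, report the local RID-500 fallback account, and list
# recent admin-account password changes from the Security log.
# Assumptions: Windows Server, PowerShell 5.1+, elevated session; event IDs
# 4724/4738 are the Vista/2008+ IDs (Windows 2000/2003 used 628/642).

function Get-CachedLogonPosture {
    [CmdletBinding()]
    param(
        # How far back to look in the Security log for admin account changes.
        [int]$LookbackDays = 7
    )

    # Registry value behind the policy "Interactive logon: Number of previous
    # logons to cache (in case domain controller is not available)". It is a
    # REG_SZ; 0 disables caching entirely.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    # Windows treats a missing value as the default of 10 cached logons.
    $cached = if ($null -eq $raw) { 10 } else { [int]$raw }

    # The built-in Administrator is the account whose SID ends in -500,
    # whatever it has been renamed to. With caching off, this is the account
    # an admin at the console of an off-network server has to fall back on.
    $rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # Recent password resets / account changes, the events the thread suggests
    # watching. Parsing the event XML avoids depending on the positional order
    # of .Properties, which differs between event IDs.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Security'; Id = 4724, 4738; StartTime = $since
              } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Target  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            }
        }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        CachedLogonsCount   = $cached
        CachingDisabled     = ($cached -eq 0)
        Rid500Account       = $rid500.Name
        Rid500Enabled       = $rid500.Enabled
        # Caching off plus a disabled fallback account is the downtime trap
        # the original poster describes.
        OfflineLogonRisk    = ($cached -eq 0 -and -not $rid500.Enabled)
        AdminAccountChanges = @($events)
    }
}

# Usage: run on the server itself, or wrap in Invoke-Command across a fleet.
$posture = Get-CachedLogonPosture -LookbackDays 7
$posture | Format-List ComputerName, CachedLogonsCount, CachingDisabled,
                       Rid500Account, Rid500Enabled, OfflineLogonRisk
$posture.AdminAccountChanges | Format-Table Time, Id, Target, Subject -AutoSize
```

The `OfflineLogonRisk` flag is the concrete form of the downtime argument in the thread: setting `CachedLogonsCount` to 0 is only as safe operationally as the process that keeps the RID-500 password retrievable. The event query is the cheap "custom script" alternative to commercial log tooling mentioned above; running it from a central host with `Invoke-Command` gives a fleet-wide view of password resets on local accounts.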

