Re: The "Lunch Break Hole"

From: Tony Chow (tchow@BLUETENTACLE.COM)
Date: 01/22/02


Date:         Tue, 22 Jan 2002 13:59:21 -0800
From: Tony Chow <tchow@BLUETENTACLE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


> With ADSI, you do not need to be an Administrator or a Domain
> Administrator
> to get all the information about every account on your
> domain. Moreover, if
> you have a connection with another domain, you can also get
> the information
> about any account on this domain... Now, is it a kind of
> vulnerability ?
> Yes, no doubt.

ADSI security is regulated by the ACLs you place on the objects in the
Active Directory. Default permissions allows ordinary users to read
some, but not all, properties of each other's account objects. You can
deny domain-wide access to sensitive accounts by adjusting their ACLs.

That ADSI is accessible to all users is an intended feature, as it
allows everyone to use Active Directory as an information repository.

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by VeriSign - The Internet Trust Company
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
FREE E-COMMERCE SECURITY INFRASTRUCTURE GUIDE
When building an e-commerce site, you want to start with a strong, secure
foundation. Learn how with VeriSign's FREE White Paper, "Building an
E-Commerce Trust Infrastructure." See how you can authenticate your site to
customers, use 128-Bit SSL encryption to secure your web servers, and accept
secure payments online. Click here:
http://www.verisign.com/cgi-bin/go.cgi?a=n116965650045000
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo



Relevant Pages

  • Re: Stop having to do the authentication check in OS X?
    ... Not if he has an admin account with no password, it isn't secure. ... the contents of the old administrator home folders contents to the new ... In other words can an attack happen no ...
    (comp.sys.mac.system)
  • Re: Stolen computer recovered but has password
    ... REMOVE YOUR PERSONAL ACCOUNT FROM THE ADMINISTRATOR'S GROUP. ... administrator account and supply its password. ... > Microsoft makes it way too difficult to secure a computer properly. ...
    (microsoft.public.windowsxp.security_admin)
  • RE: XP admin shares
    ... The administrator RID is ALWAYS 500. ... that the renamed account as well as what it was renamed to. ... Everyone group has rights to enumerate the SID of any user on your box. ... A truly secure box is a powered down box, locked in a safe, guarded by ...
    (Security-Basics)
  • Re: Have I been hacked?
    ... If the server is not physically secured and others have access to it then ... somebody could have possibly gained access as local administrator. ... to check is your security logs on that server for logon, account logon ... > Is Terminal Services regarded as secure? ...
    (microsoft.public.security)
  • catch an 401.2 error
    ... authenticate against a database or against ADSI. ... clients are) should an automatic authentication against ADSI ... an ADSI account) or from outside (user can be an employee ...
    (microsoft.public.dotnet.framework.aspnet.security)