RE: local admin compromised

From: CHRIS GRABENSTEIN (LFGRABC@lf.vccs.edu)
Date: 11/12/01


Message-Id: <sbefee9a.024@lf.vccs.edu>
Date: Mon, 12 Nov 2001 15:38:31 -0500
From: "CHRIS GRABENSTEIN" <LFGRABC@lf.vccs.edu>
To: <focus-ms@securityfocus.com>
Subject: RE: local admin compromised

The workstation OS is Windows 2000 Professional. I realized I didn't
mention that about 10 seconds after I hit send. The system partition is
NTFS and they can boot from a floppy. I agree it's trivial to change
the admin password if you can boot from a removable disk. I just
thought it was odd that the cracker took the time to create a user
account with full name and description but apparently never bothered to
log in with that account. I thought perhaps he used a script or some
tool he found on the internet that created the account automatically.
If so, I'd like to figure out which one so I can find out if it does
anything else I should know about.

Thanks,
Chris

-----Original Message-----
From: "jaylittle" <jaylittle@jaylittle.com>
Sent: Monday, November 12, 2001 12:38 PM
To: <focus-ms@securityfocus.com>
Subject: Re: local admin compromised

More information would be helpful. Perhaps you could start by telling
us what operating system the workstation was running followed by what
filesystem the NT boot drive was using and finishing it up by telling us
whether or not it would be possible for a user to boot into DOS off a
floppy drive. If so they could've easily run NTFSDOS if necessary, and
extracted the SAM file to another machine for cracking using everybody's
favorite program l0phtcrack.
Local Admin compromises are not terribly uncommon given that with enough
time and direct physical access to the machine it's virtually impossible
to stop an attacker from locally elevating their privileges. The key
here is to limit the possibilities for privilege escalation by ensuring
that the local Admin accounts do not share their passwords with any
Domain Admin accounts.
J