RE: local admin compromised
From: CHRIS GRABENSTEIN (LFGRABC@lf.vccs.edu)
Message-Id: <firstname.lastname@example.org>
Date: Mon, 12 Nov 2001 15:38:31 -0500
From: "CHRIS GRABENSTEIN" <LFGRABC@lf.vccs.edu>
To: <email@example.com>
Subject: RE: local admin compromised
The workstation OS is Windows 2000 Professional. I realized I didn't
mention that about 10 seconds after I hit send. The system partition is
NTFS and they can boot from a floppy. I agree it's trivial to change
the admin password if you can boot from a removable disk. I just
thought it was odd that the cracker took the time to create a user
account with full name and description but apparently never bothered to
log in with that account. I thought perhaps he used a script or some
tool he found on the internet that created the account automatically.
If so, I'd like to figure out which one so I can find out if it does
anything else I should know about.
More information would be helpful. Perhaps you could start by telling
us what operating system the workstation was running followed by what
filesystem the NT boot drive was using and finishing it up by telling us
whether or not it would be possible for a user to boot into DOS off a
floppy drive. If so, they could've easily run NTFSDOS if necessary, and
extracted the SAM file to another machine for cracking using everybody's
favorite program l0phtcrack.
Local Admin compromises are not terribly uncommon given that with enough
time and direct physical access to the machine it's virtually impossible
to stop an attacker from locally elevating their privileges. The key
here is to limit the possibilities for privilege escalation by ensuring
that the local Admin accounts do not share their passwords with any
Domain Admin accounts.
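Two checks fall out of this exchange: list accounts that were created but never logged on (the oddity Chris noticed), and confirm that no workstation's local Administrator password is shared with a Domain Admin (the mitigation in the quoted reply). The script below is an added illustration and is not code from either poster. It assumes constructed inputs: a per-host list of local accounts with their creation and last-logon times, plus per-host local Administrator password hashes and Domain Admin hashes as opaque placeholder strings; a real audit would substitute the NT hashes from the SAM and the domain.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class LocalAccount:
    """One local account as it might be dumped from a workstation."""
    host: str
    name: str
    full_name: str
    description: str
    created: datetime
    last_logon: Optional[datetime]   # None means the account has never logged on


def never_used_accounts(accounts: List[LocalAccount]) -> List[LocalAccount]:
    """Accounts that were created but have never logged on.

    A user with a full name and description filled in, yet no logon, is only
    a lead on its own, but it is cheap to list across every workstation.
    """
    return [a for a in accounts if a.last_logon is None]


def shared_admin_passwords(
    local_admin_hashes: Dict[str, str],
    domain_admin_hashes: Dict[str, str],
) -> List[Tuple[str, str]]:
    """Hosts whose local Administrator password hash matches a Domain Admin's.

    Equal hashes mean equal passwords, so the comparison never needs the
    plaintext. A hit means a SAM pulled from that workstation would also
    expose a Domain Admin password, which is exactly what the thread warns about.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, digest in domain_admin_hashes.items():
        by_hash.setdefault(digest, []).append(user)
    findings: List[Tuple[str, str]] = []
    for host, digest in sorted(local_admin_hashes.items()):
        for user in by_hash.get(digest, []):
            findings.append((host, user))
    return findings


# Constructed sample data (not from the thread): three workstations.
SAMPLE_ACCOUNTS = [
    LocalAccount("ws01", "Administrator", "", "Built-in account",
                 datetime(2001, 1, 5), datetime(2001, 11, 9)),
    LocalAccount("ws01", "jsmith", "John Smith", "Helpdesk",
                 datetime(2001, 11, 10), None),
    LocalAccount("ws02", "Administrator", "", "Built-in account",
                 datetime(2001, 1, 5), datetime(2001, 11, 12)),
]

# Placeholder hash strings (constructed); a real audit would use NT hashes.
SAMPLE_LOCAL_ADMIN_HASHES = {"ws01": "hash-A", "ws02": "hash-B", "ws03": "hash-A"}
SAMPLE_DOMAIN_ADMIN_HASHES = {"DOMAIN\\da_alice": "hash-A", "DOMAIN\\da_bob": "hash-C"}


def audit() -> Dict[str, list]:
    """Run both checks over the sample data and return the findings."""
    return {
        "never_logged_on": [(a.host, a.name) for a in never_used_accounts(SAMPLE_ACCOUNTS)],
        "shared_admin_password": shared_admin_passwords(
            SAMPLE_LOCAL_ADMIN_HASHES, SAMPLE_DOMAIN_ADMIN_HASHES),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        print(check, hits)
```

On the sample data the first check reports `jsmith` on `ws01`, and the second reports `ws01` and `ws03` because their local Administrator hash equals `da_alice`'s. The hash comparison is the point: the audit never handles plaintext passwords, and any host it flags is one where a local compromise of the kind described above would also cost a Domain Admin credential.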