RE: local admin compromised

From: CHRIS GRABENSTEIN (LFGRABC@lf.vccs.edu)
Date: 11/12/01


Message-Id: <sbefee9a.024@lf.vccs.edu>
Date: Mon, 12 Nov 2001 15:38:31 -0500
From: "CHRIS GRABENSTEIN" <LFGRABC@lf.vccs.edu>
To: <focus-ms@securityfocus.com>
Subject: RE: local admin compromised

The workstation OS is Windows 2000 Professional. I realized I didn't
mention that about 10 seconds after I hit send. The system partition is
NTFS and they can boot from a floppy. I agree it's trivial to change
the admin password if you can boot from a removable disk. I just
thought it was odd that the cracker took the time to create a user
account with full name and description but apparently never bothered to
log in with that account. I thought perhaps he used a script or some
tool he found on the internet that created the account automatically.
If so, I'd like to figure out which one so I can find out if it does
anything else I should know about.

Thanks,
Chris

-----Original Message-----
From: "jaylittle" <jaylittle@jaylittle.com>
Sent: Monday, November 12, 2001 12:38 PM
To: <focus-ms@securityfocus.com>
Subject: Re: local admin compromised

More information would be helpful. Perhaps you could start by telling
us what operating system the workstation was running followed by what
filesystem the NT boot drive was using and finishing it up by telling us
whether or not it would be possible for a user to boot into DOS off a
floppy drive. If so they could've easily run NTFSDOS if necessary, and
extracted the SAM file to another machine for cracking using everybody's
favorite program l0phtcrack.
Local Admin compromises are not terribly uncommon given that with enough
time and direct physical access to the machine it's virtually impossible
to stop an attacker from locally elevating their privileges. The key
here is to limit the possibilities for privilege escalation by ensuring
that the local Admin accounts do not share their passwords with any
Domain Admin accounts.
J
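As an added example, not part of the thread: a defender-side check in Python that correlates account-creation records with logon records to list accounts that were created but never used, the pattern Chris describes. The record format and the four sample lines are constructed, loosely modelled on Windows 2000 Security log events 624 (user account created) and 528 (successful logon); real exports will need their own parser.

```python
"""Flag local accounts that were created but never used to log on."""
from datetime import datetime

# Constructed sample export, not data from the poster's machine.
# Field layout (assumed): timestamp|event id|subject|detail fields...
SAMPLE_LOG = """\
2001-11-09 23:14:02|624|SYSTEM|New Account Name: helpdesk|Caller: Administrator
2001-11-09 23:14:05|624|SYSTEM|New Account Name: backup2|Caller: Administrator
2001-11-10 08:01:11|528|helpdesk|Logon Type: 2
2001-11-12 09:30:44|528|Administrator|Logon Type: 2
"""

ACCOUNT_CREATED = 624   # Windows 2000 audit event: user account created
LOGON_SUCCESS = 528     # Windows 2000 audit event: successful logon


def parse_events(text):
    """Split each record into (timestamp, event id, subject, detail dict)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, *detail = line.split("|")
        fields = dict(part.split(": ", 1) for part in detail)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(eid), subject, fields))
    return events


def created_accounts(events):
    """Map each account created in the log to (creation time, creating caller)."""
    created = {}
    for ts, eid, _subject, fields in events:
        if eid == ACCOUNT_CREATED:
            created[fields["New Account Name"]] = (ts, fields.get("Caller", "?"))
    return created


def dormant_accounts(text):
    """Accounts created in the log that never appear as a logon subject.

    A created-but-unused account is worth a closer look: it may have been
    left behind by a tool or script rather than by an interactive user."""
    events = parse_events(text)
    created = created_accounts(events)
    logged_on = {subject for _ts, eid, subject, _f in events if eid == LOGON_SUCCESS}
    return sorted(name for name in created if name not in logged_on)


if __name__ == "__main__":
    print("created but never logged on:", dormant_accounts(SAMPLE_LOG))
```

Run it against an exported log in the same field layout; every name it prints should be traceable to a change request, and any creation whose caller is a service or unexpected account deserves the same scrutiny.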