RE: AD access
From: Matt Priestley (mpriest@microsoft.com)
Date: 12/03/01
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #63"
- Next in thread: Matt Priestley: "RE: AD access"
- Reply: Matt Priestley: "RE: AD access"
- Reply: Michael Ward: "RE: AD access"
- Reply: Zimmer, Brian M: "RE: AD access"
- Reply: Erik Birkholz: "RE: AD access"
Date: Mon, 3 Dec 2001 11:25:12 -0800
From: "Matt Priestley" <mpriest@microsoft.com>
To: "Focus on Microsoft Mailing List" <FOCUS-MS@SECURITYFOCUS.COM>
It's sometimes useful to delete the Guest account because it helps
prevent an information leak regarding the system's password lockout
parameters.
There is a difference between a disabled account and an account that has
been locked out. When an account is locked out, NT will not even check
whether the supplied password was correct - it will just fail. When an
account is disabled, NT does check the password, but even in the case of
success it won't let the user in. More importantly perhaps, the two
states have different error messages.
Although Guest is disabled by default it still validates logon attempts
against the registered Guest password and notes internally if the logon
attempt failed. If an attacker wishes to know the lockout thresholds for
a system, s/he could experiment with the Guest account until the system
reported that the user had exceeded the lockout threshold. The attacker
would then have some information about the tolerances of the system and
set his/her password cracking scripts accordingly.
A pretty minor threat though overall.
-matthew Priestley
mpriest@microsoft.com
Phone: 425-703-9478
Pager: 866-776-9851
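The probing pattern described above (a run of failed logons against the disabled Guest account until the response changes to "locked out") is exactly what a defender would want to alert on, since nobody legitimate should be authenticating as a disabled account. The following is an added example, not code from this thread or from Microsoft; it runs over a constructed, simplified text rendering of logon-failure audit events (the field names, the list of disabled accounts and the warning threshold are all assumptions for the example).

```python
"""Detect lockout-threshold probing against disabled accounts.

Added example: the log format below is a constructed, simplified rendering of
Windows logon-failure audit events, not real Event Log output.  For reference,
the Windows 2000 security audit IDs for these outcomes are 529 (bad user name
or password), 531 (account currently disabled) and 539 (account locked out).
"""
import re
from collections import defaultdict

# Constructed sample: one source hammers the disabled Guest account with bad
# passwords until the error changes to "locked out", revealing the threshold.
SAMPLE_LOG = """\
2001-12-03 11:01:02 Logon=Failure Status=BadPassword User=jsmith Source=WS01
2001-12-03 11:02:10 Logon=Failure Status=BadPassword User=Guest Source=10.0.0.9
2001-12-03 11:02:11 Logon=Failure Status=BadPassword User=Guest Source=10.0.0.9
2001-12-03 11:02:12 Logon=Failure Status=BadPassword User=Guest Source=10.0.0.9
2001-12-03 11:02:13 Logon=Failure Status=BadPassword User=Guest Source=10.0.0.9
2001-12-03 11:02:14 Logon=Failure Status=BadPassword User=Guest Source=10.0.0.9
2001-12-03 11:02:15 Logon=Failure Status=LockedOut User=Guest Source=10.0.0.9
2001-12-03 11:05:40 Logon=Failure Status=BadPassword User=jsmith Source=WS01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Logon=Failure Status=(?P<status>\w+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)

# Accounts the directory says are disabled (assumed list for the example).
# Account names are compared case-insensitively, as in NT/AD.
DISABLED_ACCOUNTS = {"guest"}


def parse_events(text):
    """Turn the constructed log text into a list of dicts, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_disabled_account_probing(events, disabled=DISABLED_ACCOUNTS, warn_after=3):
    """Return findings for failed logons aimed at disabled accounts.

    Two signals are raised:
      * 'probing' - at least `warn_after` bad-password failures against a
                    disabled account from one source;
      * 'lockout' - a disabled account reached the locked-out state; the count
                    of prior bad passwords from that source approximates the
                    lockout threshold the prober has now learned.
    """
    bad_pw = defaultdict(int)  # (user, source) -> bad passwords seen so far
    findings = []
    for ev in events:
        user, src, status = ev["user"].lower(), ev["src"], ev["status"]
        if user not in disabled:
            continue  # failures against live accounts are handled elsewhere
        key = (user, src)
        if status == "BadPassword":
            bad_pw[key] += 1
            if bad_pw[key] == warn_after:
                findings.append({"kind": "probing", "user": user, "source": src,
                                 "failures": bad_pw[key], "at": ev["ts"]})
        elif status == "LockedOut":
            findings.append({"kind": "lockout", "user": user, "source": src,
                             "failures_before_lockout": bad_pw[key], "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_disabled_account_probing(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample, the detector raises a "probing" finding at the third bad password from 10.0.0.9 and a "lockout" finding recording that five bad passwords preceded the lockout, which is the number the prober walked away with. Failures against enabled accounts are deliberately left to a separate rule so this one stays quiet except for the disabled-account case.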
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Friday, November 30, 2001 3:16 PM
To: Robert Rota; Focus on Microsoft Mailing List
Subject: Re: AD access
Why are you trying to delete the guest account, specifically?
Aside from that, if you boot into directory services restore mode on a DC,
AD is not initialized and you can manipulate it with utilities like
NTDSUTIL.
Laura
----- Original Message -----
From: "Robert Rota" <robert.a.rota@saic.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, November 30, 2001 10:29 AM
Subject: AD access
>
>
> Quick question that I would like anyone to answer..
> Do you know of a utility that will access Active
> Directory in the LocalSystem Context? I would like to
> be able to delete the Guest account after I have
> promoted the server. As you know, accounts are then
> stored in ntds.dit. For some reason I cannot
> manipulate the name spaces the way I could the
> registry. Do you know of a tool that can modify these
> fields and that will run with system privilege? I have
> opened the adsi edit utility with LocalSystem privilege
> and still not been able to delete the Guest account.
> Any insight that you may have into this process would
> be appreciated. Also, do you know of a tool that can
> manipulate Active Directory if it is not loaded into
> memory? For instance, say I boot the DC with a
> floppy and mount the FS. Now I have bypassed ACLs
> and I want to edit ntds.dit? I assume the ADSI may be
> programmed to do this but I am skeptical about the
> ACL?
>
> Again, any insight would be greatly appreciated....
>
> Thanks,
>
> Rob