Re: disclosure the administrative password

• Previous message: Thor: "Re: disclosure the administrative password"
• Maybe in reply to: Boris Skoblo: "disclosure the administrative password"
• Next in thread: Boris Skoblo: "Re: disclosure the administrative password"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 01 Feb 2005 19:07:24 -0600
To: <focus-ms@securityfocus.com>

Keyloggers are amongst my biggest fears...

I deal with this by telling my users that have sensitive privileges (should be called
"responsibilities," but that ship has sailed...) to simply not log on to machines that
are not trusted (essentially... anything besides their own workstations).

They all have laptops, and can run most administrative software from those,
and/or remote back to their workstations if the laptop can't handle it. I don't know
if that will work in your situation.

If you're talking about admin to the local workstation, my users have a separate
account (with a different password!) that grants them admin to the workstation
but no additional rights to the network. (We run NetWare/ZenWorks/Windows
workstations with about 1200 client systems and 3500 users [students and
staff].)

I guess the short answer is that you simply can't trust the client systems
with sensitive login credentials.

You can mitigate potential damage (from disclosure of the "local admin" account
password) by changing the password regularly.

If your systems are standardized enough (i.e., down to the same system image and
model/type/installed application base and peripherals) you could try booting with a
Linux CD that includes md5 digests for each file, and verify the system integrity with
that. You could use md5deep to accomplish this, and the digests would fit on a floppy.

If you're really paranoid, use sha256deep. :-)

Or simply go on the offensive, and install keyloggers before they do. There are
apps out there that will "notice" people trying to install malware, and alert you.
I won't name names for security reasons, but google has your answers.

Regards,

Tom Stowell
Network Administrator
DeForest Area School District
520 E. Holum St.
DeForest, WI 53532
Fax: (608)-842-6545
Voice: (608)-842-6500
Email: <jts@deforest.k12.wi.us>

console, n. [From latin consolatio(n) "comfort, spiritual solace."] A device for displaying or printing condolances or obituaries for the operator.
            -- Stan Kelly-Bootle, The Computer Contradictionary.

>>> "Boris Skoblo" <borsk@techunix.technion.ac.il> 02/01/05 06:50AM >>>
Hi All,

There is a usual situation: on normal users computers ( W2k and Winxp ) an
administrator should perform an administrative actions
 (for example, with help RunAs) thus the administrative password is entered.
Do exist a potential possibility that on the user's computer
 there is keylogger.

What ways to perform administrative operations exist, thus not endangering
disclosure the administrative password? There are some limitations:

1. usage of smarts-cards and others hardvare devices are not applicable .

2. performed operations cannot be delegated for various reasons

3. keylogger is custom designed and any of existing protective software yet
does not find out it

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Regards,

Boris Skoblo

---------------------------------------------------------------------------
---------------------------------------------------------------------------

---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: Thor: "Re: disclosure the administrative password"
• Maybe in reply to: Boris Skoblo: "disclosure the administrative password"
• Next in thread: Boris Skoblo: "Re: disclosure the administrative password"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]