Re: disclosure the administrative password

From: Boris Skoblo (borsk_at_techunix.technion.ac.il)
Date: 02/02/05

    To: "Thor" <thor@hammerofgod.com>, <focus-ms@securityfocus.com>
    Date: Wed, 2 Feb 2005 09:09:59 +0200
    
    

    ----- Original Message -----
    From: "Thor" <thor@hammerofgod.com>
    To: "Boris Skoblo" <borsk@techunix.technion.ac.il>;
    <focus-ms@securityfocus.com>
    Sent: Tuesday, February 01, 2005 11:58 PM
    Subject: Re: disclosure the administrative password

    > This sounds like one of those "loaded" questions... This is a security
    > list, so we will want to know "why." Why is a smart card and all other
    > hardware not applicable?

    These methods are not applicable because of budgetary limitations.

    > Why can't the operations be delegated?

    For example, stopping and starting various services for diagnostic
    purposes.

    > And so what if it is a custom logger- it's still a driver. Is it a root
    > kit logger? If so, how do you know that?

    I do not know whether a keylogger is present on the system,
    but the potential possibility exists, therefore I should take safety measures.

    >What actions does the admin have to perform that require RunAs in the first
    >place, exactly? Answering these will help us give you better answers.

    For example, stopping and starting various services for diagnostic
    purposes.

    >
    > Wipe the machine and prevent non-admin loading of drivers. Use SAFER
    > restrictions to only allow designated software to run. Initiate corporate
    > policy to fire and/or prosecute offending users.
    >
    > Use Remote Desktop on XP to initiate administrative tasks which bypass
    > the hardware keystroke logger (until Blue Boar and I write our Terminal
    > Services Keystroke Logger, that is. We're calling it Terminal Stroke.)
    > Worst case, change the admin password after you have to do whatever it is
    > you have to do as an admin on the box.

    What about W2K workstations?
    >
    > T
    >
    > ----- Original Message -----
    > From: "Boris Skoblo" <borsk@techunix.technion.ac.il>
    > To: <focus-ms@securityfocus.com>
    > Sent: Tuesday, February 01, 2005 4:50 AM
    > Subject: disclosure the administrative password
    >
    >
    >> Hi All,
    >>
    >> There is a usual situation: on normal users' computers (W2K and WinXP)
    >> an administrator should perform administrative actions
    >> (for example, with the help of RunAs), thus the administrative password is
    >> entered. There exists a potential possibility that on the user's computer
    >> there is a keylogger.
    >>
    >>
    >> What ways to perform administrative operations exist that do not
    >> endanger disclosure of the administrative password? There are some
    >> limitations:
    >>
    >> 1. usage of smart cards and other hardware devices is not applicable.
    >>
    >> 2. performed operations cannot be delegated for various reasons
    >>
    >> 3. the keylogger is custom designed and none of the existing protective
    >> software detects it yet
    >>
    >> ------------------------------------------------------------------------
    >>
    >> Regards,
    >>
    >> Boris Skoblo
    >>

    Boris

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

