Re: disclosure the administrative password

From: Jack Me (c0rupted_at_hotmail.com)
Date: 02/02/05

  • Next message: Thor: "Re: disclosure the administrative password" 
    To: borsk@techunix.technion.ac.il, thor@hammerofgod.com, focus-ms@securityfocus.com
Date: Wed, 02 Feb 2005 11:00:41 -0800

    Use fport from www.foundstone.com to map out every process. Chances are if
    the admin password has been compromised that is the least of your worries. I
    would start looking for backdoors any programs that would would just dump
    the user on the system. At that point the attacker could just come and go.
    Final though... Rebuild to make sure.

    >From: "Boris Skoblo" <borsk@techunix.technion.ac.il>
    >To: "Thor" <thor@hammerofgod.com>, <focus-ms@securityfocus.com>
    >Subject: Re: disclosure the administrative password
    >Date: Wed, 2 Feb 2005 09:09:59 +0200
    >
    >
    >----- Original Message ----- From: "Thor" <thor@hammerofgod.com>
    >To: "Boris Skoblo" <borsk@techunix.technion.ac.il>;
    ><focus-ms@securityfocus.com>
    >Sent: Tuesday, February 01, 2005 11:58 PM
    >Subject: Re: disclosure the administrative password
    >
    >
    >>This sounds like one of those "loaded" questions... This is a security
    >>list, so we will want to know "why." Why is a smart card and all other
    >>hardware not applicable?
    >
    >These methods not applicable because of budgetary limitations
    >
    >>Why can't the operations be delegated?
    >
    >For example, stoping and starting of various services for the diagnostic
    >purposes
    >
    >>And so what if it is a custom logger- it's still a driver. Is it a root
    >>kit logger? If so, how do you know that?
    >
    >Whether I do not know present keylogger at system,
    >but potential possibility exists therefore I should take safety measures
    >
    >>What actions does the admin have to perform that require RunAs in the
    >>first place, exactly? Answering these will help us give you better
    >>answers.
    >
    >
    >For example, stoping and starting of various services for the diagnostic
    >purposes
    >
    >>
    >>Wipe the machine and prevent non-admin loading of drivers. User SAFER
    >>restrictions to only allow designated software to run. Initiate corporate
    >>policy to fire and or prosecute offending users.
    >>
    >> Use Remote Desktop on XP to initiate administrative tasks which bypass
    >>the hardware keystroke logger (until Blue Boar and I write our Terminal
    >>Services Keystroke Logger, that is. We're calling it Terminal Stroke.)
    >>Worse case, change the admin password after you have to do whatever it is
    >>you have to do as an admin on the box.
    >
    >As about W2K workstations ?
    >>
    >>T
    >>
    >>----- Original Message ----- From: "Boris Skoblo"
    >><borsk@techunix.technion.ac.il>
    >>To: <focus-ms@securityfocus.com>
    >>Sent: Tuesday, February 01, 2005 4:50 AM
    >>Subject: disclosure the administrative password
    >>
    >>
    >>>Hi All,
    >>>
    >>>There is a usual situation: on normal users computers ( W2k and Winxp )
    >>>an administrator should perform an administrative actions
    >>>(for example, with help RunAs) thus the administrative password is
    >>>entered. Do exist a potential possibility that on the user's computer
    >>>there is keylogger.
    >>>
    >>>
    >>>What ways to perform administrative operations exist, thus not
    >>>endangering disclosure the administrative password? There are some
    >>>limitations:
    >>>
    >>>1. usage of smarts-cards and others hardvare devices are not applicable .
    >>>
    >>>2. performed operations cannot be delegated for various reasons
    >>>
    >>>3. keylogger is custom designed and any of existing protective software
    >>>yet does not find out it
    >>>
    >>>------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    >>>
    >>>Regards,
    >>>
    >>>Boris Skoblo
    >>>
    >
    >Boris
    >
    >
    >---------------------------------------------------------------------------
    >---------------------------------------------------------------------------
    >

    _________________________________________________________________
    Don’t just search. Find. Check out the new MSN Search!
    http://search.msn.click-url.com/go/onm00200636ave/direct/01/

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: Thor: "Re: disclosure the administrative password"