Re: disclosure the administrative password

From: Thor (thor_at_hammerofgod.com)
Date: 02/02/05

  • Next message: d.pigna_at_email.it: "Re: disclosure the administrative password"
    To: "Boris Skoblo" <borsk@techunix.technion.ac.il>, <focus-ms@securityfocus.com>
    Date: Wed, 2 Feb 2005 09:47:03 -0800
    
    

    Thanks for the explanation- it helps to have context in mind when offering
    opinions...

    Inline--

    >> This sounds like one of those "loaded" questions... This is a security
    >> list, so we will want to know "why." Why is a smart card and all other
    >> hardware not applicable?
    >
    > These methods not applicable because of budgetary limitations

    You can use USB-based readers that aren't that expensive at all... Just have
    the admin keep it in his bag o' tricks. It's smart to require smartcard
    logon for admin anyway, and it is a very effective way to require 2 stage
    authentication.

    >> Why can't the operations be delegated?
    >
    > For example, stoping and starting of various services for the diagnostic
    > purposes

    Remote management would work in this example, and hopefully many others.

    >> Wipe the machine and prevent non-admin loading of drivers. User SAFER
    >> restrictions to only allow designated software to run. Initiate
    >> corporate policy to fire and or prosecute offending users.
    >>
    >> Use Remote Desktop on XP to initiate administrative tasks which bypass
    >> the hardware keystroke logger (until Blue Boar and I write our Terminal
    >> Services Keystroke Logger, that is. We're calling it Terminal Stroke.)
    >> Worse case, change the admin password after you have to do whatever it is
    >> you have to do as an admin on the box.
    >
    > As about W2K workstations ?

    SAFER restrictions wouldn't apply, but the general policy of restricting
    driver installation would. It should really be a standard policy setting
    anyway. Note that there is a separate policy object that also allows/denies
    *printer* driver installation as well. Typically in larger organizations,
    I've seen the policy set to allow users to install printers but not other
    drivers. While I've never seen a root-kit posing as a printer driver, it's
    doable, so you would have to weigh the cost of having an admin install
    drivers vs. the risk of introducing a root-kit via printer driver.

    As stated before, Remote Desktop would work on XP, but not Win2k
    workstations. You'd need some other remote-management software for those.
    But if budget is an issue, that probably won't fly. Also, many of these
    remote-management products introduce their own security concerns in the
    process.

    Knowing that budget keeps you from using smart cards, I'd like to offer the
    following: IT expenditures should not look only at hard dollars. Buying a
    few smart card readers and some smart cards will cost you X. What will
    *not* buying them cost you? How much additional admin time will be burned
    by administering cut-and-paste-from-floppy kludges? How much admin time will
    be burned by having to change the admin password every time someone uses
    RunAs at a workstation? How much for remote admin software or upgrades to
    XP? And in the end, these solutions still leave admin access open to anyone
    with the password.

    But, barring all that, the simplest "as is" solution is group policy and
    remote admin.
    t

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: d.pigna_at_email.it: "Re: disclosure the administrative password"

    Relevant Pages

    • Re: Securing win32_process.create ?
      ... The reason you are having problems is essentially because you're expecting an admin operation to be able to be performed by a user who does not have admin rights. ... Looking at TrueCrypt, it certainly does not look like it's been designed for remote instantiation, nor to run as a non-interactive remote process. ... would be allowed to run a process on a remote machine and you'd also ...
      (microsoft.public.win32.programmer.wmi)
    • Re: DC Admin question
      ... There is actually a middle ground, but the line between it and admin is so ... The use case has bearing on the driver install need. ... You have to be an admin to perform the original driver installation. ... It does not grant the privilege. ...
      (microsoft.public.windows.server.security)
    • Re: DC Admin question
      ... could with great ease become an admin. ... The use case has bearing on the driver install need. ... You have to be an admin to perform the original driver installation. ... It does not grant the privilege. ...
      (microsoft.public.windows.server.security)
    • Re: ISA and RWW
      ... now when I type in mail.company.com/exchange or remote I am directed to ... because they are running ISA". ... in the previous admin. ... in a single server enviornment and I have never used ISA in any of the ...
      (microsoft.public.windows.server.sbs)
    • Re: remote access trouble
      ... This is the precise reason why you don't go for general terminal services ... > I add the user to the remote desktop users group AND assign the right to ... > Now the admin has no rights to access the computer remotely....at all. ...
      (microsoft.public.windows.server.active_directory)