RE: Threat vector of running a service using a domain account



You guys may be right, but I want to clarify what I meant. When I said server I meant the one running the service (maybe should have said workstation or client), not one that is part of AD doing the authentication.

Correct me if I'm wrong, but when you run a service you put in the ID, in this case the Domain Admin, and its password. So effectively that password is now stored on the system that is running the service. If that machine is taken offline, when the service attempts to start it should fail. It can't communicate to authenticate, but the password is still present on the local machine (I believe in LSA Secrets). Granted, it's a different hash than interactive users', but a hash nonetheless. Different attack vector - similar problem.

Jay

----- Original Message -----
From: Ramsdell, Scott [mailto:Scott.Ramsdell@xxxxxxxxxxx]
To: docbook.xml@xxxxxxxxx,jay.tomas@xxxxxxxxxxxxxxx
Cc: smanaois3@xxxxxxxxx,security-basics@xxxxxxxxxxxxxxxxx
Sent: Fri, 14 Sep 2007 09:01:05 -0400
Subject: RE: Threat vector of running a service using a domain account

Saqib,

I believe you're right. Each time I've run cachedump for demonstration
I do not receive hashes for services logging in over the network, I only
receive hashes for interactive users.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ali, Saqib
Sent: Thursday, September 13, 2007 12:42 PM
To: Jay
Cc: smanaois3@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Threat vector of running a service using a domain account

If a server does cache these credentials then these can be attacked
independent of the AD and its underlying security controls.


If a service uses domain credential, do those credentials get cached?
I thought only interactive logon credentials are cached.

saqib
http://security-basics.blogspot.com/
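
An added example, not part of any message in this thread: a PowerShell audit that lists the services on the local machine configured to log on with a domain account, which is the case discussed above where the account's password is kept on the machine running the service. The helper name Get-ServiceLogonType and its category labels are assumptions made for this example.

```powershell
# Added example: classify a service's logon account (Win32_Service.StartName)
# so that services running under a domain account can be listed and reviewed.
function Get-ServiceLogonType {
    param(
        [string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Drivers and some services report no logon account at all.
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'None' }

    # Built-in identities: no administrator-supplied password is configured.
    if ($StartName -eq 'LocalSystem' -or $StartName -like 'NT AUTHORITY\*') {
        return 'BuiltIn'
    }

    # Per-service virtual accounts (NT SERVICE\<name>).
    if ($StartName -like 'NT SERVICE\*') { return 'Virtual' }

    # user@domain (UPN form) is always a domain account.
    if ($StartName -match '^[^\\@]+@[^\\@]+$') { return 'Domain' }

    # SCOPE\user: '.' or the computer name means a local account,
    # anything else is treated as a domain account.
    if ($StartName -match '^(?<scope>[^\\]+)\\(?<user>.+)$') {
        if ($Matches.scope -eq '.' -or $Matches.scope -eq $ComputerName) {
            return 'Local'
        }
        return 'Domain'
    }

    return 'Unknown'
}

# Report every service on this machine that logs on with a domain account.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { (Get-ServiceLogonType -StartName $_.StartName) -eq 'Domain' } |
    Sort-Object StartName, Name |
    Select-Object Name, DisplayName, StartName, StartMode, State |
    Format-Table -AutoSize
```

Each row is a service whose logon account should be checked against its actual privilege needs; a Domain Admin appearing in the StartName column is the situation the thread is concerned with.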


