Re: Risks of Local Admin Access on Domain PC?
From: Lanwench [MVP - Exchange] (lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 02/25/03
- Next message: Lanwench [MVP - Exchange]: "Re: Creating a folder with a password"
- Previous message: Lanwench [MVP - Exchange]: "Re: Creating a locked folder on Window XP"
- In reply to: Karl Levinson [x y] mvp: "Re: Risks of Local Admin Access on Domain PC?"
- Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Risks of Local Admin Access on Domain PC?"
- Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Risks of Local Admin Access on Domain PC?"
- Reply: David Caldwell: "Re: Risks of Local Admin Access on Domain PC?"
From: "Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> Date: Tue, 25 Feb 2003 15:11:44 -0500
... I agree with Karl - I would not run apps that were so badly written as
to require local admin permissions. Check with the vendors. There may be
workarounds.
Karl Levinson [x y] mvp wrote:
> Which software programs? Are you sure Administrator privileges are
> required?
>
> AFAIK the attack you describe is not a common attack. Local
> administrators can do lots of other things... install a sniffer to
> gather password hashes across the network, install a keystroke logger
> to capture other passwords, etc. It may be wise to restrict the
> administrator of a machine to just the person or people who are
> likely to need to use that machine, instead of letting anyone log in
> anywhere. It may also be a good idea to research or quiz the vendors
> of the apps you're thinking of to confirm that Administrator
> privileges are the only way to go.
>
> Although it is a challenge to harden a computer against an authorized
> user in the administrators group, you may also want to generally
> harden the computers:
>
> http://securityadmin.info/faq.htm#harden
>
> In such a case, auditing, change monitoring, event log monitoring and
> detection become more important, so you can see signs of unauthorized
> access in places where you aren't able to reliably forbid access:
>
> http://securityadmin.info/faq.htm#auditing
>
>
> "David Caldwell" <dlcaldwell@netscape.net> wrote in message
> news:3E5B7FF9.3050203@netscape.net...
>> Hello Everyone,
>>
>> How and where does Windows 2000/XP store cached passwords?
>> What is the chance a user with local admin access can read and
>> try to break those passwords? I am rolling out Active
>> Directory in our area. Unfortunately, many of the software
>> programs the users need require them to have local Admin access
>> to the computer. I'm concerned they may be able to gain access to
>> other people's passwords - especially passwords of our domain
>> admin staff. Are there any other potential security risks when
>> users have local admin access to computers that are members of an
>> Active Directory domain?
>>
>> Any insights would be greatly appreciated.
>>
>>
>>
>> --Dave
>>
>>
>> -------------------------
>> David L. Caldwell
>> College of Engineering
>> University of Delaware