Re: Local admin becomes domain admin - Dubmwabbit

From: Lohkee (Lohkee@worldnet.att.net)
Date: 12/26/02


From: "Lohkee" <Lohkee@worldnet.att.net>
Date: Thu, 26 Dec 2002 07:37:08 GMT


"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:Op61X9CrCHA.1636@TK2MSFTNGP12...
> Ok, what methods other than trojans and web pages that use basic
> authentication and pull passwords and other ways that show poor domain
admin
> quality versus inadequacies in the OS?
>
> That wouldn't work in our environment, our domain admins are brighter than
> that and don't just log on to other people's PC's. The only machines they
> log into we have full control of and no one else has control of or in fact
> can even log into interactively.
>
> There is no valid way of doing it that doesn't require interaction with
> someone who already has domain admin rights.I.E.

The regular schmoe who has his own PC and is Admin of it isn't about to get
domain admin rights.

Have it your way. You might not like the answer but it has proven itself
extremely effective time after time after time. For what it is worth, the
"schmoe" does not even have to have local admin if he really knows his
stuff. If you want to limit the conversation to OS inadequacies, you may
want to explore the numerous holes that are routinely reported - about three
just this week I believe - (buffer overflows, etc) on forums such as bugtraq
which can be used to accomplish the same task (although why someone with
local admin would go to all that trouble when loading a simple driver will
accomplish the same goal with much less effort is beyond me). I might add it
is people like you that make life so much easier for people like me. Have a
good one.

Lohkee!

>
> --
> Joe Richards
> www.joeware.net
> ---
>
> "Lohkee" <Lohkee@worldnet.att.net> wrote in message
> news:wS9O9.12133$p_6.968968@bgtnsc04-news.ops.worldnet.att.net...
> > I disagree. Being a local admin makes it very easy to capture "domain
> > admin" rights. Several methods come to mind, the easiest being, to load
a
> > keystroke logging program and then get a domain admin to log on under
the
> > pretext of needing help with a problem.
> >
> > Lohkee!
> >
> >
> >
> > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > news:#Qlkvb7qCHA.2504@TK2MSFTNGP12...
> > > Being an admin of a workstation does not give you any capability to
> become
> > a
> > > Domain Admin.
> > >
> > > --
> > > Joe Richards
> > > www.joeware.net
> > > ---
> > >
> > > "Ray at home" <ray@lane34dotcommercial> wrote in message
> > > news:Ox4NiGxpCHA.1628@TK2MSFTNGP12...
> > > > (accidentally posted this once before as a reply to another thread -
> > > please
> > > > ignore that)
> > > >
> > > > Dubmwabbit,
> > > >
> > > > You wrote the snippets below in another post. I'm curious as to how
> > this
> > > > can be done. I'm not looking to do it myself or anything like that.
> > > Where
> > > > I work, I setup three domain groups called:
> > > >
> > > > DOMAIN\TempAdmin
> > > > DOMAIN\ISAdmin
> > > > DOMAIN\TempInstall
> > > >
> > > > Tempadmin and ISadmin groups are members of the local admin groups
on
> > all
> > > > the workstations. And the Tempinstall group is a member of the
power
> > > users
> > > > group on all the workstations. This way, if we need to give someone
> > admin
> > > > rights on his PC, we add him to the appropriate group. (This will
> give
> > > him
> > > > admin rights to other workstations then too; we are aware...). The
> > > ISAdmin
> > > > group is used for our helpdesk personel who need admin rights on the
> > > > workstations but no admin rights on the servers.
> > > >
> > > > So, if we give someone local admin rights, what is this about
> privilege
> > > > escalation to domain admin status?
> > > >
> > > > Thanks a lot,
> > > >
> > > > Ray at home
> > > >
> > > > "dumbwabbit" <dumbwabbit@yahoo.com> wrote in message
> > > > news:071c01c2a6e0$94454d10$8af82ecf@TK2MSFTNGXA03...
> > > >
> > > > > make them a member of the Local Administrators group
> > > >
> > > > Be advised however, that
> > > > > by granting this level of authority to the user, they can
> > > > > very easily (if they know how) perform a privilege
> > > > > escalation to give them Domain Admin status.
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Relevant Pages

  • Re: local admin account password
    ... What I think would be a better scheme is to set a very complex* random ... This eliminates the vulnerability created by weak admin passwords ... Do you think if someone wanted to break the local admin account they ...
    (Focus-Microsoft)
  • Re: Opinions needed on Windows Administrative Rights
    ... >> CAN'T GIVE USERS ANY RIGHTS! ... Issuing local admin privs is dangerous because: ... A lot of new viruses first go after anti-viruses by stopping the process ...
    (comp.security.misc)
  • Re: How can I change the admin password of all our XP PCs on the doma
    ... You don't go to each workstation and check if that user changed the local admin password. ... If the box has a problem that means you can't use a domain admin account to logon, it is usually quicker to rebuild than troubleshoot. ... If you want to control the Local Administrators on the workstations, just disable the Local Administrator, and then use another GPO or Script that adds a existing security group in your AD as member of the local Administrators on the workstations. ...
    (microsoft.public.windows.server.active_directory)
  • RE: Anonymous Web based printing for standard users
    ... local admin group, login and install the printeras the user, then remove ... them from the admin group. ... > which the printer is installed, either using IPP or RPC. ... > creates a local queue which requires local admin rights and with RPC it does ...
    (microsoft.public.inetserver.iis)
  • Re: Lost my quick launch
    ... What were the local admin tasks??? ... Since Quick Launch works OK for my wife's login and for the built in local ... >> my login to the local admin group. ...
    (microsoft.public.windowsxp.general)