[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Insufficient Authentication vulnerability in Asus notebook
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Insufficient Authentication vulnerability in Asus notebook
- From: Ansgar Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
- Date: Fri, 15 May 2009 10:56:59 +0200
On 2009-05-14 nameless wrote:
> Steve Quan wrote:
>> Is there something like su/sudo in the Windows world ? How do windows
>> administrators handle this (ie accountability) ?
>
> There is "runas".
Indeed. There's also a variety of third-party tools like SuperiorSU [1].
> There is no accountability with the local admin account. You can
> disable the account and use domain credentials, but when the domain
> isn't available, you're screwed, so it is a poor decision.
I wouldn't agree entirely. It depends on who is given the password for
the local administrator account. You only have no accountability if more
than one person knows that password.
[...]
> In regards to changing the Admin account name, why make it easy for
> the kiddiots? It is trivial for any of us to bypass this, right?
Please elaborate. What attack scenarios do you see that aren't mitigated
by a strong password? Besides, even if you change the login name, the
SID of the account (which is well-known) still remains the same.
[...]
> Changing the Administrator name is just another layer in the onion of
> your defensive strategy.
I entirely fail to see what additional security that will gain you, so
please explain.
[...]
> And I'm not trying to be a smart ass, but does anyone really use
> LM-hashes anymore?
I don't believe they're actually used by anyone anymore. However, the
use of LM-hashes is still enabled by default on any XP.
[1]
http://www.stefan-kuhr.de/cms/index.php?option=com_content&view=article&id=62&Itemid=73
Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html