[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-disclosure] Active Directory accounts
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: RE: [Full-disclosure] Active Directory accounts
- From: "Angel Barrio" <abmartinez@xxxxxxxxxxxx>
- Date: Fri, 8 Sep 2006 15:21:49 +0200
Hi Steve,
Yes I was aware that the LastLogon property is not replicated among ADs and
therefore, in my script, I query for the LastLogon property value of every
user at every AD within our domain and eventually I keep record of the last
date registered among all the controllers.
It seems that the testing you've done confirms my theory about how and when the
LastLogon property is updated. It's good to know that this property changes
every time the user authenticates to the domain regardless the way it does,
otherwise this property would not be reliable to look at for security concerns.
Thank you very much for your information.
Regards,
--------------------------------------------------------
Angel Barrio Martínez,
Systems Security Engineer
mail: abmartinez@xxxxxxxxxxxx
phone: +34 944011768
fax: 944011030
LinkedIn: http://www.linkedin.com/in/abmartinez
EUSKALTEL, S.A.
Parque tecnológico de Zamudio Edificio 809 Planta J
48160 Derio (VIZCAYA)
------------------------------Aviso Legal / Legal Disclaimer / Lege
Oharra-----------------------------------------
Este mensaje se dirige exclusivamente a su destinatario y puede contener
información privilegiada o confidencial. Si no es vd. el destinatario indicado,
queda notificado de que la utilización, divulgación y/o copia sin autorización
está prohibida en virtud de la legislación vigente. Si ha recibido este mensaje
por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y
proceda a su destrucción.
This message is intended exclusively for its addressee and may contain
information that is CONFIDENTIAL and protected by professional privilege. If
you are not the intended recipient you are hereby notified that any
dissemination, copy or disclosure of this communication is strictly prohibited
by law. If this message has been received in error, please immediately notify
us via e-mail and delete it.
Mezu honen hartzaile zarenez, jakinarazten dizugu posta elektronikoak eta
Internet bidezko komunikazioek ez dutela ziurtatzen ez bermatzen bidalitako
mezuen konfidentzialtasuna, osotasuna ez eta behar bezala jasoko direnik ere.
Hori dela eta, Euskaltel S.A.k ez du bere gain hartzen egoera horien
erantzukizunik. Ez baduzu baimenik eman nahi posta elektronikoa erabiltzeko edo
komunikazioak Internet bidez bidaltzeko, mesedez, jakinaraz iezaguzu
lehenbailehen. Mezu honen hartzailearentzat bakarrik da mezu hau. Baliteke
informazio konfidentziala izatea edo sekretu profesionalari loturiko
informazioa izatea, eta Legeak ez du baimentzen informazio hori zabaltzea. Mezu
hau hutsegite baten ondorioz jaso baduzu, mesedez, jakinaraz iezaguzu berehala,
bidaltzaileari mezu elektronikoa bidalita, eta ezabatu mezua eta horri
erantsitako dokumentuak.
-----------------------------------------------------------------------------------------------------------------
-----Mensaje original-----
De: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] En nombre de Steven Rakick
Enviado el: viernes, 08 de septiembre de 2006 15:00
Para: full-disclosure@xxxxxxxxxxxxxxxxx
Asunto: RE: [Full-disclosure] Active Directory accounts
Hello Angel,
You are aware that the lastLogon property isn't
replicated right? If you have a multi-domain
controller environment, you have to poll each DC for
the lastLogon value to get an accurate value. That was
probably the reason for the inconsistency. I have
already validated that AD Inspector polls all domain
controllers for the value. My concern was more along
the lines of at what point is the lastLogon updated.
I've done some testing and it does appear that it's
updated any time the object authenticates, regardless
of how or where.
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On
Behalf Of Angel Barrio
Sent: Friday, September 08, 2006 7:13 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] Active Directory
accounts
Hi
We have recently developed a script to gather detailed
user information from our AD in order to identify user
accounts not used for a long time and proceed with
deletion of such users.
During our test, at least we have observed that the
LastLogon property is changed not only with the
interactively logon to a desktop system, but also
while mapping a network drive. We have not tested it
with third party applications that make use of the AD
just as and LDAP for authentication, but it is very
likely that this property will also be updated this
way.
Regards,
--------------------------------------------------------
Angel Barrio Martínez,
Systems Security Engineer
mail: abmartinez@xxxxxxxxxxxx
phone: +34 944011768
fax: 944011030
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/