Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily Escalate Privileges andLogin as Cached Domain Admin Accounts (2010-M$-002)

[Michael Bauer <ravenmsb@xxxxxxxxx>]

Maybe what some of us need to learn from this is that we should never think in 
absolutes such as local VS domain users. There are  numerous account types and 
the overrides to take into account with any OS and they change.

This is more of a wakeup call to brush up on our understanding of permissions.

I know this is not a vulnerability but it was a great posting to wake some of 
us up and remind us that things are never absolute when it comes to 
permissions. We learn about things in such a manner that we forget to think 
outside the box. Even if controls are designed to work a specific way that 
doesn't mean they will. 

This is not directed at anyone rather an observation that might help other with 
similar thought on the subject.

Mike

Sent from my iPhone

On Dec 13, 2010, at 1:15 PM, "David Gillett" <gillettdavid@xxxxxxxx> wrote:

>> If I take the domain admin out of my local administrators, they can't do
> anything.  Done.
> 
>  Back when I did AD/domain support, all domain user accounts got a profile
> that included a trivial script to re-add Domain Admins to the Local Admins
> group.  So this kind of local removal shenanigans lasted only until the user
> next logged into the domain.
> 
> David Gillett
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/