Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

["Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>]

>The attack has some academically interesting details about how cached
>credentials work, but I agree with Stefan. If you own the machine, you own
>the machine. What's to stop you from, say, simply installing a rootkit?

Exactly.  More importantly, even if you must make users local admins, there is 
never *any* reason why the domain administrator should interactively log onto a 
workstation as the domain administrator anyway.  Service personnel log on with 
support accounts, not the domain admin accounts.  If they do, well, then you've 
got other problems.  But in this case even if a domain admin logs in 
interactively (or via RDP), it's not an issue.  Cached credentials can't be 
used for anything other than to log on to the local machine if there is no DC 
available.  After a domain account logs on to a local system, after AD 
authenticates the request, then *another* hash is made of the hashed password 
with *a different salt* each time, for each user cached. 

As far as the academic interest, cached account behavior is a documented 
process which has been around for years, local admin overwrite capabilities 
included.  

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/