Focus on Microsoft
RE: Local Account Vs Domain Account Jan 20 2004 07:30PM
Matthew Wagenknecht (Matthew Wagenknecht quantum com) (1 replies)
Passwords are stored in the registry for accounts that are used for
services. You can easily pull them out locally on the machine with LSAdump,
etc.

If you use a domain account, anyone that compromises that host will have a
domain account to play with. They would have access to all Everyone/Domain
Users shares (which is a bad idea to allow anyway). Most companies allow
dial-in and remote access (VPN, etc) for all domain accounts, which would
give an attacker the ability to remotely access your LAN should they
discover the dial-up phone number or VPN address. (Please, use two-factor
auth on VPNs!!!!)

If you use a local account with a password that is not used on any other
host, the primary exposure would be local machine access; secondary exposure
would be that they have an IP on your network. But if they are able to run
LSADump locally, they already have that. They would have to work a little
harder to get access to other systems based on domain credentials.

As a side note, do not make the local account part of the Administrators
group. This will make remote attacks more difficult.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht CISSP | MCSE
Sr. Security Administrator
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Never be afraid to try something new.
Remember, amateurs built the ark; professionals built the Titanic.

This email may contain confidential and privileged information for the sole
use of the intended recipient. Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact
the sender and delete all copies of this email message.

-----Original Message-----
From: Leon, Mauricio (Toronto) [mailto:Mauricio.Leon (at) WatsonWyatt (dot) com]
Sent: Tuesday, January 20, 2004 8:00 AM
To: focus-ms (at) securityfocus (dot) com
Subject: Local Account Vs Domain Account

If you have to install a component or an application that runs using an
account, what are the disadvantages/risks (from a security standpoint) of
using a Domain Account instead of a Local Account and vice versa?

Mauricio
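
One way to audit a host for the exposure discussed in this message, as an added example that is not part of the original post: it lists services that log on with a stored-password account, marks each account as local or domain, and flags direct membership in the local Administrators group. The function name, the sample services and the host name HOST01 are assumptions; nested group membership is not expanded, and an account given in user@domain form is not matched against the group list.

```powershell
# Added example: classify service logon accounts and flag the riskier cases.
function Get-ServiceAccountExposure {
    param(
        # Objects with Name and StartName; defaults to the live service list.
        [object[]]$Services = (Get-CimInstance -ClassName Win32_Service),
        [string]$ComputerName = $env:COMPUTERNAME,
        # Direct members of local Administrators (well-known SID S-1-5-32-544).
        [string[]]$LocalAdmins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
    )
    # Built-in identities have no user-chosen password stored for the service.
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    foreach ($svc in $Services) {
        $acct = $svc.StartName
        if (-not $acct -or $acct -match $builtin) { continue }
        # ".\user" is shorthand for "COMPUTER\user"; expand it before comparing.
        $full    = $acct -replace '^\.(?=\\)', $ComputerName
        $isLocal = $full -like "$ComputerName\*"
        [pscustomobject]@{
            Service      = $svc.Name
            Account      = $acct
            # A domain account is usable beyond this host once recovered.
            Scope        = if ($isLocal) { 'Local' } else { 'Domain' }
            # The post advises keeping service accounts out of Administrators.
            IsLocalAdmin = $LocalAdmins -contains $full
        }
    }
}

# Constructed sample input (not from the original post). Omit -Services,
# -ComputerName and -LocalAdmins to audit the live machine instead.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';   StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'BackupSvc'; StartName = 'CORP\svc_backup' }
    [pscustomobject]@{ Name = 'AppSvc';    StartName = '.\svc_app' }
)
Get-ServiceAccountExposure -Services $sample -ComputerName 'HOST01' `
    -LocalAdmins 'HOST01\Administrator', 'CORP\svc_backup' | Format-Table
```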

Re: Local Account Vs Domain Account Jan 21 2004 03:38PM
Tod Beardsley (todb planb-security net)