BugTraq
LM hashes in a hot-desking environment May 25 2006 01:46PM
feedb4ck z4ck org (3 replies)
RE: LM hashes in a hot-desking environment May 27 2006 12:07PM
Roger A. Grimes (roger banneretcs com)
Re: LM hashes in a hot-desking environment May 27 2006 10:31AM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: LM hashes in a hot-desking environment May 27 2006 10:09PM
The Little Prince (thelittleprince asteroid-b612 org)
Re: LM hashes in a hot-desking environment May 27 2006 10:27AM
3APA3A (3APA3A SECURITY NNOV RU)
Dear feedb4ck (at) z4ck (dot) org,

--Thursday, May 25, 2006, 5:46:43 PM, you wrote to bugtraq (at) securityfocus (dot) com:

fzo> Although it is a well-known fact that Windows desktops and servers still
fzo> use LM Hashes and cache the last ten userids and passwords locally, just
fzo> in case an Active Directory, Domain, or NDS tree is not available, has
fzo> anyone thought about the consequences of this issue in a hot-desking, or
fzo> flexible working environment?

Windows doesn't cache passwords. If I remember correctly, the cached
value is actually an MD5 from the NT key and cannot be used directly. LM
hashes can be disabled through group policy, see
http://support.microsoft.com/?kbid=299656. The local SAM doesn't store
domain accounts.

fzo> Now, I know what everyone is saying, wait a minute, for PWDUMP to work you
fzo> need to be administrator to the local machine. But think again, how
fzo> often is this the case? Many companies only look to restrict network
fzo> access - as restricting local access may cause issues with applications
fzo> which need to access the local drive.

If your users on shared hosts work with local administrator privileges
- you have no security at all. Forget about PWDUMP, it's too hard.
Think about the trojans and keyloggers a user can install to obtain
the credentials of a different user. Even more: if you have a shared computer
and you have no physical security, anyone can install a hardware
keylogger.

Your problem is you have a strange approach to security. A good approach is:

What should I protect?

--
~/ZARAZA
http://www.security.nnov.ru/
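
The settings discussed in this message can be checked on a shared workstation with a read-only audit like the one below. It is an added example, not part of the original post; it assumes PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, and the registry locations of `NoLMHash` and `CachedLogonsCount` are supplied here rather than taken from the thread.

```powershell
# Added example (not from the original post). Read-only; run elevated on the shared host.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = [ordered]@{}

# 1. LM hash storage: NoLMHash = 1 stops LM hashes being stored at the next password change.
$noLm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'NoLMHash'
$report['LM hash storage disabled'] = ($noLm -eq 1)

# 2. Cached domain logons: stored as a string; Windows uses 10 when the value is absent.
$cached = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
if ($null -eq $cached) { $cached = '10' }
$report['Cached logons count'] = [int]$cached

# 3. Who is a local administrator (well-known SID S-1-5-32-544)?
#    Flag broad groups: Everyone, INTERACTIVE, Authenticated Users, Domain Users (RID 513).
$broadSids = 'S-1-1-0', 'S-1-5-4', 'S-1-5-11'
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)
$broad = @($admins | Where-Object {
    $sid = $_.SID.Value
    ($broadSids -contains $sid) -or ($sid -match '^S-1-5-21-.*-513$')
})
$report['Local Administrators members']  = ($admins.Name -join '; ')
$report['Broad groups with local admin'] = ($broad.Name -join '; ')

[pscustomobject]$report | Format-List

if ($noLm -ne 1) {
    Write-Warning 'NoLMHash is not 1: LM hashes may still be stored for local accounts.'
}
if ($broad.Count -gt 0) {
    Write-Warning 'Every user of this shared host is effectively a local administrator.'
}
```

Existing LM hashes remain until each account's password is next changed, so a host can pass the first check while old hashes are still present.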
