BugTraq
Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 10 2010 01:06AM
StenoPlasma @ www.ExploitDevelopment.com (exploitdevelopmentdotcom gmail com) (1 replies)
Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 10 2010 04:29PM
Stefan Kanthak (stefan kanthak nexgo de) (2 replies)
RE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 10 2010 06:12PM
George Carlson (gcarlson vccs edu) (2 replies)
RE: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 11 2010 12:15AM
Thor (Hammer of God) (thor hammerofgod com) (2 replies)
Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 13 2010 05:12PM
Andrea Lee (andrea kattrap net) (4 replies)
Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 10 2010 10:11PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
"George Carlson" <gcarlson (at) vccs (dot) edu [email concealed]> wrote:

> Your objections are mostly true in a normal sense.

And in abnormal sense?

> However, it is not true when Group Policy is taken into account.

Group Policies need an AD. Cached credentials are only used locally,
for domain accounts, when the computer can't connect to the AD.

> Group Policies differentiate between local and Domain administrators

Local administrators don't authenticate against an AD, they authenticate
against the local SAM. No GPOs there!
And: a local administrator can override ANY policy, even exempt the
computer completely from processing Group Policies.

> and so this
> vulnerability is problematic for shops that differentiate between
> desktop support and AD support.

Again: this is NO VULNERABILITY.
An administrator is an administrator is an administrator.

[braindead fullquote removed ]

Stefan

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus