I agree with Guido. It's all about physical security. Consider if they fixed that little loophole... What would you do? You obviously have done this enough you have worked up a nice little process. You have probably described a method that 10% or better of the people on the list read and said, no kidding, and another 10% said don't say it out loud, I don't want that fixed as it saves my butt all of the time.

The only realistic fix from MS would be to make it so it isn't possible to get into the box even if you have physical access and could do the screensaver, at, service, gina, you name it, hack. It's like why don't they take away the whole creator/owner loophole on ACLs.... Because the second they do someone is going to start screaming they can't get at their stuff when they or someone else screwed up. Personally I am all for tough love and security, you screwed up and can't get in, rebuild. You screwed up and locked yourself out of a file or directory object, tough love. I have DCs all over the world and this is one thing that I don't even start to take the time to worry about because I have zero control over how physical security will in the end really be handled and zero compensating controls I can feasibly put into place to prevent anything bad if someone got the idea they wanted to do something bad.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, February 27, 2004 3:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin to Domain Admin escalation

No need to install a new service at all => scheduling an "at" command in DSRM mode to execute the right script is sufficient, as the task scheduler is configured to run as Local System. And even though I agree that it would be nice to see new services being pre-configured to be run with the Local Service account, an admin can change it to run as local system anyways. Also, how is Windows supposed to know if the service doesn't require network access and should thus use the Network Service instead...

In summary: the default install account of a service should be the least of your worries. Better to concentrate on physically securing the DC.
/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, 27 February 2004 17:56
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Local Admin to Domain Admin escalation

Hi all,

Recently I have been playing around with an idea of how you deal with a situation when you must have Domain Admin access to AD but do not have the Domain Admin password (this can happen in small outsourced companies or when the only Domain Admin is suddenly unavailable).

In W2K this was easy. You use one of those tools that reset the Administrator's password in the local SAM, boot in DS Restore Mode, copy cmd.exe over logon.scr, reboot, wait and get a shell running in Local System context. As this is a DC and LSA has enough privileges to reset the Domain Admin password, you are all set.

In W2K3 this behavior has been changed. The screensaver runs in the Local Service account context and has no access to AD. This sounds nice and dandy, BUT if I boot into DS Restore Mode, install a service (using resource kit utilities) that will spawn a shell, which will run a script, which will reset the Domain Admin password, I still get access to the AD (tested successfully at home).

The problem I see here is the fact that in DS Restore Mode (actually it does not really matter in which mode), when you install a new service, it will run by default in LSA context. I know that you will all say: "physical access = Domain Admin" and will be right, but what bothers me more is the fact that a local account has a way to escalate its rights by taking advantage of the fact that new services default to run under the Local System account.

Your thoughts?

Guy
--
Smith & Wesson - the original point and click interface

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
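The thread turns on services and scheduled tasks that run as Local System on a DC. As an added defender-side example (not code from any poster), the script below inventories those on the local machine so they can be compared against a known baseline; it assumes Windows PowerShell 5.1 or later and the built-in CIM and ScheduledTasks cmdlets.

```powershell
# Added example, not from the thread: audit which services and scheduled tasks
# run as Local System on this host. Assumes PowerShell 5.1+ with the
# ScheduledTasks module (Windows Server 2012 and later).

function Get-LocalSystemServiceReport {
    # Win32_Service.StartName holds the logon account; 'LocalSystem' is SYSTEM,
    # while built-ins show as 'NT AUTHORITY\LocalService' / 'NT AUTHORITY\NetworkService'.
    $windowsDir = $env:SystemRoot
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = [string]$svc.PathName
        # Extract the executable from the command line: quoted path, or first token.
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split ' ')[0] }
        $runsAsSystem = $svc.StartName -eq 'LocalSystem'
        $outsideWindows = ($exe -ne '') -and -not ($exe -like "$windowsDir\*")

        [pscustomobject]@{
            Kind            = 'Service'
            Name            = $svc.Name
            Account         = $svc.StartName
            StartMode       = $svc.StartMode
            Executable      = $exe
            # A SYSTEM service whose binary sits outside %SystemRoot% is the kind
            # of addition the thread describes; review it against your baseline.
            ReviewCandidate = ($runsAsSystem -and $outsideWindows)
        }
    }
}

function Get-LocalSystemTaskReport {
    # Guido's point: the scheduler already runs as SYSTEM, so list those tasks too.
    foreach ($task in Get-ScheduledTask) {
        $uid = [string]$task.Principal.UserId
        if ($uid -eq 'SYSTEM' -or $uid -eq 'S-1-5-18') {
            [pscustomobject]@{
                Kind            = 'Task'
                Name            = "$($task.TaskPath)$($task.TaskName)"
                Account         = $uid
                StartMode       = $task.State
                Executable      = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
                # Tasks outside the Microsoft folder are the ones worth a second look.
                ReviewCandidate = ($task.TaskPath -notlike '\Microsoft\*')
            }
        }
    }
}

# Candidates first, so a quick glance shows what deviates from a stock DC.
@(Get-LocalSystemServiceReport) + @(Get-LocalSystemTaskReport) |
    Sort-Object ReviewCandidate -Descending | Format-Table -AutoSize
```

Run it on a freshly built DC to capture a baseline, then diff later runs against it; a new SYSTEM service or non-Microsoft SYSTEM task after a DSRM boot is exactly the change the thread is talking about.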
