Joe & Guido, thanks for clearing this up. I was helping out someone and came up with the solution described below and when it worked I was totally sure I was missing something.
I know that the topic is rather controversial and I am sorry for blowing the whistle, but I just had to know it for sure.

Thanks again,
Guy

On Tue, 2004-03-09 at 08:43, joe wrote:
> I agree with Guido. It's all about physical security.
>
> Consider if they fixed that little loophole... What would you do? You
> obviously have done this enough you have worked up a nice little process.
> You have probably described a method that 10% or better of the people on the
> list read and said, no kidding, and another 10% said don't say it out loud, I
> don't want that fixed as it saves my butt all of the time.
>
> The only realistic fix from MS would be to make it so it isn't possible to
> get into the box even if you have physical access and could do the
> screensaver, at, service, gina, you name it, hack.
>
> It's like why don't they take away the whole creator/owner loophole on
> ACLs.... Because the second they do someone is going to start screaming they
> can't get at their stuff when they or someone else screwed up.
>
> Personally I am all for tough love and security: you screwed up and can't
> get in, rebuild. You screwed up and locked yourself out of a file or
> directory object, tough love.
>
> I have DCs all over the world and this is one thing that I don't even start
> to take the time to worry about because I have zero control over how
> physical security will in the end really be handled and zero compensating
> controls I can feasibly put into place to prevent anything bad if someone
> got the idea they wanted to do something bad.
>
> -------------
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
> Sent: Friday, February 27, 2004 3:33 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Local Admin to Domain Admin escalation
>
> No need to install a new service at all => scheduling an "at" command in
> DSRM mode to execute the right script is sufficient, as the task scheduler
> is configured to run as Local System.
>
> And even though I agree that it would be nice to see new services being
> pre-configured to be run with the Local Service account, an admin can change
> it to run as local system anyways. Also, how is Windows supposed to know
> if the service doesn't require network access and should thus use the
> Network Service instead...
>
> In summary: the default install account of a service should be the least of
> your worries. Better to concentrate on physically securing the DC.
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, 27 February 2004 17:56
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Local Admin to Domain Admin escalation
>
> Hi all,
>
> Recently I have been playing around with an idea of how you deal with a
> situation when you must have Domain Admin access to AD but do not have the
> Domain Admin password (this can happen in small outsourced companies or when
> the only Domain Admin is suddenly unavailable).
>
> In W2K this was easy. You use one of those tools that reset the
> Administrator's password in the local SAM, boot in DS Restore Mode, copy cmd.exe
> over logon.scr, reboot, wait and get a shell running in Local System
> context. As this is a DC and LSA has enough privileges to reset the Domain Admin
> password, you are all set.
>
> In W2K3 this behavior has been changed. The screensaver runs in the Local
> Service account context and has no access to AD. This sounds nice and dandy,
> BUT if I boot into DS Restore Mode, install a service (using resource kit
> utilities) that will spawn a shell, which will run a script, which will
> reset the Domain Admin password, I still get access to the AD (tested
> successfully at home).
>
> The problem I see here is the fact that in DS Restore Mode (actually it does
> not really matter in which mode), when you install a new service, it will
> run by default in LSA context.
>
> I know that you will all say "physical access = Domain Admin" and will be
> right, but what bothers me more is the fact that a local account has a way to
> escalate its rights by taking advantage of the fact that new services
> default to run under the Local System account.
>
> Your thoughts?
>
> Guy
>
> --
> Smith & Wesson - the original point and click interface
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Smith & Wesson - the original point and click interface
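A defender-side check for the behaviour the thread turns on (a newly installed service silently landing under Local System on a DC): this is an added example, written for this page and not code from any list member, that parses Service Control Manager "service was installed" records (event ID 7045) and flags LocalSystem services whose binary lives outside an allow-listed directory. The record layout and the log lines are constructed and simplified; real 7045 event text differs by Windows version, and the trusted-directory list is an assumption you would tune per site.

```python
import re
from dataclasses import dataclass

# Constructed, simplified SCM "service was installed" records (event 7045).
# Layout here is: event_id|source|Service Name: ..|Service File Name: ..|Service Account: ..
# Real event text varies by Windows version; these lines are illustrative only.
SAMPLE_LOG = """\
7045|Service Control Manager|Service Name: Print Spooler|Service File Name: C:\\WINDOWS\\system32\\spoolsv.exe|Service Account: LocalSystem
7045|Service Control Manager|Service Name: Backup Agent|Service File Name: C:\\Program Files\\BackupCo\\agent.exe|Service Account: NT AUTHORITY\\NetworkService
7045|Service Control Manager|Service Name: helper|Service File Name: C:\\temp\\helper.exe|Service Account: LocalSystem
7036|Service Control Manager|The Print Spooler service entered the running state.
"""

# Assumed allow-list: directories from which a LocalSystem service on a DC is expected.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

FIELD_RE = re.compile(
    r"Service Name: (?P<name>[^|]+)\|Service File Name: (?P<image>[^|]+)\|Service Account: (?P<account>.+)"
)


@dataclass
class ServiceInstall:
    name: str
    image: str
    account: str


def parse_installs(log_text):
    """Return a ServiceInstall for every 7045 record; other event IDs are ignored."""
    found = []
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) < 3 or parts[0] != "7045":
            continue
        m = FIELD_RE.search(parts[2])
        if m:
            found.append(ServiceInstall(m["name"].strip(), m["image"].strip(), m["account"].strip()))
    return found


def is_local_system(account):
    """The spellings under which the SCM reports the Local System account."""
    return account.strip().lower() in ("localsystem", "nt authority\\system", ".\\localsystem")


def suspicious_installs(log_text):
    """LocalSystem services installed from outside TRUSTED_DIRS. On a DC such a
    service runs with enough privilege to touch the directory, so it merits review."""
    return [
        svc for svc in parse_installs(log_text)
        if is_local_system(svc.account) and not svc.image.lower().startswith(TRUSTED_DIRS)
    ]
```

Running `suspicious_installs(SAMPLE_LOG)` over the constructed lines reports only the `helper` service; the same function applied to an exported System log gives an installer-independent view of which new services gained Local System on a DC.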
