I would also watch out for scripts tucked away that elevate some other users privileges using a domain admins credentials upon login.
Places I would check
Startup folder(s)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
win.ini - multiple entries on the "shell=" line. (on NT4 and older OS's)
Possibly a gpo attached to accounts that will remain domain admins?
 
Its very easy to ask an admin "can you log into this ... and see whats going on?" once the permission tightening was over and the consultant was gone. Then business as usual.
 
Clyde Burns
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 10, 2006 1:43 PM
To: [email protected]
Subject: RE: [ActiveDir] Hiding in the Directory

good points - usually the hardest ones to figure out.
 
and if you knew AD well and the forest is setup "appropriately", you might also want to leverage SIDhistory.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Freitag, 10. Februar 2006 18:19
To: [email protected]
Subject: RE: [ActiveDir] Hiding in the Directory

 
If I were wanting to hide out in the directory, and didnt know much about Active Directory, but had a fair amount of general knowledge about computers, I would check into the Active Directory hotel under a fake name with the Mrs and I.  I would call myself Intrasite Topology Generation Account or something sounding official and then use that as my runas buddy.  Or I could just create a group called Federated Forest Knowledge Consistency Checker's and then give the Topology Generation account membership to it, and then give the Federated Forest Knowledge Consistency Checker all the user rights of whatever kind of admin I would hope to be.  I might even install some services and make them sound official like Directory Services Cylic Redundancy Checker and make the Topology generation Account the service account it runs under as well.  Why try to create a backdoor when you can just create another front door?  Kinda like the fake laundry service gag to break out of prison you always see in the movies.
 
 
Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, February 10, 2006 11:54 AM
To: [email protected]
Subject: [ActiveDir] Hiding in the Directory

I have been asked by a company to help them tighten what is currently a very loose security model. Now, several non-IT-but-computer-adept employees have accounts with full Domain Admin privileges. Many of these folks are programmer types and pretty savvy (which leads them to think they know what they are doing – that’s another story). They are also aware that we are going to tighten things down. For political reasons, we could not just yank their admin access.

 

So the question is: if you were one of these folks and were inclined to mischief (or simply ensuring your continued access), how might you hide yourself in the Directory? More to the point: where should I look beyond the obvious group memberships?

 

Thanks.

 

-- nme


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.5/256 - Release Date: 2/10/2006


This message is confidential, intended only for the named
recipient(s) and may contain information that is privileged or
exempt from disclosure under applicable law. Any patient health
information must be delivered immediately to intended recipient(s).
If you are not the intended recipient(s), you are notified that the
dissemination, distribution or copying of this message is strictly
prohibited. If you receive this message in error, or are not the
named recipient(s), please notify the sender at either the e-mail
address or telephone number above and discard this e-mail. Thank
you.

Reply via email to