If an attacker gets access to a machine account password they can connect to AD as that computer, which is usually just normal user access rights. In fact, if you set up an auth as the computer and tap an ADAM instance and look at the RootDSE it will show you the groups you are a member of that are right for that context. For example:

>tokenGroups: TEST\TESTCMP$
>tokenGroups: TEST\Domain Computers
>tokenGroups: Everyone
>tokenGroups: BUILTIN\Users
>tokenGroups: NT AUTHORITY\NETWORK
>tokenGroups: NT AUTHORITY\Authenticated Users
>tokenGroups: NT AUTHORITY\This Organization

I don't think overall that computer accounts are any more risky than normal userids. On the flip side, I think it is silly to leave enabled machine accounts lying around for computers that you are relatively sure will never reconnect. That is why I wrote oldcmp and make it available to everyone.

The key part is, as Al mentioned, how did they get that password? I don't recall seeing anything that will extract that from a machine and even so, I expect it is much easier and more useful to target user passwords than computer passwords - primarily admin type users.

A dirty trick I have used in the past to disprove how secure an environment was was to set up a web site on a workstation, enable basic auth only, write a little perl cgi script to write the creds sent to the website to a log file and throw up a website unavailable screen, and then tell admins that I have a web site that doesn't seem to authenticate users properly, could they try to logon to see if it is just my test IDs or a permission problem. I would say at least 50%-60% of the time the admins will go to the page and type in their creds. Alternately, try to get an admin to log into a workstation I control. In far too many cases I think you will find admins are users too... :)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
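The housekeeping joe describes, finding enabled computer accounts that have not changed their password or logged on in a long time, is what oldcmp automates. The script below is an added example written for this thread, not oldcmp and not code from joe or from the list; it uses the ActiveDirectory RSAT module, and the 90-day threshold and the output path are assumptions to tune to your own policy.

```powershell
# Added example (not oldcmp, not from the original thread): report enabled
# computer accounts whose password has not been reset and that have not
# logged on within a threshold, then stage them for disabling.
# Requires the ActiveDirectory module (RSAT) and read rights on the domain.
Import-Module ActiveDirectory

$StaleDays = 90                      # assumption: align with your domain's policy
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# PasswordLastSet and LastLogonDate are friendly views of pwdLastSet and
# lastLogonTimestamp; lastLogonTimestamp replicates with up to ~14 days of
# slack, so the cutoff should be comfortably larger than that.
$stale = Get-ADComputer -Filter { Enabled -eq $true } `
            -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Where-Object {
        # Treat "never set" / "never logged on" the same as "too old".
        ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff) -and
        ($null -eq $_.LastLogonDate   -or $_.LastLogonDate   -lt $Cutoff)
    } |
    Select-Object Name, DNSHostName, OperatingSystem,
                  PasswordLastSet, LastLogonDate, DistinguishedName

# Review before acting: list on screen and keep a record of what was found.
$stale | Sort-Object PasswordLastSet | Format-Table -AutoSize
$stale | Export-Csv -Path .\stale-computers.csv -NoTypeInformation   # assumption: output path

# Disable rather than delete, so a machine that does reconnect can be
# re-enabled. -WhatIf keeps this a dry run; remove it once the list is vetted.
foreach ($c in $stale) {
    Disable-ADAccount -Identity $c.DistinguishedName -WhatIf
}
```

Run it as a dry run first and compare the CSV against asset inventory; domain controllers, cluster name objects and machines that only talk to AD occasionally (laptops of travelling staff) will show up unless you exclude them or raise the threshold. Disabling removes the risk joe points at (a live credential for a box nobody is watching) without destroying the object or its SID history.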
_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Monday, January 08, 2007 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Risks of exposure of machine account passwords

What are the risks associated with the exposure of machine account passwords in Active Directory? Passwords are changed for machine accounts regularly, but they don't really expire and can get rather old. If an attacker has access to this password, what sort of access would he have to other systems on the network via Kerberos? i.e., would he be able to forge service tickets as other users and elevate his access elsewhere? The laxness of policy surrounding these accounts suggests that this is not a huge risk. Should we be more concerned with these old passwords?

Otis