> You can't treat everyone inside your network like criminals or you'll never get anything done.
I don't completely agree with this. When you are an admin, especially a DA, you need to be extremely paranoid about things and trust very little that you don't directly control when using your ID. When I see folks who aren't running separate accounts for admin work and normal work I know they aren't paranoid enough. Then if someone has two accounts the next question is whether the passwords are synced, which is pretty normal to see but almost as bad as using your DA ID to log into your PC and doing work in which you aren't specifically making changes. The next thing to do to cut down on risk is to do interactive auth as well as application auth to servers and DCs as little as possible with enhanced IDs. There are just too many possible ways to get screwed, whether on purpose or by accident, to treat anything but proven trusted systems and people as anything but a danger. Yes it slows you down, but folks need to be very careful with their most powerful IDs. If people follow these guidelines it is considerably more difficult to compromise them through social engineering types of attacks such as outlined.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: Michael B Allen [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 5:35 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords

On Mon, 8 Jan 2007 15:33:01 -0500
"joe" <[EMAIL PROTECTED]> wrote:

> A dirty trick I have used in the past to disprove how secure an environment was was to set up a web site on a workstation, enable basic auth only, write a little perl cgi script to write the creds sent to the website to a log file and throw up a website unavailable screen, and then tell admins that I have a web site that doesn't seem to authenticate users properly, could they try to logon to see if it is just my test IDs or a permission problem. I would say at least 50%-60% of the time the admins will go to the page and type in their creds. Alternately try to get an admin to log into a workstation I control. In far too many cases I think you will find admins are users too... :)

If you already own a machine with an FQDN and you can send email to people as someone internal then it would be pretty hard to keep you out since you're already somewhat trusted. You can't treat everyone inside your network like criminals or you'll never get anything done. And if you do have a criminal inside you should take it up with HR, not IT.

But I can add an improved permutation to your dirty trick. Send out an email with a link to your site but use NTLM SSO pass-through to create a bogus account with a predefined password. If someone with domain admin privs so much as stumbles across your site they will create the said account and not even know they did it. No credentials necessary and no SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack though. For bonus points, does anyone know what it is? :->

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
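Joe's guidance above (separate admin and everyday accounts; interactive logons with enhanced IDs only where strictly needed) is something you can audit rather than just hope for. The following is an added example, not code from either poster or from the list: it runs a small check over constructed records in the shape of Windows Security event 4624 (successful logon) and flags privileged accounts that have established an interactive-class session on anything other than a small set of tier-0 hosts. The account names, host names and the tier-0 list are assumptions for the example; the `LogonType` codes are the real Windows values.

```python
"""
Added example (not part of the original thread): audit constructed 4624-style
logon records for privileged accounts used interactively on ordinary hosts.

Assumptions (constructed for this example):
  - PRIVILEGED: admin account names we want to watch.
  - TIER0_HOSTS: the only hosts where an interactive logon with such an
    account is expected (domain controllers and a dedicated admin workstation).
  - EVENTS: constructed records mirroring the fields of Windows 4624 events.
"""
from collections import Counter

# Windows 4624 LogonType values that leave a full logon session (and the
# account's credentials) on the host. Network logons (type 3) do not.
INTERACTIVE_TYPES = {
    2: "Interactive",
    7: "Unlock",
    10: "RemoteInteractive",   # RDP / Terminal Services
    11: "CachedInteractive",
}

PRIVILEGED = {"da-joe", "da-mike"}          # assumed admin IDs
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}     # assumed DCs plus one admin workstation

EVENTS = [  # constructed sample records, not real log data
    {"host": "DC01",   "user": "da-joe",  "logon_type": 2},
    {"host": "WS-042", "user": "da-joe",  "logon_type": 2},   # DA logged on to a user workstation
    {"host": "WS-042", "user": "joe",     "logon_type": 2},   # everyday account, fine
    {"host": "FS01",   "user": "da-mike", "logon_type": 3},   # network logon only, no session left behind
    {"host": "WS-017", "user": "da-mike", "logon_type": 10},  # RDP with a DA ID to a workstation
    {"host": "PAW01",  "user": "da-mike", "logon_type": 2},   # expected on the admin workstation
]


def risky_logons(events, privileged=PRIVILEGED, tier0=TIER0_HOSTS):
    """Return the events where a privileged account made an interactive-class
    logon to a host outside the tier-0 set, annotated with the logon kind."""
    findings = []
    for ev in events:
        if ev["user"].lower() not in privileged:
            continue                                    # not an enhanced ID
        kind = INTERACTIVE_TYPES.get(ev["logon_type"])
        if kind is None:
            continue                                    # network/service/batch logon
        if ev["host"].upper() in tier0:
            continue                                    # interactive use expected here
        findings.append({**ev, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per account, e.g. for a weekly report to the admin team."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    found = risky_logons(EVENTS)
    for f in found:
        print(f"{f['user']}: {f['kind']} logon on {f['host']}")
    print(dict(summarize(found)))
```

In a real environment the records would come from the security log of each host or from a central collector, and the tier-0 list from the set of machines you have deliberately designated for privileged use; the logic itself stays the same.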