Use certificates? Cheers Ken
From: Crawford, Scott [mailto:[email protected]] Sent: Sunday, 26 February 2012 5:36 AM To: NT System Admin Issues Subject: RE: Log on to DC directly Which is why you only use them on trusted machines because they're less likely to have malware. Sent from my Windows Phone ________________________________ From: Kurt Buff Sent: 2/25/2012 2:41 PM To: NT System Admin Issues Subject: Re: Log on to DC directly That's the risk you take logging in *anywhere* with elevated credentials, even a DC. By your logic, I can't actually use a DA account anywhere. On Sat, Feb 25, 2012 at 06:03, Crawford, Scott <[email protected]> wrote: > I can see that there is a difference between there, but the bottom line is > that malware can doesn't need to leverage stored credentials if it can just > wait for you to type them in. > > Sent from my Windows Phone > ________________________________ > From: Kurt Buff > Sent: 2/25/2012 1:27 AM > > To: NT System Admin Issues > Subject: Re: Log on to DC directly > > What I want is to avoid leaving my DA credentials in the local cache, > because to my mind, and from what I've read about and seen, that's the > biggest risk to the infrastructure. > > The "runas /netonly" incantations absolutely avoid that. Quitting the > apps running under those incantations when not actively being used > certainly helps, but the major thing is to not leave those credentials > on disk, in whatever form, to be attacked by malefactors. > > Kurt > > On Fri, Feb 24, 2012 at 23:13, Crawford, Scott <[email protected]> > wrote: >> Sounds like you're on the right track. I didn't mean to imply that you >> absolutely shouldn't log into your workstation. Simply that what you >> described contradicted your desire to avoid logging into your workstation >> with DA creds. >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
