Not always a dream if you control the code execution.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Friday, June 15, 2012 10:30 AM
To: NT System Admin Issues
Subject: Re: What is your take on this (built-in admin password and account lockout)

In the best of all possible worlds, yes.

Dreamer.

On Fri, Jun 15, 2012 at 3:45 AM, Ken Schaefer <[email protected]> wrote:
> Your FW should block this functionality for normal users.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Friday, 15 June 2012 4:51 AM
> To: NT System Admin Issues
> Subject: Re: What is your take on this (built-in admin password and
> account lockout)
>
> On Thu, Jun 14, 2012 at 10:52 AM, Ziots, Edward <[email protected]> wrote:
>> It’s a well-known SID aka 500, but if you can't enumerate the users on the
>> system how are you going to tell in the first place?
>
> Run as a standard user 'psgetsid \\computername administrator', and then
> you're off to the races.
>
> If it returns a SID that doesn't end in -500, well, you've got the
> significant portion of the SID, so use psgetsid to enumerate the SID with the
> -500 ending to get the name of the Administrator account. It just adds a very
> small extra step.
>
> However, if the account whose SID ends in -500 is disabled (no matter
> what it's called), then the attacker has to try to enumerate all of the
> accounts on that machine, and figure out which one(s) have the desired privs
> - that's much harder, especially if you don't simply add the account to the
> Administrators group.
>
> The hard part is getting the credentials of a standard user...
>
>> Disable the Null Sessions, which I hope people are doing and proper ACLing
>> of traffic cuts down on that stuff.
>
> True.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
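An added example, not written by any poster in this thread: a local audit of the three settings the thread turns on, namely the state of the RID 500 account, who actually holds membership in Administrators, and the anonymous (null session) enumeration restrictions. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module and is run on the machine being audited.

```powershell
# Added example: audit the local account settings discussed in the thread.
# Assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) and a local run.

# The built-in Administrator always carries RID 500, whatever it is renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

# 'Administrator' is the default name on English installs (assumption).
[pscustomobject]@{
    Check  = 'Built-in admin (RID 500)'
    Name   = $builtin.Name
    Detail = "Enabled=$($builtin.Enabled); Renamed=$($builtin.Name -ne 'Administrator')"
}

# Every member of the local Administrators group (well-known SID S-1-5-32-544),
# so privileged accounts other than RID 500 are reviewed as well.
Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
    [pscustomobject]@{
        Check  = 'Administrators member'
        Name   = $_.Name
        Detail = "$($_.ObjectClass); SID=$($_.SID.Value)"
    }
}

# Anonymous (null session) enumeration restrictions under the LSA key.
# An empty Value means the registry value is not set on this machine.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($v in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
    [pscustomobject]@{
        Check  = 'Null session restriction'
        Name   = $v
        Detail = "Value=$($lsa.$v)"
    }
}
```

Piping the output to `Format-Table -AutoSize` gives one row per finding; a row showing the RID 500 account as enabled, or an Administrators member nobody recognizes, is the thing to follow up.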
