Title: [ActiveDir] OT: XP exploit
Yeah, I jumped too soon; I tested it when I got home, and
verified that it doesn't work with user or power user privs. Sorry for the
noise.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON,
BEN
Sent: Tuesday, August 01, 2006 9:50 PMT
On Tue, 1 Aug 2006 18:29:24 +0100, "Grillenmeier, Guido"
<[EMAIL PROTECTED]> said:
>Richard doesn't seem to be too keen on giving us further details - too
>bad.
Sorry, been busy... 400 unread msgs from this list, got some catching up
to do.
> What does the current environment look like?
> How ex
Interesting exploit. Although I think this might not be new. I fired up a
somewhat old Windows XP VM I had to test it, and despite the fact that standard
users had permissions to read & execute AT.EXE, they were still denied access.
Same deal on my company workstation which is absolutely up to
This is silly. At least on XP, a normal, non-admin user cannot add AT jobs.
So, yes, this would work if the user is local admin, but big deal. At that
point, who cares? Is the point here that I can elevate from Administrator to
LocalSystem? I'm not really sure that's a revelation...
-Origi
That's not even fair, I own that book already. I was hoping to avoid doing the scripting part... but that being said, how much of that will work in NT domains to get groups and their members/memberships?
On 8/1/06, Michael B. Smith <[EMAIL PROTECTED]> wrote:
You can certainly get all the pie
Use GPO to prevent users from running the scheduler. Need to do a reg
hack to block local accounts.
http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc/xp_priv_esc.
html
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http
You can certainly get all the piece parts from
here:
http://rallenhome.com/books/adcookbook/code.html
And you can use joe's wonderful adfind (or dsquery if you
were to insist) to do much of the gruntwork. I show you some examples
here:
http://blogs.brnets.com/michael/archive/2004/06/24/
Well, the problem of the postit note is that the people doing it are a bit more circumspect than they used to be. They don't post it with "Password: ilikebananas" and they don't necessarily put it on their monitor (though it hasn't been that long since I saw that and I always at the very least sco
msDs-User-Account-Control-Computed is a constructed attribute. Constructed
attributes cannot be set manually because they are automatically maintained by
the system.
Tony
-- Original Message --
From: "David Aragon" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@
This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.
1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members
Just to be honest, it sounds like I made a bad assumption... that AD holds as much information (or more) natively as it does for Exchange. From what Joe is saying, it sounds like Exchange is a huge AD bloat monster.
Not that it's a problem for many environments, just the larger ones. I'd be interes
Without getting into the politics involved that got us here, suffice it to
say that someone with a lot of political clout, no Windows or Active
Directory experience (though considerable MAC/OS X experience), and a PhD at
the end of their name, made a decision to deploy openLDAP and Active
Directory
Interesting thoughts there...
My only tongue in cheek response right off (though this will bubble in my
head for some time) is that most predators are brighter than many people
doing admin work and we still need them to be able to find the systems...
;o)
Raise your hand if in the last year you
Some of the new laws are definitely coming into play. I have heard more than
once from Director level Security folks and CIOs that they want whatever is
needed done to make sure they aren't in a position to get sued or even worse
go to jail because some (and I am quoting) "some numbskull admin scre
LOL.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, August 01, 2006 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 80/20
My production patching has been very lucky. I tend to find the bugs in
testing and if I get through my testing ok then I haven't had an issue in
prod that I can recall, at least nothing in the last 6 or so years.
Certainly when I managed an Enterprise (DCs/Wins/And utility servers for
domain suppor
Not disagreeing with you Matt – we’re all just in a
guess mode without RM providing more information. I love those posts to lists
where the original poster never gets back to the questions being posted to
his questions…
Anyways – I just made the point that his DIT size is not
small for a
Lurk away, glad to help out. Don't be afraid to ask questions, we just all
seem mean. In real life we are all nice teddy bears, well except Deji. Avoid
Deji if you see him coming, he is a bit scary. ;o)
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-
> I will beg to differ on the
"worth the benefit" claim vis-à-vis the headaches associated
> with WINS and how less
resilient I've found INS to be compared to DNS.
Hey
just because it isn't resilient for you doesn't mean it doesn't work ok for
some of us. :) I wouldn't say the rest of
:o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 01, 2006 3:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
DNS suffix resolution.
What do you mean by View these services? The info that they
maintain or the status on the services themselves?
The WINS User Group should definitely work to give access
to records. To make my life easier in a previous job I just placed auth
users into that group for all WINS Machines.
As
Thanks joe for the very detailed reply!
My whole purpose for creating the query is that I had an employee
here depart about a month ago and I thought I had cleaned up
everything when I finally killed the AD account. What I was not
aware of was that some other employees had this person setup as
a d
Title: [ActiveDir] LDAP query struggle
Ok, so you are trying to find what users have Benjamin as a
publicDelegate. That is my B scenario I listed.
Do this
adfind -gc -b "" -f name="Benjamin Ortega" publicdelegatesBL
If you want more detailed info about each of the users he
is a delegat
Oh I completely agree with lack of change control. I can't
count the number of times I have asked companies what their change control
process is and they look at me and go huh? What do you mean, we go into
and make the change.
Like you have quite a bit of main/mid frame experience and
ev
Title: [ActiveDir] LDAP query struggle
Here's what I tried:
(&(objectCategory=person)(objectClass=user)(publicDelegates=Benjamin*))
I have a mailbox-enabled user named Benjamin
Ortega.
I figured that using Benjamin* would grab the user(s) that
have him set as having Send on behalf permissi
Sorry, I should have put everything together by subject
before responding before.
My experiences range pretty widely with how much the DIT
will grow with the inclusion of Exchange. Again, it depends entirely on what is
already there and what it will end up with for the GAL. One experience h
It depends a little on what you're looking for.
Let's say you have a meeting room (MR1) and a user (Bob Smith) has Send on
Behalf of permissions for the meeting room. A search using MR1 would use
publicDelegatesBL (the back link attribute) and would look something like this:
(&(objectclass=u
Where is the 1.25GB number from and what do you mean
the ability of the 32 bit server to handle it? Do you mean cache? How much can
be cached will depend on the OS level and amount of RAM but you can get up to a
2.7GB on a properly configured 32 bit K3 DC.
Certainly in terms of purely work
objectcategory=user isn't optimal, that will get changed to
objectcategory=person which will look at all contacts and users, however
that wouldn't prevent the query from working unless you are timing out. What
tool are you using to submit the query? Does it allow you to specify a
timeout?
Anyway,
Title: [ActiveDir] LDAP query struggle
Also ensure you are putting the full DN of
the user that you are searching for in publicDelegates= since that is a linked
attribute.
Thanks,
-Steve
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge
instead of (objectCategory=user) use (objectCategory=person)(objectClass=user)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.5
I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc. I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love
I'd like to create an LDAP query to return a list of users
that have the "Send on behalf" field populated in the
"Exchange General / Delivery Options" properties in ADUC.
I cannot seem to make sense of the syntax of the query...
(&(objectCategory=user)(publicDelegates=))
Is there something I'm
Thanks Joe. Interestingly, I agree with what you're saying
here, but not for exactly the same reason. I happen to think that the
"badness" of having lots of over-privileged admins is not the accidental
stupidity (hmmm...is that an oxymoron?), although we know that happens. This
actually gets
On a totally serious note to Joe's tongue in cheek posting Go to a
zoo(1).. and you'll hear stories of how each animal has natural
'protection' from their predators.
Each animal has evolved to ensure they have some level of camouflage in
the way of color/features etc so that when their pre
California law AB1950 and SB1386
That's also real world... where I could get sued for civil damages if I
don't do reasonable measures to protect the PII on my network.
One of these days that "we don't care" ... will be in a deposition
statement in court.
Matt Hargraves wrote:
BTW, I wasn't
Richard doesn’t seem to be too keen on giving us further
details – too bad.
But not sure why you – Matt - are talking about “breaking
1.25 GB” with respects to the 32-bit capabilities. By default 32-bit
Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using
the
Well, at least Darren posted another mail regarding “security
by obscurity” – which this is. It’s just like removing the
Domain Admins group from the local administrators group on member servers “to
secure the member server”…
Just because many of those domain admins don’t know why they
There is at least some documentation on this found at http://davenport.sourceforge.net/ntlm.html. I'm not sure if it will meet your needs or not. I think
there are some others around as well.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tues
Thanks. It probably will help to some extent at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too.
Cheers
M@
On 8/1/06, Kitchens Arthur E <[EMAIL PROTECTED]> wrote:
might sspi_workbench (from technet) be useful for this?
From:
might
sspi_workbench (from technet) be useful for this?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM
troubleshooting info
Guys
Does anyone have any
Guys
Does anyone have any good resources on troubleshooting NTLM? I've emailed technet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet.
I would appreciate if you guys can help. Basically I am looking at an issue where NTLM
Ben, thanks for the article, I don't think I had seen that
before. Guido, thanks for the info, I will incorporate that into our
testing.
Thank you all!
Nate
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON,
BEN
Sent: Monday, July 31, 2006 12:59 PM
To: ActiveDir@mail
The intermittent result in the repro. isn’t unusual, it seems
likely there’s some kind of race condition occurring under the covers … thus
the unpredictable nature of the test scenarios.
I love this list, if you just wait long enough someone else will
do your work for you :0)
Check out the 'DNSadmins' group for DNS access and 'WINS
Users' for access to WINS.
Membership of these groups may give too little or too much
access. Can you be more specific about what access these support ppl actually
need?
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Single Windows 2003 domain FFL. I have 2 DCs which act as WINS/DNS and DHCP. I want to give our Server Support team the ability to view these services from their workstations via an MMC console. For DHCP, the DHCP Users group provides me with an answer for that, does anyone know how I c
Thanks Neil. That makes a lot of sense.
Cheers
M@
On 8/1/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]
> wrote:
netlogon is responsible for all SRV records and the DHCP client is responsible for the A record.
neil
From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Matheesha W
netlogon is responsible for all SRV records and the DHCP
client is responsible for the A record.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: 01 August 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS
oddities?
Ha
Ha ha!
So would I be correct in assuming netlogon registers _ldap _gc records and KDC registers _kerberos and _kpasswd records and dhcpclient does the "A" record etc.. or am I way off?
Cheers
M@
On 8/1/06, joe <[EMAIL PROTECTED]> wrote:
> If it works for a subset of records, why not for
Personally, the defaults work for me.
Here's a good article: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_tahj.mspx?mfr=true
Re reverse zones - enable scavenging per server and per
zone as appropriate.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL P
Hi, Windows 2003 R2 Single Domain/FFL, AD Integrated DNS. I am thinking about configuring DNS Scavenging. I was reading the AD Cookbook and it mentions 'Configure Non Refresh and Refresh Intervals as necessary'. What does this mean? What do you normally set your environment to? does
Wow, joe and Deji both agreed with me and in the same day
:)
I am at peace :-^
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
Sent: 31 July 2006 20:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..
One word... disjoint name s
We appear to agree that there is no 'need'. The OP used the
word 'need' and I merely continued that line of thought :)
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji
Akomolafe
Sent: 31 July 2006 19:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS su
Isn't DSI being discussed in great detail at Blackhat starting
tomorrow.. or am I mistaken and just thinking about the blog post again?
http://blog.joeware.net/2006/07/11/445/
Brett Shirley wrote:
I've always followed a DSI[1] access model, it definitely supersedes in
every way what RBS[resour