-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 08, 2007 10:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Risks of exposure of machine account passwords
You can't treat everyone inside your network like criminals
: Re: [ActiveDir] Risks of exposure of machine account passwords
On Tue, 9 Jan 2007 14:13:33 +1100
Ken Schaefer [EMAIL PROTECTED] wrote:
I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively
delegatable, so you can't (in the normal course of events) use this to
create an account
I haven't tried it, but I would have assumed (I know, I know) that if
somebody *could* gain the computer account password:
1) you have much bigger issues
2) they would have access to a machine. See #1
3) they would have access to anything that authenticated users have access to. See #1
4) they
The question is whether having the machine account password and access to
that system gives you any ability to impersonate users or elevate your
access to other systems. Presumably, if you could get into the protected
store, you could compromise any locally cached tickets for other users to
If an attacker gets access to a machine account password they can connect to
AD as that computer which is usually just normal user access rights. In
fact, if you set up an auth as the computer and tap an ADAM instance and
look at the RootDSE it will show you the groups you are a member of that are
+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 08, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Risks of exposure
I'm not sure I could forge new tickets as an authenticated user, to be
honest. I never really tried though I suspect that's more difficult than I
need to attempt because if I have that information, I already know enough
and have enough to mount a plausible attack.
In short, I never took it to
PROTECTED] On Behalf Of joe
Sent: Monday, January 08, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Risks of exposure of machine account passwords
If an attacker gets access to a machine account password they can
connect to AD as that computer which is usually just
On Mon, 8 Jan 2007 10:39:17 -0800
Mr Oteece [EMAIL PROTECTED] wrote:
What are the risks associated with the exposure of machine account passwords
in Active Directory? Passwords are changed for machine accounts regularly,
but they don't really expire and can get rather old. If an attacker has
On Mon, 8 Jan 2007 15:33:01 -0500
joe [EMAIL PROTECTED] wrote:
A dirty trick I have used in the
past to disprove how secure an environment was was to set up a web site on a
workstation, enable basic auth only, write a little perl cgi script to write
the creds sent to the website to a log file
Just one?
I prefer the on|off bit to be flipped. What was your method? :)
On 1/8/07, Michael B Allen [EMAIL PROTECTED] wrote:
On Mon, 8 Jan 2007 15:33:01 -0500
joe [EMAIL PROTECTED] wrote:
A dirty trick I have used in the
past to disprove how secure an environment was was to set up a web
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: Michael B Allen [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 5:35 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Risks of exposure
From: [EMAIL PROTECTED] on behalf of Michael B Allen
Sent: Tue 9/01/2007 9:34 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords
On Mon, 8 Jan 2007 15:33:01 -0500
joe [EMAIL PROTECTED] wrote:
But I can add
On Tue, 9 Jan 2007 14:13:33 +1100
Ken Schaefer [EMAIL PROTECTED] wrote:
I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively
delegatable, so you can't (in the normal course of events) use this to create
an account anywhere except on the local machine. There may be easier ways