local admin on one machine = ??? on others?

Thread: local admin on one machine = ??? on others?

  1. #1
    Junior Member
    Join Date
    May 2005
    Posts
    3

    local admin on one machine = ??? on others?

    Greetings everyone! I'm hoping that someone can point me in the right direction to find answers to the following question:

    If a user is a member of the local administrator group on a 2000 Server box, what methods might that user employ to elevate their privileges on XP workstations connected to the same network?

    TIA

    zooligan

  2. #2
    Member
    Join Date
    May 2002
    Posts
    93
    First post eh. Be very careful when asking this type of question.

    Being very careful would entail giving more information than what is presented. Otherwise it just looks like you're trying to scam something.
    Tachyon

    |-----|Alcohol is my anti-drug |-----|

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    In theory, they can't gain access to the domain. However, in practice, they can gain domain rights of anybody who logs on locally (including grabbing their password probably).

    So I guess the main attack would be to plant a keylogger then generate some error which encourages the domain administrator to log on locally using their password.

    This is a weakness - most domain admins don't think twice about logging on locally to workstations with a domain admin account if there is a problem.

    Slarty

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    Contacting the network administrator is the easiest and safest way based on the info you have given.
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  5. #5
    Junior Member
    Join Date
    May 2005
    Posts
    3
    **************************************************
    First post eh. Be very careful when asking this type of question.

    Being very careful would entail giving more information than what is presented. Otherwise it just looks like you're trying to scam something.
    **************************************************

    Um... yeah. First post.

    OK, more info:

    I have the pleasure of maintaining a GIS server (the 2000 box mentioned above), and at times must allow others local admin access on the box (for installation of software extensions, testing and development of GIS software customizations or standalone programs, etc) and am wondering what methods someone who is a member of the local admin group on this box *might* use to gain rights elsewhere on the network should they choose to do so.

    Is that what you meant by more info???

  6. #6
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Would the SAM contain domain account information? If not, a key logger would be sneaky.

    The reason why more info was needed is that many people post on this forum with similar posts, and you can never tell if one's intentions are for security reasons or, say, how to break into a school's computer lab.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  7. #7
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,247
    Just deny the local account rights on the domain and be done with it
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  8. #8
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Playing devil's advocate here. Are you asking if granting them local admin rights compromises your XP workstations at all?

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    In principle none, but in practice the keylogger method I showed above. There is a way around this:

    1. Educate the domain admins to never log on as a domain admin account anywhere except the domain controllers
    2. Enforce this with a policy - deny local logons to anywhere except the domain controllers to the domain admin account(s) - domain admin accounts are only required for domain user administration
    3. Give each of your administrators separate accounts for different purposes - encourage them to only log on to them on specific machines - for example, a "normal" account for day-to-day stuff, a "workstation admin" account (which has admin on the workstations) and a "server admin" account with local admin on the servers.

    This will cause them a lot of hassle of course. But it's the only way.

    Even so, someone logging on locally as an account with local admin rights on *any* other machine in the domain, instantly gives them away to anybody else with local admin rights as soon as they log on.

    The only solution that would be totally proper would be to log on as a local admin account only, and have a different password for every machine. But it'd be terribly inconvenient.

    Slarty
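
The account separation described in post #9 can be checked against logon records. The following is an added example, not part of the thread: it flags interactive logons by tiered admin accounts on hosts outside their tier. The CSV layout, host names, account names and the prefix naming scheme are all constructed assumptions.

```python
import csv
import io

# Constructed sample: a CSV export of successful-logon events (hypothetical columns).
# logon_type uses the Windows convention: 2 = interactive, 3 = network,
# 10 = remote interactive.
SAMPLE_EVENTS = """host,account,logon_type
DC01,CORP\\da-alice,2
GIS01,CORP\\da-alice,2
WS-114,CORP\\wsadmin-bob,2
GIS01,CORP\\wsadmin-bob,10
GIS01,CORP\\srvadmin-bob,10
WS-114,CORP\\da-alice,3
WS-114,CORP\\carol,2
"""

# Assumed tier map mirroring the three account types in the post:
# account-name prefix -> host-name prefixes where interactive logon is acceptable.
TIERS = {
    "da-": ("DC",),                # domain admin accounts: domain controllers only
    "srvadmin-": ("GIS", "SRV"),   # server admin accounts: servers only
    "wsadmin-": ("WS-",),          # workstation admin accounts: workstations only
}

INTERACTIVE = {"2", "10"}  # logons at the console or over remote desktop


def tier_violations(csv_text, tiers=TIERS):
    """Return (host, account) pairs where a tiered account logged on
    interactively to a host outside its tier."""
    violations = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["logon_type"] not in INTERACTIVE:
            continue  # only interactive logons are in scope for this check
        user = row["account"].split("\\")[-1].lower()
        for prefix, allowed in tiers.items():
            if user.startswith(prefix):
                if not row["host"].upper().startswith(allowed):
                    violations.append((row["host"], row["account"]))
                break  # an account belongs to at most one tier
    return violations


if __name__ == "__main__":
    for host, account in tier_violations(SAMPLE_EVENTS):
        print(f"{account} logged on interactively to {host}, outside its tier")
```

Accounts that match no prefix, such as ordinary users, are ignored, so the check only reports on the administrative accounts the tiering is meant to contain.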

  10. #10
    Junior Member
    Join Date
    May 2005
    Posts
    3
    *******************************************************
    Even so, someone logging on locally as an account with local admin rights on *any* other machine in the domain, instantly gives them away to anybody else with local admin rights as soon as they log on.
    *******************************************************

    What does this mean, exactly??
