
Thread: Deleted Users and SIDs

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    20

    Deleted Users and SIDs

    Hey guys, I have a question

    I have a Windows 2000 DC running in VMware on one of my PCs and I've been toying with the Active Directory schema and SIDs. Basically my idea is this:

    If you create a user in Active Directory, then assign permissions to this new user on a file or folder, and then go back into Active Directory and delete the user, the permissions are still set to the user's old SID and show up in the security window of the file or folder. I have seen applications that can modify Active Directory to enable the reuse of used SIDs. I assume this would mean that if I created a new user and it obtained the same SID as our first user, then he would receive the same permissions? I have read a couple of articles on this but haven't seen a proof of concept yet, so I am wondering if anyone has one? Also I'm wondering about the possibility of overwriting SIDs that are in use? Perhaps an exploit that was able to change a regular user account's SID to that of something in the Administrators group, or perhaps even the Administrator himself.
    Also wondering if anyone has any idea about how to defend against this sort of attack?

    cheers

    Memnoch

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Since security is in the file system, if you delete a user/group, the rights will still remain on the file system. Windows identifies users by an internal identification instead of the account name. The SID is dynamically generated to avoid collisions (in a scope).
    If you have a tool that can change an account SID to a deleted one, this account will have access to those files. Period.
    BTW, leaving rights on directories (or resources) of dead users is the most stupid way to administer security. So, you can use this "exploit" only against dumb administrators.

    And against those guys, you can get access in an easy way, such as "standard" passwords, or even basic social engineering.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
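    A defender's check for the situation the reply describes, added here as an example that is not from the thread or any of its posters: a PowerShell script that walks a directory tree and lists the explicit (non-inherited) ACEs whose SID no longer resolves to an account, i.e. the rights left behind by deleted users. The root path `C:\Shares` is an assumption; adjust it and run as an account allowed to read ACLs there.

```powershell
# Added example, not from the thread. Lists explicit ACEs whose account SID
# is orphaned (deleted user or group). Root path below is an assumption.
param(
    [string]$Root = 'C:\Shares'
)

function Test-OrphanedSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl already tries to translate each SID to DOMAIN\name; an entry
    # that is still a raw SecurityIdentifier either no longer maps to an
    # account or belongs to an unreachable domain.
    if ($Identity -isnot [System.Security.Principal.SecurityIdentifier]) { return $false }
    # Only account-style SIDs (S-1-5-21-<domain>-<rid>) can be deleted users;
    # capability and well-known SIDs never translate and are not orphans.
    if ($Identity.Value -notmatch '^S-1-5-21-') { return $false }
    try {
        $null = $Identity.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $item = $_
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        # Inherited ACEs are fixed once at the parent, so report only explicit ones.
        if ($ace.IsInherited) { continue }
        if (Test-OrphanedSid $ace.IdentityReference) {
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
  }
```

    Each reported entry is a candidate for removal; reviewing them before a SID could ever be reused closes the window the original question asks about.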

  3. #3
    Instead of deleting users at my old job, we would just set them as 'inactive', so that if that person was ever rehired for the same position, then they would have the same resources for whatever groups they were assigned to before. If that person was to get a different job in the company, it was a simple matter of moving them around in groups.

    Most of the time it is easier in the long run to set up groups for permissions and put users in groups rather than assign each user specific permissions. It is also safer, since it will take less time to move users out of groups rather than having to look at each folder that you had set permissions on for each user.

    enjoy

    ~Halv

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Instead of deleting users at my old job, we would just set them as 'inactive', so that if that person was ever rehired for the same position, then they would have the same resources for whatever groups they were assigned to before. If that person was to get a different job in the company, it was a simple matter of moving them around in groups.
    No. You should delete all as soon as they leave the company. It's the recommended practice. Reusing the "old rights" for a rehired person isn't a good practice.
    Most of the time it is easier in the long run to set up groups for permissions and put users in groups rather than assign each user specific permissions.
    Yep. That is the best practice. Never assign rights directly to a user.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
