Use fport from www.foundstone.com to map out every process. Chances are if
the admin password has been compromised that is the least of your worries. I
would start looking for backdoors any programs that would would just dump
the user on the system. At that point the attacker could just come and go.
Final though... Rebuild to make sure.
From: "Boris Skoblo" <borsk@techunix.technion.ac.il>
To: "Thor" <thor@hammerofgod.com>, <focus-ms@securityfocus.com>
Subject: Re: disclosure the administrative password
Date: Wed, 2 Feb 2005 09:09:59 +0200
----- Original Message ----- From: "Thor" <thor@hammerofgod.com>
To: "Boris Skoblo" <borsk@techunix.technion.ac.il>;
<focus-ms@securityfocus.com>
Sent: Tuesday, February 01, 2005 11:58 PM
Subject: Re: disclosure the administrative password
This sounds like one of those "loaded" questions... This is a security
list, so we will want to know "why." Why is a smart card and all other
hardware not applicable?
These methods not applicable because of budgetary limitations
Why can't the operations be delegated?
For example, stoping and starting of various services for the diagnostic
purposes
And so what if it is a custom logger- it's still a driver. Is it a root
kit logger? If so, how do you know that?
Whether I do not know present keylogger at system,
but potential possibility exists therefore I should take safety measures
What actions does the admin have to perform that require RunAs in the
first place, exactly? Answering these will help us give you better
answers.
For example, stoping and starting of various services for the diagnostic
purposes
Wipe the machine and prevent non-admin loading of drivers. User SAFER
restrictions to only allow designated software to run. Initiate corporate
policy to fire and or prosecute offending users.
Use Remote Desktop on XP to initiate administrative tasks which bypass
the hardware keystroke logger (until Blue Boar and I write our Terminal
Services Keystroke Logger, that is. We're calling it Terminal Stroke.)
Worse case, change the admin password after you have to do whatever it is
you have to do as an admin on the box.
As about W2K workstations ?
T
----- Original Message ----- From: "Boris Skoblo"
<borsk@techunix.technion.ac.il>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, February 01, 2005 4:50 AM
Subject: disclosure the administrative password
Hi All,
There is a usual situation: on normal users computers ( W2k and Winxp )
an administrator should perform an administrative actions
(for example, with help RunAs) thus the administrative password is
entered. Do exist a potential possibility that on the user's computer
there is keylogger.
What ways to perform administrative operations exist, thus not
endangering disclosure the administrative password? There are some
limitations:
1. usage of smarts-cards and others hardvare devices are not applicable .
2. performed operations cannot be delegated for various reasons
3. keylogger is custom designed and any of existing protective software
yet does not find out it
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Regards,
Boris Skoblo
Boris
---------------------------------------------------------------------------
---------------------------------------------------------------------------
_________________________________________________________________
Don�t just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/
---------------------------------------------------------------------------
---------------------------------------------------------------------------
