Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Fun with cached credentials!

from [Firstname Lastname] Network Security [Permanent Link]
Subject: Fun with cached credentials!
Date: Fri, 3 Dec 2004 15:01:57 -0500 
One of the security settings on a Windows 2003 box is - Interactive
logon: Number of previous logons to cache

I was testing this feature and discovered something that might be
disturbing to some who are not already aware of it. By default, this
setting is set to 10, so Windows 2003 will remember 10 sets of logon
credentials. Some people confuse these credentials with the user
profiles, but the two do not appear to be synonymous. Some
experimentation has revealed what I think is a big problem with this
"feature". Namely, that in an Active Directory setting, users that are
deleted, or locked in AD can still logon using these cached credentials
if the system cannot communicate with the Domain Controllers.

Worse, they continue to be able to logon even if you delete or remove
their profiles. The credentials are stored somewhere else (probably the
registry). Thus, unless you take some other remediation deleted Active
Directory accounts can still logon to systems that are disconnected from
the Domain FOREVER. Even if you have a password policy that expires
passwords, that only appears to be enforced if the Domain Controller can
be contacted. I had no trouble disconnecting the machine and logging in
with a username long deleted and a password long expired.

One fix that I found was to change the default setting of the above
security setting to zero. That seems to cause all previously cached
credentials to be purged from the system. It also prevents ANYONE from
logging into the system with a Domain account if the system is not
actually attached to the domain. This could be a VERY big problem for
laptop users who do not use local accounts. However, I think this
setting should be set to zero on any and all servers in an Active
Directory environment.

Comments, opinions and further testing results are welcome.

Todd Thomas
Disaster Preparedness Consultant

--
Editor's Note: The 43rd Most Powerful Person in Networking says...

Register today to take the TruSecure ICSA exam by 12/31/04  at
<http://www.2test.com> ,  use promo code "CT1204" and you will pay just
$221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
for international delivery.

Visit <https://ticsa.trusecure.com>  for complete details regarding the
TICSA credential and to take the free sample exam.

--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Fun with cached credentials!, Firstname Lastname <=
Previous by Date:  Alert: Microsoft Security Bulletin MS04-040 - Cumulative Security Update for Internet Explorer (889293), Russ Cooper
Next by Date:  Workaround for Symantec/Windows Installer Program problems on XP SP2, A. Wood
Previous by Thread:  Alert: Microsoft Security Bulletin MS04-040 - Cumulative Security Update for Internet Explorer (889293), Russ Cooper
Next by Thread:  Workaround for Symantec/Windows Installer Program problems on XP SP2, A. Wood
Indexes:  [Date] [Thread] [Top] [All Lists]