Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Securing workstations from IT guys

from [Erin Carroll] Network Security [Permanent Link]
Subject: RE: Securing workstations from IT guys
Date: Tue, 27 Nov 2007 14:24:14 -0800 
Mark is correct. 

I've been watching this thread with some interest. While there are multiple
approaches you can take to reduce the problem, and many excellent
suggestions have been mentioned, the simple fact is that at the end of the
day you can't stop a sufficiently knowledgeable admin (or user) from
bypassing whatever controls you put into place... You can only make it
harder to hide their tracks.

For the example below that has been under discussion, it's much easier to
assume the credentials of an authorized account (SYSTEM, domain admin,
whatever) and in some cases you don't even need to know what the password to
that account is in order to elevate and bypass controls.

With physical access, a standard user login, and your privilege escalation
of choice ("at [time] /interactive cmd", odd spaces in cmd .exe
invocations...pick your poison) you could use tool like the USB Switchblade
(http://wiki.hak5.org/wiki/USB_Switchblade) to snag the password hashes
and/or LSA of the target system. Then, using any number of brute-force tools
to crack the password of your target account (large Rainbow tables are
useful), subsequently access files/information by impersonating the target
privileged user. You could also use something like CORE's pass-the-hash tool
(http://oss.coresecurity.com/projects/pshtoolkit.htm) to effectively do the
same impersonation with no password cracking necessary.

In my opinion, the most severe threat to any organization from a security
perspective are also the most critical resources you need to keep business
flowing: your Security team and the Domain Admins. Pay them well :)


--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 





-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com] On Behalf Of Mark Owen
Sent: Tuesday, November 27, 2007 1:51 PM
To: Liam Jewell
Cc: Depp, Dennis M.; Lim Ming Wei; WALI; security-basics
Subject: Re: Securing workstations from IT guys

On Nov 27, 2007 3:05 PM, Liam Jewell <ljjewell@gmail.com> wrote:

Anybody who has physical access to the machine becomes a 
vulnerability.  Even if you encrypt files under an administrator 
account on the local machine, simply resetting the password with a 
program like Passware, will not disable the encryption.  Then an 
unauthorized user can log in to the admin account with a blank 
password (or a password of their choosing) and have access to all 
encrypted files.



This is not entirely true.  If you reset or delete the 
password for an account then that account will no longer be 
able to decrypt the files.
--
Mark Owen
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: dns paper:case study, James Alcasid
Next by Date:  Re: Securing workstations from IT guys, Christian Brenner
Previous by Thread:  Re: Securing workstations from IT guys, Mark Owen
Next by Thread:  Re: Securing workstations from IT guys, Christian Brenner
Indexes:  [Date] [Thread] [Top] [All Lists]