RE: [Full-disclosure] Flaw in Microsoft Domain Account
>The attack has some academically interesting details about how cached
>credentials work, but I agree with Stefan. If you own the machine, you own
>the machine. What's to stop you from, say, simply installing a rootkit?
Exactly. More importantly, even if you must make users local admins, there is never *any* reason why the domain administrator should interactively log onto a workstation as the domain administrator anyway. Service personnel log on with support accounts, not the domain admin accounts. If they do, well, then you've got other problems. But in this case even if a domain admin logs in interactively (or via RDP), it's not an issue. Cached credentials can't be used for anything other than to log on to the local machine if there is no DC available. After a domain account logs on to a local system, after AD authenticates the request, then *another* hash is made of the hashed password with *a different salt* each time, for each user cached.

As far as the academic interest, cached account behavior is a documented process which has been around for years, local admin overwrite capabilities included.
t
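An added defender's check, not part of the original thread: since the reply's point is that cached credentials only matter for logging on to the local machine when no DC is reachable, the setting worth auditing on each workstation is how many logons it caches at all. The script below (function name is mine) reads the CachedLogonsCount value under the Winlogon key, which is the value the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" writes; it assumes only that the key exists, which it does on supported Windows versions.

```powershell
# Added example, not code from the original post: report the cached-logon policy
# on this workstation so you can decide whether caching is appropriate for it
# (e.g. 0 on shared desktops that always see a DC, the default on laptops).
function Get-CachedLogonPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue

    # The value is stored as a string (REG_SZ); Windows uses 10 when it is absent.
    $count = if ($null -eq $item) { 10 } else { [int]$item.CachedLogonsCount }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        CachedLogonsCount = $count
        CachingDisabled   = ($count -eq 0)
    }
}

Get-CachedLogonPolicy | Format-List
```

Run it in an elevated PowerShell session (the key is readable without elevation, but changing the policy is not); a value of 0 means no domain credentials are cached locally, at the cost that users cannot log on while the DC is unreachable.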