Although it is a well-known fact that Windows desktops and servers still use LM hashes and cache the last ten userids and passwords locally, just in case an Active Directory, domain, or NDS tree is not available, has anyone thought about the consequences of this issue in a hot-desking or flexible working environment?

With the increasing cost of real estate, many corporates are beginning to look into hot-desking, where users share desk space and in most cases a desktop PC. In large corporates it may be the case that a user is now sitting, for a short period of time, next to someone they have never seen before, affording greater opportunity for someone undertaking an attack to go unnoticed or unchallenged.

The speed and ease with which an attacker in this scenario can obtain other users' logins, which may afford them access to a greater chunk of the network, is quite frightening. PWDUMP to extract the SAM database, remove the file using a USB key, and crack at your leisure... usually very quickly.

Now, I know what everyone is saying: wait a minute, for PWDUMP to work you need to be administrator on the local machine. But think again, how often is this the case? Many companies only look to restrict network access - as restricting local access may cause issues with applications which need to access the local drive.

This is also a potential issue at drop-in centres where corporate users, from the IT staff to sales and HR staff, all use the systems for a short spell.

My thinking is that prior to any hot-desking roll-out it is imperative that these issues are taken into consideration and dealt with, otherwise who knows who will be using your login id tomorrow!

Any thoughts?

K Milne
Infosec Professional
Author of Z4CK and Digital Force
http://www.z4ck.org
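
A read-only check of a shared PC for the three conditions the post relies on (LM hashes being stored, cached domain logons, and ordinary users holding local administrator rights), added here as an example and not part of the original post. The zero-cached-logons target and the list of "broad" group SIDs are assumptions to adjust to local policy.

```powershell
# Added example: audit a hot-desk Windows PC. Reads settings only, changes nothing.
# Assumed policy values (not from the post): adjust to your environment.
$MaxCachedLogons = 0                      # shared desktops are normally on the network
$BroadSids = 'S-1-1-0',                   # Everyone
             'S-1-5-11',                  # Authenticated Users
             'S-1-5-4',                   # Interactive
             'S-1-5-32-545'               # BUILTIN\Users

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()

# 1. LM hashes: NoLMHash = 1 stops an LM hash being stored at the next password change.
$noLm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'NoLMHash'
if ($noLm -ne 1) {
    $findings += "NoLMHash is not set to 1: LM hashes may be stored in the local SAM."
}

# 2. Cached domain logons: CachedLogonsCount is a string value; 10 applies when absent.
$raw = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
$cached = if ($null -eq $raw) { 10 } else { [int]$raw }
if ($cached -gt $MaxCachedLogons) {
    $findings += "CachedLogonsCount is $cached (policy target: $MaxCachedLogons)."
}

# 3. Local administrators: look the group up by SID so localized names still work.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)
foreach ($m in $admins) {
    $sid = $m.SID.Value
    # A SID ending in -513 is a domain's "Domain Users" group.
    if ($BroadSids -contains $sid -or $sid -match '-513$') {
        $findings += "Broad group '$($m.Name)' is a local administrator."
    }
}

"Local Administrators members ($($admins.Count)):"
$admins | ForEach-Object { "  $($_.ObjectClass): $($_.Name)" }

if ($findings.Count -eq 0) { "No findings." }
else { "Findings:"; $findings | ForEach-Object { "  - $_" } }
```

`Get-LocalGroupMember` requires Windows PowerShell 5.1 or later; on older systems `net localgroup Administrators` lists the same membership.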