Stefan, For you information: Cached domain accounts on a local system are not stored in the SAM. They are stored in the SECURITY registry hive. When a cached domain user logs in to the system, they do not authenticate against the SAM (As you can see in my article, I am not editing the SAM). ----------------------------------------------------- StenoPlasma at ExploitDevelopment.com www.ExploitDevelopment.com ----------------------------------------------------- -------- Original Message -------- > From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx> > Sent: Monday, December 13, 2010 7:53 AM > To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx > Subject: Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) > > "George Carlson" <gcarlson@xxxxxxxx> wrote: > > > Your objections are mostly true in a normal sense. > > And in abnormal sense? > > > However, it is not true when Group Policy is taken into account. > > Group Policies need an AD. Cached credentials are only used locally, > for domain accounts, when the computer can't connect to the AD. > > > Group Policies differentiate between local and Domain administrators > > Local administrators don't authenticate against an AD, they authenticate > against the local SAM. No GPOs there! > And: a local administrator can override ANY policy, even exempt the > computer completely from processing Group Policies. > > > and so this > > vulnerability is problematic for shops that differentiate between > > desktop support and AD support. > > Again: this is NO VULNERABILITY. > An administrator is an administrator is an administrator. > > [braindead fullquote removed ] > > Stefan
