Bugtraq mailing list archives

Re: [FW: NT Security: Domain user adding self to Domain Admin


From: seanmckay () NETSCAPE NET (McKay)
Date: Tue, 4 May 1999 11:02:46 CDT


Gary, I also had problems getting this to work... Here is the setup I
tested against.

* NT 4.0 Server w/SP3 patch only applied.
* Various NT 4.0 Workstations with only SP3 or SP4 applied.

These were all installed with default configurations; I changed nothing
from how they were installed.

Gary Kalbfleisch <gkalbfle () CTC CTC EDU> wrote:

> First I verified the various rights I thought would be involved. On the PDC
> the group Everyone has "Access this computer from Network". Rights to the
> registry key in question (HKLM\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\ProfileList) are as follows: Administrators Full, System
> Full, and the problem child Everyone: Special Access = Query Value, Set
> Value, Create Subkey, Enumerate Subkeys, Notify & Read Control.


I verified the same type of permissions on the registry keys in particular.

> The problem occurred when I logged in as an ordinary Domain user. Using the
> exact same batch files I was able to read the data in the ProfileList subkey
> and all its subkeys but was not able to write the new values to that key or
> any subkeys. When I would run the Reg Update batch file, the error message
> "access denied" was returned.

That is strange; when I ran reg.exe as a Domain User on the key in question, I
just got "access denied" on both the query and the update :(

> The security breach I mentioned in the first paragraph is that any Domain
> user could use Reg Query to access information on anyone, including System
> Admins, that has logged in locally on the PDC or possibly other domain
> computers.

I wasn't able to query any info from the registry key in question as just a Domain
User :(

I did find one interesting "Feature" of reg.exe and regedt32.exe.  Apparently
if you are logged in remotely to the PDC using a local account on a machine on
the Windows NT network and your local account happens to have the same
username and password as a domain account on the PDC, then you get the domain
account's rights regardless of your local rights.  So if your local group has
User permissions only and the corresponding domain group has Administrators
rights, then you get to access the registry as if you were an Administrator.

McKay


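The two checks the thread turns on, written up as an added example (this is not code from the original posts or from either author): which principals hold write rights on the ProfileList key, and what a reader of that key actually learns. It is a hypothetical script that assumes a current Windows host with Windows PowerShell 5.1 or later (NT 4.0 had no PowerShell) and the same key the thread discusses; the function names, the list of "broad" principals and the set of rights counted as write access are my own choices.

```powershell
# Added example, not code from the original post or its authors. Assumes a current
# Windows host with Windows PowerShell 5.1 or later and the key the thread discusses,
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Run it once as an
# ordinary user to reproduce the "can a plain user read ProfileList?" test from the
# thread, and once elevated to see the complete ACL.

$ProfileListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Rights that let a principal modify the key or its subkeys. SetValue and CreateSubKey
# are exactly the two the thread reports Everyone holding on the PDC.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'

# Broad principals (assumed list) for which an Allow ACE carrying any of those rights
# is reported as a finding.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'INTERACTIVE', 'NETWORK')

function Get-ProfileListAclFindings {
    param([string]$Path = $ProfileListPath)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # IdentityReference is 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\SYSTEM', ...;
        # compare on the last component so domain and BUILTIN prefixes do not matter.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        $grantsWrite = (([int]$ace.RegistryRights) -band ([int]$WriteRights)) -ne 0
        [PSCustomObject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Finding   = ($ace.AccessControlType -eq 'Allow') -and $grantsWrite -and ($BroadPrincipals -contains $name)
        }
    }
}

function Get-ProfileListEntries {
    param([string]$Path = $ProfileListPath)

    # Each subkey name is a SID and ProfileImagePath names the profile directory, so a
    # reader learns which accounts (admins included) have logged on to this machine.
    # That is the disclosure the thread is concerned about.
    Get-ChildItem -Path $Path -ErrorAction Stop | ForEach-Object {
        $sid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $account = '<unresolved>'
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [PSCustomObject]@{
            Sid              = $sid
            Account          = $account
            ProfileImagePath = $props.ProfileImagePath
        }
    }
}

# Usage: list what a reader can see, then show only the ACL entries that are findings.
Get-ProfileListEntries | Format-Table -AutoSize
Get-ProfileListAclFindings | Where-Object { $_.Finding } | Format-Table -AutoSize
```

If either call fails with an access-denied error when run as a plain user, that is the same result McKay reports for reg.exe and is itself the answer to the question; run it again elevated to see which ACE, inherited or explicit, is responsible.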


