Re: Insufficient Authentication vulnerability in Asus notebook

[Ansgar Wiechers <bugtraq () planetcobalt net>]

On 2009-05-14 nameless wrote:
> Steve Quan wrote:
> > Is there something like su/sudo in the Windows world ? How do windows
> > administrators handle this (ie accountability) ?
>
> There is "runas".

Indeed. There's also a variety of third-party tools like SuperiorSU [1].

> There is no accountability with the local admin account.  You can
> disable the account and use domain credentials, but when the domain
> isn't available, you're screwed, so it is a poor decision.

I wouldn't agree entirely. It depends on who is given the password for
the local administrator account. You only have no accountability if more
than one person knows that password.

[...]
> In regards to changing the Admin account name, why make it easy for
> the kiddiots?  It is trivial for any of us to bypass this, right?

Please elaborate. What attack scenarios do you see that aren't mitigated
by a strong password? Besides, even if you change the login name, the
SID of the account (which is well-known) still remains the same.

[...]
> Changing the Administrator name is just another layer in the onion of
> your defensive strategy.

I entirely fail to see what additional security that will gain you, so
please explain.

[...]
> And I'm not trying to be a smart ass, but does anyone really use
> LM-hashes anymore?

I don't believe they're actually used by anyone anymore. However, the
use of LM-hashes is still enabled by default on any XP.

[1] http://www.stefan-kuhr.de/cms/index.php?option=com_content&view=article&id=62&Itemid=73

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html